<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Signing Key on Tarragon</title><link>https://tarrragon.github.io/blog/tags/signing-key/</link><description>Recent content in Signing Key on Tarragon</description><generator>Hugo -- gohugo.io</generator><language>zh-TW</language><copyright>Tarragon (CC BY 4.0)</copyright><lastBuildDate>Thu, 30 Apr 2026 00:00:00 +0000</lastBuildDate><atom:link href="https://tarrragon.github.io/blog/tags/signing-key/index.xml" rel="self" type="application/rss+xml"/><item><title>Storm-0558 2023: Cloud Signing Key Pressure</title><link>https://tarrragon.github.io/blog/backend/07-security-data-protection/blue-team/materials/field-cases/storm-0558-2023-cloud-signing-key-pressure/</link><pubDate>Thu, 30 Apr 2026 00:00:00 +0000</pubDate><guid>https://tarrragon.github.io/blog/backend/07-security-data-protection/blue-team/materials/field-cases/storm-0558-2023-cloud-signing-key-pressure/</guid><description>&lt;p>This case's role is to supply material on cloud signing key pressure. Storm-0558 shows that when an expired MSA consumer signing key is combined with a token validation flaw, a single identity trust root can be used to forge access tokens across tenants.&lt;/p>
&lt;h2 id="來源">Sources&lt;/h2>
&lt;table>
 &lt;thead>
 &lt;tr>
 &lt;th>Source&lt;/th>
 &lt;th>Citable scope&lt;/th>
 &lt;/tr>
 &lt;/thead>
 &lt;tbody>
 &lt;tr>
 &lt;td>&lt;a href="https://msrc.microsoft.com/blog/2023/07/microsoft-mitigates-china-based-threat-actor-storm-0558-targeting-of-customer-email/">Microsoft MSRC: Storm-0558 mitigation&lt;/a>&lt;/td>
 &lt;td>initial mitigation, affected scope, key revocation&lt;/td>
 &lt;/tr>
 &lt;tr>
 &lt;td>&lt;a href="https://www.microsoft.com/en-us/security/blog/2023/07/14/analysis-of-storm-0558-techniques-for-unauthorized-email-access/">Microsoft Security Blog: Analysis of Storm-0558&lt;/a>&lt;/td>
 &lt;td>token forgery, OWA and Outlook.com paths, IOCs&lt;/td>
 &lt;/tr>
 &lt;tr>
 &lt;td>&lt;a href="https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-193a">CISA: Enhanced Monitoring (AA23-193A)&lt;/a>&lt;/td>
 &lt;td>M365 audit log monitoring recommendations, detection guidance&lt;/td>
 &lt;/tr>
 &lt;tr>
 &lt;td>&lt;a href="https://www.helpnetsecurity.com/2024/04/03/microsoft-storm-0558-key/">CSRB report (Help Net Security summary)&lt;/a>&lt;/td>
 &lt;td>key rotation process gaps, cascade of errors, governance review&lt;/td>
 &lt;/tr>
 &lt;/tbody>
&lt;/table>
&lt;h2 id="defender-pressure">Defender Pressure&lt;/h2>
&lt;table>
 &lt;thead>
 &lt;tr>
 &lt;th>壓力&lt;/th>
 &lt;th>服務判讀&lt;/th>
 &lt;/tr>
 &lt;/thead>
 &lt;tbody>
 &lt;tr>
 &lt;td>Signing key trust pressure&lt;/td>
 &lt;td>一把長期金鑰可以影響大量 tenant 的身份信任&lt;/td>
 &lt;/tr>
 &lt;tr>
 &lt;td>Key rotation pressure&lt;/td>
 &lt;td>自動化輪替與退役流程需要可觀測&lt;/td>
 &lt;/tr>
 &lt;tr>
 &lt;td>Tenant boundary pressure&lt;/td>
 &lt;td>consumer 與 enterprise token 邊界要明確分離&lt;/td>
 &lt;/tr>
 &lt;tr>
 &lt;td>Detection coverage pressure&lt;/td>
 &lt;td>受影響客戶常需依賴雲端供應商提供 audit log 才能查證&lt;/td>
 &lt;/tr>
 &lt;/tbody>
&lt;/table>
&lt;h2 id="control-gap">Control Gap&lt;/h2>
&lt;p>控制缺口的核心是身份信任根的生命週期管理。當 signing key 缺少自動輪替與退役監控,且 token validator 接受跨類型金鑰時,單一遺留金鑰會升級成跨租戶風險。&lt;/p>
&lt;h2 id="detection-route">Detection Route&lt;/h2>
&lt;table>
 &lt;thead>
 &lt;tr>
 &lt;th>訊號&lt;/th>
 &lt;th>判讀用途&lt;/th>
 &lt;th>下一步&lt;/th>
 &lt;/tr>
 &lt;/thead>
 &lt;tbody>
 &lt;tr>
 &lt;td>雲端 mailbox 出現未預期的 OWA token 使用&lt;/td>
 &lt;td>判斷 token forgery 可能性&lt;/td>
 &lt;td>啟動雲端身份事件回應&lt;/td>
 &lt;/tr>
 &lt;tr>
 &lt;td>audit log 缺少 token issuer 與 key id&lt;/td>
 &lt;td>判斷 detection coverage gap&lt;/td>
 &lt;td>補強 logging 與 &lt;a href="https://tarrragon.github.io/blog/backend/knowledge-cards/token-revocation/" data-link-title="Token Revocation" data-link-desc="說明事件中如何撤銷 token，縮短可利用窗口">token revocation&lt;/a>&lt;/td>
 &lt;/tr>
 &lt;tr>
 &lt;td>供應商 advisory 指出簽章金鑰受影響&lt;/td>
 &lt;td>判斷 key rotation 與 session 收斂優先序&lt;/td>
 &lt;td>啟動 vulnerability response state&lt;/td>
 &lt;/tr>
 &lt;/tbody>
&lt;/table>
&lt;h2 id="exercise-hook">Exercise Hook&lt;/h2>
&lt;p>本案例可支撐 &lt;a href="https://tarrragon.github.io/blog/backend/07-security-data-protection/blue-team/materials/scenarios/identity-support-token-tabletop/" data-link-title="Identity Support Token Tabletop" data-link-desc="以支援流程與 session token 風險設計身份接管 tabletop 情境">Identity support token tabletop&lt;/a> 的雲端變體。演練重點是確認團隊能在雲端供應商通報後,快速判讀受影響 tenant、收集 audit log 並協調金鑰相關 session 收斂。&lt;/p>
&lt;h2 id="write-back-target">Write-back Target&lt;/h2>
&lt;ul>
&lt;li>&lt;a href="https://tarrragon.github.io/blog/backend/07-security-data-protection/identity-access-boundary/" data-link-title="7.2 身分與授權邊界" data-link-desc="以問題驅動方式整理身分、授權、會話與供應商身分鏈">7.2 身分與授權邊界&lt;/a>&lt;/li>
&lt;li>&lt;a href="https://tarrragon.github.io/blog/backend/07-security-data-protection/blue-team/vulnerability-response-state-machine/" data-link-title="7.B11 Vulnerability Response State Machine" data-link-desc="把漏洞回應拆成狀態機，建立 observed 到 closed 的可交接流程">7.B11 Vulnerability Response State Machine&lt;/a>&lt;/li>
&lt;li>&lt;a href="https://tarrragon.github.io/blog/backend/07-security-data-protection/blue-team/materials/control-patterns/control-owner-pattern/" data-link-title="Control Owner Pattern" data-link-desc="定義高風險控制面如何配置 owner、協作角色、決策角色與升級路徑">Control owner pattern&lt;/a>&lt;/li>
&lt;li>&lt;a href="https://tarrragon.github.io/blog/backend/07-security-data-protection/blue-team/materials/control-patterns/evidence-chain-pattern/" data-link-title="Evidence Chain Pattern" data-link-desc="定義事故與演練需要保存的訊號、決策、artifact、timeline 與 retention 證據">Evidence chain pattern&lt;/a>&lt;/li>
&lt;/ul></description><content:encoded><![CDATA[<p>This case's role is to supply material on cloud signing key pressure. Storm-0558 shows that when an expired MSA consumer signing key is combined with a token validation flaw, a single identity trust root can be used to forge access tokens across tenants.</p>
<h2 id="來源">Sources</h2>
<table>
  <thead>
      <tr>
          <th>Source</th>
          <th>Citable scope</th>
      </tr>
  </thead>
  <tbody>
      <tr>
          <td><a href="https://msrc.microsoft.com/blog/2023/07/microsoft-mitigates-china-based-threat-actor-storm-0558-targeting-of-customer-email/">Microsoft MSRC: Storm-0558 mitigation</a></td>
          <td>initial mitigation, affected scope, key revocation</td>
      </tr>
      <tr>
          <td><a href="https://www.microsoft.com/en-us/security/blog/2023/07/14/analysis-of-storm-0558-techniques-for-unauthorized-email-access/">Microsoft Security Blog: Analysis of Storm-0558</a></td>
          <td>token forgery, OWA and Outlook.com paths, IOCs</td>
      </tr>
      <tr>
          <td><a href="https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-193a">CISA: Enhanced Monitoring (AA23-193A)</a></td>
          <td>M365 audit log monitoring recommendations, detection guidance</td>
      </tr>
      <tr>
          <td><a href="https://www.helpnetsecurity.com/2024/04/03/microsoft-storm-0558-key/">CSRB report (Help Net Security summary)</a></td>
          <td>key rotation process gaps, cascade of errors, governance review</td>
      </tr>
  </tbody>
</table>
<h2 id="defender-pressure">Defender Pressure</h2>
<table>
  <thead>
      <tr>
          <th>Pressure</th>
          <th>Service interpretation</th>
      </tr>
  </thead>
  <tbody>
      <tr>
          <td>Signing key trust pressure</td>
          <td>A single long-lived key can affect the identity trust of a large number of tenants</td>
      </tr>
      <tr>
          <td>Key rotation pressure</td>
          <td>Automated rotation and retirement processes need to be observable</td>
      </tr>
      <tr>
          <td>Tenant boundary pressure</td>
          <td>The boundary between consumer and enterprise tokens must be clearly separated</td>
      </tr>
      <tr>
          <td>Detection coverage pressure</td>
          <td>Affected customers often depend on audit logs provided by the cloud provider to verify impact</td>
      </tr>
  </tbody>
</table>
<h2 id="control-gap">Control Gap</h2>
<p>The core of the control gap is lifecycle management of the identity trust root. When a signing key lacks automated rotation and retirement monitoring, and the token validator accepts keys across key types, a single leftover key escalates into cross-tenant risk.</p>
<h2 id="detection-route">Detection Route</h2>
<table>
  <thead>
      <tr>
          <th>Signal</th>
          <th>Interpretation purpose</th>
          <th>Next step</th>
      </tr>
  </thead>
  <tbody>
      <tr>
          <td>Unexpected OWA token use appears against a cloud mailbox</td>
          <td>Assess the likelihood of token forgery</td>
          <td>Start cloud identity incident response</td>
      </tr>
      <tr>
          <td>Audit log lacks token issuer and key id</td>
          <td>Identify the detection coverage gap</td>
          <td>Strengthen logging and <a href="/blog/backend/knowledge-cards/token-revocation/" data-link-title="Token Revocation" data-link-desc="說明事件中如何撤銷 token，縮短可利用窗口">token revocation</a></td>
      </tr>
      <tr>
          <td>Vendor advisory indicates a signing key is affected</td>
          <td>Prioritize key rotation and session containment</td>
          <td>Enter the vulnerability response state</td>
      </tr>
  </tbody>
</table>
<h2 id="exercise-hook">Exercise Hook</h2>
<p>This case can support a cloud variant of the <a href="/blog/backend/07-security-data-protection/blue-team/materials/scenarios/identity-support-token-tabletop/" data-link-title="Identity Support Token Tabletop" data-link-desc="以支援流程與 session token 風險設計身份接管 tabletop 情境">Identity support token tabletop</a>. The exercise focuses on confirming that, after a cloud provider notification, the team can quickly identify affected tenants, collect audit logs, and coordinate containment of key-related sessions.</p>
<h2 id="write-back-target">Write-back Target</h2>
<ul>
<li><a href="/blog/backend/07-security-data-protection/identity-access-boundary/" data-link-title="7.2 身分與授權邊界" data-link-desc="以問題驅動方式整理身分、授權、會話與供應商身分鏈">7.2 Identity and Authorization Boundary</a></li>
<li><a href="/blog/backend/07-security-data-protection/blue-team/vulnerability-response-state-machine/" data-link-title="7.B11 Vulnerability Response State Machine" data-link-desc="把漏洞回應拆成狀態機，建立 observed 到 closed 的可交接流程">7.B11 Vulnerability Response State Machine</a></li>
<li><a href="/blog/backend/07-security-data-protection/blue-team/materials/control-patterns/control-owner-pattern/" data-link-title="Control Owner Pattern" data-link-desc="定義高風險控制面如何配置 owner、協作角色、決策角色與升級路徑">Control owner pattern</a></li>
<li><a href="/blog/backend/07-security-data-protection/blue-team/materials/control-patterns/evidence-chain-pattern/" data-link-title="Evidence Chain Pattern" data-link-desc="定義事故與演練需要保存的訊號、決策、artifact、timeline 與 retention 證據">Evidence chain pattern</a></li>
</ul>
]]></content:encoded></item></channel></rss>