Dark Mode

Settings

Capec-459 Detail

Creating a Rogue Certification Authority Certificate

Detailed Software Likelihood: Medium Typical Severity: Very High

Parents: 473

Threats: T59 T263 T271 T292 T307

Description

An adversary exploits a weakness resulting from using a hashing algorithm with weak collision resistance to generate certificate signing requests (CSR) that contain collision blocks in their "to be signed" parts. The adversary submits one CSR to be signed by a trusted certificate authority then uses the signed blob to make a second certificate appear signed by said certificate authority. Due to the hash collision, both certificates, though different, hash to the same value and so the signed blob works just as well in the second certificate. The net effect is that the adversary's second X.509 certificate, which the Certification Authority has never seen, is now signed and validated by that Certification Authority.

Extended Description

Alternatively, the second certificate could be a signing certificate. Thus the adversary is able to start their own Certification Authority that is anchored in its root of trust in the legitimate Certification Authority that has signed the attacker's first X.509 certificate. If the original Certificate Authority was accepted by default by browsers, so will the Certificate Authority set up by the adversary and any certificates that it signs. As a result, the adversary is able to generate any SSL certificates to impersonate any web server, and the user's browser will not issue any warning to the victim. This can be used to compromise HTTPS communications and other types of systems where PKI and X.509 certificates may be used (e.g., VPN, IPSec).
External ID Source Link Description
CAPEC-459 capec https://capec.mitre.org/data/definitions/459.html
CWE-327 cwe http://cwe.mitre.org/data/definitions/327.html
CWE-295 cwe http://cwe.mitre.org/data/definitions/295.html
CWE-290 cwe http://cwe.mitre.org/data/definitions/290.html
REF-395 reference_from_CAPEC http://www.phreedom.org/research/rogue-ca/ Alexander Sotirov, Marc Stevens, Jacob Appelbaum, Arjen Lenstra, David Molnar, Dag Arne Osvik, Benne de Weger, MD5 Considered Harmful Today: Creating a Rogue CA Certificate, 2008--12---30, Phreedom.org
REF-587 reference_from_CAPEC https://www.win.tue.nl/hashclash/rogue-ca/#Ref Alexander Sotirov, Marc Stevens, Jacob Appelbaum, Arjen Lenstra, David Molnar, Dag Arne Osvik, Benne de Weger, MD5 considered harmful today, 2009--12
Experiment

  1. Craft Certificates: The adversary crafts two different, but valid X.509 certificates that when hashed with an insufficiently collision resistant hashing algorithm would yield the same value.

  2. Send CSR to Certificate Authority: The adversary sends the CSR for one of the certificates to the Certification Authority which uses the targeted hashing algorithm. That request is completely valid and the Certificate Authority issues an X.509 certificate to the adversary which is signed with its private key.

Exploit

  1. Insert Signed Blob into Unsigned Certificate: The adversary takes the signed blob and inserts it into the second X.509 certificate that the attacker generated. Due to the hash collision, both certificates, though different, hash to the same value and so the signed blob is valid in the second certificate. The result is two certificates that appear to be signed by a valid certificate authority despite only one having been signed.

  1. Certification Authority is using a hash function with insufficient collision resistance to generate the certificate hash to be signed
  1. Knowledge of a certificate authority that uses hashing algorithms with poor collision resistance
  2. A valid certificate request and a malicious certificate request with identical hash values
High Medium
An attacker must be able to craft two X.509 certificates that produce the same hash value
Knowledge needed to set up a certification authority
Access Control Authentication
Gain Privileges Gain Privileges
  1. MD5 Collisions The MD5 algorithm is not collision resistant, allowing attackers to use spoofing attacks to create rogue certificate Authorities.See also: CVE-2004-2761
  2. SHA1 Collisions The SHA1 algorithm is not collision resistant, allowing attackers to use spoofing attacks to create rogue certificate Authorities.See also: CVE-2005-4900
  3. PKI Infrastructure vulnerabilities Research has show significant vulnerabilities in PKI infrastructure. Trusted certificate authorities have been shown to use weak hashing algorithms after attacks have been demonstrated against those algorithms. Additionally, reliable methods have been demonstrated for generated MD5 collisions that could be used to generate malicious CSRs.

We use cookies to ensure you get the best experience on our website.