CAPEC-459: Creating a Rogue Certification Authority Certificate

Description

An adversary exploits a weakness resulting from using a hashing algorithm with weak collision resistance to generate certificate signing requests (CSR) that contain collision blocks in their "to be signed" parts. The adversary submits one CSR to be signed by a trusted certificate authority then uses the signed blob to make a second certificate appear signed by said certificate authority. Due to the hash collision, both certificates, though different, hash to the same value and so the signed blob works just as well in the second certificate. The net effect is that the adversary's second X.509 certificate, which the Certification Authority has never seen, is now signed and validated by that Certification Authority.

Extended Description

Alternatively, the second certificate could be a signing certificate. Thus the adversary is able to start their own Certification Authority that is anchored in its root of trust in the legitimate Certification Authority that has signed the attacker's first X.509 certificate. If the original Certificate Authority was accepted by default by browsers, so will the Certificate Authority set up by the adversary and any certificates that it signs. As a result, the adversary is able to generate any SSL certificates to impersonate any web server, and the user's browser will not issue any warning to the victim. This can be used to compromise HTTPS communications and other types of systems where PKI and X.509 certificates may be used (e.g., VPN, IPSec).

Severity :

Very High

Possibility :

Medium

Type :

Detailed

Relationships with other CAPECs

This table shows the other attack patterns and high level categories that are related to this attack pattern.

CAPEC-473: Signature Spoof Signature Spoof

Prerequisites

This table shows the other attack patterns and high level categories that are related to this attack pattern.

Certification Authority is using a hash function with insufficient collision resistance to generate the certificate hash to be signed

Skills required

This table shows the other attack patterns and high level categories that are related to this attack pattern.

High Understanding of how to force a hash collision in X.509 certificates
High An attacker must be able to craft two X.509 certificates that produce the same hash value
Medium Knowledge needed to set up a certification authority

Taxonomy mappings

Mappings to ATT&CK, OWASP and other frameworks.

Resources required

Knowledge of a certificate authority that uses hashing algorithms with poor collision resistance

A valid certificate request and a malicious certificate request with identical hash values

Related CWE

A Related Weakness relationship associates a weakness with this attack pattern. Each association implies a weakness that must exist for a given attack to be successful.

CWE-290: Authentication Bypass by Spoofing

CWE-295: Improper Certificate Validation

CWE-327: Use of a Broken or Risky Cryptographic Algorithm

Visit http://capec.mitre.org/ for more details.