New to CAPEC? Start Here
Home > CAPEC List > CAPEC-459: Creating a Rogue Certification Authority Certificate (Version 3.5)  

CAPEC-459: Creating a Rogue Certification Authority Certificate

Attack Pattern ID: 459
Abstraction: Detailed
Status: Draft
Presentation Filter:
+ Description
An adversary exploits a weakness resulting from using a hashing algorithm with weak collision resistance to generate certificate signing requests (CSR) that contain collision blocks in their "to be signed" parts. The adversary submits one CSR to be signed by a trusted certificate authority then uses the signed blob to make a second certificate appear signed by said certificate authority. Due to the hash collision, both certificates, though different, hash to the same value and so the signed blob works just as well in the second certificate. The net effect is that the adversary's second X.509 certificate, which the Certification Authority has never seen, is now signed and validated by that Certification Authority. Alternatively, the second certificate could be a signing certificate. Thus the adversary is able to start their own Certification Authority that is anchored in its root of trust in the legitimate Certification Authority that has signed the attacker's first X.509 certificate. If the original Certificate Authority was accepted by default by browsers, so will the Certificate Authority set up by the adversary and any certificates that it signs. As a result, the adversary is able to generate any SSL certificates to impersonate any web server, and the user's browser will not issue any warning to the victim. This can be used to compromise HTTPS communications and other types of systems where PKI and X.509 certificates may be used (e.g., VPN, IPSec).
+ Likelihood Of Attack

Medium

+ Typical Severity

Very High

+ Relationships
Section HelpThis table shows the other attack patterns and high level categories that are related to this attack pattern. These relationships are defined as ChildOf and ParentOf, and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as CanFollow, PeerOf, and CanAlsoBe are defined to show similar attack patterns that the user may want to explore.
NatureTypeIDName
ChildOfStandard Attack PatternStandard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.473Signature Spoof
Section HelpThis table shows the views that this attack pattern belongs to and top level categories within that view.
+ Execution Flow
Exploit
  1. The adversary crafts two different, but valid X.509 certificates that when hashed with an insufficiently collision resistant hashing algorithm would yield the same value.
  2. The adversary sends the CSR for one of the certificates to the Certification Authority which uses the targeted hashing algorithm. That request is completely valid and the Certificate Authority issues an X.509 certificate to the adversary which is signed with its private key.
  3. The adversary takes the signed blob and inserts it into the second X.509 certificate that the attacker generated. Due to the hash collision, both certificates, though different, hash to the same value and so the signed blob is valid in the second certificate. The result is two certificates that appear to be signed by a valid certificate authority despite only one having been signed.
+ Prerequisites
Certification Authority is using a hash function with insufficient collision resistance to generate the certificate hash to be signed
+ Skills Required
[Level: High]
Understanding of how to force a hash collision in X.509 certificates
[Level: High]
An attacker must be able to craft two X.509 certificates that produce the same hash value
[Level: Medium]
Knowledge needed to set up a certification authority
+ Resources Required
Knowledge of a certificate authority that uses hashing algorithms with poor collision resistance
A valid certificate request and a malicious certificate request with identical hash values
+ Consequences
Section HelpThis table specifies different individual consequences associated with the attack pattern. The Scope identifies the security property that is violated, while the Impact describes the negative technical impact that arises if an adversary succeeds in their attack. The Likelihood provides information about how likely the specific consequence is expected to be seen relative to the other consequences in the list. For example, there may be high likelihood that a pattern will be used to achieve a certain impact, but a low likelihood that it will be exploited to achieve a different impact.
ScopeImpactLikelihood
Access Control
Authentication
Gain Privileges
+ Mitigations
Certification Authorities need to stop using deprecated or cryptographically insecure hashing algorithms to hash the certificates that they are about to sign. Instead they should be using stronger hashing functions such as SHA-256 or SHA-512.
+ Example Instances
MD5 Collisions

The MD5 algorithm is not collision resistant, allowing attackers to use spoofing attacks to create rogue certificate Authorities.

See also: CVE-2004-2761
SHA1 Collisions

The SHA1 algorithm is not collision resistant, allowing attackers to use spoofing attacks to create rogue certificate Authorities.

See also: CVE-2005-4900
PKI Infrastructure vulnerabilities

Research has show significant vulnerabilities in PKI infrastructure. Trusted certificate authorities have been shown to use weak hashing algorithms after attacks have been demonstrated against those algorithms. Additionally, reliable methods have been demonstrated for generated MD5 collisions that could be used to generate malicious CSRs.

+ References
[REF-395] Alexander Sotirov, Marc Stevens, Jacob Appelbaum, Arjen Lenstra, David Molnar, Dag Arne Osvik and Benne de Weger. "MD5 Considered Harmful Today: Creating a Rogue CA Certificate". Phreedom.org. 2008-12-30. <http://www.phreedom.org/research/rogue-ca/>.
[REF-587] Alexander Sotirov, Marc Stevens, Jacob Appelbaum, Arjen Lenstra, David Molnar, Dag Arne Osvik and Benne de Weger. "MD5 considered harmful today". 2009-12. <https://www.win.tue.nl/hashclash/rogue-ca/#Ref>. URL validated: 2020-06-04.
+ Content History
Submissions
Submission DateSubmitterOrganization
2014-06-23CAPEC Content TeamThe MITRE Corporation
Modifications
Modification DateModifierOrganization
2017-05-01CAPEC Content TeamThe MITRE Corporation
Updated Description Summary
2018-07-31CAPEC Content TeamThe MITRE Corporation
Updated References
2020-07-30CAPEC Content TeamThe MITRE Corporation
Updated Consequences, Description, Example_Instances, Likelihood_Of_Attack, Mitigations, Prerequisites, References, Resources_Required, Skills_Required, Taxonomy_Mappings
2020-12-17CAPEC Content TeamThe MITRE Corporation
Updated Description, Execution_Flow
2021-06-24CAPEC Content TeamThe MITRE Corporation
Updated Taxonomy_Mappings
Previous Entry Names
Change DatePrevious Entry Name
2017-05-01Creating a Rogue Certificate Authority Certificate
More information is available — Please select a different filter.
Page Last Updated or Reviewed: December 17, 2020