CAPEC-459: Creating a Rogue Certification Authority Certificate (Version 3.2)

Attack Pattern ID: 459
Abstraction: Detailed
Status: Draft
+ Description
An adversary exploits a weakness in the MD5 hash algorithm (weak collision resistance) to generate a certificate signing request (CSR) that contains collision blocks in the "to be signed" part. The adversary specially crafts two different but valid X.509 certificates that yield the same value when hashed with the MD5 algorithm. The adversary then sends the CSR for one of the certificates to a Certification Authority that uses the MD5 hashing algorithm. That request is completely valid, and the Certification Authority issues an X.509 certificate to the adversary, signed with its private key.

The adversary then takes that signed blob and inserts it into another X.509 certificate that the adversary generated. Due to the MD5 collision, both certificates, though different, hash to the same value, so the signed blob works just as well in the second certificate. The net effect is that the adversary's second X.509 certificate, which the Certification Authority has never seen, is now signed and validated by that Certification Authority.

To make the attack more interesting, the second certificate could be not just a regular certificate but itself a signing certificate. The adversary is thus able to start their own Certification Authority whose root of trust is anchored in the legitimate Certification Authority that signed the adversary's first X.509 certificate. If the original Certification Authority was accepted by default by browsers, so will be the Certification Authority set up by the adversary and, of course, any certificates that it signs. The adversary is now able to generate SSL certificates to impersonate any web server, and the user's browser will not issue any warning to the victim. This can be used to compromise HTTPS communications and other types of systems where PKI and X.509 certificates may be used (e.g., VPN, IPSec).
+ Typical Severity

Very High

+ Relationships

The table below shows the other attack patterns and high level categories that are related to this attack pattern. These relationships are defined as ChildOf and ParentOf, and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as CanFollow, PeerOf, and CanAlsoBe are defined to show similar attack patterns that the user may want to explore.

ChildOf | Standard Attack Pattern | 473 | Signature Spoof

Standard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.

The table below shows the views that this attack pattern belongs to and top level categories within that view.

+ Prerequisites
Certification Authority is using the MD5 hash function to generate the certificate hash to be signed
+ Skills Required
[Level: High] Understanding of how to force an MD5 hash collision in X.509 certificates
[Level: High] An attacker must be able to craft two X.509 certificates that produce the same MD5 hash
[Level: Medium] Knowledge needed to set up a certification authority
+ Mitigations
Certification Authorities need to stop using the weak, collision-prone MD5 hashing algorithm to hash the certificates that they are about to sign. Instead, they should use stronger hash functions such as SHA-256 or SHA-512.
+ Taxonomy Mappings
Relevant to the ATT&CK taxonomy mapping
Entry ID | Entry Name
1130 | Install Root Certificate
+ References
[REF-395] Alexander Sotirov, Marc Stevens, Jacob Appelbaum, Arjen Lenstra, David Molnar, Dag Arne Osvik and Benne de Weger. "MD5 Considered Harmful Today: Creating a Rogue CA Certificate". Phreedom.org. 2008-12-30. <http://www.phreedom.org/research/rogue-ca/>.
+ Content History
Submission Date | Submitter | Organization
2014-06-23 | CAPEC Content Team | The MITRE Corporation

Modification Date | Modifier | Organization
2017-05-01 | CAPEC Content Team | The MITRE Corporation
Updated Description Summary
2018-07-31 | CAPEC Content Team | The MITRE Corporation
Updated References

Previous Entry Names
Change Date | Previous Entry Name
2017-05-01 | Creating a Rogue Certificate Authority Certificate
Page Last Updated or Reviewed: September 30, 2019