CAPEC - CAPEC-459: Creating a Rogue Certification Authority Certificate (Version 3.9)


CAPEC Common Attack Pattern Enumeration and Classification A Community Resource for Identifying and Understanding Attacks	New to CAPEC? Start Here

Home > CAPEC List > CAPEC-459: Creating a Rogue Certification Authority Certificate (Version 3.9)

CAPEC-459: Creating a Rogue Certification Authority Certificate

Attack Pattern ID: 459

Abstraction: Detailed

View customized information:

Description

An adversary exploits a weakness resulting from using a hashing algorithm with weak collision resistance to generate certificate signing requests (CSR) that contain collision blocks in their "to be signed" parts. The adversary submits one CSR to be signed by a trusted certificate authority then uses the signed blob to make a second certificate appear signed by said certificate authority. Due to the hash collision, both certificates, though different, hash to the same value and so the signed blob works just as well in the second certificate. The net effect is that the adversary's second X.509 certificate, which the Certification Authority has never seen, is now signed and validated by that Certification Authority.

Extended Description

Alternatively, the second certificate could be a signing certificate. Thus the adversary is able to start their own Certification Authority that is anchored in its root of trust in the legitimate Certification Authority that has signed the attacker's first X.509 certificate. If the original Certificate Authority was accepted by default by browsers, so will the Certificate Authority set up by the adversary and any certificates that it signs. As a result, the adversary is able to generate any SSL certificates to impersonate any web server, and the user's browser will not issue any warning to the victim. This can be used to compromise HTTPS communications and other types of systems where PKI and X.509 certificates may be used (e.g., VPN, IPSec).

Likelihood Of Attack

Medium

Typical Severity

Very High

Relationships

Section HelpThis table shows the other attack patterns and high level categories that are related to this attack pattern. These relationships are defined as ChildOf and ParentOf, and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as CanFollow, PeerOf, and CanAlsoBe are defined to show similar attack patterns that the user may want to explore.

Nature	Type	ID	Name
ChildOf	Standard Attack PatternStandard Attack Pattern - A standard level attack pattern in CAPEC is focused on a specific methodology or technique used in an attack. It is often seen as a singular piece of a fully executed attack. A standard attack pattern is meant to provide sufficient details to understand the specific technique and how it attempts to accomplish a desired goal. A standard level attack pattern is a specific type of a more abstract meta level attack pattern.	473	Signature Spoof

Section HelpThis table shows the views that this attack pattern belongs to and top level categories within that view.

View Name	Top Level Categories
Domains of Attack	Software
Mechanisms of Attack	Engage in Deceptive Interactions

Execution Flow

Experiment

Craft Certificates: The adversary crafts two different, but valid X.509 certificates that when hashed with an insufficiently collision resistant hashing algorithm would yield the same value.
Send CSR to Certificate Authority: The adversary sends the CSR for one of the certificates to the Certification Authority which uses the targeted hashing algorithm. That request is completely valid and the Certificate Authority issues an X.509 certificate to the adversary which is signed with its private key.

Exploit

Insert Signed Blob into Unsigned Certificate: The adversary takes the signed blob and inserts it into the second X.509 certificate that the attacker generated. Due to the hash collision, both certificates, though different, hash to the same value and so the signed blob is valid in the second certificate. The result is two certificates that appear to be signed by a valid certificate authority despite only one having been signed.

Prerequisites

Certification Authority is using a hash function with insufficient collision resistance to generate the certificate hash to be signed

Skills Required

[Level: High]

Understanding of how to force a hash collision in X.509 certificates

[Level: High]

An attacker must be able to craft two X.509 certificates that produce the same hash value

[Level: Medium]

Knowledge needed to set up a certification authority

Resources Required

Knowledge of a certificate authority that uses hashing algorithms with poor collision resistance

A valid certificate request and a malicious certificate request with identical hash values

Consequences

Section HelpThis table specifies different individual consequences associated with the attack pattern. The Scope identifies the security property that is violated, while the Impact describes the negative technical impact that arises if an adversary succeeds in their attack. The Likelihood provides information about how likely the specific consequence is expected to be seen relative to the other consequences in the list. For example, there may be high likelihood that a pattern will be used to achieve a certain impact, but a low likelihood that it will be exploited to achieve a different impact.

Scope	Impact	Likelihood
Access Control Authentication	Gain Privileges

Mitigations

Certification Authorities need to stop using deprecated or cryptographically insecure hashing algorithms to hash the certificates that they are about to sign. Instead they should be using stronger hashing functions such as SHA-256 or SHA-512.

Example Instances

MD5 Collisions

The MD5 algorithm is not collision resistant, allowing attackers to use spoofing attacks to create rogue certificate Authorities.

See also: CVE-2005-4900

PKI Infrastructure vulnerabilities

Research has show significant vulnerabilities in PKI infrastructure. Trusted certificate authorities have been shown to use weak hashing algorithms after attacks have been demonstrated against those algorithms. Additionally, reliable methods have been demonstrated for generated MD5 collisions that could be used to generate malicious CSRs.

Related Weaknesses

Section HelpA Related Weakness relationship associates a weakness with this attack pattern. Each association implies a weakness that must exist for a given attack to be successful. If multiple weaknesses are associated with the attack pattern, then any of the weaknesses (but not necessarily all) may be present for the attack to be successful. Each related weakness is identified by a CWE identifier.

CWE-ID	Weakness Name
327	Use of a Broken or Risky Cryptographic Algorithm
295	Improper Certificate Validation
290	Authentication Bypass by Spoofing

Taxonomy Mappings

Section HelpCAPEC mappings to ATT&CK techniques leverage an inheritance model to streamline and minimize direct CAPEC/ATT&CK mappings. Inheritance of a mapping is indicated by text stating that the parent CAPEC has relevant ATT&CK mappings. Note that the ATT&CK Enterprise Framework does not use an inheritance model as part of the mapping to CAPEC.

Relevant to the ATT&CK taxonomy mapping (see parent )

References

[REF-395] Alexander Sotirov, Marc Stevens, Jacob Appelbaum, Arjen Lenstra, David Molnar, Dag Arne Osvik and Benne de Weger. "MD5 Considered Harmful Today: Creating a Rogue CA Certificate". Phreedom.org. 2008年12月30日. <http://www.phreedom.org/research/rogue-ca/>.

[REF-587] Alexander Sotirov, Marc Stevens, Jacob Appelbaum, Arjen Lenstra, David Molnar, Dag Arne Osvik and Benne de Weger. "MD5 considered harmful today". 2009-12. <https://www.win.tue.nl/hashclash/rogue-ca/#Ref>. URL validated: 2020年06月04日.

Content History

Submissions
Submission Date	Submitter	Organization
2014年06月23日 (Version 2.6)	CAPEC Content Team	The MITRE Corporation
2014年06月23日 (Version 2.6)
Modifications
Modification Date	Modifier	Organization
2017年05月01日 (Version 2.10)	CAPEC Content Team	The MITRE Corporation
2017年05月01日 (Version 2.10)	Updated Description Summary
2018年07月31日 (Version 2.12)	CAPEC Content Team	The MITRE Corporation
2018年07月31日 (Version 2.12)	Updated References
2020年07月30日 (Version 3.3)	CAPEC Content Team	The MITRE Corporation
2020年07月30日 (Version 3.3)	Updated Consequences, Description, Example_Instances, Likelihood_Of_Attack, Mitigations, Prerequisites, References, Resources_Required, Skills_Required, Taxonomy_Mappings
2020年12月17日 (Version 3.4)	CAPEC Content Team	The MITRE Corporation
2020年12月17日 (Version 3.4)	Updated Description, Execution_Flow
2021年06月24日 (Version 3.5)	CAPEC Content Team	The MITRE Corporation
2021年06月24日 (Version 3.5)	Updated Taxonomy_Mappings
2022年02月22日 (Version 3.7)	CAPEC Content Team	The MITRE Corporation
2022年02月22日 (Version 3.7)	Updated Description, Execution_Flow, Extended_Description
2022年09月29日 (Version 3.8)	CAPEC Content Team	The MITRE Corporation
2022年09月29日 (Version 3.8)	Updated Example_Instances
Previous Entry Names
Change Date	Previous Entry Name
2017年05月01日 (Version 2.10)	Creating a Rogue Certificate Authority Certificate

More information is available — Please select a different filter.

Page Last Updated or Reviewed: July 31, 2018


MITRE	Site Map \| Terms of Use \| Manage Cookies \| Cookie Notice \| Privacy Policy \| Contact Us \| CAPEC on Twitter CAPEC on LinkedIn CAPEC on YouTube CAPEC Out-of-Bounds-Read Podcast CAPEC Blog on Medium Use of the Common Attack Pattern Enumeration and Classification (CAPEC), and the associated references from this website are subject to the Terms of Use. Copyright © 2007–2025, The MITRE Corporation. CAPEC and the CAPEC logo are trademarks of The MITRE Corporation.	HSSEDI

Common Attack Pattern Enumeration and Classification

CAPEC-459: Creating a Rogue Certification Authority Certificate