
I ran a scan on a server and the results of the digital certificate authentication check were as follows: Certificate 1 (root) signature algorithm: Sha256withRSA

Certificate 2 (chain of trust) signature algorithm: SHA256withRSA

Certificate 3 (chain of trust) signature algorithm: Sha1with RSA (weak but no impact on root certificate). This certificate shows in the certificate path as trusted.

There is a lot of literature online saying that SHA1 should be replaced with SHA2 to prevent brute force and MITM attacks, because it is a weaker algorithm.

Could someone help me understand the risk if the root certificate uses SHA2 while the chain of trust certificate uses SHA1? Can a client use the chain of trust certificate instead of the root certificate?

user107327
  • Is the root certificate Certificate 1 or Certificate 3? The scanner, or possibly your copy-pasting, seems to have confused what is the root and what is an intermediate certificate. – Lie Ryan Apr 13 '16 at 01:14
  • Sorry for the confusion. Certificate 1 is the root – user107327 Apr 13 '16 at 01:21
  • See also https://security.googleblog.com/2015/12/an-update-on-sha-1-certificates-in.html, emphasis mine: _"At this point, sites that have a SHA-1-based signature as part of the certificate chain (**not including the self-signature on the root certificate**) will trigger a fatal network error."_ – Arjan Sep 15 '16 at 08:56

1 Answer


The signature algorithm used in the root certificate is not used to establish trust in the root certificate, because a root certificate is trusted by virtue of a copy of it being installed in the browser, either included with the browser as part of the installation or added later by the user to their certificate store.

For the rest of the trust chain, including intermediate and end certificates, a root certificate asserts the authority and encoded data in the intermediate certificate by cryptographically signing the signature of the intermediate certificate with its private key. Likewise, the intermediate certificate asserts the authority and encoded data in the end certificate by cryptographically signing the signature of the end certificate. There can be more than one level of intermediate certificates.

If an intermediate or end certificate has a weak signature, then it is possible that an attacker can generate two certificates with the same signature but different encoded information (e.g. looks-harmless.com and your-bank.com). The attacker can then ask a certificate authority to sign one of the certificates (looks-harmless.com) and then copy the signature to the other certificate (your-bank.com).

The problem with SHA1 is that it has flaws that render it feasible for an attacker with sufficient resources to find such collisions.

In your example, if intermediate Certificate 3 has a SHA1 signature, then it is vulnerable to this attack. If the scanner didn't flag this chain as untrusted, then it should have.

Lie Ryan
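As an added example (not code from the question or the answer), here is a stdlib-only Python check that walks a list of DER certificates and flags SHA-1 signatures, applying the rule the answer gives: a self-signed root's own signature establishes no trust and is ignored, while a SHA-1 signature on any intermediate or end certificate is reported. The sample chain mirrors the scan in the question and is built from constructed certificate skeletons (placeholder key and signature bits), not real certificates.

```python
"""Flag SHA-1 signatures in an X.509 chain, ignoring a self-signed root (its own signature establishes no trust)."""
# AlgorithmIdentifier bodies (OID + NULL params) for the two algorithms in the question
SHA1_RSA = bytes.fromhex("06092a864886f70d0101050500")
SHA256_RSA = bytes.fromhex("06092a864886f70d01010b0500")
SIG_NAMES = {SHA1_RSA: "sha1WithRSAEncryption", SHA256_RSA: "sha256WithRSAEncryption"}
def der_tlv(buf, pos=0):
    """Decode the DER element at pos -> (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    """Members of a constructed value as (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_tlv(value, pos)
        out.append((tag, val))
    return out

def cert_info(der):
    """Outer signature algorithm of a DER certificate, and whether issuer == subject."""
    tbs, sig_alg = [v for _, v in der_children(der_tlv(der)[1])][:2]
    fields = der_children(tbs)
    if fields[0][0] == 0xA0:                            # optional explicit [0] version
        fields = fields[1:]
    issuer, subject = fields[2][1], fields[4][1]         # serial, sigalg, issuer, validity, subject
    return {"alg": SIG_NAMES.get(sig_alg, sig_alg.hex()), "self_signed": issuer == subject}

def weak_signatures(chain):
    """(index, algorithm) for every cert whose trust-relevant signature is SHA-1 based."""
    infos = [(i, cert_info(c)) for i, c in enumerate(chain)]
    return [(i, f["alg"]) for i, f in infos if "sha1" in f["alg"].lower() and not f["self_signed"]]
def _der(tag, body):
    """Tiny DER encoder, used only to build the constructed sample certificates."""
    ln = len(body).to_bytes((len(body).bit_length() + 7) // 8 or 1, "big")
    return bytes([tag]) + (ln if len(body) < 128 else bytes([0x80 | len(ln)]) + ln) + body
def constructed_cert(subject, issuer, alg):
    """Constructed skeleton: version, serial, sigalg, issuer, validity, subject; placeholder signature bits."""
    name = lambda cn: _der(0x30, _der(0x31, _der(0x30, bytes.fromhex("0603550403") + _der(0x0C, cn.encode()))))
    t = _der(0x17, b"240101000000Z")
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, alg)
               + name(issuer) + _der(0x30, t + t) + name(subject))
    return _der(0x30, tbs + _der(0x30, alg) + _der(0x03, b"\x00"))

# Constructed chain matching the question: SHA-256 root, SHA-256 intermediate, SHA-1 signed third certificate
CHAIN = [constructed_cert("Root CA", "Root CA", SHA256_RSA),
         constructed_cert("Intermediate CA", "Root CA", SHA256_RSA),
         constructed_cert("Issuing CA", "Intermediate CA", SHA1_RSA)]
```

Running `weak_signatures(CHAIN)` reports only the third certificate; a root whose self-signature happens to be SHA-1 is not reported, which matches the behaviour described in the linked Google blog post.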