15

Taken from here:

Don't worry if the root certificate uses SHA1; signatures on roots are not used (and Chrome won't warn about them).

Why are the signatures not used? Are not root certificates vulnerable too? Is there nothing that can be gained from breaking SHA1 to fake a root cert?

Christian
user53029

3 Answers

21

A root certificate is a self-signed certificate (by definition).

So how do you want to verify the signature of a root certificate? The root certificate is valid in itself, therefore you cannot verify it.

This is also the most problematic part of root certificates: they cannot be validated independently. If they are in the browser, then they are trusted.

TRiG
Uwe Plonus
  • Right, but if you can fake a CA root then you can impersonate the CA, and issue your own leaves down to the identity, is this not a practical attack vector to impersonate a website? – user53029 Sep 17 '14 at 09:59
  • 1
    @user53029: That is "a practical attack vector to impersonate a website"; it's just independent of what hash(es) was/were used in root certificate(s)'(s) self-signature(s). –  Sep 17 '14 at 11:21
  • 4
    @user53029 That actually happened recently. DigiNotar, a Dutch certificate authority, was hacked a few years ago and issued fraudulent root certificates for the Google domain. The hackers then managed to hack 300,000 Iranian Gmail users. DigiNotar is now bankrupt and all certificates issued by it have been revoked by every major browser. – Nzall Sep 17 '14 at 11:26
  • Thanks Nate - so if not the hash, what security measures are in place to keep the root from being faked? Does the attacker need to hack the CA like you described or is there something in the root cert itself that can be exploited? – user53029 Sep 17 '14 at 11:30
  • 3
    @user53029 Either the hash needs to be broken (which happened in [2008](http://www.zdnet.com/blog/security/ssl-broken-hackers-create-rogue-ca-certificate-using-md5-collisions/2339) with MD5 hashed certs) or the CA needs to be compromised. Most CAs use heavy physical authority including measures like keeping the root certificate itself offline to prevent catastrophic damage in the event of a hack. http://security.stackexchange.com/questions/24896/how-do-certification-authorities-store-their-private-root-keys – Dan Is Fiddling By Firelight Sep 17 '14 at 12:50
  • Dan - thanks. That brings me back full circle. So even if TLS clients do not use the hash to verify the identity of a root cert, what is stopping me from forging a CA's root cert from the SHA1 hash and potentially replacing the real CA root from the trust store with an identical copy of mine using my key pair? Would doing this allow an attacker a way to impersonate a website or perform a MiTM attack? – user53029 Sep 17 '14 at 13:28
  • 3
    @user53029 If you have access to a user's trust store, you could just add your own root certificate without having to mess with existing certificates for the same effect. See also [Ángel](https://security.stackexchange.com/users/49489/%c3%81ngel)'s answer and the comment. – ntoskrnl Sep 17 '14 at 15:01
  • 2
    @NateKerkhofs Regarding DigiNotar: A certificate authority does not issue **root** certificates. Root certificates are self-signed and they are on the top (root) of the CA hierarchy chain. There is no CA above them to sign the certificate. The fraudulent certificates were signed by the DigiNotar CA. ------ **Extending the answer:** You either trust a root certificate or not. It is your decision. The signature serves no real purpose there, it could be created by anyone. --- Hash received through a different way can be used to check the integrity of the certificate. – pabouk - Ukraine stay strong Sep 24 '14 at 08:22
18

The browser already contains a copy of the root cert. Thus, it doesn't need to verify it through its signature. Even if you broke SHA-1, you couldn't replace the root certificate that is already stored in the browser.

Ángel
  • 17
    Or, from the other direction, if you _can_ alter the root certificate store (for example by saying "employee, install this corporate root certificate if you want to keep your job", or by patching the browser), you can insert your own certificate regardless of which signature algorithm you use, and regardless of which algorithms legitimate CA certificates used. – armb Sep 17 '14 at 12:27
6

For non-root CA certificates, the browser can only verify the certificate by validating the signature of the certificate's hash. If the signed hash was generated by a weak algorithm, an attacker may be able to create a fake certificate with the same hash, but a different key pair.

For a root certificate, however, this does not have to be a problem. Since the entire trusted certificate (not just the hash) is in your trusted root store, it is possible to compare the full certificate, and not just the hash. As such, the hashing function used is irrelevant.

lzam
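The behaviour described in the answers above, as an added example that is not part of the original posts: a chain validator that accepts a root only when the whole certificate matches the local trust-store copy, and checks signatures only on the certificates below it. The `Cert` class, the helper names and the toy textbook-RSA keys (built from Mersenne primes, with SHA-1 as the digest) are assumptions made for this model; real clients parse X.509 and use real key sizes.

```python
import hashlib
from dataclasses import dataclass

E = 65537  # public exponent shared by every toy key

def keypair(a, b):
    """Toy textbook-RSA key from Mersenne primes 2**a-1, 2**b-1 (model only)."""
    p, q = 2**a - 1, 2**b - 1
    return p * q, pow(E, -1, (p - 1) * (q - 1))  # (public modulus, private exp)

@dataclass(frozen=True)
class Cert:  # hypothetical stand-in for an X.509 certificate
    subject: str
    issuer: str
    pubkey: int
    sig: int = 0

def digest(cert, n):
    tbs = f"{cert.subject}|{cert.issuer}|{cert.pubkey}".encode()
    return int.from_bytes(hashlib.sha1(tbs).digest(), "big") % n

def issue(subject, pubkey, issuer, n, d):
    unsigned = Cert(subject, issuer, pubkey)
    return Cert(subject, issuer, pubkey, pow(digest(unsigned, n), d, n))

def sig_ok(cert, issuer_n):
    return pow(cert.sig, E, issuer_n) == digest(cert, issuer_n)

def validate(chain, store):
    """chain is [leaf, ..., root]; the root's own signature is never evaluated."""
    *lower, root = chain
    if root not in store:  # whole-certificate match against the local copy
        return False
    issuer = root
    for cert in reversed(lower):  # every non-root signature is checked
        if cert.issuer != issuer.subject or not sig_ok(cert, issuer.pubkey):
            return False
        issuer = cert
    return True

root_n, root_d = keypair(61, 89)  # constructed sample data from here on
int_n, int_d = keypair(89, 107)
evil_n, evil_d = keypair(107, 127)
ROOT = Cert("Example Root", "Example Root", root_n, sig=0)  # junk self-signature
INTER = issue("Example Intermediate", int_n, "Example Root", root_n, root_d)
LEAF = issue("www.example.test", 0, "Example Intermediate", int_n, int_d)
STORE = {ROOT}
FAKE_ROOT = issue("Example Root", evil_n, "Example Root", evil_n, evil_d)
FAKE_INTER = issue("Example Intermediate", int_n, "Example Root", evil_n, evil_d)
```

The stored root validates chains even though its self-signature is junk, while `FAKE_ROOT`, whose self-signature verifies correctly, is rejected because it is not the certificate in the store.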