Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Is it possible to anyone to create a fake certification?

I have created my self signed certification and installed it to my client's Trusted root and used to .pfx [server side] to confirm that certification and the Authentication is going smoothly without any errors

But there is a question that really confuses me is there any way for a hacker to fake the authentication with my client ? with his fake cert and server ?

Example :

My code to validate the certification is

    private static bool OnCertificateValidation(
        object sender,
        X509Certificate certificate,
        X509Chain chain,
        SslPolicyErrors sslPolicyErrors)
    {
        if (sslPolicyErrors == SslPolicyErrors.None)
        {
            if (CaVerify(chain) && ServerVerify(certificate)) return true;
        }
        return false;
    }

    public static bool CaVerify(X509Chain chain)
    {
        if (chain.ChainElements.Count > 0)
        {
            var certHash = chain.ChainElements[chain.ChainElements.Count - 1].Certificate.GetCertHash();
            if (certHash.Length == ApiCertHash.Length)
            {
                for (var idx = 0; idx < certHash.Length; idx++)
                {
                    if (certHash[idx] == ApiCertHash[idx])
                    {
                        return true;
                    }
                }
            }
        }
        return false;
    }

    public static bool ServerVerify(X509Certificate certificate)
    {
        var certHash = certificate.GetCertHash();

        if (certHash.Length == ApiCertHash.Length)
        {
            for (var idx = 0; idx < certHash.Length; idx++)
            {
                if (certHash[idx] == ApiCertHash[idx])
                {
                    return true;
                }
            }

        }
        return false;
    }

So could some one create a fake certification.pfx and associate it to his fake server and connect my client to his fake server ?

like image 403
Daniel Eugen Avatar asked Sep 15 '12 22:09

Daniel Eugen


2 Answers

The Common Name (CN) field of the SSL certificate should be the DNS name of the host you are are trying to connect to. You are "Trusting" the "Trusted Root Certificate Authorites" that they will not issue a certificate with a CN without validating ownership of DNS name listed in the CN.

You have bypassed this by manually adding a Certificate Authority (CA) to the Trusted list. So the computer trusts your personal CA that the certificate it received from the server is authorized to be used for whatever CN listed on the certificate.

A attacker can not make a "Fake" certificate as the CA who issued the unauthorized certificate is not "Trusted" so the validation fails.


This is how coperate proxies often work. The IT department installs a CA on the workstations. When you make a SSL request it goes through the proxy, when the reply comes back the proxy intercepts "CN=*.google.com Signed by VeriSign" and sends to your workstation "CN=*.google.com, Signed by XYZ Corperate Proxy". Because the IT pre-installed the Trusted Root CA the browser does not complain.

However if you use some browser that does not use the normal store, or does not have CA installed you would get a certificate error as your computer would see the "Signed by XYZ Coperate Proxy" cert, not know who that CA is, then return RemoteCertificateChainErrors on the sslPolicyErrors argument.


Code example of checking the CA's hash.

if (sslPolicyErrors == SslPolicyErrors.None)
{
    var apiCertHash = new byte[] { 0x79, 0x04, 0x15, 0xC5, 0xC4, 0xF1, 0x6A, 0xA7, 0xC9, 0x12, 0xBB, 0x23, 0xED, 0x5A, 0x60, 0xA7, 0x92, 0xA8, 0xD5, 0x94 };
    if(chain.ChainElements.Count > 0)
    {
        //Not 100% if the root is first or last in the array. Don't have the program running to check.
        var certHash = chain.ChainElements[chain.ChainElements.Count - 1].Certificate.GetCertHash();
        if (certHash.Length == apiCertHash.Length)
        {
            for (var idx = 0; idx < certHash.Length; idx++)
            {
                if (certHash[idx] == apiCertHash[idx])
                {
                    return true;
                }
            }
        }
    }
}
like image 155
Scott Chamberlain Avatar answered Oct 25 '22 14:10

Scott Chamberlain


If you are going to use your self-signed certificate, you need to use the code you presented otherwise it is enough to just use

private static bool OnCertificateValidation(
    object sender,
    X509Certificate certificate,
    X509Chain chain,
    SslPolicyErrors sslPolicyErrors)
{
    if (sslPolicyErrors == SslPolicyErrors.None)
    {
        return true;

    }
    return false;
}
like image 35
Roman Ratskey Avatar answered Oct 25 '22 15:10

Roman Ratskey