• caglararli@hotmail.com
  • 05386281520

What damage could be done if a malicious certificate had an identical "Subject Key Identifier"?

Çağlar Arlı      -    29 Views

What damage could be done if a malicious certificate had an identical "Subject Key Identifier"?

I'm looking at the the Subject Key Identifier attribute of a CA certificate and am trying to understand the role it plays in validation and infer how validating client software could get it wrong.

  • What is the role of the Subject Key Identifier in validating a CA or End certificate?
    Any knowledge of how it's implemented popular software packages would be helpful

  • What is the worst that an attacker could do if they could generate a public key that also contained the same hash?

As I read RFC3280 I see that the Subject Key Identifier (SKI) is like the glue that is used to build and verify the PKI chain. The SKI also appears to be a more secure version than the certificate serial number and name that was also used to bind two certs together.

With regard to client validation of the certificate hash, do clients simply do a "pattern match" of the SKI, or is the chain SKI actually computed as described below:

For CA certificates, subject key identifiers SHOULD be derived from
the public key or a method that generates unique values. Two common
methods for generating key identifiers from the public key are:

  (1) The keyIdentifier is composed of the 160-bit SHA-1 hash of the
  value of the BIT STRING subjectPublicKey (excluding the tag,
  length, and number of unused bits).

  (2) The keyIdentifier is composed of a four bit type field with
  the value 0100 followed by the least significant 60 bits of the
  SHA-1 hash of the value of the BIT STRING subjectPublicKey
  (excluding the tag, length, and number of unused bit string bits).

One example risk I'm trying to mitigate is a malformed CA certificate with a public key that doesn't hash to a correct SKI (done by manual ASN.1 editing and resigning the cert from the attacker's root)