RE: Can you impersonate a client side cert??

[Jason Brvenik <jason () brvenik com>]

Hi Darren,

  In short, a properly configured systems will not allow this to happen.

As I have not read the paper you describe I will assume we are talking
about the ability to issue a cert from two different CA's that have the
same DN. This is possible and done quite often but the certificate
issued will be signed by a different Certificate Authority and as a
result will have different level of trust (ability). It's kinda like
this.

CA1 creates a cert
CA2 creates a cert ( with the same DN )
your server knows of CA1 and believes it to be a trusted CA and has no
knowledge of CA2.
When the certificate from CA2 is presented the signature on the cert
will not verify and access should be blocked.
Now if your server trusts both CA1 and CA2 it can get interesting. In
this case, depending on the implementation it is quite possible that
both certificates will get mapped to the same user / access / privilege
levels. There should be many other mitigating factors that prevent this
from happening though like CRL checking, OCSP, Certificate validation,
presence in a directory...

-Jason


> -----Original Message-----
> From: Darren Craig [mailto:darren.craig () celare co uk]
> Sent: Monday, January 28, 2002 7:00 AM
> To: pen-test () securityfocus com
> Subject: Can you impersonate a client side cert??
>
>
> Hi All,
>
>
> I have been reading a paper which was published back in Feb 2001 by a
> company call Sensepost which says that there is a way to impersonate a users
> client side cert by using the same common name. Does anybody have any
> experience of doing this or is it even possible considering that the users
> public part of the cert would be installed on the web server?
>
> Darren
>
>
> ******************************************************************
> Privileged, confidential and/or copyright information may
> be contained in this e-mail. This e-mail is for the use only
> of the intended addressee. If you are not the intended
> addressee, or the person responsible for delivering it to
> the intended addressee, you may not copy, forward,
> disclose or otherwise use it or any part of it in any way
> whatsoever, to do so is prohibited and may be unlawful.
>
> If you receive this e-mail by mistake please advise the
> sender immediately by using the reply facility in your
> e-mail software. Celare Limited may monitor the content
> of e-mails sent and received via its network for the purposes
> of ensuring compliance with its policies and procedures.
>
> This message is subject to and does not create or vary
> any contractual relationship between Celare Limited
> and you.
>
> Thank you.
> ******************************************************************
>
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
> Service. For more information on SecurityFocus' SIA service which
> automatically alerts you to the latest security vulnerabilities please see:
> https://alerts.securityfocus.com/


----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/