tags:

views:

438

answers:

2
+4  Q: 

SSL authentication by comparing certificate fingerprint?

Question for all the SSL experts out there:

We have an embedded device with a little web server on it, and we can install our own SSL self-signed certificates on it. The client is written in .NET (but that doesn't matter so much).

How can I authenticate the device in .NET? Is it enough to compare the fingerprint of the certificate against a known entry in the database?

My understanding is that the fingerprint is a hash of the whole certificate, including the public key. A device faking to be my device could of course send the same public certificate, but it couldn't know the private key, right?

Or do I have to build up my own chain of trust, create my own CA root certificate, sign the web server certificate and install that on the client?

+2  A: 

In the same way you wouldn't and shouldn't consider two objects to be equal just because their hash codes matched, you shouldn't consider a certificate to be authentic just because its fingerprint appears in a list of "known certificate fingerprints".

Collisions are a fact of life with hash algorithms, even good ones, and you should guard against the possibility that a motivated attacker could craft a rogue certificate with a matching fingerprint hash. The only way to guard against that is to check the validity of the certificate itself, i.e. check the chain of trust as you're implying in your last statement.

Chris W. Rea  2009-07-08 01:47:39
Huh? Cryptographic hash functions such as SHA1 have been designed such that it is infeasible to find two inputs that hash to the same output. Hence if their hash match then it is safe to assume that the inputs are equal. Hence it also is safe to assume that a motivated attacker can NOT craft two certificates with matching hashes (at least as long as the hash is not broken).Moreover, checking the signature of a self-signed certificate alone is not enough. You need to be able to trust the signing key.
Accipitridae  2009-07-09 06:35:40
Collisions *are* a fact of life with hash algorithms. And despite some of these algorithms having been designed with the best of intentions, MD5 was dethroned already, and SHA-1 has been shown to have weaknesses as well.See http://www.crn.com/security/212700354 and http://www.rsa.com/rsalabs/node.asp?id=2834. I maintain it is better to check the certificate thoroughly and not rely only on the fingerprint.
Chris W. Rea  2009-07-09 11:38:40
... and in order to check the validity of a signature you first hash your data and then check that it is the same hash value that was signed. Hence if you verify digital signatures then you actually do rely on the collision resistance of your hash algorithm.
Accipitridae  2009-07-09 17:31:01
@Accipitridae: that's what I was thinking, too.
chris166  2009-07-09 19:18:14
@Accipitridae: Good point. +1. Damned if we do, damned if we don't, and I suppose there's no easy working around the weaknesses. But, work is underway to replace the old algorithms. See http://csrc.nist.gov/groups/ST/hash/index.html
Chris W. Rea  2009-07-10 02:20:51
+2  A: 

What you propose is in principle ok. It is for example used during key signing parties. Here the participants usually just exchange their name and fingerprints of their public keys and make sure that the person at the party really is who he/she claims. Just verifying fingerprints is much easier than to verify a long public key.

Another example is the so called self certifying file system. Here again only hashes of public keys get exchanged over a secure channel. (I.e. these hashes are embedded in URLs.) In this scheme the public keys don't have to be sent securely. The receiver only has to check that the hash of the public keys matche the hashes embedded in the URLs. Of course the receiver also has to make sure that these URLs come from a trusted source.

This scheme and what you propose are simpler than using a CA. But there is a disadvantage. You have to make sure that your database with hashes is authentic. If your database is large then this will likeley be difficult. If you use CAs then you only have to ensure that the root keys are authentic. This usually simplifies the key management significantly and is of course one reason, why CA based schemes are more popular than e.g. the self certifying file system mentioned above.

Accipitridae  2009-07-09 18:03:35
The scalability is really a good reason for the PKI, thanks!
chris166  2009-07-09 19:16:31

related questions

Encryption in C# Web-Services
How Do You Secure database.yml?
ASP.NET LocationProvider
What do you (or your company) use for wiping a machine?
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
Java: What is the best way to SFTP a file from a server
How do I call a Flex SWF from a remote domain using Flash (AS3) ?
Best way to store a database password in a startup script / config file?
Using VM to get around VPN restrictions
Best references for secure coding practices in ASP.NET and classic ASP.
Secure Memory Allocator in C++
Resolving Session Fixation in JBoss
Best Practices for securing a REST API / web service
Defensive programming
Personal Linux web server
Block user access to internals of a site using HTTP_REFERER
Is there an Unobtrusive Captcha for web forms?
My website got hacked... What should I do?
What all do I need to escape when sending a (My)SQL query?
How do you disable browser Autocomplete on web form field / input tag?
Best .NET obfuscation tools/strategy
Are there best practices for testing security in an Agile development shop?
What is the best way to avoid SQL injection attacks?
Found a critical bug, but the company doesn't care
PHP Session Security