17th Annual Computer Security Applications Conference
December 10-14, 2001
New Orleans, Louisiana

Restricting Access with Certificate Attributes in Multiple Root Environments -A Recipe for Certificate Masquerading

James Hayes
National Security Agency

The issue of certificate masquerading against the SSL protocol is pointed out in [4]. In [4], various forms of server certificate masquerading are identified. It should also be noted that the attack described is a man-in-the-middle (MITM) attack that requires direct manipulation of the SSL protocol. This paper is a mirror of [4] and involves client certificate masquerading. The motivation for this paper comes from the fact that this anomaly has shown up in commercial products. It is potentially more damaging than [4] since a MITM attack is not involved and the only requirement is that the application trust a given root certificate authority (CA). The problem arises when applications use multiple roots that do not cross-certify. The problem is further exasperated since the applications themselves do not have the ability to apply external name constraints and policies. Unfortunately, the problem is a fairly well known problem within the public key infrastructure (PKI) community, but continues to persist in practice despite this knowledge.

Keywords: Certificate, Masquerading, PKI, Trust, Cross-certification, Mapping, Binding, Policy,Name Constraints, Root, Attributes

Read Paper Read Paper (in PDF)