SSL authentication by comparing certificate fingerprint?

security authentication ssl hash
11,097

Solution 1

What you propose is in principle ok. It is for example used during key signing parties. Here the participants usually just exchange their name and fingerprints of their public keys and make sure that the person at the party really is who he/she claims. Just verifying fingerprints is much easier than to verify a long public key.

Another example is the so called self certifying file system. Here again only hashes of public keys get exchanged over a secure channel. (I.e. these hashes are embedded in URLs.) In this scheme the public keys don't have to be sent securely. The receiver only has to check that the hash of the public keys matche the hashes embedded in the URLs. Of course the receiver also has to make sure that these URLs come from a trusted source.

This scheme and what you propose are simpler than using a CA. But there is a disadvantage. You have to make sure that your database with hashes is authentic. If your database is large then this will likeley be difficult. If you use CAs then you only have to ensure that the root keys are authentic. This usually simplifies the key management significantly and is of course one reason, why CA based schemes are more popular than e.g. the self certifying file system mentioned above.

Solution 2

In the same way you wouldn't and shouldn't consider two objects to be equal just because their hash codes matched, you shouldn't consider a certificate to be authentic just because its fingerprint appears in a list of "known certificate fingerprints".

Collisions are a fact of life with hash algorithms, even good ones, and you should guard against the possibility that a motivated attacker could craft a rogue certificate with a matching fingerprint hash. The only way to guard against that is to check the validity of the certificate itself, i.e. check the chain of trust as you're implying in your last statement.

Solution 3

Short:

Well in theory you then do exactly what a Certificate Authority does for you. So it should be fine.

Longer:

When a Certificate Authority signs your public-key/certificate/certificate request it doesn't sign the whole certificate data. But just the calculated hash value of the whole certificate data. This keeps the signature small.

When you don't want to establish your own CA or use a commercial/free one - by comparing the fingerprint with the one you trust you'll gain the second most trustworthy configuration. The most trustworthy solution would be by comparing the whole certificate, because also protects you from hash collision attacks.

As the other guys here stated you should make sure to use a secure/safe hashing algorithm. SHA-1 is no longer secure.

more detailed informations to this topic:

Share:
11,097
chris166
Author by

chris166

Updated on June 11, 2022

Comments

  • chris166
    chris166 about 2 years

    Question for all the SSL experts out there:

    We have an embedded device with a little web server on it, and we can install our own SSL self-signed certificates on it. The client is written in .NET (but that doesn't matter so much).

    How can I authenticate the device in .NET? Is it enough to compare the fingerprint of the certificate against a known entry in the database?

    My understanding is that the fingerprint is a hash of the whole certificate, including the public key. A device faking to be my device could of course send the same public certificate, but it couldn't know the private key, right?

    Or do I have to build up my own chain of trust, create my own CA root certificate, sign the web server certificate and install that on the client?

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

Are security concerns sending a password using a GET request over https valid?
Non-random salt for password hashes
Where do you store your salt strings?
php not redirecting and logging in
How can I calculate the Failed Acceptance Rate and False Recognition Rate?
Apache 2.4.37 with openssl 1.1.1: cannot perform post-handshake authentication
ASP.NET Core using custom authenticationhandler with cookieauthentication
ASP.Net Authentication using <credentials> in web.config
SSL Handshake_failure in Java test client while connecting to server with two-way authentication
WCF transport security with no authentication