- Description has changed:
Diff:
~~~~
--- old
+++ new
@@ -1,8 +1,10 @@
RPKI objects can have multiple parents in a few cases. This should be
supported such that if any path to a trust anchor is valid, the object is
considered valid.
In an "evil twin" attack, a malicious CA tweaks, re-signs, and publishes
another CA's certificate. The re-signed copy appears to be a parent of the
victim CA's children: the issuer, AKI, etc. in the victim CA's children match
the subject, SKI, etc. of the re-signed CA cert. However, one or both of the
following will be true of the re-signed copy if it is an "evil twin" CA
certificate:
+
* the evil twin certificate is invalid (e.g., it claims RFC3779 resources that
are not held by the malicious CA that signed it), or
* the victim CA's children appear to be invalid when checked against the evil
twin (e.g., because the children use resources outside the modified resources
in the evil twin).
+
If a relying party only attempts to validate the victim CA's children via the
evil twin, the RP will incorrectly consider the children to be invalid.
Certain circumstances can cause RPSTIR to only attempt to validate an object
via an evil twin, which makes it possible for an attacker to effectively
invalidate another party's objects.
~~~~
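Review bot: the closing paragraph's "Certain circumstances can cause RPSTIR to only attempt to validate an object via an evil twin" names no circumstance, so the description gives no way to reproduce or test the fault. Since this edit only adds the blank lines around the bullet list, consider also stating which conditions lead to the evil twin being the only parent tried.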
---
**[tickets:#29] "evil twin" certificates can invalidate valid objects**
**Status:** in-progress
**Created:** Tue Nov 10, 2015 09:29 PM UTC by Richard Hansen
**Last Updated:** Tue Nov 10, 2015 09:29 PM UTC
**Owner:** Richard Hansen

RPKI objects can have multiple parents in a few cases. This should be
supported such that if any path to a trust anchor is valid, the object is
considered valid.

In an "evil twin" attack, a malicious CA tweaks, re-signs, and publishes
another CA's certificate. The re-signed copy appears to be a parent of the
victim CA's children: the issuer, AKI, etc. in the victim CA's children match
the subject, SKI, etc. of the re-signed CA cert. However, one or both of the
following will be true of the re-signed copy if it is an "evil twin" CA
certificate:

* the evil twin certificate is invalid (e.g., it claims RFC3779 resources that
are not held by the malicious CA that signed it), or
* the victim CA's children appear to be invalid when checked against the evil
twin (e.g., because the children use resources outside the modified resources
in the evil twin).

If a relying party only attempts to validate the victim CA's children via the
evil twin, the RP will incorrectly consider the children to be invalid.

Certain circumstances can cause RPSTIR to only attempt to validate an object
via an evil twin, which makes it possible for an attacker to effectively
invalidate another party's objects.

---
Sent from sourceforge.net because rpstir-devel@lists.sourceforge.net is
subscribed to https://sourceforge.net/p/rpstir/tickets/
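
An added example, not RPSTIR's code and not part of the original ticket: a toy Python model of the two evil-twin cases described above, comparing a hypothetical walk that commits to the first matching parent with one that accepts any valid path to a trust anchor. Signatures are not modelled, resources are compared as exact prefix strings, and all names and values are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:                      # toy model; signatures are not modelled
    name: str
    subject: str
    ski: str
    issuer: str
    aki: str
    resources: frozenset         # stand-in for RFC 3779 resources (exact-match prefixes)
    trust_anchor: bool = False

def parents_of(cert, store):
    """All certs whose subject/SKI match the child's issuer/AKI, twins included."""
    return [p for p in store
            if p is not cert and p.subject == cert.issuer and p.ski == cert.aki]

def valid_any_path(cert, store, seen=frozenset()):
    """Valid if at least one chain to a trust anchor covers the cert's resources."""
    if cert.trust_anchor:
        return True
    if cert.name in seen:        # guard against issuer loops
        return False
    seen = seen | {cert.name}
    return any(cert.resources <= p.resources and valid_any_path(p, store, seen)
               for p in parents_of(cert, store))

def valid_first_parent_only(cert, store):
    """Hypothetical flawed walk: commits to the first candidate parent."""
    if cert.trust_anchor:
        return True
    candidates = parents_of(cert, store)
    if not candidates:
        return False
    parent = candidates[0]
    return cert.resources <= parent.resources and valid_first_parent_only(parent, store)

def build_store(twin_resources):
    """Constructed sample data: the twin is listed before the genuine CA cert."""
    fs = frozenset
    ta = Cert("ta", "TA", "k-ta", "TA", "k-ta", fs({"10.0.0.0/16", "10.1.0.0/16"}), True)
    victim = Cert("victim", "Victim", "k-victim", "TA", "k-ta", fs({"10.0.0.0/16"}))
    mallory = Cert("mallory", "Mallory", "k-mallory", "TA", "k-ta", fs({"10.1.0.0/16"}))
    twin = Cert("twin", "Victim", "k-victim", "Mallory", "k-mallory", fs(twin_resources))
    child = Cert("child", "Child", "k-child", "Victim", "k-victim", fs({"10.0.0.0/16"}))
    return [ta, mallory, twin, victim, child], child, twin

for label, res in [("twin over-claims", {"10.0.0.0/16"}), ("twin trimmed", {"10.1.0.0/16"})]:
    store, child, twin = build_store(res)
    print(label, valid_first_parent_only(child, store), valid_any_path(child, store))
```

In both cases the first-parent walk rejects the child while the any-path walk accepts it through the genuine CA certificate.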