Can a SHA2 x509 cert thumbprint be spoofed/specified?

Question

Looking at a potential solution where the thumbprint of a client cert is used to identify individual users and provide access control.

Supposing someone was able to view the thumbprint of a cert installed on a machine, would they be able to create/fake a cert with an identical thumbprint to impersonate another user?

I expect it would be a safe solution where the cert is issued by a trusted authority. That might or might not be an option, but at the moment looking at self-signed certs. (The process for creating, installing and recording the thumbprints of certs is considered secure. The bit I am not sure about is whether someone could just create a self signed cert with the same CN and thumbprint, were they able to view it.)

If the thumbprint approach is not good, is there an alternative way of identifying the certs that would be secure?

Answer 1

It seems that your central question is:

Supposing someone was able to view the thumbprint of a cert installed on a machine, would they be able to create/fake a cert with an identical thumbprint to impersonate another user?

In other words, what you are asking is: can two different inputs produce the same SHA256 hash? This is known as a hash collision*. SHA256 is thought to be highly resistant to collisions; and to date, a SHA256 collision has not been found. See https://crypto.stackexchange.com/questions/47809/why-havent-any-sha-256-collisions-been-found-yet for why this is, and why it is not likely that one will be found anytime soon.

However, it's also worth noting that: in addition to your server verifying that the hash of the certificate that the user presents matches the hash that the server has on file - your server must also verify that the user is in possession of the private key that corresponds with the public key in the certificate. Otherwise, an attacker could simply steal another user's certificate (which is simple to do, because certificates are, by nature, public), and impersonate that user. See Could a stolen certificate show as trusted? for more info.

Edit: *Actually, it's not a collision, it's a secondary preimage. This makes it even more unlikely for such an attack to succeed. Thank you kelalaka for the correction.

Answer 2

A cryptographic Collision is not related to your case;

• Collision is finding two arbitrary input x and y such that h(x) = h(y)

This is rather secondary pre-image attack;

• Given a message m and hash of it x = h(m) find another message m' != m such that h(m) = h(m')

If someone sees a cert thumbprint (simply a hash of the entire certificate) they need to find a secondary pre-image attack.

MD5 (corkami) and SHA-1 (shatteref.io)are broken in their collision resistances, whereas none of the Cryptographic hash functions is broken on the secondary pre-images resistances. This may be why some CA's still using SHA-1, bad for them.

In any case, we should not use MD5 or SHA-1 since a malicious cert issuer can use the collision attacks to create two different valid certificates.

One can use SHA-512, SHA3-512, or the faster on BLAKE2. Both are even secure against Grover's quantum attacks.

Answer 3

Any hashing algorithm is subject for spoofing, because output size if fixed while the number of possible inputs exceeds the number of hash combinations. Whether it is MD5, SHA1 or SHA2, or something else. Any hash algorithm is vulnerable to collisions by definition.

The problem is how it is likely in practice. For SHA2 it is statistically unlikely (if you try to brute-force input in order to get known output).

cert with an identical thumbprint to impersonate another user

and this is a bit unrelated, because thumbprints are never used to identify someone. For example, if you use client certificate for Kerberos auth in Active Directory, then certificate content and chain is examinated before the certificate is linked to some entity in account databse. And no authentication provider would link only thumbprint to account because of maintenance questions.