Installing Fake Root Keys in a PC

  • Adil Alsaid
  • Chris J. Mitchell
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3545)


If a malicious party can insert a self-issued CA public key into the list of root public keys stored in a PC, then this party could potentially do considerable harm to that PC. In this paper, we present a way to achieve such an attack for the Internet Explorer web browser root key store, which avoids attracting the user’s attention. A realisation of this attack is also described. Finally, countermeasures that can be deployed to prevent such an attack are outlined.


Keywords: Malicious Code; Creation Tool; Malicious Party; Monitoring Thread; False Root



Copyright information

© Springer-Verlag Berlin Heidelberg 2005

Authors and Affiliations

  • Adil Alsaid (1)
  • Chris J. Mitchell (1)
  1. Information Security Group, Royal Holloway, University of London, Egham, Surrey
