Windows Phone 8: these are not the certificates you are looking for

tl;dr Looks like SSL stack on Windows Phone 8 is completely broken.

We were running some tests of WP8 devices against a server that requires client certificate-based authentication. After issuing a device certificate from our own CA – the device would authenticate against the server. Sometimes it would authenticate using our certificate, but sometimes it would show up with a completely different certificate.

Here are snippets of the SSL handshake. The interesting part starts when server sends a Certificate Request (click the image for full resolution):

Certificate Request

 

Our server issues a Certificate Request, with the request for the client to provide a certificate matching the Distinguished Name of our own local CA.

And here’s the response we see from the client:

So what happened here? The client responded with a certificate issued by Microsoft, rather than providing our certificate or failing the authentication.

The hierarchy of certificate is:

  • Certificate (id-at-commonName=urn:wp-ac-hash-2:PAzCfbUuekP_SrTA0NUecBjyqN1f5,id-at-organizationalUnitName=9DFF3EFECE1B1D3E352EF654DEFBB9DED7)
    • Certificate (id-at-commonName=Microsoft Genuine Windows Phone CA4,id-at-organizationalUnitName=GFS,id-at-organizationName=Microsoft Corporation,id-at-localityName=Redmond,id-at-stateOrProvinceName=WA,id-at-countryName=US)
      • Certificate (id-at-commonName=Microsoft Windows Phone PCA,id-at-organizationName=Microsoft Corporation,id-at-localityName=Redmond,id-at-stateOrProvinceName=Washington,id-at-countryName=US)

Google is not very helpful in explaining what “wp-ac-hash-2” is. But it looks to me like a device-specific certificate issued by Microsoft Global Foundation Services. Looking at http://www.globalfoundationservices.com/ – looks like this is the team that delivers Zune and other MS cloud services, so I would not be too surprised to see this certificate being used for WP8 store authentication or other MS services.

There are couple upsetting conclusions from seeing this Windows Phone 8 behavior:

  • WP8 may or may not be able to authenticate against your server if you need client certificate-based authentication
  • If there are multiple certificates on the device – phone may fail to reach out to Microsoft services, if they require client certificate. So I can imagine the Microsoft Store not being available, or phone not being able to verify software developer.
  • Your certificate is exposed. I think it may be possible now for a malicious user run an attack against services that rely on certificate-based authentication. All an attacker has to do is make the user access your website with her phone, attacker’s website would issue a Certificate Request hoping for the phone to respond with your certificate, and then proxy the request to your services. The traffic would look like issued by user’s device where in fact it would originate from malicious source.

Oh and did I mention that on top of that looks like certificates were an afterthought for Windows Phone 8? All you have to do is take a look at Windows Phone 8 Certificate Installation document. The only option of installing certificates being through IE or email? No MDM-installed certificates user can use?

 

 

This post is also available in: English polski

One thought on “Windows Phone 8: these are not the certificates you are looking for”

Leave a Reply

Your email address will not be published.