0

I am not an expert (not even a novice :))) in security certificates and such - thus the question - but I was wondering if one can generate a new certificate by using a known fingerprint? :D (I lost my certificate for a Google Play app and was wondering about this workaround.)

Thanks.

1 Answer

1

This is practically impossible. The fingerprint uses a cryptographic hash like SHA-1 or SHA-256. With current technology it is impossible for a normal user to create the input which results in a specific hash value. It is doable with lots of effort (i.e. still very, very expensive) when MD5 was used for the fingerprint (not common); it might be doable by the NSA for SHA-1; and it is considered impossible to do it today for SHA-256.

Apart from that, certificates are commonly not validated by the fingerprint but because a trusted CA has signed the certificate. This signature is part of the certificate, so you would not only need to recreate the certificate but also somehow get a valid signature, which is impossible without having the private key of the CA, which of course you don't.

Steffen Ullrich
  • I know these fall into the one-way function mathematics, but at the security of everyday usage I hoped that knowing the result (I understand that the fingerprint is the output) and the passwords used, one could recreate a close enough image of what was used for Google Play needs, at least. I was thrown off by the fact that the developer console only complains about the fingerprint but that is just scratching the surface of the actual problem. Thanks for the answer! – user2285967 Nov 30 '16 at 18:14
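To make the answer's cost argument concrete, here is an added example (not code from the question, the answer or Google Play) that computes a SHA-256 fingerprint and measures how many guesses it takes to match only its first 16 bits. The byte string standing in for the lost certificate, the function names and the guess rate used in the estimate are assumptions made for illustration.

```python
import hashlib

# Constructed stand-in for the DER bytes of the lost certificate (assumption).
LOST_CERT = b"constructed stand-in for the DER bytes of the lost certificate"


def fingerprint(der_bytes: bytes) -> str:
    """A certificate fingerprint is the hash of the complete encoded certificate."""
    return hashlib.sha256(der_bytes).hexdigest()


def search_prefix_match(target_fp: str, bits: int, max_tries: int = 1 << 24):
    """Guess inputs until one matches the first `bits` bits of target_fp.

    Returns (candidate, tries). Expected work is about 2**bits guesses,
    so every additional bit to match doubles the cost.
    """
    want = int(target_fp, 16) >> (256 - bits)
    for tries in range(1, max_tries + 1):
        candidate = b"constructed-candidate-%d" % tries
        digest = hashlib.sha256(candidate).digest()
        if int.from_bytes(digest, "big") >> (256 - bits) == want:
            return candidate, tries
    raise RuntimeError("no match within max_tries")


def years_for_full_match(bits: int, hashes_per_second: float) -> float:
    """Rough time to try 2**bits inputs at the given (assumed) guess rate."""
    return 2.0 ** bits / hashes_per_second / (365.25 * 24 * 3600)


def demo(bits: int = 16):
    target = fingerprint(LOST_CERT)
    candidate, tries = search_prefix_match(target, bits)
    return target, candidate, tries


if __name__ == "__main__":
    target, candidate, tries = demo()
    print("target fingerprint :", target)
    print("partial match      :", fingerprint(candidate))
    print("guesses for 16 bits:", tries)
    # Assumed rate of 1e12 guesses per second, for scale only.
    print("years for 160 bits : %.2e" % years_for_full_match(160, 1e12))
    print("years for 256 bits : %.2e" % years_for_full_match(256, 1e12))
```

Even a full match would only yield some byte string with the same hash; it would not recover the private key that signed the app.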