crlite when industry academia collide
play

CRLite: When Industry & Academia Collide Thyla van der Merwe - PowerPoint PPT Presentation

CRLite: When Industry & Academia Collide Thyla van der Merwe Real World Crypto 9 January 2020 Trust TLS PKI = + l Root CA PKI signature Intermediate CA signature Intermediate CA signature TLS l Impersonate MITM TLS TLS >


  1. CRLite: When Industry & Academia Collide Thyla van der Merwe Real World Crypto 9 January 2020

  2. Trust TLS PKI = + l

  3. Root CA PKI signature Intermediate CA signature Intermediate CA signature TLS l

  4. Impersonate MITM TLS TLS > 500 000 private keys compromised! l

  5. Root CA PKI signature Intermediate CA signature revocation Intermediate CA Owner requests → CA signature produces public, verifiable attestation that the certificate should no longer be trusted. TLS Is this a revoked certificate? l

  6. Revocation is important! Revocation is broken! Current Methods Future Methods Implementing CRLite CRLs and OCSP In Firefox CRLite fuv l

  7. Revocation is important! Revocation is broken! Current Methods Future Methods Implementing CRLite CRLs and OCSP In Firefox CRLite Building the thing! Where are we now? Are we done yet? fuv CRLite: A Scalable System for Pushing All TLS Revocations to All Browsers. Larisch et al. IEEE S&P 2017 l

  8. Current Methods CRLs OCSP OCSP CA CA serial number CA signature CA signature OCSP request serial number serial number OCSP request serial number OCSP response OCSP response OCSP responder OCSP responder serial number URL URL CA signature URL 10 days? a few days? O C S P r e s p o n s e

  9. Fail-open vs Fail-closed l

  10. Current Methods Must-Staple CRLs OCSP OCSP CA CA serial number CA signature CA signature OCSP request serial number serial number OCSP request serial number OCSP response OCSP response OCSP responder OCSP responder serial number URL URL CA signature URL 10 days? a few days? O C S P r e s p o n s e

  11. Delays 200 ms Fail-open Privacy concerns l

  12. Evolving... CRLSets OneCRL Size?? CRLite

  13. Bloom Filters Certificate Ecosystem Use a data structure that supports queries for the finite set of unexpired certificates.

  14. Bloom Filters 0 0 1 0 1 0 0 0 0 1 0 1 m = 12 k = 4 Let’s put data item d in the filter: Compute h_1 (d) = 4 → set bit in index 4 to 1. Compute h_2 (d) = 11 → set bit in index 11 to 1. Compute h_3 (d) = 9 → set bit in index 9 to 1. Compute h_4 (d) = 2 → set bit in index 2 to 1.

  15. Bloom Filters 0 1 1 0 1 1 0 1 0 1 0 1 m = 12 k = 4 Let’s put data item d in the filter: Add another Compute h_1 ( d ) = 4 → set bit in index 4 to 1. item d’ ? Compute h_2 ( d ) = 11 → set bit in index 11 to 1. Compute h_3 ( d ) = 9 → set bit in index 9 to 1. Compute h_4 ( d ) = 2 → set bit in index 2 to 1.

  16. Bloom Filters 0 1 1 0 1 1 0 1 0 1 0 1 m = 12 k = 4 Is d* in the filter? If any of the h_i(d*) values is 0 If all of the h_i(d*) values are 1 then DEFINITELY NOT in the then MAYBE in the filter. filter. So maybe it’s a legitimate insertion, maybe it’s not.

  17. Bloom Filters 0 1 1 0 1 1 0 1 0 1 0 1 m = 12 k = 4 Will have false positives → rate p determined by m , k , occupancy.

  18. Bloom Filters Say we want to store R U. R is the set of revoked certificates, and U is the finite set of unexpired certificates. R S = U. But there will be false positives!

  19. Cascading Bloom Filters Say we want to store R U. R is the set of revoked certificates, and U is the finite set of unexpired certificates. R S = U. Store those in another bloom filter.

  20. Cascading Bloom Filters R BF 1 But there are going to be Elements of S that false positives shouldn’t be in BF 1 !

  21. Cascading Bloom Filters R BF 1 But there are going to be false positives BF 2 But there are going to be false positives

  22. Cascading Bloom Filters R BF 1 But there are going to be false positives BF 2 But there are going to be Elements of R that false positives shouldn’t be in BF 2 !

  23. Cascading Bloom Filters BF 1 But there are going to be false positives BF 2 But there are going to be false positives BF x no false positives* * for a constrained, finite set

  24. Cascading Bloom Filters 3 levels R If d* in not in BF1, then definitely not in R . If d* is in BF1, then we don’t know. But there are going to be false positives If d* in BF1 but not in BF2, then in R. If d* is in BF1 and BF2, then we don’t But there are going to be know. false positives If d* in BF1 and BF2 but not in BF3, then definitely not in R . If d* is all three, then in R . no false positives

  25. Cascading Bloom Filters Is u in U in R ? R Starting at i = 1 , keep going until u not in BF_i . But there are going to be false positives ● If i is odd , u not in R . ● If i is even , u in R . But there are going to be If u in all BF_i , look at number of false positives levels, l . ● If l is odd , u in R . ● If l is even , u not in R . no false positives

  26. Cascading Bloom Filters in BF1? Is u in U in R ? R N Y Starting at i = 1 , keep going until u not in BF_i . But there are going to be not in R in BF2? false positives ● If i is odd , u not in R . ● If i is even , u in R . N Y But there are going to be If u in all BF_i , look at number of false positives in R in BF3? levels, l . N Y ● If l is odd , u in R . ● If l is even , u not in R . no false positives not in R in R

  27. Cascading Bloom Filters Want the minimum possible size… Bloom filter minimized: How do we set for p for filter k = log_2(1/p) and m ≅ 144r log_2(1/p) cascades? r = |R|, s = |S| Analysis → p_1 for BF_1, p for other BFs p_1 = r√p/s p = 0.5 → close to theoretical lower bound Simulations confirm! Size of R dominates, does not grow considerably with S !

  28. CRLite Architecture CRLite Aggregator

  29. CRLite Architecture CRLite: A Scalable System for Pushing All TLS Revocations to All Browsers. Larisch et al. IEEE S&P 2017

  30. CRLite Architecture

  31. Implementing CRLite for Firefox Building the thing! Principle 4 ● CRL-like properties Individuals’ security ● Small data sizes (fast to parse) and privacy on the ● Incremental updates Internet are ● Scales well fundamental and ● Builds on useful properties of CT must not be treated as optional.

  32. Implementing CRLite for Firefox Building the thing! 95 M 1.4 MB 4 x 0.4 MB

  33. Implementing CRLite for Firefox Building the thing! 95 M 1.4 MB 4 x 0.4 MB Have our OneCRL mechanism for signing and pushing.

  34. Implementing CRLite for Firefox Building the thing! Paper did have a prototype using Firefox → built as a Firefox extension. Academic Prototype Mozilla Prototype TLS APIs for cert checking Native code (C++, Rust, some JS) - JavaScript (11.9MB memory) 10ms to check a cert chain 0.04 ms (check a cert) < 8ms (all Firefox calls to check a - includes parsing certs (API chain) provides unparsed certs) - We check end-entity certs - Use OneCRL -> intermediates

  35. Implementing CRLite for Firefox Building the thing! 1. Create our aggregator to produce filters 2. Write the client-side code for checking filters 3. Link up to our Remote Settings infrastructure to push filters

  36. Implementing CRLite for Firefox Building the thing! 1. Create our aggregator to produce filters 2. Write the client-side code for checking filters 3. Link up to our Remote Settings infrastructure to push filters S unexpired, valid > 2B! R unexpired, revoked

  37. Implementing CRLite for Firefox Building the thing! 1. Create our aggregator to produce filters 2. Write the client-side code for checking filters 3. Link up to our Remote Settings infrastructure to push filters S unexpired, valid > 2B! “It’s hard, Thyla, just plain hard.” R unexpired, revoked

  38. Implementing CRLite for Firefox Building the thing! 1. Create our aggregator to produce filters single high-performance server, large disk Golang timeouts cache size? slow downs

  39. Implementing CRLite for Firefox Building the thing!

  40. Implementing CRLite for Firefox Building the thing! process CT logs create filters store publish

  41. Implementing CRLite for Firefox Building the thing! CPU usage of the Kubernetes cluster for filter generation, each peak is a generation run.

  42. Implementing CRLite for Firefox Building the thing! creating R & S cascaded filter generation Filter generation times (minutes)

  43. Implementing CRLite for Firefox Building the thing! 1. Create our aggregator to produce filters 2. Write the client-side code for checking filters 3. Link up to our Remote Settings infrastructure to push filters

  44. Implementing CRLite for Firefox Where are we now? 12-day period in December 289

  45. Implementing CRLite for Firefox Where are we now? median 125 ms 12-day period in December

  46. Implementing CRLite for Firefox Where are we now? A few technical caveats ● We don’t catch Let’s Encrypt entries in our filter -- currently don’t have a CRL, but this should change soon ● The client needs to check if using CRLite for revocation is possible -- if not, resort to OSCP ● So, we’re not fully fail-closed, yet PROTOTYPE!

  47. Implementing CRLite for Firefox Are we done yet?

  48. Implementing CRLite for Firefox Are we done yet? ● Deeper security questions and attack scenarios ○ stress testing, sizing, p values? ● Crypto agility ○ upgrade the hash functions? ● Architecture enhancements ● Performance enhancements ○ smaller delta sizes As robust as possible!

Recommend


More recommend