Public Key Infrastructure Towards a reliable revocation status checking method Royal Holloway, University of London Keith Vella Licari Weekend Conference 2013 keith@vellalicari.com
Agenda ● About me ● Project approach ● Certificate status validation (CSV) methods ● What could go wrong? ● Criteria to evaluate CSV methods ● Revocation Status Discovery Protocol (RSDP) ● Next steps ● Project tips
Connecting the dots ● 1978: Born ● 1990: First computer in the house (386SX) ● 1991: Took dad’s computer apart ● 1994: Purchased own computer (486DX4) ● 1994: Became interested in networking (BBSs) ● 1995: Started using the Internet (dial-up) ● 1998: Started working in IT ● 2001: Branched off to information security
Connecting the dots ● 2003: Involved in the design and implementation of PKI-enabled secure messaging and a remote access solution ● 2007: Involved in a project that delivered a PKI to support services offered by the Government of Malta ● 2007: Proposed and developed an alternative certificate status validation (CSV) method ● 2013: Developed a set of criteria to evaluate CSV methods and proposed the Revocation Status Discovery Protocol (RSDP)
Project approach ● Identified a challenge in a context ● Looked at the project work as my contribution to help address the identified challenge ● Reviewed state of the practice/art ● Identified shortcomings/security weaknesses in existing methods ● Identified requirements for an alternative method ● Proposed an alternative method
Responding to security threats Security threats Tampering CURTAIL Data origin authentication Security services Data integrity PROVIDE Security mechanisms Digital signature
Key exchange in public key crypto Alice Mallory Bob Trent Alice Bob Certificate Certificate
Card payment processing Acquiring Issuing bank bank 4 1 2 Card holder 3 Merchant Card 1 Request card 3 Transact with merchant 2 Issue card 4 Verify card status
PKI Participants Relying party Issuing CA CA 4 1 2 Subscriber 3 Relying party Certificate 1 Request certificate 3 Transact with relying party 2 Issue certificate 4 Verify certificate status
Typical scenario 5 Acquiring Issuing bank bank Relying party Issuing CA CA 4 2 3 Card holder Merchant Relying party Subscriber 1 1 Entity authentication 3 Submit payment info 5 Fund transfer 2 Validate certificate 4 Request authorisation
Digital certificate (X.509) Standard guarantee offered by a certificate: “This certificate is good until the expiration date. Unless, of course, you hear that it has been revoked”. (Rivest)
Certificate validation ● Certificate discovery: collect issuing CA certificate and all CA certificates up to the root and carry out expiry check ● Path validation: verify digital signatures one by one up to the root ● Revocation checking: ○ Periodic publication mechanisms (e.g. CRL) ○ Online query mechanisms (e.g. OCSP)
Example
Pointers to revocation status service CRL method OCSP method
CRL check Certificate CRL
OCSP check Request OCSP Request Data: Version: 1 (0x0) Requestor List: Certificate ID: Hash Algorithm: sha1 Issuer Name Hash: 39AF18B41C021F39109656FDC6D358EF74858B99 Issuer Key Hash: 4E43C81D76EF37537A4FF2586F94F338E2D5BDDF Serial Number: 77085914F9CB7A7FC924B84F755708CB Request Extensions: OCSP Nonce: 041075DD789343AFE0484E4D24B4329D6BF4 Response WARNING: no nonce in response Response verify OK test-sspev.verisign.com: revoked This Update: Jul 11 08:21:17 2013 GMT Next Update: Oct 5 10:04:24 2013 GMT Reason: unspecified Revocation Time: Oct 30 22:20:23 2012 GMT
What could go wrong? Main issues: CRL OCSP Lightweight OCSP Can easily become large Ambiguous answer Pre-produced responses and unwieldy (good|revoked|unknown) Timeliness (delay until next Only definitive answers are Only definitive answers are update) digitally signed digitally signed Scalability (self-inflicted Optional protection against No protection against DDoS) replay attacks replay attacks
Internet browser statistics
Default setting
Proprietary method (not online)
Alternative method (naïve) 2 Certificate Relying party status service 4 (DNS) 1 5 6 3 Security service/s 1 Extract serial number Data origin authentication Send status request 2 Data integrity Lookup pre-produced response 3 Send response to requester 4 5 Verify signature 6 Read status in response
Criteria to evaluate CSV methods Design Performance Security Simplicity Status accuracy Protection against impersonation attacks Uniqueness of target Scalability Protection against certificate identifier manipulation Unambiguity of certificate Size of request Protection against replay status information attacks Completeness Size of response Protection against sniffing Extensibility Demand smoothness Auditability
Revocation Status Discovery Protocol (RSDP) 3 Certificate Relying party 4 status service (TLS) 6 1 2 7 5 8 Security service/s 1 Compute certificate identifier (fingerprint) Entity authentication Construct URL (using fingerprint) 2 Confidentiality Establish TLS connection with responder 3 Data origin authentication Data integrity Send status request 4 5 Lookup pre-produced response 7 Verify signature 6 Send response to requester 8 Read status in response
Next steps ● Alternative evaluation ● Peer/Expert review ● Practical implementation ● Standardisation
Recap ● Highlighted the need to validate certificate status ● Looked at 2 standard and 1 proprietary certificate status validation (CSV) methods ● Reviewed challenges in the use of CSV methods ● Introduced evaluation criteria for CSV methods ● Looked at the proposed Revocation Status Discovery Protocol (RSDP)
Project tips ● Get started as early as you can ● Choice of optional modules is key ● Use your project supervisor wisely ● Make use of resources/subscriptions provided ● Focus on analysis rather than implementation ● Use reference management software
Further reading Books/Papers Adams, C. and S. Lloyd, Understanding PKI : concepts, standards, ● and deployment considerations Georgiev, M., et al.,, The most dangerous code in the world : ● validating SSL certificates in non-browser software Gutmann, P., Engineering security ● Kohnfelder, L. M., Towards a practical public-key cryptosystem ● ● Marlinspike, M., Defeating OCSP With The Character '3' VeriSign Inc., VeriSign update on certificate revocation list ● expiration Standards CRL method - X.509, RFC 5280 ● ● OCSP method - RFC 2560 Lightweight OCSP - RFC 5019 ●
Recommend
More recommend