Public Key InfrastructureTowards a reliable revocation status

checking method

Keith Vella Licarikeith@vellalicari.com

Royal Holloway, University of LondonWeekend Conference 2013

Agenda

● About me● Project approach● Certificate status validation (CSV) methods● What could go wrong?● Criteria to evaluate CSV methods● Revocation Status Discovery Protocol (RSDP)● Next steps● Project tips

Connecting the dots

● 1978: Born● 1990: First computer in the house (386SX)● 1991: Took dad’s computer apart● 1994: Purchased own computer (486DX4)● 1994: Became interested in networking (BBSs)● 1995: Started using the Internet (dial-up)● 1998: Started working in IT● 2001: Branched off to information security

Connecting the dots

● 2003: Involved in the design and implementation of PKI-enabled secure messaging and a remote access solution

● 2007: Involved in a project that delivered a PKI to support services offered by the Government of Malta

● 2007: Proposed and developed an alternative certificate status validation (CSV) method

● 2013: Developed a set of criteria to evaluate CSV methods and proposed the Revocation Status Discovery Protocol (RSDP)

Project approach

● Identified a challenge in a context● Looked at the project work as my contribution to

help address the identified challenge● Reviewed state of the practice/art● Identified shortcomings/security weaknesses in

existing methods● Identified requirements for an alternative method● Proposed an alternative method

Responding to security threats

Security threats

Security mechanisms

CURTAIL

Security services

PROVIDE

Digital signature

Data origin authenticationData integrity

Tampering

Alice Mallory

Key exchange in public key crypto

Bob

Alice

Trent

Bob

Certificate Certificate

Issuing bank

Card holder Merchant

Card payment processing

Card

1 2

3

4

1 Request card

2 Issue card

3 Transact with merchant

4 Verify card status

Acquiring bank

PKI Participants

Issuing CA

Relying partySubscriber

Relying party CA

Certificate

1 2

3

4

1 Request certificate

2 Issue certificate

3 Transact with relying party

4 Verify certificate status

5 Fund transfer

Typical scenario

3

5Issuing bank

Card holder Merchant

Acquiring bank

Relying party Subscriber

Issuing CA Relying party CA

2

1

4

1 Entity authentication

2 Validate certificate

3 Submit payment info

4 Request authorisation

Digital certificate (X.509)

Standard guarantee offered by a certificate: “This certificate is good until the expiration date. Unless, of course, you hear that it has been revoked”. (Rivest)

Certificate validation

● Certificate discovery: collect issuing CA certificate and all CA certificates up to the root and carry out expiry check

● Path validation: verify digital signatures one by one up to the root

● Revocation checking:○ Periodic publication mechanisms (e.g. CRL)○ Online query mechanisms (e.g. OCSP)

Example

Pointers to revocation status service

CRL method OCSP method

CRL check

Certificate CRL

OCSP check

RequestOCSP Request Data: Version: 1 (0x0) Requestor List: Certificate ID: Hash Algorithm: sha1 Issuer Name Hash: 39AF18B41C021F39109656FDC6D358EF74858B99 Issuer Key Hash: 4E43C81D76EF37537A4FF2586F94F338E2D5BDDF Serial Number: 77085914F9CB7A7FC924B84F755708CB Request Extensions: OCSP Nonce: 041075DD789343AFE0484E4D24B4329D6BF4

ResponseWARNING: no nonce in responseResponse verify OKtest-sspev.verisign.com: revoked This Update: Jul 11 08:21:17 2013 GMT Next Update: Oct 5 10:04:24 2013 GMT Reason: unspecified Revocation Time: Oct 30 22:20:23 2012 GMT

What could go wrong?

Main issues:

CRL OCSP Lightweight OCSP

Can easily become large and unwieldy

Ambiguous answer (good|revoked|unknown)

Pre-produced responses

Timeliness (delay until next update)

Only definitive answers are digitally signed

Only definitive answers are digitally signed

Scalability (self-inflicted DDoS)

Optional protection against replay attacks

No protection against replay attacks

Internet browser statistics

Default setting

Proprietary method (not online)

Alternative method (naïve)

1

Relying partyCertificate

status service(DNS)

2

5

1 Extract serial number

2 Send status request

3 Lookup pre-produced response

4 Send response to requester

Security service/s

Data origin authentication

Data integrity

4

3

5 Verify signature

6 Read status in response

6

Criteria to evaluate CSV methods

Design Performance Security

Simplicity Status accuracy Protection against impersonation attacks

Uniqueness of target certificate identifier

Scalability Protection against manipulation

Unambiguity of certificate status information

Size of request Protection against replay attacks

Completeness Size of response Protection against sniffing

Extensibility Demand smoothness Auditability

Revocation Status Discovery Protocol (RSDP)

1

Relying partyCertificate

status service(TLS)

3

2

1 Compute certificate identifier (fingerprint)

2 Construct URL (using fingerprint)

3 Establish TLS connection with responder

4 Send status request

Security service/s

Entity authentication

Confidentiality

Data origin authentication

Data integrity

6

5

5 Lookup pre-produced response

6 Send response to requester

4

7 Verify signature

8 Read status in response

8

7

Next steps

● Alternative evaluation

● Peer/Expert review

● Practical implementation

● Standardisation

Recap

● Highlighted the need to validate certificate status

● Looked at 2 standard and 1 proprietary certificate status validation (CSV) methods

● Reviewed challenges in the use of CSV methods

● Introduced evaluation criteria for CSV methods

● Looked at the proposed Revocation Status Discovery Protocol (RSDP)

Project tips

● Get started as early as you can● Choice of optional modules is key● Use your project supervisor wisely● Make use of resources/subscriptions provided● Focus on analysis rather than implementation● Use reference management software

Further reading

Books/Papers

● Adams, C. and S. Lloyd, Understanding PKI : concepts, standards, and deployment considerations

● Georgiev, M., et al.,, The most dangerous code in the world : validating SSL certificates in non-browser software

● Gutmann, P., Engineering security● Kohnfelder, L. M., Towards a practical public-key cryptosystem● Marlinspike, M., Defeating OCSP With The Character '3'● VeriSign Inc., VeriSign update on certificate revocation list

expiration

Standards

● CRL method - X.509, RFC 5280● OCSP method - RFC 2560● Lightweight OCSP - RFC 5019