Public Key Infrastructure: Towards a reliable revocation status checking method
Keith Vella
Royal Holloway, University of London
Weekend Conference 2013
Agenda
● About me
● Project approach
● Certificate status validation (CSV) methods
● What could go wrong?
● Criteria to evaluate CSV methods
● Revocation Status Discovery Protocol (RSDP)
● Next steps
● Project tips
Connecting the dots
● 1978: Born
● 1990: First computer in the house (386SX)
● 1991: Took dad’s computer apart
● 1994: Purchased own computer (486DX4)
● 1994: Became interested in networking (BBSs)
● 1995: Started using the Internet (dial-up)
● 1998: Started working in IT
● 2001: Branched off to information security
● 2003: Involved in the design and implementation of PKI-enabled secure messaging and a remote access solution
● 2007: Involved in a project that delivered a PKI to support services offered by the Government of Malta
● 2007: Proposed and developed an alternative certificate status validation (CSV) method
● 2013: Developed a set of criteria to evaluate CSV methods and proposed the Revocation Status Discovery Protocol (RSDP)
Project approach
● Identified a challenge in a context
● Looked at the project work as my contribution to help address the identified challenge
● Reviewed state of the practice/art
● Identified shortcomings/security weaknesses in existing methods
● Identified requirements for an alternative method
● Proposed an alternative method
Responding to security threats
[Diagram: security threats, security mechanisms and security services, linked by arrows labelled CURTAIL and PROVIDE. Example shown: digital signature; data origin authentication and data integrity; tampering (Alice, Mallory).]
Key exchange in public key crypto
[Diagram: Alice, Bob and Trent, with certificates.]
Card payment processing
[Diagram: issuing bank, card holder, merchant, acquiring bank; card.]
1 Request card
2 Issue card
3 Transact with merchant
4 Verify card status
PKI Participants
[Diagram: issuing CA, subscriber, relying party, relying party CA; certificate.]
1 Request certificate
2 Issue certificate
3 Transact with relying party
4 Verify certificate status
Typical scenario
[Diagram labels: issuing bank, card holder, merchant, acquiring bank; relying party, subscriber, issuing CA, relying party CA.]
1 Entity authentication
2 Validate certificate
3 Submit payment info
4 Request authorisation
5 Fund transfer
Digital certificate (X.509)
Standard guarantee offered by a certificate: “This certificate is good until the expiration date. Unless, of course, you hear that it has been revoked”. (Rivest)
Certificate validation
● Certificate discovery: collect issuing CA certificate and all CA certificates up to the root and carry out expiry check
● Path validation: verify digital signatures one by one up to the root
● Revocation checking:
  ○ Periodic publication mechanisms (e.g. CRL)
  ○ Online query mechanisms (e.g. OCSP)
Example
[Screenshots: pointers to revocation status service, for the CRL method and the OCSP method.]
CRL check
[Screenshots: certificate and CRL.]
OCSP check
Request
OCSP Request Data:
    Version: 1 (0x0)
    Requestor List:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: 39AF18B41C021F39109656FDC6D358EF74858B99
          Issuer Key Hash: 4E43C81D76EF37537A4FF2586F94F338E2D5BDDF
          Serial Number: 77085914F9CB7A7FC924B84F755708CB
    Request Extensions:
        OCSP Nonce:
            041075DD789343AFE0484E4D24B4329D6BF4
Response
WARNING: no nonce in response
Response verify OK
test-sspev.verisign.com: revoked
    This Update: Jul 11 08:21:17 2013 GMT
    Next Update: Oct 5 10:04:24 2013 GMT
    Reason: unspecified
    Revocation Time: Oct 30 22:20:23 2012 GMT
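Added example (not part of the original slides): a relying-party acceptance check run over the response text shown on the OCSP check slide, covering the missing nonce echo and the age of the response. The function names and the 7-day max_age policy are assumptions chosen for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Response text as shown on the "OCSP check" slide.
RESPONSE = """\
WARNING: no nonce in response
Response verify OK
test-sspev.verisign.com: revoked
    This Update: Jul 11 08:21:17 2013 GMT
    Next Update: Oct 5 10:04:24 2013 GMT
    Reason: unspecified
    Revocation Time: Oct 30 22:20:23 2012 GMT
"""

def _when(label, text):
    m = re.search(rf"{label}: (.+) GMT", text)
    return m and datetime.strptime(m.group(1), "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)

def parse(text):
    status = re.search(r"^\S+: (good|revoked|unknown)\s*$", text, re.M)
    return {
        "verified": "Response verify OK" in text,
        "nonce_echoed": "no nonce in response" not in text,
        "status": status.group(1) if status else None,
        "this_update": _when("This Update", text),
        "next_update": _when("Next Update", text),
    }

def assess(resp, now, sent_nonce=True, max_age=timedelta(days=7)):
    """Reasons not to rely on this response; an empty list means accept."""
    problems = []
    if not resp["verified"]:
        problems.append("signature not verified")
    if resp["status"] not in ("good", "revoked"):
        problems.append("no definitive status")  # fail closed on unknown/error
    if sent_nonce and not resp["nonce_echoed"]:
        problems.append("nonce not echoed: response may be pre-produced or replayed")
    tu, nu = resp["this_update"], resp["next_update"]
    if tu is None or now < tu:
        problems.append("thisUpdate missing or in the future")
    elif now - tu > max_age:
        problems.append(f"response is {(now - tu).days} days old")
    if nu is not None and now > nu:
        problems.append("past nextUpdate")
    return problems

def replay_window_days(resp):
    """Days during which this same signed response stays inside its own validity."""
    return (resp["next_update"] - resp["this_update"]).days
```

For the response on the slide, replay_window_days gives 86: without a nonce echo, the same signed answer verifies unchanged for that whole period, so the freshness policy is the only remaining control.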
What could go wrong?
Main issues:
CRL
● Can easily become large and unwieldy
● Timeliness (delay until next update)
● Scalability (self-inflicted DDoS)
OCSP
● Ambiguous answer (good|revoked|unknown)
● Only definitive answers are digitally signed
● Optional protection against replay attacks
Lightweight OCSP
● Pre-produced responses
● Only definitive answers are digitally signed
● No protection against replay attacks
Internet browser statistics
[Chart. Labels: default setting; proprietary method (not online).]
Alternative method (naïve)
[Diagram: relying party; certificate status service (DNS).]
1 Extract serial number
2 Send status request
3 Lookup pre-produced response
4 Send response to requester
5 Verify signature
6 Read status in response
Security service/s
● Data origin authentication
● Data integrity
Criteria to evaluate CSV methods
Design
● Simplicity
● Uniqueness of target certificate identifier
● Unambiguity of certificate status information
● Completeness
● Extensibility
Performance
● Status accuracy
● Scalability
● Size of request
● Size of response
● Demand smoothness
Security
● Protection against impersonation attacks
● Protection against manipulation
● Protection against replay attacks
● Protection against sniffing
● Auditability
Revocation Status Discovery Protocol (RSDP)
[Diagram: relying party; certificate status service (TLS).]
1 Compute certificate identifier (fingerprint)
2 Construct URL (using fingerprint)
3 Establish TLS connection with responder
4 Send status request
5 Lookup pre-produced response
6 Send response to requester
7 Verify signature
8 Read status in response
Security service/s
● Entity authentication
● Confidentiality
● Data origin authentication
● Data integrity
Next steps
● Alternative evaluation
● Peer/Expert review
● Practical implementation
● Standardisation
Recap
● Highlighted the need to validate certificate status
● Looked at 2 standard and 1 proprietary certificate status validation (CSV) methods
● Reviewed challenges in the use of CSV methods
● Introduced evaluation criteria for CSV methods
● Looked at the proposed Revocation Status Discovery Protocol (RSDP)
Project tips
● Get started as early as you can
● Choice of optional modules is key
● Use your project supervisor wisely
● Make use of resources/subscriptions provided
● Focus on analysis rather than implementation
● Use reference management software
Further reading
Books/Papers
● Adams, C. and S. Lloyd, Understanding PKI: concepts, standards, and deployment considerations
● Georgiev, M., et al., The most dangerous code in the world: validating SSL certificates in non-browser software
● Gutmann, P., Engineering security
● Kohnfelder, L. M., Towards a practical public-key cryptosystem
● Marlinspike, M., Defeating OCSP With The Character '3'
● VeriSign Inc., VeriSign update on certificate revocation list expiration
Standards
● CRL method - X.509, RFC 5280
● OCSP method - RFC 2560
● Lightweight OCSP - RFC 5019