Lecture 13: Public Key Certification and Revocation
Slides: sconce.ics.uci.edu/134-W18/slides/LEC13.pdf
Certification Tree / Hierarchy
Logical tree of CA-s
• root: PK_root
  • CA1: [PK_CA1]SK_root
    • CA2: [PK_CA2]SK_CA1
  • CA3: [PK_CA3]SK_root
    • CA4: [PK_CA4]SK_CA3
Hierarchical Public Key Infrastructure (PKI) Example
[Figure: hierarchical PKI; node labels UCI, UCSB, UCSD, UCR]
Hierarchical PKI Example
[Figure: hierarchical PKI; node label State Govt.]
Cross Certificate Based PKI Example
[Figure: cross-certified PKI; node labels UC System, UMass, UTexas]
Hybrid PKI Example
Note that there are no cross arrows down or up!
Certificate Paths
Derived from PKI
• Verifier must know public key of the first CA
• Other public keys are ‘discovered’ one by one
• All CAs on the path must be (implicitly) trusted by the verifier
X.509 Standard
• X.509v3 is the current version
• ITU standard
• ISO 9495-2 is the equivalent ISO standard
• Defines certificate format, not PKI
• Identity and attribute certificates
• Supports both hierarchical model and cross certificates
• End users cannot be CAs
X.509 Service
• Assumes a distributed set of servers maintaining a database about certificates
• Used in S/MIME, PEM, IPSec, SSL/TLS, SSH
• RSA, DSA, SHA, MD5 are the most commonly used algorithms
X.509 Certificate Format
• version
• serial number
• signature algorithm ID
• issuer name (X.500 Distinguished Name)
• validity period
• subject (user) name (X.500 Distinguished Name)
• subject public key information
• issuer unique identifier (version 2 and 3 only)
• subject unique identifier (version 2 and 3 only)
• extensions (version 3 only), e.g., revocation info
• signature on the above fields
A Sample X.509 Certificate
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 28 (0x1c)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=US, O=Globus, CN=Globus Certification Authority
        Validity
            Not Before: Apr 22 19:21:50 2010 GMT
            Not After : Apr 22 19:21:50 2020 GMT
        Subject: C=US, O=Globus, O=University of Southern California, \
                 ou=ISI, CN=bonair.isi.edu
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:bf:4c:9b:ae:51:e5:ad:ac:54:4f:12:52:3a:69:
                    <snip>
                    b4:e1:54:e7:87:57:b7:d0:61
                Exponent: 65537 (0x10001)
    Signature Algorithm: md5WithRSAEncryption
        59:86:6e:df:dd:94:5d:26:f5:23:c1:89:83:8e:3c:97:fc:d8:
        <snip>
Sample Certificates in Practice (1/3 to 3/3)
[Figures on slides 1/3 and 2/3; slide 3/3 shows a base-64 encoded certificate]
Certificates in Practice
• X.509 certificate format is defined in Abstract Syntax Notation 1 (ASN.1)
• ASN.1 structure is encoded using the Distinguished Encoding Rules (DER)
• A DER-encoded binary string is typically base-64 encoded to get an ASCII representation (previous slide)
Certificate Revocation Scenario
What if:
• Bob’s CA goes berserk?
• Bob forgets his private key?
• Someone steals Bob’s private key?
• Bob loses his private key?
• Bob willingly discloses his private key?
Then:
• Eve can decrypt/sign while Bob’s certificate is still valid ...
• Bob reports key loss to CA (or CA finds out somehow)
• CA issues a Certificate Revocation List (CRL)
  • Distributed in public announcements
  • Published in public databases
• When verifying Bob’s signature or encrypting a message for Bob, Alice first checks if Bob’s certificate is still valid!
• IMPORTANT: what about signatures “Bob” generated before he realized his key is lost?
Certificate is a capability
• Certificate revocation needs to occur when:
  • certificate holder key compromise/loss
  • CA key compromise
  • end of contract (e.g., certificates for employees)
• Certificate Revocation List (CRL) lists certificates that have been revoked but have not yet naturally expired
• CRL reissued periodically, even if no activity!
• More on revocation later …
Requirements for Revocation
• Timeliness
  • Before using a certificate, must check most recent revocation status
• Efficiency
  • Computation
  • Bandwidth and Storage
• Availability
• Security
Types of Revocation
• Implicit
  • Each certificate is periodically (re-)issued
  • Alice has a fresh certificate ➔ Alice not revoked
  • No need to distribute/publish revocation info
• Explicit
  • Only revoked certificates are periodically announced
  • Alice’s certificate not listed among the revoked ➔ Alice not revoked
  • Need to distribute/publish revocation info
Revocation Methods
• CRL - Certificate Revocation List
  • CRL-DP, indirect CRL, dynamic CRL-DP,
  • Delta-CRL, windowed CRL, etc.
• Certificate Revocation Tree (CRT) and other Authenticated Data Structures
• OCSP – On-line Certificate Status Protocol
• CRS - Certificate Revocation System
Certificate Revocation List (CRL)
• Off-line mechanism
• CRL = list of revoked certificates (e.g., SNs) signed by a revocation authority (RA)
• RA not always CA that issued the revoked PKC
• Periodically issued: daily, weekly, monthly, etc.
Pros & Cons of CRLs
• Pros
  • Simple
  • Does not need secure channels for CRL distribution
• Cons
  • Timeliness: “window of vulnerability”
  • CRLs can be huge
  • How to distribute CRLs reliably?
X.509 CRL Format
[Figure: X.509 CRL format]
PKI and Revocation
• On January 29 and 30, 2001, VeriSign, Inc. issued two certificates for Authenticode Signing to an individual fraudulently claiming to be an employee of Microsoft Corporation.
• Any code signed by these certificates appears to be legitimately signed by Microsoft.
• Users who try to run code signed with these certificates will generally be presented with a warning dialog, but who wouldn't trust a valid certificate issued by VeriSign, and claimed to be for Microsoft?
• Certificates were very soon placed in a CRL, but:
  • code that checks signatures for ActiveX controls, Office Macros, and so on, didn't do any CRL processing.
• According to Microsoft:
  • since the certificates don't include a CRL Distribution Point (DP), it's impossible to find and use the CRL!
Certificate Revocation Tree (CRT)
• Proposed by P. Kocher (1998)
• Based on hash trees
  • Hash trees first proposed by R. Merkle in another context in 1979 (one-time signatures)
  • Improvement to Lamport-Diffie one time signature (OTS) scheme
  • Based on the following idea:
    • A wants to sign (in the future) 1 bit of information
    • A gives B the image Y produced as Y=F(X)
    • To sign, A reveals the pre-image: X
    • B checks that: Y=F(X)
Merkle Hash Trees: I
• Authenticate a sequence of data values D_0, D_1, …, D_N
• Construct binary tree over data values

                  T_0
          T_1             T_2
      T_3     T_4     T_5     T_6
    D_0 D_1 D_2 D_3 D_4 D_5 D_6 D_7
Merkle Hash Trees: II
• Verifier knows T_0
• How can verifier authenticate tree leaf D_i ?
• Solution: re-compute T_0 using D_i
• Example: to authenticate D_2, send D_2 and co-path=[D_3, T_3, T_2]
• Verify T_0 = H( H( T_3 || H( D_2 || D_3 )) || T_2 )

                  T_0
          T_1             T_2
      T_3     T_4     T_5     T_6
    D_0 D_1 D_2 D_3 D_4 D_5 D_6 D_7
CRT Contd.
• Express ranges of SN of PKC’s as tree leaf labels:
  • E.g., (5--12) means: 5 and 12 are revoked, the others larger than 5 and smaller than 12 are okay
  • Place the hash of the range in the leaf
• Response includes the corresponding tree leaf, the necessary hash values along the path to the root, the signed root
• The CA periodically updates the structure and distributes to untrusted servers called Confirmation Issuers
Example of CRT
[Figure: binary hash tree. The leaves N_{0,0} … N_{0,7} are the hashes of the eight ranges below; each internal node N_{1,0} … N_{1,3}, N_{2,0}, N_{2,1} is the HASH of its two children; the root N_{3,0} is signed.]
• (-∞ to 7)
• (7 to 23)
• (23 to 27)
• (27 to 37)
• (37 to 49)
• (49 to 54)
• (54 to 88)
• (88 to +∞)
query: Is 67 revoked?
Characteristics of CRT
• Each response represents a proof
• Length of proof is: O(log n)
  • Much shorter than CRL which is O(n)
  • Where n is # of revoked certificates
• Only one “real” signature for tree root (can be done off-line)
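The co-path check from the Merkle Hash Trees slides combined with the CRT range lookup, run on the example tree's eight ranges and the query for serial 67. This is an added Python example, not part of the original slides: the SHA-256 leaf/node encoding, the odd-level padding and all function names are assumptions, and the CA's signature over the root is assumed to have been verified separately.

```python
import hashlib

NEG_INF, POS_INF = float("-inf"), float("inf")
# Constructed sample: the revoked serial numbers behind the slide's eight ranges.
SAMPLE_REVOKED = [7, 23, 27, 37, 49, 54, 88]

def leaf_hash(lo, hi):
    # 0x00 / 0x01 prefixes keep a leaf from being reinterpreted as an inner node.
    return hashlib.sha256(b"\x00" + f"{lo}|{hi}".encode()).digest()

def node_hash(left, right):
    return hashlib.sha256(b"\x01" + left + right).digest()

def build_ranges(revoked):
    """Turn revoked serials into adjacent leaf ranges (-inf..s1), (s1..s2), ..."""
    points = [NEG_INF] + sorted(revoked) + [POS_INF]
    return list(zip(points, points[1:]))

def build_levels(ranges):
    """CA side: return every tree level, leaves first, root last."""
    level = [leaf_hash(lo, hi) for lo, hi in ranges]
    levels = [level]
    while len(level) > 1:
        if len(level) % 2:          # assumption: pad odd levels by repeating the last node
            level.append(level[-1])
        level = [node_hash(level[i], level[i + 1]) for i in range(0, len(level), 2)]
        levels.append(level)
    return levels

def prove(ranges, levels, serial):
    """Confirmation Issuer side: the covering leaf plus its co-path (O(log n) hashes)."""
    leaf_idx = next(i for i, (lo, hi) in enumerate(ranges) if lo <= serial <= hi)
    idx, co_path = leaf_idx, []
    for level in levels[:-1]:
        sibling = idx ^ 1
        co_path.append((level[sibling], sibling < idx))   # (hash, sibling is on the left)
        idx //= 2
    return ranges[leaf_idx], co_path

def check(serial, leaf_range, co_path, trusted_root):
    """Verifier side: recompute the root from the leaf, then read the status off the range."""
    lo, hi = leaf_range
    if not lo <= serial <= hi:
        raise ValueError("leaf range does not cover the queried serial number")
    h = leaf_hash(lo, hi)
    for sibling, sibling_is_left in co_path:
        h = node_hash(sibling, h) if sibling_is_left else node_hash(h, sibling)
    if h != trusted_root:
        raise ValueError("proof does not hash to the signed root")
    # Endpoints of a range are revoked serials; everything strictly inside is good.
    return "revoked" if serial in (lo, hi) else "good"

def demo():
    ranges = build_ranges(SAMPLE_REVOKED)
    levels = build_levels(ranges)
    root = levels[-1][0]            # assumed: CA signature over this root already verified
    results = {}
    for serial in (67, 88):
        leaf, co_path = prove(ranges, levels, serial)
        results[serial] = (leaf, len(co_path), check(serial, leaf, co_path, root))
    return results

if __name__ == "__main__":
    print(demo())
```

Because the verifier recomputes the root itself, an untrusted Confirmation Issuer cannot substitute a leaf range that is not in the CA's tree: the recomputed hash no longer matches the signed root.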
Explicit Revocation: OCSP
• OCSP = On-line Certificate Status Protocol (RFC 2560) - June 1999
• In place of, or as a supplement to, checking CRLs
• Obtain instantaneous status of a PKC
• OCSP may be used in sensitive, volatile settings, e.g., stock trades, electronic funds transfer, military
OCSP Players
[Figure: message flow among Alice, Bob, the CA and the OCSP responder]
1. Cert request
2.
3. Transaction + request
4. OCSP request
5. OCSP response / Error message
6. Transaction response
OCSP Definitive Response
• All definitive responses have to be signed:
  • either by issuing CA
  • or by a Trusted Responder (OCSP client trusts the TR’s PKC)
  • or by a CA Authorized Responder which has a special PKC (issued by the CA) saying that it can issue OCSP responses on CA’s behalf
Responses for Each Certificate
• Response format:
  • target PKC SN
  • PKC status:
    • good - positive answer
    • revoked - permanently/temporarily (on-hold)
    • unknown - responder doesn’t know about the certificate being requested
  • response validity interval
  • optional extensions
Special Timing Fields
• A response contains three timestamps:
  • thisUpdate - time at which the status being indicated is known to be correct
  • nextUpdate - time at or before which newer information will be available
  • producedAt - time at which the OCSP responder signed this response. Useful for response pre-production
Security Considerations
• On-line method
• DoS vulnerability
  • flood of queries + generating signatures!
  • unsigned responses → false responses
  • pre-computing responses offers some protection against DoS, but…
• Pre-computing responses allows replay attacks (since no nonce included)
  • but OCSP signing key can be kept off-line
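The client-side checks implied by the timing fields and by the replay remark above, as an added Python example that is not part of the original slides. The dictionary layout, the five-minute clock skew, the function names and the sample response are constructed for illustration, and the responder's signature is assumed to have been verified before these checks run.

```python
from datetime import datetime, timedelta, timezone

CLOCK_SKEW = timedelta(minutes=5)   # assumed tolerance, not taken from the slides

def accept_ocsp(resp, now, serial, sent_nonce=None):
    """Decide whether an already signature-checked OCSP response is usable at `now`.

    Returns (accepted, detail). Only timing and replay checks are done here.
    """
    if resp["serial"] != serial:
        return False, "response is for a different certificate"
    if resp["thisUpdate"] > now + CLOCK_SKEW:
        return False, "thisUpdate is in the future"
    if resp["nextUpdate"] < now - CLOCK_SKEW:
        return False, "stale: nextUpdate has passed"
    # A pre-produced response cannot echo a per-request nonce, so a client that
    # sends one and insists on it back rejects both pre-production and replay.
    if sent_nonce is not None and resp.get("nonce") != sent_nonce:
        return False, "nonce missing or mismatched"
    if resp["status"] != "good":
        return False, resp["status"]
    return True, "good"

# Constructed sample: a response pre-produced at T0 and valid for 24 hours.
T0 = datetime(2018, 3, 1, tzinfo=timezone.utc)
PREPRODUCED = {
    "serial": 28, "status": "good",
    "thisUpdate": T0, "producedAt": T0, "nextUpdate": T0 + timedelta(hours=24),
}

def replay_window_demo():
    """Suppose certificate 28 is revoked at T0+6h and the old response is replayed."""
    at_noon = T0 + timedelta(hours=12)
    next_day = T0 + timedelta(hours=25)
    return [
        accept_ocsp(PREPRODUCED, at_noon, 28),                      # inside the window
        accept_ocsp(PREPRODUCED, at_noon, 28, sent_nonce=b"c1f3"),  # nonce required
        accept_ocsp(PREPRODUCED, next_day, 28),                     # past nextUpdate
    ]

if __name__ == "__main__":
    for outcome in replay_window_demo():
        print(outcome)
```

The first outcome is the window of vulnerability: without a nonce, the old "good" answer is accepted until nextUpdate, so the responder's update interval bounds how long a revoked certificate can still pass.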
Open Questions
• Consistency between CRL and OCSP responses
  • It is possible to have a certificate with two different statuses.
• If OCSP is more timely and provides the same information as CRLs, do we still need CRLs?
• Which method should come first - OCSP or CRL?
Implicit Revocation: Certificate Revocation System (CRS)
• Proposed by Micali (1996)
• Aims to improve CRL communication costs
• Basic idea: CA periodically refreshes valid certificates
• Uses off-line/on-line signature scheme to reduce update cost
One-Way Hash Chains
• Versatile cryptographic primitive
• Construction:
  1. Pick random Y_N and public hash function H()
  2. Compute all values Y_{N-1}, …, Y_0 such that Y_{i-1} = H(Y_i)
  3. Secret ROOT = Y_N, public ANCHOR = Y_0
• Properties:
  1. Use in reverse order of construction: Y_0, Y_1, …, Y_N
  2. Hard to compute Y_i from Y_j (if j<i), easy to compute Y_j from Y_i
     • For example: easy to compute Y_1 from Y_2 since Y_1 = H(Y_2)
     • But, infeasible to compute Y_2 from Y_1
  3. Verifier can efficiently authenticate Y_j knowing Y_i (j<i): by verifying whether Y_j = H^{i-j}(Y_i) = H(H(…H(Y_i)...))
  4. This method is robust to missing values

    Y_0 <-H- Y_1 <-H- Y_2 <-H- … <-H- Y_{N-1} <-H- Y_N
CRS: Creation of a Certificate
• Two new parameters in PKC: Y_0 and N_0
    Y_0 = H^{MAX}(Y_{MAX})    (Y_0 is the ANCHOR, Y_{MAX} is the ROOT)
    N_0 = H(N_1)
• [Y_0, N_0] -- per-PKC secrets stored by CA
• H() -- public one-way function, e.g., SHA-2
CRS Example: Certificate issued for a year, refreshed daily
[Figure: the CA sends a daily update UPD_i for each certificate to the Public Directory; the Verifier (Bob) asks the directory “Q: Is Alice’s cert valid?” and receives “A: UPD_i”]
- If Alice’s certificate is valid:
  • UPD_i = Y_i and
  • Y_0 = H^i(Y_i) ← verifier can easily check this
  • Also, note that: Y_i = H^{MAX-i}(Y_{MAX})
- If her certificate is revoked, UPD_i = N_1
- Y_0 and N_0 are distinct for each certificate
NOTE: i=0 at issuance date
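The CRS issuance, daily update and verifier check described on the last three slides, as an added Python example that is not part of the original slides. SHA-256 as H(), MAX = 365, the class and function names and the dictionary standing in for the signed certificate are assumptions; the CA's signature over the certificate (which carries Y_0 and N_0) is not modelled.

```python
import hashlib
import os

MAX = 365   # certificate issued for a year, refreshed daily

def H(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()

def H_pow(x: bytes, n: int) -> bytes:
    """Apply H() n times: H^n(x)."""
    for _ in range(n):
        x = H(x)
    return x

class CA:
    def __init__(self):
        self._state = {}   # serial -> [Y_MAX, N_1, revoked?]; kept by the CA

    def issue(self, serial):
        y_max, n_1 = os.urandom(32), os.urandom(32)
        self._state[serial] = [y_max, n_1, False]
        # Y_0 and N_0 are the two extra fields placed in the certificate.
        return {"serial": serial, "Y0": H_pow(y_max, MAX), "N0": H(n_1)}

    def revoke(self, serial):
        self._state[serial][2] = True

    def daily_update(self, serial, day):
        """UPD_i published to the directory: Y_i if valid, N_1 if revoked."""
        y_max, n_1, revoked = self._state[serial]
        return n_1 if revoked else H_pow(y_max, MAX - day)

def verify_status(cert, upd, day, cached=None):
    """Verifier (Bob): classify UPD_i for day i using only public values.

    `cached` is an optional (j, Y_j) pair that Bob verified on an earlier day j;
    hashing back to it costs i-j steps instead of i and tolerates missed days.
    """
    if H(upd) == cert["N0"]:
        return "revoked"
    anchor_day, anchor = cached if cached is not None else (0, cert["Y0"])
    if anchor_day <= day and H_pow(upd, day - anchor_day) == anchor:
        return "valid"
    return "invalid"       # stale or forged token

def demo():
    ca = CA()
    cert = ca.issue(serial=28)                  # constructed sample serial
    upd10 = ca.daily_update(28, 10)
    upd12 = ca.daily_update(28, 12)             # day 11 was never fetched
    statuses = [
        verify_status(cert, upd10, 10),                       # today's token
        verify_status(cert, upd10, 11),                       # yesterday's token reused
        verify_status(cert, upd12, 12, cached=(10, upd10)),   # skip a day, use cache
    ]
    ca.revoke(28)
    statuses.append(verify_status(cert, ca.daily_update(28, 13), 13))
    return statuses

if __name__ == "__main__":
    print(demo())
```

A token from day 10 fails on day 11 because H^11(Y_10) is not Y_0, which is how a certificate holder is prevented from presenting an old proof of validity after revocation.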