Security Protocols and Infrastructures. Winter Term 2015/2016

Transcription

1 Security Protocols and Infrastructures Winter Term 2015/2016 Nicolas Buchmann (Harald Baier) Chapter 9: Status Verification of Certificates

2 Contents Certificate Revocation Lists (CRL) Online Certificate Status Protocol (OCSP) Buchmann (Baier) Security Protocols and Infrastructures h_da, Winter Term 2015/2016 2

3 Boundary Conditions of Status Information Validity information shall match the following properties: Availability: Everywhere and everytime Authenticity Up-to-date Verifiable efficiently Buchmann (Baier) Security Protocols and Infrastructures h_da, Winter Term 2015/2016 3

4 Contents Certificate Revocation Lists (CRL) Online Certificate Status Protocol (OCSP) Buchmann (Baier) Security Protocols and Infrastructures h_da, Winter Term 2015/2016 4

5 Foundations of a CRL Signed list of revoked certificats: Either signed by CA or a dedicated service REV Key Usage = crlsign Blacklist Issuance on a regular basis or on demand Off-line model to provide status information Format of CRL specified in X.509 standard: Current CRL version: X.509v2-CRL. But standardised in X.509v3. Buchmann (Baier) Security Protocols and Infrastructures h_da, Winter Term 2015/2016 5

6 Sperrlistentypen (Auswahl) Komplette Sperrlisten: Enthalten alle ungültigen Zertifikate der PKI. Verteilte Sperrlisten (Redirect CRLs): Segmentierung => Teilsperrlisten Angabe im X.509-Zertifikat, wo die zugehörige Teil-CRL zu finden ist (CRL Distribution Point, CDP). Typischerweise ist dies eine URL (z.b. WWW-Adresse). Delta Sperrlisten: Enthält nur die gesperrten Zertifikate seit Erstellung der letzten Sperrliste. Bisher kaum verbreitet. Buchmann (Baier) Security Protocols and Infrastructures h_da, Winter Term 2015/2016 6

7 Specification of an X.509 CRL Version 1 (1988) Version (0=v1, 1=v2) Signature Algorithm Issuer This update Next update (optional) CRLEntries (Serial numbers of of revoked certificates) Version 2 (1993) No additional CRL fields Version 3 (1997) Extensions: For For whole CRL CRL (CRL Extension) For For a dedicated certficate (CRL Entry Extension) Buchmann (Baier) Security Protocols and Infrastructures h_da, Winter Term 2015/2016 7

8 CRL extensions standardised in PKIX Authority Key Identifier: Unique identifier of a key used to verify a CRL signature. Issuer Alternative Name: Additional name of the issuer of a CRL. CRL Number: Unique serial number of a CRL. Delta CRL Indicator: Indicates if the CRL actually is a delta CRL. Issuing Distribution Point: Information where to download / access the CRL. Freshest CRL: If a complete CRL is presented, extension points to current delta CRL. Buchmann (Baier) Security Protocols and Infrastructures h_da, Winter Term 2015/2016 8

9 CRLEntry Fields: usercertificate: Serial number of certificate revocationdate: Time stamp of revocation CRLEntryExtensions: Optional extensions CRLEntryExtensions (all flagged as non-critical): Reason Code: Reason of revocation Hold Instruction Code: Certificate temporarily revoked Invalidity Date: Time stamp of invalidity Certificate Issuer: Information about issuer Buchmann (Baier) Security Protocols and Infrastructures h_da, Winter Term 2015/2016 9

10 Revocation reasons according to PKIX CRLReason ::= ENUMERATED { unspecified (0), keycompromise (1), cacompromise (2), affiliationchanged (3), superseded (4), cessationofoperation (5), certificatehold (6), -- value 7 is not used removefromcrl (8), -- only for delta CRLs privilegewithdrawn (9), aacompromise (10) } Buchmann (Baier) Security Protocols and Infrastructures h_da, Winter Term 2015/

11 ASN.1 definition of a CRL CertificateList ::= SEQUENCE { tbscertlist TBSCertList, signaturealgorithm AlgorithmIdentifier, signaturevalue BIT STRING } TBSCertList ::= SEQUENCE { version Version OPTIONAL, -- if present, MUST be v2 signature AlgorithmIdentifier, issuer Name, thisupdate Time, nextupdate Time OPTIONAL, revokedcertificates SEQUENCE OF SEQUENCE { usercertificate CertificateSerialNumber, revocationdate Time, crlentryextensions Extensions OPTIONAL -- if present, MUST be v2 } OPTIONAL, crlextensions [0] EXPLICIT Extensions OPTIONAL -- if present, MUST be v2 } Buchmann (Baier) Security Protocols and Infrastructures h_da, Winter Term 2015/

12 Contents Certificate Revocation Lists (CRL) Online Certificate Status Protocol (OCSP) Buchmann (Baier) Security Protocols and Infrastructures h_da, Winter Term 2015/

13 Online / real time status information Common protocol: OCSP (Online Certificate Status Protocol) Client requests status information about a certificate at an OCSP responder OCSP response is signed Sample run: Outlook X Is Harald Baier's certificate valid? Trustcenter valid / invalid OCSP- Responder Buchmann (Baier) Security Protocols and Infrastructures h_da, Winter Term 2015/

14 OCSP RFC 2560 Client server architecture Clients: Requests of status of certificates to OCSP responder => OCSP request Online connection to the server OCSP responder: Answer is digitally signed => OCSP response Extended Key Usage in OCSP responder certificate: OCSPSigning Buchmann (Baier) Security Protocols and Infrastructures h_da, Winter Term 2015/

15 OCSP: Properties Three values of status given by OCSP responder: good Certificate is not revoked revoked Certificate is revoked unknown Certificate is not known to responder Signed response may be used as evidence. Validation of responder signature: Validity period of OCSP responder certificates is short. Status information on base of a CRL Buchmann (Baier) Security Protocols and Infrastructures h_da, Winter Term 2015/

16 ASN.1 definition of an OCSP request OCSPRequest ::= SEQUENCE { tbsrequest TBSRequest, optionalsignature [0] EXPLICIT Signature OPTIONAL } TBSRequest ::= SEQUENCE { version [0] EXPLICIT Version DEFAULT v1, requestorname [1] EXPLICIT GeneralName OPTIONAL, requestlist SEQUENCE OF Request, requestextensions [2] EXPLICIT Extensions OPTIONAL } Request ::= SEQUENCE { reqcert CertID, singlerequestextensions [0] EXPLICIT Extensions OPTIONAL } CertID ::= SEQUENCE { hashalgorithm AlgorithmIdentifier, issuernamehash OCTET STRING, -- Hash of Issuer's DN issuerkeyhash OCTET STRING, -- Hash of Issuers public key serialnumber CertificateSerialNumber } Buchmann (Baier) Security Protocols and Infrastructures h_da, Winter Term 2015/

17 ASN.1 definition of an OCSP response (1/2) BasicOCSPResponse ::= SEQUENCE { tbsresponsedata ResponseData, signaturealgorithm AlgorithmIdentifier, signature BIT STRING, certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL} ResponseData ::= SEQUENCE { version [0] EXPLICIT Version DEFAULT v1, responderid ResponderID, producedat GeneralizedTime, responses SEQUENCE OF SingleResponse, responseextensions [1] EXPLICIT Extensions OPTIONAL } Buchmann (Baier) Security Protocols and Infrastructures h_da, Winter Term 2015/

18 ASN.1 definition of an OCSP response (2/2) SingleResponse ::= SEQUENCE { certid CertID, certstatus CertStatus, thisupdate GeneralizedTime, nextupdate [0] EXPLICIT GeneralizedTime OPTIONAL, singleextensions [1] EXPLICIT Extensions OPTIONAL } CertStatus ::= CHOICE { good [0] IMPLICIT NULL, revoked [1] IMPLICIT RevokedInfo, unknown [2] IMPLICIT UnknownInfo } RevokedInfo ::= SEQUENCE { revocationtime generalizedtime, revocationreason [0] EXPLICIT CRLReason OPTIONAL } Buchmann (Baier) Security Protocols and Infrastructures h_da, Winter Term 2015/