Re: [pkix] Proposal for OCSP vulnerability
"Dr. Massimiliano Pala" <massimiliano.pala@gmail.com> Tue, 11 November 2014 02:36 UTC
Return-Path: <massimiliano.pala@gmail.com>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 880F11AD481 for <pkix@ietfa.amsl.com>; Mon, 10 Nov 2014 18:36:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.989
X-Spam-Level:
X-Spam-Status: No, score=-1.989 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001, T_HK_NAME_FM_DR=0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hzJr20cmOp2L for <pkix@ietfa.amsl.com>; Mon, 10 Nov 2014 18:36:13 -0800 (PST)
Received: from mail-wi0-x234.google.com (mail-wi0-x234.google.com [IPv6:2a00:1450:400c:c05::234]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 804761AD47B for <pkix@ietf.org>; Mon, 10 Nov 2014 18:36:12 -0800 (PST)
Received: by mail-wi0-f180.google.com with SMTP id hi2so295588wib.1 for <pkix@ietf.org>; Mon, 10 Nov 2014 18:36:11 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:subject:references :in-reply-to:content-type; bh=urVakJZ8KqIKjkNU/3M9wc77KirrJ8pyXpeEtdF9DZE=; b=gMKFYVdDBVZWxAJQRwgdwW2A+otPncmDlqohebJkjruMCeaO24U610cCd2FbO3o7SU 6WL2phm8Xkh4H6F+I7j+VeFnz1sZqVvcr6VFkl/d3Aib4RFSis2noC77TRkSIYURhwL3 HUTeXSWiR9JhxtuTNJxkOsHx9M79NMvk0JyCnEBknC3Zs3XEU2psxtGnkK3B2SljcrLg omKwXYQhzdEVZFwP8fnuVA/9LC84dhQz0cz0wo4fub6nujNBcijtkuL4wJv8g8MUyHGb Rwc5/dZcAtNvthLRt8L9pxF70uESPeUs7wyXOD8R7wacBBufO5R1aRl2vHgc0gcOmRqc YDjg==
X-Received: by 10.180.104.2 with SMTP id ga2mr36575552wib.64.1415673371305; Mon, 10 Nov 2014 18:36:11 -0800 (PST)
Received: from iMassi.local ([2001:67c:1231:998:2daf:6f04:992b:d693]) by mx.google.com with ESMTPSA id u8sm25411991wjq.1.2014.11.10.18.36.08 for <pkix@ietf.org> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Mon, 10 Nov 2014 18:36:10 -0800 (PST)
Message-ID: <54617616.1070103@gmail.com>
Date: Mon, 10 Nov 2014 16:36:06 -1000
From: "Dr. Massimiliano Pala" <massimiliano.pala@gmail.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:24.0) Gecko/20100101 Thunderbird/24.6.0
MIME-Version: 1.0
To: pkix@ietf.org
References: <CAMAj_wHT+CDG9kygaO5CR_4E97B9ETFD1T7rW3n7VCh3FpCcTQ@mail.gmail.com>
In-Reply-To: <CAMAj_wHT+CDG9kygaO5CR_4E97B9ETFD1T7rW3n7VCh3FpCcTQ@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------000003030905070701070709"
Archived-At: http://mailarchive.ietf.org/arch/msg/pkix/JHYsETzsG6MSLPyE1XIy7M-cRYg
Subject: Re: [pkix] Proposal for OCSP vulnerability
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pkix/>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 11 Nov 2014 02:36:15 -0000
Hi Koichi, all, Personally I do not consider this to be a real issue. Indeed, although it is true that there might be a lack of symmetry about signatures in requests and responses, most of today's OCSP responses are pre-computed and provided via CDNs. Also, other mechanisms are being deployed (OCSP stapling) that reduce the dependency over the OCSP server. Additionally, other proposals exists that would provide OCSP over other transport mechanisms (like DNS). Just my 2 cents... Cheers, Max On 11/4/14, 12:08 AM, Koichi Sugimoto wrote: > Hello. > > I am considering about vulnerability of OCSP. > Do you have any ideas for the following? > > > Introduction: > > OCSP is a vulnerable protocol because client can send OCSP request > WITHOUT digital signature, on the other hand, server has to send back > the corresponding response WITH digital signature. > OCSP server has to generate digital signature every time creating OCSP > response if OCSP caching scheme cannot be applicable. > This kind of biased processing between client and server would make > server load becomes high, it makes easy for attacker to force OCSP > server down as DOS. > Indeed OCSP caching described in RFC 5019 can reduce the load of OCSP > server, but, OCSP responses for non-issued certificates cannot be > cached, if the attacker generates random serial number and put it in > the OCSP request, such caching logic will be collapsed. > This proposal is one of the solutions to cope with this kind of attack. > > > Overview of idea: > > If client (relying party) sends actual certificate to be validated, > then, it has signature created by the CA. > By validating the signature, OCSP responder knows whether the > certificate was acutally issued by the CA or not. > The number of certificates is limited, the OCSP responder can cache > the all ocsp responses (if no nonce). > If the OCSP responder does not know the status of the certificate, the > OCSP responder can conclude such certificate was unreasonably issued > or missed from CA. > On the other hand, the client only needs to know the status of > certificate that owned by the client. > In this way, if OCSP is defined by existing of actual certificate, DOS > attack like above can be avoidable. > Validating certificate signature also need public key operation, we > can introduce more light operation like cryptographic hash algorithm. > > > Detailed example for proposal: > > [X.509 V3 extension] > strictCollationExtension = any collation value generated by CA. > ex) strictCollationExtension = HASH( certificateSerialNumber || > secretValue owned by CA) > , where || means concatenation operation. > > [Precondition] > Client to send OCSP request has EE certificate to be validated. > > [Client responsibility] > Client has to send OCSP request with strictCollationExtension value if > it needs OCSP response even for unreasonable certificate. > Such extension value should be embedded into OCSP request extension. > > [OCSP server responsibility] > OCSP server has to send back the corresponding OCSP response by > collating the extension value. > If the extension value matches the calculated value, OCSP server has > to send strict status value good/revoked/unknown. > If the extension value does not match to calculated value, OCSP server > can send error such as malformedRequest / unauthorized. > > > Consideration on server side: > > OCSP server can cache (even pre-generate) OCSP responses for known > certificates. > Even if the target certificate information was not in the database, > the number of such certificates seems to small, the operation load > must not high. After creating OCSP response(s), such information can > be cached. > > Matching operation for the strictCollationExtension is very light, the > load of OCSP server is low. > > If the extension value does not match to the calculated value, the > OCSP server does not need to sign the response, the load is also low. > > > Consideration on client side: > > If client received signed response, by validating the signature, > client knows whether the response is reliable or not. > If the response is reliable, the client can judge the actual > certificate staus including unreasonable certificate. > If the client received unsigned response such as malformedRequest / > unauthorized, the response was either from unauthorized OCSP responder > or the strictCollationExtension value was invalid (may be hacked by > some attacker). > > > Regards, > Koichi Sugimoto. > > > > _______________________________________________ > pkix mailing list > pkix@ietf.org > https://www.ietf.org/mailman/listinfo/pkix
- [pkix] Proposal for OCSP vulnerability Koichi Sugimoto
- Re: [pkix] Proposal for OCSP vulnerability Dr. Massimiliano Pala