[pkix] Proposal for OCSP vulnerability
Koichi Sugimoto <koichi.sugimoto@globalsign.co.jp> Tue, 04 November 2014 10:08 UTC
Return-Path: <koichi.sugimoto@globalsign.com>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B9D0E1A6F8F for <pkix@ietfa.amsl.com>; Tue, 4 Nov 2014 02:08:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.378
X-Spam-Level:
X-Spam-Status: No, score=-1.378 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Q42rcUqPstG1 for <pkix@ietfa.amsl.com>; Tue, 4 Nov 2014 02:08:45 -0800 (PST)
Received: from mail-lb0-x22f.google.com (mail-lb0-x22f.google.com [IPv6:2a00:1450:4010:c04::22f]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3DBFE1A1A2E for <pkix@ietf.org>; Tue, 4 Nov 2014 02:08:44 -0800 (PST)
Received: by mail-lb0-f175.google.com with SMTP id n15so2779364lbi.20 for <pkix@ietf.org>; Tue, 04 Nov 2014 02:08:39 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=globalsign.co.jp; s=google; h=mime-version:date:message-id:subject:from:to:content-type; bh=p+20bhoecezjn0Wa2DIpDFXjzXlTuTTmgtsf6WH/pRc=; b=LUKiBenVuNjQYVk8s82EsEejfGTcqlukdvTLydLLBZmPtP84aIUjdPQvW1fRVDWqb+ rxD/65JVeliKhHytibFjD57NlhQa++fsOLfrRxkYoS1OoI/bjybUVlFNBqZ3hyqVgAhF POi/MYq9OM9uBXqh2twGnF1xNeGVAJbPXYxes=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:date:message-id:subject:from:to :content-type; bh=p+20bhoecezjn0Wa2DIpDFXjzXlTuTTmgtsf6WH/pRc=; b=BHERLwJhJ4H2BaY1Ewwk9nHDtmA5+fE85LyGNk/IqikYtUiW9+KiTZU14tIAiVCKpf n80VV5rmNBzxdv+g5AMQRVj/O1tDfN2wqXfYj5R8oswnpk68glHh4VpDbezKxSTGdxCQ w0Vo+qZ+llG/Ms+8I6G4W0L+XW+5s72eqnh/iN+cgKCbMPTV5De30LGxBT6401FSeV8d 3MDRv1lmW97yNgo7VTFDQZq34gFvsfGN/BTBo4deOa3iN5oTxLiDCGvxGLLuGFbs82Dl eMXhLnOCLMZjlGv9vauGhr/bxA+3RhsHDRl4jrlbt1iJzVFAJnYl5bmz5UniY5KYk4Wg r2rQ==
X-Gm-Message-State: ALoCoQn2MtJCBpj7hXoZsCbNQ42vHez+jPHz5o7k81mtrHHuYMNSGLj8IOIMnmfgzBDOGeDxEP7H
MIME-Version: 1.0
X-Received: by 10.112.57.227 with SMTP id l3mr57636040lbq.68.1415095719470; Tue, 04 Nov 2014 02:08:39 -0800 (PST)
Received: by 10.25.155.1 with HTTP; Tue, 4 Nov 2014 02:08:39 -0800 (PST)
Date: Tue, 04 Nov 2014 19:08:39 +0900
Message-ID: <CAMAj_wHT+CDG9kygaO5CR_4E97B9ETFD1T7rW3n7VCh3FpCcTQ@mail.gmail.com>
From: Koichi Sugimoto <koichi.sugimoto@globalsign.co.jp>
To: "pkix@ietf.org" <pkix@ietf.org>
Content-Type: multipart/alternative; boundary="001a11345a00aec2a4050705a512"
Archived-At: http://mailarchive.ietf.org/arch/msg/pkix/JwOCr0K17FgmwOrqfeCbWJPrOZc
Subject: [pkix] Proposal for OCSP vulnerability
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pkix/>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 04 Nov 2014 10:08:48 -0000
Hello. I am considering about vulnerability of OCSP. Do you have any ideas for the following? Introduction: OCSP is a vulnerable protocol because client can send OCSP request WITHOUT digital signature, on the other hand, server has to send back the corresponding response WITH digital signature. OCSP server has to generate digital signature every time creating OCSP response if OCSP caching scheme cannot be applicable. This kind of biased processing between client and server would make server load becomes high, it makes easy for attacker to force OCSP server down as DOS. Indeed OCSP caching described in RFC 5019 can reduce the load of OCSP server, but, OCSP responses for non-issued certificates cannot be cached, if the attacker generates random serial number and put it in the OCSP request, such caching logic will be collapsed. This proposal is one of the solutions to cope with this kind of attack. Overview of idea: If client (relying party) sends actual certificate to be validated, then, it has signature created by the CA. By validating the signature, OCSP responder knows whether the certificate was acutally issued by the CA or not. The number of certificates is limited, the OCSP responder can cache the all ocsp responses (if no nonce). If the OCSP responder does not know the status of the certificate, the OCSP responder can conclude such certificate was unreasonably issued or missed from CA. On the other hand, the client only needs to know the status of certificate that owned by the client. In this way, if OCSP is defined by existing of actual certificate, DOS attack like above can be avoidable. Validating certificate signature also need public key operation, we can introduce more light operation like cryptographic hash algorithm. Detailed example for proposal: [X.509 V3 extension] strictCollationExtension = any collation value generated by CA. ex) strictCollationExtension = HASH( certificateSerialNumber || secretValue owned by CA) , where || means concatenation operation. [Precondition] Client to send OCSP request has EE certificate to be validated. [Client responsibility] Client has to send OCSP request with strictCollationExtension value if it needs OCSP response even for unreasonable certificate. Such extension value should be embedded into OCSP request extension. [OCSP server responsibility] OCSP server has to send back the corresponding OCSP response by collating the extension value. If the extension value matches the calculated value, OCSP server has to send strict status value good/revoked/unknown. If the extension value does not match to calculated value, OCSP server can send error such as malformedRequest / unauthorized. Consideration on server side: OCSP server can cache (even pre-generate) OCSP responses for known certificates. Even if the target certificate information was not in the database, the number of such certificates seems to small, the operation load must not high. After creating OCSP response(s), such information can be cached. Matching operation for the strictCollationExtension is very light, the load of OCSP server is low. If the extension value does not match to the calculated value, the OCSP server does not need to sign the response, the load is also low. Consideration on client side: If client received signed response, by validating the signature, client knows whether the response is reliable or not. If the response is reliable, the client can judge the actual certificate staus including unreasonable certificate. If the client received unsigned response such as malformedRequest / unauthorized, the response was either from unauthorized OCSP responder or the strictCollationExtension value was invalid (may be hacked by some attacker). Regards, Koichi Sugimoto.
- [pkix] Proposal for OCSP vulnerability Koichi Sugimoto
- Re: [pkix] Proposal for OCSP vulnerability Dr. Massimiliano Pala