[lamps] RFC6960: Issue with the OCSP Nonce extension
Mohit Sahni <mohit06jan@gmail.com> Sat, 07 December 2019 20:30 UTC
Return-Path: <mohit06jan@gmail.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 61F4F120830 for <spasm@ietfa.amsl.com>; Sat, 7 Dec 2019 12:30:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.738
X-Spam-Level:
X-Spam-Status: No, score=-1.738 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, HTML_OBFUSCATE_05_10=0.26, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6N4Qb5NCmCOk for <spasm@ietfa.amsl.com>; Sat, 7 Dec 2019 12:30:13 -0800 (PST)
Received: from mail-il1-x129.google.com (mail-il1-x129.google.com [IPv6:2607:f8b0:4864:20::129]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9C4FC12082E for <spasm@ietf.org>; Sat, 7 Dec 2019 12:30:13 -0800 (PST)
Received: by mail-il1-x129.google.com with SMTP id u16so9288176ilg.10 for <spasm@ietf.org>; Sat, 07 Dec 2019 12:30:13 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:from:date:message-id:subject:to; bh=PkvxCJ+7lMDDuM+bUlnd3jtayPZsK9Pc+c0TVKbRies=; b=pmURJhZsbmqFYvHW+0kNt6eQk1PjEackT+n/NC6aM8IiFG8VsNATGx8+eZvYIE8Mtk Lcopj7YRen1gjTrUxa8NUhLeHV79Am9SGeeidyVk+2d3eYE3VLLjNo6luV1MrFZj71wu IOLa83iey22B0FvJhmZQzk4r8DKiEvmlxFjPGHrotnz9+y7iYt7g05TMczJGwSVlCRlX raxm1tAlf+hnadEe1Mj/pq+cPY+IrpREv+sYPnrNcqhKIX4GN9KCqG2bny2z1cJFbusq CRlQ/QA+LtQ2cq7uR43iKJCJXTZfBk1WjpSv13uulzMSaiu4mkp98NfTrfWwDSAyU2pe Ht8Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=PkvxCJ+7lMDDuM+bUlnd3jtayPZsK9Pc+c0TVKbRies=; b=mcGCtbHsAuKoywPzAb9RG+AdVWd9sosOIlg3We+hx0IjElx/+D4OYBd4Bx9MVxkKZl fOO5NB9KL+F4B/j6CCUyJWjyFvdT1Yp6LTzKDs9so+exSOM+77WCfonw28XxP7cb4KtQ ejjfj2B35FRb/r26/XwTyWlEFQGx+TRzRe42v+y5jAiv0ZBLRYs1eIkOyGLjQ/ljGisw LdqNWBV3A6Yszx2gpOrLsIPkuVhlTw5aOVjVXmJ3L1j9aKmVqm8Q1dQBwrL7xKCAJTkF F1NCDLQwWwQxVchP6ElUA2hK9ZXRlS0dbTbmrgZe1UE9m4V99aU8rtNMpv45bWFhGdrY Ojiw==
X-Gm-Message-State: APjAAAWuKg7/Q8vxv+9HNvFXfPM35/OlwpzO8/+V2VCoMnpqPx5nlToy Bz8+trbZa917CbUWDgNLITTPM3dRqmysEGSgvepsOah0
X-Google-Smtp-Source: APXvYqyktSzPVFwLMzoAj1kCc+hA6ZG2RWiAW++fa4i5h0jtJUbZy3Ntqr09oEh64hdIONsRn9nzgZijj7VEkfCBEwc=
X-Received: by 2002:a92:d609:: with SMTP id w9mr22250441ilm.46.1575750612742; Sat, 07 Dec 2019 12:30:12 -0800 (PST)
MIME-Version: 1.0
From: Mohit Sahni <mohit06jan@gmail.com>
Date: Sat, 07 Dec 2019 12:30:02 -0800
Message-ID: <CAEpwuw2T6MnC7NDpu9wA2Vzm5vSKaK-Qpp49c096doDub65SkA@mail.gmail.com>
To: spasm@ietf.org
Content-Type: multipart/alternative; boundary="00000000000086f664059923071b"
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/I-ITGtr48gS9Xm5QruT_I08PcFE>
Subject: [lamps] RFC6960: Issue with the OCSP Nonce extension
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 07 Dec 2019 20:30:15 -0000
Hi All, The section 4.1.1 of the RFC6960 describes the format and ID for the Nonce extension in the OCSP request and response. According to the RFC the nonce will have the identifier id-pkix-ocsp-nonce and the type of the Nonce is an OCTATE STRING. The problem I see is that the RFC does not mention whether the nonce should be of fixed length or should have a maximum length. Due to this reason the current implementations that follow this standard can accept very large OCSP requests and are vulnerable to denial of service attacks and various evasion tricks using the nonce field as a tunnel. Since most of the OCSP requests don't use TLS as transport someone in the path can also modify the HTTP request to inject large nonce thus making the situation worse. I would like to propose that the standard MUST define a maximum length for Nonce or the Nonce MUST be of a defined fixed length. I lean towards proposing the standard to have a maximum value of 256 bytes and minimum value of 1 byte to make it backward compatible. Do you guys think it makes sense and if I should propose a draft for making Nonce length with a maximum of 256 and minimum of 1. Here is the text from section 4.1.1 of RFC6960: The nonce cryptographically binds a request and a response to prevent replay attacks. The nonce is included as one of the requestExtensions in requests, while in responses it would be included as one of the responseExtensions. In both the request and the response, the nonce will be identified by the object identifier id-pkix-ocsp-nonce, while the extnValue is the value of the nonce. id-pkix-ocsp OBJECT IDENTIFIER ::= { id-ad-ocsp } id-pkix-ocsp-nonce OBJECT IDENTIFIER ::= { id-pkix-ocsp 2 } Nonce ::= OCTET STRING -Mohit
- [lamps] RFC6960: Issue with the OCSP Nonce extens… Mohit Sahni
- Re: [lamps] RFC6960: Issue with the OCSP Nonce ex… Russ Housley
- Re: [lamps] RFC6960: Issue with the OCSP Nonce ex… Mohit Sahni
- Re: [lamps] RFC6960: Issue with the OCSP Nonce ex… Tomas Gustavsson
- Re: [lamps] RFC6960: Issue with the OCSP Nonce ex… Russ Housley