Re: [TLS] [pkix] Possible revocation delay issue with TLS stapling

"Yngve N. Pettersen" <yngve@opera.com> Fri, 26 March 2010 21:29 UTC

Return-Path: <yngve@opera.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id CD71D3A6A70; Fri, 26 Mar 2010 14:29:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.369
X-Spam-Level:
X-Spam-Status: No, score=-4.369 tagged_above=-999 required=5 tests=[AWL=0.500, BAYES_00=-2.599, DNS_FROM_OPENWHOIS=1.13, J_CHICKENPOX_92=0.6, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pgFmjnmNPdXi; Fri, 26 Mar 2010 14:29:48 -0700 (PDT)
Received: from smtp.opera.com (smtp.opera.com [213.236.208.81]) by core3.amsl.com (Postfix) with ESMTP id 2EC003A67D3; Fri, 26 Mar 2010 14:29:47 -0700 (PDT)
Received: from lessa-ii (dhcp-wireless-open-abg-25-33.meeting.ietf.org [130.129.25.33]) (authenticated bits=0) by smtp.opera.com (8.14.3/8.14.3/Debian-5+lenny1) with ESMTP id o2QLU3Wv014483 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Fri, 26 Mar 2010 21:30:07 GMT
Content-Type: text/plain; charset=iso-8859-15; format=flowed; delsp=yes
To: "pkix@ietf.org" <pkix@ietf.org>, "Miller, Timothy J." <tmiller@mitre.org>
References: <op.u95kjftmkvaitl@lessa-ii> <17FD76C1ECD0AB49817637E21809ABF907FAA70D19@IMCMBX2.MITRE.ORG>
Date: Fri, 26 Mar 2010 22:30:08 +0100
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
From: "Yngve N. Pettersen" <yngve@opera.com>
Organization: Opera Software ASA
Message-ID: <op.u9610i13kvaitl@lessa-ii>
In-Reply-To: <17FD76C1ECD0AB49817637E21809ABF907FAA70D19@IMCMBX2.MITRE.ORG>
User-Agent: Opera Mail/10.50 (Win32)
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] [pkix] Possible revocation delay issue with TLS stapling
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 26 Mar 2010 21:29:49 -0000

On Fri, 26 Mar 2010 13:58:51 +0100, Miller, Timothy J. <tmiller@mitre.org>  
wrote:

> This is already covered in the 2560 Security Note.
>
> """
>    The use of precomputed responses allows replay attacks in which an
>    old (good) response is replayed prior to its expiration date but
>    after the certificate has been revoked. Deployments of OCSP should
>    carefully evaluate the benefit of precomputed responses against the
>    probability of a replay attack and the costs associated with its
>    successful execution.
> """

Similar language is not included in the TLS Extension document  
(RFC4366-bis)

> It's worth noting that this is a general problem, not specific to  
> stapling, and the OCSP service can simply reduce the validity window if  
> replay of stale-but-valid responses is a concern.

Yes, it is general and inherent in the system. However, in the case of  
"stapling" you have a situation where an authorized intermediate may turn  
malicious; we are not dealing with a normal MITM situation. The question  
is how to limit the damage potential?

> Further, clients are also free to reject a stapled OCSP response and  
> fetch their own if they're not happy with the any of the producedAt,  
> thisUpdate, or nextUpdate times.

Yes, that is one of the possibilities

> I'd support broadening the security note, but I don't see a need for a  
> new extension.
>
> Also I'd point out that in many deployments OCSP is typically fed by  
> CRLs anyway, so the determining time factors are set in CRL production  
> not OCSP response production.  IOW, rejecting a stapled response in  
> favor of a new response or CRL is probably equally likely to get you the  
> same result as it is to get you a fresher result.

Having the issuer define the lifetime of stapled OCSP responses based on  
their update policies is IMO better than having the clients setting an  
essentially arbitrary freshness limit. To facilitate a reduced lifetime  
for stapled responses the issuer must either globally reduce the lifetime  
(which probably first require critical stapling support mass), or some way  
for the responder to distinguish the request for a stapling response or a  
normal client request.

>> -----Original Message-----
>> From: pkix-bounces@ietf.org [mailto:pkix-bounces@ietf.org] On Behalf Of
>> Yngve N. Pettersen
>> Sent: Thursday, March 25, 2010 9:15 PM
>> To: pkix@ietf.org
>> Cc: tls@ietf.org
>> Subject: [pkix] Possible revocation delay issue with TLS stapling
>>
>>
>>
>> Hi,
>>
>> While considering aspects of my multiple certificate status suggestions
>> a
>> few days ago I realized that TLS stapling (the TLS Certificate status
>> Extension)of OCSP exacerbates the inherent "delay problem" when a
>> certificate is revoked, depending on how long the OCSP response is
>> valid.
>>
>> A malicious server that have its certificate revoked will still be able
>> to
>> use an old unexpired OCSP response in its stapled status reports to the
>> clients for quite a while after the revocation, since the response will
>> usually be valid for several days.
>>
>> The problem with this delay, which is inherent in the current revocation
>> system, is manageable when clients are requesting the OCSP response
>> directly, since new visitors will be protected when the OCSP responder
>> is
>> updated; old visitors have likely already been attacked.
>>
>> But with stapling the client have to rely on the server to provide a
>> valid
>> and up-to-date OCSP response. A malicious server won't do that, it will
>> continue to use a valid, but obsolete and incorrect status indication.
>>
>> My proposal is to create a new OCSP extension for stapled responses:
>>
>>       - Servers must include this extension in requests to the OCSP
>> responder
>>       - The responder must include this extension in responses
>> requested
>> this way, and must issue them with a shorter validity time, probably
>> associated with the turnaround for CRL/OCSP updates
>>       - Clients check for the extension in the stapled responses and
>> discard
>> them if they do not have the extension and fetch the revocation
>> information direct instead (OCSP for site, CRL for intermediates)
>>
>> The OCSP responders should be able to prefabricate the responses with
>> the
>> new extension (in addition to the normal responses), and might even be
>> able to map them for GET requests, depending on how predictable the
>> server
>> requests are.
>>
>>
>> Reducing the validity period for stapled OCSP responses will reduce the
>> window of opportunity for a malicious server operator. We can never
>> completely eliminate a revocation delay, but we should be able to reduce
>> it as much as possible.
>>
>> Adding this will require updates of servers, OCSP responders and
>> clients,
>> and can possibly be associated with my proposed update for Multiple OCSP
>> stapling.
>>
>> I would also suggest that the TLS WG RFC4366-bis draft add an entry in
>> the
>> CertificateStatus security considerations about this issue. My
>> suggestion
>> (as a starting point) would be something like this:
>>
>> "Certificate status entries have a validity period. A server can
>> continue
>> to send the entry to clients as long as the entry is valid, even if the
>> server's certificate has been revoked since the entry was originally
>> created, according to a direct and up-to-date query to the issuer's
>> repository."
>>
>> --
>> Sincerely,
>> Yngve N. Pettersen
>>
>> ********************************************************************
>> Senior Developer                     Email: yngve@opera.com
>> Opera Software ASA                   http://www.opera.com/
>> Phone:  +47 24 16 42 60              Fax:    +47 24 16 40 01
>> ********************************************************************
>> _______________________________________________
>> pkix mailing list
>> pkix@ietf.org
>> https://www.ietf.org/mailman/listinfo/pkix
>


-- 
Sincerely,
Yngve N. Pettersen

********************************************************************
Senior Developer                     Email: yngve@opera.com
Opera Software ASA                   http://www.opera.com/
Phone:  +47 24 16 42 60              Fax:    +47 24 16 40 01
********************************************************************