Скачать презентацию Certificate Validation and the Online Certificate Status Protocol Скачать презентацию Certificate Validation and the Online Certificate Status Protocol

5b6e5967460d9ce929b81281a6cdb115.ppt

  • Количество слайдов: 29

Certificate Validation and the Online Certificate Status Protocol Peter Williams Practices Architect CACR Information Certificate Validation and the Online Certificate Status Protocol Peter Williams Practices Architect CACR Information Security Workshop Wednesday, June 9, 1999 - 11: 00 AM

Certificate Validation Should u Be Easy to use u Be Scaleable u Be Cost Certificate Validation Should u Be Easy to use u Be Scaleable u Be Cost effective Which Standards Deliver?

Standards Influencers u Product Support, particularly browser adoption u Standards Status CRL, CDP -- Standards Influencers u Product Support, particularly browser adoption u Standards Status CRL, CDP -- PKIX u OCSP, CRTs -- OCSP u u Early Successes & Momentum

Standards / Technologies u Certificate Revocation Lists (CRLs) u CRL Distribution Points (CRL-DP) u Standards / Technologies u Certificate Revocation Lists (CRLs) u CRL Distribution Points (CRL-DP) u Online Certificate Status Protocol (OCSP) u Certificate Revocation Trees (CRTs)

Characteristics u Technology Approaches u Product Support u Applicability to E-Commerce Applications Characteristics u Technology Approaches u Product Support u Applicability to E-Commerce Applications

Certificate Revocation List u u u “Black List” of Revoked Certificates -- a negative Certificate Revocation List u u u “Black List” of Revoked Certificates -- a negative file A Signed List Each Entry: u u u Serial Number of Certificate Time of Revocation (e. g. Jan 15 th, 1997 at 10: 05 a. m. ) Other information (entry extensions) optional u e. g. Reason for revocation 76 5 2 19 24 Signature

Certificate Revocation List ? CRL CA System/CRL Sever Cert SSL Cert ? CRL CA Certificate Revocation List ? CRL CA System/CRL Sever Cert SSL Cert ? CRL CA System/CRL Sever

What else is in a CRL? u Issuer Name u Engineering Dept. , Vali. What else is in a CRL? u Issuer Name u Engineering Dept. , Vali. Cert Inc. , Mountain View, US u Time of Issuance (this. Update) u Time “at or before which new information will be available” (next. Update) u Other Optional Information

CRLs - Pros and Cons u Application Checking Process u Compatibility With Legacy Software CRLs - Pros and Cons u Application Checking Process u Compatibility With Legacy Software u Ability to Cache u Size -- Storage, Network Bandwidth u Requirement to Cache

CRL Distribution Points u A clever mechanism to break up a CRL into smaller CRL Distribution Points u A clever mechanism to break up a CRL into smaller chunks u Some similarity to hashing- as in sorting, not cryptography SIG SIG

CRL Distribution Points u Revocation Data is split into multiple buckets u Each bucket CRL Distribution Points u Revocation Data is split into multiple buckets u Each bucket is a “mini” CRL u Every certificate contains data that allows applications to determine which bucket to look at to check validity. u May be more than one

CRL Distribution Points -Pros and Cons u Application Checking Process u Can be cached CRL Distribution Points -Pros and Cons u Application Checking Process u Can be cached u Requirement to be cached ameliorated u Reduces the size problem with CRLs u Bucket for a certificate is fixed when it is issued u Somewhat higher implementation complexity -- potential need to check multiple buckets

OCSP u Online Certificate Status Protocol u An “online” mechanism u Simple Client-Server model OCSP u Online Certificate Status Protocol u An “online” mechanism u Simple Client-Server model u Certificate accepting application (Client) asks OCSP Responder (Server) for a certificate’s status u Server responds with yes (with time of revocation, reason for revocation), or no. The response is signed.

OCSP Model Cert SSL OCSP Validation Server (Secure) Cert OCSP Validation Server (Secure) OCSP Model Cert SSL OCSP Validation Server (Secure) Cert OCSP Validation Server (Secure)

OCSP Pros and Cons u u u u Application Checking Process Up-to-Date Information Small OCSP Pros and Cons u u u u Application Checking Process Up-to-Date Information Small Response Size Response may be Cached Responder needs to sign each response Responder key is online => must be in a secure site, introduces vulnerabilities Availability of service more limited

Certificate Revocation Trees u Mechanism of revocation checking based on Merkle trees u An Certificate Revocation Trees u Mechanism of revocation checking based on Merkle trees u An on-line or off-line mechanism u Client asks server if a certificate is valid u Server provides a pre-signed piece of data, that client uses to decide if certificate is valid. u u OCSP: RSA Signature, CRTs: Merkle Signature OCSP: Signature on certificate, CRTs: Signature on range of certificates

The CRT Approach Proof Cert Proof Validation Engine (Enterprise Server or Global Service) Cert The CRT Approach Proof Cert Proof Validation Engine (Enterprise Server or Global Service) Cert

Certificate Revocation Trees 0 -R 0 N 0, 0 R 0 -R 1 N Certificate Revocation Trees 0 -R 0 N 0, 0 R 0 -R 1 N 0, 1 R 1 -R 2 N 0, 2 R 2 -R 3 N 0, 3 R 3 -R 4 N 0, 4 R 4 -R 5 N 0, 5 R 5 -R 6 N 0, 6 R 6 -Inf N 0, 7 N 1, 0 N 2, 0 N 1, 1 N 3, 0 Admin. Info Signature ? N 3, 0 N 1, 2 N 2, 1 N 1, 3

CRT Pros and Cons u u u u Size of responses much smaller than CRT Pros and Cons u u u u Size of responses much smaller than CDP/CRL but larger than OCSP responses No need to sign every response More secure (private key is not online) More scalable (each responder can support more clients) Not fully up to date (15 second latencies) Response may be cached Can combine data from multiple CA s

Product Support Product Support

Applicability to E-Commerce CRLs u Size u of Environment is Small Intranets v/s Extranets Applicability to E-Commerce CRLs u Size u of Environment is Small Intranets v/s Extranets or large commerce systems u Frequent Updates not required “regular” communication v/s mission-critical EDI u Security environment not super-sensitive u u Legacy application already support CRLs u Caching u not a problem Desktop versus a smart card

Applicability to E-Commerce CRL Distribution Points u Desktop Applications versus a smart card. u Applicability to E-Commerce CRL Distribution Points u Desktop Applications versus a smart card. u Updates frequent but not “online” u Mission critical Email/EDI, but not bond-purchase or stockpurchase. u Much greater scalability and performance than CRLs but no business requirement to be online u Windows, Entrust applications

Applicability to E-Commerce OCSP u Application MUST have data up to the last second Applicability to E-Commerce OCSP u Application MUST have data up to the last second u Application IS online u Application in a contained but large community where operation centers are manageable u Bond purchases from the FOMC by treasury desks at Money Center Banks

Applicability to E-Commerce CRTs u Application is used in small or large communities or Applicability to E-Commerce CRTs u Application is used in small or large communities or open Internet u Secure Email, Brokerage u Application may be used from desktop or Internet appliances u Secure Email, Brokerage u Application u may be online or offline Secure Email u Application needs security up to the minute but not up to the second. u Consumer Stock Brokerage but not FOMC trades

Which One(s) will win? u The bottom-line: u Off-line & On-line Applications Low security Which One(s) will win? u The bottom-line: u Off-line & On-line Applications Low security and high security applications Incompatibilities w/ product support u u

Some Predictions u CRLs will be supplanted by CRL Distribution Points in a majority Some Predictions u CRLs will be supplanted by CRL Distribution Points in a majority of applications over time u Most E-Commerce applications that need online approaches will use OCSP with high-performance add-ons like CRTs u total cost of ownership versus benefit of reduction of security risk

Does It Matter? u End-user software will need to support all major standards u Does It Matter? u End-user software will need to support all major standards u u Used in widely differing security environments Used with different types of certificates Used in very different E-Commerce situations Outsourcing Validation Services Far More Effective u u Standards Translation Cost Apportionment Service Quality, Guarantees & Insurance Ease of Set-Up

Vali. Cert, Inc. Corporate Partners Vali. Cert, Inc. Corporate Partners

Summary u 4 major approaches u CRLs, CRL DPs, OCSP -- RSA & CRT Summary u 4 major approaches u CRLs, CRL DPs, OCSP -- RSA & CRT u One Size Does Not Fit All --Need for multiple approaches & interoperability. u Outsourcing the services may be more effective at addressing the underlying problems