DER, PER, XER Certificate Size Study October 2005
Bulk Sizes
• Five encoding rule sets were targeted
  – DER, aligned PER, unaligned PER, XER, Canonical XER
• Bulk sizes range from 445 bytes to 18040 bytes
  – Not surprisingly, unaligned PER is always smallest and XER is always the largest
Original Profiles | DER | Aligned PER | Unaligned PER | XER | Canonical XER
CA PKCs - #1 | 1001 | 830 | 775 | 16781 | 12458
CA PKCs - #2 | 999 | 830 | 778 | 16645 | 12420
CA PKCs - #3 URI Pointer | 910 | 742 | 697 | 16619 | 12272
CA PKCs - #4 Both | 1041 | 869 | 805 | 17279 | 12830
Cross-Certificate PKCs - #1 | 1074 | 891 | 830 | 17884 | 13235
Cross-Certificate PKCs - #2 | 1083 | 899 | 841 | 18040 | 13411
EE PKCs - #1 | 845 | 721 | 672 | 10934 | 8772
EE PKCs - #2 | 890 | 759 | 707 | 11657 | 9295
EE PKCs - #3 | 840 | 720 | 672 | 10663 | 8587
EE PKCs - #4 | 875 | 754 | 701 | 11006 | 8836
EE PKCs - #5 | 782 | 672 | 624 | 9441 | 7855
EE PKCs - #6 | 759 | 654 | 610 | 9013 | 7517
EE PKCs - #7 | 763 | 654 | 611 | 9409 | 7815
EE PKCs - #8 | 765 | 660 | 616 | 9063 | 7567
EE PKCs - #9 | 770 | 662 | 618 | 9479 | 7885
EE PKCs - #10 | 768 | 660 | 616 | 9317 | 7765
EE PKCs - #11 URI Pointer | 725 | 611 | 575 | 10720 | 8542
EE PKCs - #12 Both | 789 | 753 | 699 | 11412 | 9124
OCSP Responder PKCs - #1 | 659 | 547 | 522 | 10027 | 8012
OCSP Responder PKCs - #2 | 659 | 551 | 526 | 9877 | 7968
Root CA PKCs - #1 | 559 | 470 | 447 | 8476 | 6845
Root CA PKCs - #2 | 548 | 466 | 445 | 7948 | 6505
Modified Profiles | DER | Aligned PER | Unaligned PER | XER | Canonical XER
CA PKCs - #1 | 1057 | 886 | 826 | 17346 | 12883
CA PKCs - #2 | 1005 | 843 | 791 | 16498 | 12277
Cross-Certificate PKCs - #1 | 1089 | 916 | 854 | 16930 | 12743
Cross-Certificate PKCs - #2 | 1067 | 897 | 843 | 16716 | 12575
OCSP Responder PKCs - #1 | 630 | 528 | 502 | 9696 | 7747
OCSP Responder PKCs - #2 | 602 | 512 | 488 | 8734 | 7069
Root CA PKCs - #1 | 573 | 485 | 464 | 8686 | 6923
Root CA PKCs - #2 | 574 | 493 | 470 | 8175 | 6608
Certificate Structure

Certificate ::= SEQUENCE {
    tbsCertificate        TBSCertificate,
    signatureAlgorithm    AlgorithmIdentifier,
    signature             BIT STRING }

TBSCertificate ::= SEQUENCE {
    version          [0]  Version DEFAULT v1,
    serialNumber          CertificateSerialNumber,
    signature             AlgorithmIdentifier,
    issuer                Name,
    validity              Validity,
    subject               Name,
    subjectPublicKeyInfo  SubjectPublicKeyInfo,
    issuerUniqueID   [1]  IMPLICIT UniqueIdentifier OPTIONAL,
                          -- If present, version MUST be v2 or v3
    subjectUniqueID  [2]  IMPLICIT UniqueIdentifier OPTIONAL,
                          -- If present, version MUST be v2 or v3
    extensions       [3]  Extensions OPTIONAL
                          -- If present, version MUST be v3 --
    }
DER Sample

30 87: SEQUENCE {
31 11:   SET {
30  9:     SEQUENCE {
06  3:       OBJECT IDENTIFIER countryName (2 5 4 6)
13  2:       PrintableString 'US'
     :       }
     :     }
31 24:   SET {
30 22:     SEQUENCE {
06  3:       OBJECT IDENTIFIER organizationName (2 5 4 10)
13 15:       PrintableString 'U.S. Government'
     :       }
     :     }
31 12:   SET {
30 10:     SEQUENCE {
06  3:       OBJECT IDENTIFIER organizationalUnitName (2 5 4 11)
13  3:       PrintableString 'DoD'
     :       }
     :     }
31 12:   SET {
30 10:     SEQUENCE {
06  3:       OBJECT IDENTIFIER organizationalUnitName (2 5 4 11)
13  3:       PrintableString 'KMI'
     :       }
     :     }
31 18:   SET {
30 16:     SEQUENCE {
06  3:       OBJECT IDENTIFIER commonName (2 5 4 3)
13  9:       PrintableString 'Root-Name'
     :       }

• Issuer name takes 89 bytes to encode
• Easy to read in a Hex editor
• Familiar tag-length-value
• Free tools are available for troubleshooting
PER Samples

00000015  0501 0355 0406 0420 0255 5301 0355 040A  ...U... .US..U..
00000031  1120 0F55 2E53 2E20 476F 7665 726E 6D65  . .U.S. Governme
00000047  6E74 0103 5504 0B05 2003 446F 4401 0355  nt..U... .DoD..U
00000063  040B 0520 034B 4D49 0103 5504 030B 2009  ... .KMI..U... .
00000079  526F 6F74 2D4E 616D 65                   Root-Name

• Issuer name takes 73 bytes to encode using aligned PER; unaligned reduces this slightly (~68 bytes)
• Both aligned (above) and unaligned (below) PER are more difficult to read than DER
• No tag values and often no length values
• Unaligned requires parsing of individual bits
• Decoding requires knowledge of structure
• What would be signed in unaligned scenario?

00000013  1828 081A A820 3021 02AB 4C00 081A A820  .(... 0!..L.... 
00000029  5079 0FAA BA9A E411 F7F6 CBCB 76DC BBBA  Py..........v...
00000045  0008 1AA8 2058 2103 89BE 2008 1AA8 2058  .... X!... ... X
00000061  2103 9736 4808 1AA8 2018 5109 A5BF 7F45  !..6H... .Q....E
00000077  B3B0 EDCA                                ....
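The issuer-name sizes quoted on the DER and PER sample slides (89, 73 and ~68 bytes) can be reproduced by encoding the same five RDNs by hand. This is an added example, not part of the original slides; the function names are illustrative, and the encoders assume this one name shape only (short-form lengths, printableString values, one attribute per RDN) rather than being general ASN.1 codecs.

```python
# Added example: hand-rolled encoders for the issuer name in the samples.
# (last OID arc under 2.5.4, PrintableString value) for each RDN
RDNS = [(6, "US"), (10, "U.S. Government"), (11, "DoD"),
        (11, "KMI"), (3, "Root-Name")]

def tlv(tag: int, content: bytes) -> bytes:
    """DER tag-length-value; short-form length is enough for this name."""
    assert len(content) < 128
    return bytes([tag, len(content)]) + content

def der_name(rdns) -> bytes:
    out = b""
    for arc, text in rdns:
        oid = tlv(0x06, bytes([0x55, 0x04, arc]))    # OID 2.5.4.<arc>
        value = tlv(0x13, text.encode("ascii"))      # PrintableString
        out += tlv(0x31, tlv(0x30, oid + value))     # SET { SEQUENCE { } }
    return tlv(0x30, out)

def aper_name(rdns) -> bytes:
    out = bytes([len(rdns)])                         # RDN count, no tag
    for arc, text in rdns:
        # DirectoryString CHOICE index 1 (printableString) in 3 bits,
        # padded to an octet (0x20), then the string length and characters.
        value = bytes([0x20, len(text)]) + text.encode("ascii")
        # SET OF count, OID length, OID, open-type length, value
        out += bytes([1, 3, 0x55, 0x04, arc, len(value)]) + value
    return out

def uper_name_bits(rdns) -> int:
    bits = 8                                         # RDN count
    for _arc, text in rdns:
        value_bits = 3 + 8 + 7 * len(text)           # index, length, 7-bit chars
        open_octets = -(-value_bits // 8)            # open type pads to octets
        bits += 8 + 8 + 24 + 8 + 8 * open_octets
    return bits

def sizes(rdns=RDNS) -> dict:
    return {"DER": len(der_name(rdns)),
            "aligned PER": len(aper_name(rdns)),
            "unaligned PER": -(-uper_name_bits(rdns) // 8)}

if __name__ == "__main__":
    print(sizes())
    print(der_name(RDNS).hex())
    print(aper_name(RDNS).hex())
```

Every DER value carries its own tag and length, so a parser can walk the name without a schema; the PER forms drop the tags, which is where the savings come from and why decoding them requires knowledge of the structure.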
XER Sample

<issuer>
  <rdnSequence>
    <RelativeDistinguishedName>
      <AttributeTypeAndValue>
        <type>2.5.4.6</type>
        <value>
          <DirectoryString>
            <printableString>US</printableString>
          </DirectoryString></value>
      </AttributeTypeAndValue>
    </RelativeDistinguishedName>
    <RelativeDistinguishedName>
      <AttributeTypeAndValue>
        <type>2.5.4.10</type>
        <value>
          <DirectoryString>
            <printableString>U.S. Government</printableString>
          </DirectoryString></value>
      </AttributeTypeAndValue>
    </RelativeDistinguishedName>
    <RelativeDistinguishedName>
      <AttributeTypeAndValue>
        <type>2.5.4.11</type>
        <value>
          <DirectoryString>
            <printableString>DoD</printableString>
          </DirectoryString></value>
      </AttributeTypeAndValue>
    </RelativeDistinguishedName>
    <RelativeDistinguishedName>
      <AttributeTypeAndValue>
        <type>2.5.4.11</type>
        <value>
          <DirectoryString>
            <printableString>KMI</printableString>
          </DirectoryString></value>
      </AttributeTypeAndValue>
    </RelativeDistinguishedName>
    <RelativeDistinguishedName>
      <AttributeTypeAndValue>
        <type>2.5.4.3</type>
        <value>
          <DirectoryString>
            <printableString>Root-Name</printableString>
          </DirectoryString></value>
      </AttributeTypeAndValue>
    </RelativeDistinguishedName>
  </rdnSequence>
</issuer>

• Issuer name takes 1651 bytes
• Canonical XER reduces this to 1114 bytes
• Signature field produced in XER is not an XML digital signature
Notes
• PER and XER are not canonical
  – Canonical XER was also tested but not compared to C14N
• We used unaltered ASN.1 files from the relevant specs
  – It’s possible that PER results could be made smaller if ASN.1 definitions were modified to capitalize on PER strengths
  – XER could be made smaller by using smaller field names or otherwise altering the ASN.1 to change the nature of the output
• Compression may be worth considering (see next two slides – sizes using Burrows/Wheeler via bzip2 program and savings vs. original)
  – Alternative compression algorithms may offer better results
• XER does not feature W3C-compliant XML Digital Signatures
  – Apache-based XML DSIG implementation used to generate sample does not currently support ECDSA
  – Using an XML Digital Signature around the TBSCertificate structure reduced default XER signature from ~2200 bytes to ~900 bytes
Profile | DER | Aligned PER | Unaligned PER | XER | Canonical XER
CA PKCs - #1 | 923 | 781 | 950 | 2222 | 2081
CA PKCs - #2 | 931 | 812 | 923 | 2251 | 2106
CA PKCs - #3 URI Pointer | 858 | 725 | 839 | 2181 | 2018
CA PKCs - #4 Both | 964 | 819 | 967 | 2269 | 2146
Cross-Certificate PKCs - #1 | 967 | 831 | 1013 | 2382 | 2239
Cross-Certificate PKCs - #2 | 1001 | 836 | 994 | 2379 | 2245
EE PKCs - #1 | 825 | 720 | 809 | 1803 | 1697
EE PKCs - #2 | 810 | 732 | 787 | 1833 | 1697
EE PKCs - #3 | 878 | 769 | 859 | 1885 | 1795
EE PKCs - #4 | 840 | 749 | 828 | 1831 | 1741
EE PKCs - #5 | 876 | 787 | 863 | 1838 | 1741
EE PKCs - #6 | 832 | 723 | 809 | 1870 | 1757
EE PKCs - #7 | 803 | 723 | 759 | 1784 | 1687
EE PKCs - #8 | 815 | 680 | 746 | 1853 | 1735
EE PKCs - #9 | 819 | 726 | 787 | 1800 | 1699
EE PKCs - #10 | 815 | 719 | 799 | 1850 | 1733
EE PKCs - #11 URI Pointer | 742 | 619 | 717 | 1706 | 1608
EE PKCs - #12 Both | 847 | 743 | 841 | 1851 | 1722
OCSP Responder PKCs - #1 | 686 | 580 | 612 | 1576 | 1497
OCSP Responder PKCs - #2 | 634 | 577 | 614 | 1654 | 1557
Root CA PKCs - #1 | 597 | 526 | 590 | 1407 | 1307
Root CA PKCs - #2 | 557 | 504 | 570 | 1385 | 1292
Profile | DER | Aligned PER | Unaligned PER | XER | Canonical XER
CA PKCs - #1 | 7.79% saved | 5.90% saved | -22.58% saved | 86.76% saved | 83.30% saved
CA PKCs - #2 | 6.81% saved | 2.17% saved | -18.64% saved | 86.48% saved | 83.04% saved
CA PKCs - #3 URI Pointer | 5.71% saved | 2.29% saved | -20.37% saved | 86.88% saved | 83.56% saved
CA PKCs - #4 Both | 7.40% saved | 5.75% saved | -20.12% saved | 86.87% saved | 83.27% saved
Cross-Certificate PKCs - #1 | 9.96% saved | 6.73% saved | -22.05% saved | 86.68% saved | 83.08% saved
Cross-Certificate PKCs - #2 | 7.57% saved | 7.01% saved | -18.19% saved | 86.81% saved | 83.26% saved
EE PKCs - #1 | 2.37% saved | 0.14% saved | -20.39% saved | 83.51% saved | 80.65% saved
EE PKCs - #2 | -5.47% saved | -10.91% saved | -27.76% saved | 80.33% saved | 78.15% saved
EE PKCs - #3 | 1.35% saved | -1.32% saved | -21.50% saved | 83.83% saved | 80.69% saved
EE PKCs - #4 | 0.00% saved | -4.03% saved | -23.21% saved | 82.83% saved | 79.73% saved
EE PKCs - #5 | -0.11% saved | -4.38% saved | -23.11% saved | 83.30% saved | 80.30% saved
EE PKCs - #6 | -6.39% saved | -7.59% saved | -29.65% saved | 80.19% saved | 77.63% saved
EE PKCs - #7 | -5.80% saved | -10.55% saved | -24.43% saved | 80.21% saved | 77.56% saved
EE PKCs - #8 | -6.82% saved | -3.98% saved | -22.09% saved | 80.31% saved | 77.80% saved
EE PKCs - #9 | -7.06% saved | -10.00% saved | -27.76% saved | 80.14% saved | 77.55% saved
EE PKCs - #10 | -5.84% saved | -8.61% saved | -29.29% saved | 80.48% saved | 78.02% saved
EE PKCs - #11 URI Pointer | -2.34% saved | -1.31% saved | -24.70% saved | 84.09% saved | 81.18% saved
EE PKCs - #12 Both | 3.64% saved | 1.33% saved | -20.31% saved | 83.78% saved | 81.13% saved
OCSP Responder PKCs - #1 | -4.10% saved | -6.03% saved | -17.24% saved | 84.28% saved | 81.32% saved
OCSP Responder PKCs - #2 | 3.79% saved | -4.72% saved | -16.73% saved | 83.25% saved | 80.46% saved
Root CA PKCs - #1 | -6.80% saved | -11.91% saved | -31.99% saved | 83.40% saved | 80.91% saved
Root CA PKCs - #2 | -1.64% saved | -8.15% saved | -28.09% saved | 82.57% saved | 80.14% saved
Slim Jim November 2005
Certificate Name | DER | Aligned PER | Unaligned PER | Canonical XER |
Root CA PKCs - 1 | 507 | 431 | 414 | 6050 | 7281
Root CA PKCs - 2 | 483 | 414 | 395 | 5686 | 6845
Root CA PKCs - 3 | 463 | 397 | 385 | 5500 | 6611
Root CA PKCs - 4 | 431 | 381 | 368 | 5133 | 6103
CA PKCs - 1 | 832 | 710 | 661 | 8593 | 10486
CA PKCs - 2 | 790 | 680 | 633 | 8127 | 9930
CA PKCs - 3 | 617 | 530 | 498 | 6759 | 8176
CA PKCs - 4 | 602 | 519 | 490 | 6603 | 7951
CA PKCs - 5 | 496 | 423 | 404 | 5944 | 7161
Cross-Certificate PKCs – 1 | 952 | 808 | 756 | 10538 | 13427
Cross-Certificate PKCs – 2 | 803 | 675 | 640 | 9428 | 12043
Cross-Certificate PKCs – 3 | 782 | 666 | 632 | 9280 | 11834
Cross-Certificate PKCs – 4 | 639 | 553 | 524 | 6922 | 8386
OCSP Responder PKCs – 1 | 506 | 432 | 415 | 6068 | 7299
Infrastructure Summary
• DER: 431 through 952 bytes
• Aligned PER: 381 through 808 bytes
• Unaligned PER: 368 through 756 bytes
• Canonical and non-canonical XER: BIG
EE Variations
• 7 Name forms X 4 profiles
  – Subject field w/ dc name
  – Subject field empty w/ one each of the following in subject alternate name field
    • otherName
    • RFC822Name
    • DNSName
    • IPv4 name
    • IPv6 name
    • URI
Certificate Name | DER | Aligned PER | Unaligned PER | Canonical XER |
(EE PKCs DN - 1) Subject DN, AKI, SKI, KU, CP, Clearance, CRLDP, Seed, Sponsor, Citizenship, and Freshest CRL | 837 | 727 | 674 | 8315 | 10091
(EE PKCs DN - 2) Subject DN, SKI, KU, CP, Clearance, CRLDP, Seed, Sponsor, and Citizenship | 713 | 615 | 578 | 7419 | 8969
(EE PKCs DN - 3) Subject DN, KU, CP, Clearance, CRLDP, Seed, Sponsor, and Citizenship | 692 | 601 | 562 | 7225 | 8735
(EE PKCs DN - 4) Subject DN, CP, Clearance, CRLDP, Sponsor, and Citizenship | 660 | 581 | 543 | 6922 | 8336
(EE Other Name - 1) SAN(ON), AKI, SKI, KU, CP, Clearance, CRLDP, Seed, Sponsor, Citizenship, and Freshest CRL | 786 | 678 | 630 | 8058 | 9640
(EE Other Name - 2) SAN(ON), SKI, KU, CP, Clearance, CRLDP, Seed, Sponsor, and Citizenship | 663 | 568 | 535 | 7170 | 8510
(EE Other Name - 3) SAN(ON), KU, CP, Clearance, CRLDP, Seed, Sponsor, and Citizenship | 644 | 552 | 520 | 6968 | 8276
(EE Other Name - 4) SAN(ON), CP, Clearance, CRLDP, Sponsor, and Citizenship | 612 | 531 | 501 | 6673 | 7877
(EE PKCs RFC - 1) SAN(RFC), AKI, SKI, KU, CP, Clearance, CRLDP, Seed, Sponsor, Citizenship, Freshest CRL | 792 | 683 | 633 | 7852 | 9370
(EE PKCs RFC - 2) SAN(RFC), SKI, KU, CP, Clearance, CRLDP, Seed, Sponsor, and Citizenship | 666 | 574 | 536 | 6956 | 8256
(EE PKCs RFC - 3) SAN(RFC), KU, CP, Clearance, CRLDP, Seed, Sponsor, and Citizenship | 645 | 557 | 522 | 6746 | 8014
(EE PKCs RFC - 4) SAN(RFC), CP, Clearance, CRLDP, Sponsor, and Citizenship | 613 | 537 | 503 | 6459 | 7623
Certificate Name | DER | Aligned PER | Unaligned PER | Canonical XER |
(EE PKCs DNS - 1) SAN(DNS), AKI, SKI, KU, CP, Clearance, CRLDP, Seed, Sponsor, Citizenship, Freshest CRL | 777 | 672 | 625 | 7810 | 9336
(EE PKCs DNS - 2) SAN(DNS), SKI, KU, CP, Clearance, CRLDP, Seed, Sponsor, and Citizenship | 655 | 563 | 528 | 6922 | 8206
(EE PKCs DNS - 3) SAN(DNS), KU, CP, Clearance, CRLDP, Seed, Sponsor, and Citizenship | 635 | 547 | 514 | 6720 | 7964
(EE PKCs DNS - 4) SAN(DNS), CP, Clearance, CRLDP, Sponsor, and Citizenship | 602 | 527 | 494 | 6425 | 7581
(EE PKCs IPv4 - 1) SAN(IPv4), AKI, SKI, KU, CP, Clearance, CRLDP, Seed, Sponsor, Citizenship, and Freshest CRL | 770 | 664 | 618 | 7828 | 9330
(EE PKCs IPv4 - 2) SAN(IPv4), SKI, KU, CP, Clearance, CRLDP, Seed, Sponsor, and Citizenship | 647 | 556 | 522 | 6924 | 8216
(EE PKCs IPv4 - 3) SAN(IPv4), KU, CP, Clearance, CRLDP, Seed, Sponsor, and Citizenship | 628 | 541 | 508 | 6722 | 7982
(EE PKCs IPv4 - 4) SAN(IPv4), CP, Clearance, CRLDP, Sponsor, and Citizenship | 596 | 518 | 488 | 6435 | 7591
(EE PKCs IPv4 - 1) SAN(IPv6), AKI, SKI, KU, CP, Clearance, CRLDP, Seed, Sponsor, Citizenship, Freshest CRL | 782 | 677 | 630 | 7868 | 9386
(EE PKCs IPv6 - 2) SAN(IPv6), SKI, KU, CP, Clearance, CRLDP, Seed, Sponsor, and Citizenship | 659 | 567 | 534 | 6964 | 8272
(EE PKCs IPv6 - 3) SAN(IPv6), KU, CP, Clearance, CRLDP, Seed, Sponsor, and Citizenship | 641 | 552 | 520 | 6778 | 8030
Certificate Name | DER | Aligned PER | Unaligned PER | Canonical XER |
(EE PKCs IPv6 - 4) SAN(IPv6), CP, Clearance, CRLDP, Sponsor, and Citizenship | 607 | 531 | 501 | 6467 | 7639
(EE PKCs URI - 1) SAN(URI), AKI, SKI, KU, CP, Clearance, CRLDP, Seed, Sponsor, and Citizenship, Freshest CRL | 776 | 673 | 624 | 7890 | 9416
(EE PKCs URI - 2) SAN(URI), SKI, KU, CP, Clearance, CRLDP, Seed, Sponsor, and Citizenship | 653 | 561 | 529 | 6986 | 8294
(EE PKCs URI - 3) SAN(URI), KU, CP, Clearance, CRLDP, Seed, Sponsor, and Citizenship | 635 | 548 | 513 | 6792 | 8036
(EE PKCs URI - 4) SAN(URI), CP, Clearance, CRLDP, Sponsor, and Citizenship | 603 | 527 | 495 | 6505 | 7653
EE Summary
• DER: 596 through 837 bytes
• Aligned PER: 518 through 727 bytes
• Unaligned PER: 488 through 676 bytes
• Canonical and non-canonical XER: BIG