CRLite: When Industry & Academia Collide
Thyla van der Merwe
Real World Crypto, 9 January 2020
Trust = TLS + PKI
PKI
Root CA Intermediate CA Intermediate CA
signature signature signature
TLS
MITM Impersonate TLS TLS
> 500 000 private keys compromised!
Revocation: owner requests → CA produces public, verifiable attestation that the certificate should no longer be trusted.
Is this a revoked certificate?
Revocation is important!
Current Methods: CRLs and OCSP
Future Methods: CRLite
Revocation is broken!
Implementing CRLite In Firefox
CRLite: A Scalable System for Pushing All TLS Revocations to All Browsers. Larisch et al. IEEE S&P 2017
Building the thing! Where are we now? Are we done yet?
Current Methods
CRLs: serial numbers, CA signature, URL (10 days?)
OCSP: CA, OCSP responder, URL, OCSP request / OCSP response, CA signature (OCSP response: a few days?)
Fail-open vs Fail-closed
Must-Staple
Fail-open
Delays: 200 ms
Privacy concerns
Evolving... OneCRL Size?? CRLite CRLSets
Bloom Filters
Certificate Ecosystem
Use a data structure that supports queries for the finite set of unexpired certificates.
Bloom Filters
m = 12, k = 4
Let’s put data item d in the filter:
- Compute h_1(d) = 4 → set bit in index 4 to 1.
- Compute h_2(d) = 11 → set bit in index 11 to 1.
- Compute h_3(d) = 9 → set bit in index 9 to 1.
- Compute h_4(d) = 2 → set bit in index 2 to 1.
Add another item d’?
Bloom Filters
m = 12, k = 4
Is d* in the filter?
- If any of the bits at indexes h_i(d*) is 0, then d* is DEFINITELY NOT in the filter.
- If all of the bits at indexes h_i(d*) are 1, then d* is MAYBE in the filter.
So maybe it’s a legitimate insertion, maybe it’s not.
Will have false positives → rate p determined by m, k, occupancy.
Bloom Filters
Say we want to store R U. R is the set of revoked certificates, and U is the finite set of unexpired certificates. R S = U. But there will be false positives!
Cascading Bloom Filters
Store those in another Bloom filter.
Cascading Bloom Filters
- BF1 stores R. But there are going to be false positives: elements of S that shouldn’t be in BF1!
- BF2 stores those. But there are going to be false positives: elements of R that shouldn’t be in BF2!
- ... BFx: no false positives*
* for a constrained, finite set
Cascading Bloom Filters (3 levels)
- If d* is not in BF1, then definitely not in R.
- If d* is in BF1, then we don’t know.
- If d* is in BF1 but not in BF2, then in R.
- If d* is in BF1 and BF2, then we don’t know.
- If d* is in BF1 and BF2 but not in BF3, then definitely not in R.
- If d* is in all three, then in R.
Cascading Bloom Filters
Is u in U in R?
Starting at i = 1, keep going until u not in BF_i.
- If i is odd, u not in R.
- If i is even, u in R.
If u in all BF_i, look at number of levels, l.
- If l is odd, u in R.
- If l is even, u not in R.
Flowchart (3 levels): in BF1? N → not in R; Y → in BF2? N → in R; Y → in BF3? N → not in R; Y → in R.
Cascading Bloom Filters
Want the minimum possible size…
Bloom filter minimized: k = log_2(1/p) and m ≅ 1.44 r log_2(1/p)
How do we set p for filter cascades?
Analysis → p_1 for BF_1, p for other BFs
r = |R|, s = |S|
p_1 = r√p/s
p = 0.5 → close to theoretical lower bound
Simulations confirm! Size of R dominates, does not grow considerably with S!
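The cascade construction, the odd/even query rule and the sizing formulas from the slides above, as an added Python example (not code from the talk, the CRLite paper or Firefox). SHA-256 with a per-level salt is an assumed stand-in for the hash functions h_i, the min() guard on p_1 is an assumption for small inputs, and the serial strings are constructed sample data.

```python
import hashlib
import math

class Bloom:
    """Bloom filter sized as on the slide: k = log2(1/p), m ~ 1.44*n*log2(1/p)."""
    def __init__(self, n, p, level):
        bits_per_item = math.log2(1 / p)
        self.k = max(1, math.ceil(bits_per_item))
        self.m = max(8, math.ceil(1.44 * n * bits_per_item))
        self.level = level          # salt so each level hashes independently (assumption)
        self.bits = bytearray((self.m + 7) // 8)

    def _indexes(self, item):
        for i in range(self.k):     # h_i(d): SHA-256 is a stand-in hash (assumption)
            h = hashlib.sha256(b"%d:%d:" % (self.level, i) + item).digest()
            yield int.from_bytes(h[:8], "big") % self.m

    def add(self, item):
        for j in self._indexes(item):
            self.bits[j // 8] |= 1 << (j % 8)

    def __contains__(self, item):
        return all(self.bits[j // 8] >> (j % 8) & 1 for j in self._indexes(item))

def build_cascade(revoked, valid, p=0.5):
    """BF1 holds R; each later level holds the previous level's false positives."""
    p1 = min(p, len(revoked) * math.sqrt(p) / max(len(valid), 1))  # p_1 = r*sqrt(p)/s
    levels, include, exclude = [], set(revoked), set(valid)
    while include:
        bf = Bloom(len(include), p if levels else p1, len(levels) + 1)
        for item in include:
            bf.add(item)
        levels.append(bf)
        include, exclude = {x for x in exclude if x in bf}, include
    return levels

def is_revoked(levels, u):
    """Only meaningful for u in U (R plus S), the sets the cascade was built from."""
    for i, bf in enumerate(levels, start=1):
        if u not in bf:
            return i % 2 == 0       # first miss at odd i: not in R; at even i: in R
    return len(levels) % 2 == 1     # hit every level: in R iff the level count is odd

# Constructed sample data: 50 revoked and 2000 valid serials (not real certificates).
R = {b"serial-%d" % n for n in range(50)}
S = {b"serial-%d" % n for n in range(50, 2050)}
CASCADE = build_cascade(R, S)
BF1_FALSE_POSITIVES = sum(1 for u in S if u in CASCADE[0])
ERRORS = sum(is_revoked(CASCADE, u) != (u in R) for u in R | S)
```

BF1 alone misclassifies some valid serials as revoked, while the full cascade answers every member of U correctly; a serial outside U can still get a wrong answer, which is the "constrained, finite set" caveat.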
CRLite Architecture
CRLite Aggregator
CRLite: A Scalable System for Pushing All TLS Revocations to All Browsers. Larisch et al. IEEE S&P 2017
Implementing CRLite for Firefox
Individuals’ security and privacy on the Internet are fundamental and must not be treated as optional.
Principle 4
- CRL-like properties
- Small data sizes (fast to parse)
- Incremental updates
- Scales well
- Builds on useful properties of CT
Building the thing!
4 x 95 M 1.4 MB 0.4 MB
Have our OneCRL mechanism for signing and pushing.
Implementing CRLite for Firefox
Paper did have a prototype using Firefox → built as a Firefox extension.
Academic Prototype
- TLS APIs for cert checking: JavaScript (11.9 MB memory)
- 10 ms to check a cert chain; includes parsing certs (API provides unparsed certs)
Mozilla Prototype
- Native code (C++, Rust, some JS)
- 0.04 ms (check a cert); < 8 ms (all Firefox calls to check a chain)
- We check end-entity certs
- Use OneCRL -> intermediates
Building the thing!
1. Create our aggregator to produce filters
2. Write the client-side code for checking filters
3. Link up to our Remote Settings infrastructure to push filters
> 2B!
S: unexpired, valid
R: unexpired, revoked
“It’s hard, Thyla, just plain hard.”
1. Create our aggregator to produce filters
single high-performance server, large disk
cache size? slow downs, Golang timeouts
process CT logs, create filters, store, publish
CPU usage of the Kubernetes cluster for filter generation, each peak is a generation run.
Filter generation times (minutes): creating R & S, cascaded filter generation
Where are we now?
12-day period in December
289
median 125 ms
A few technical caveats
- We don’t catch Let’s Encrypt entries in our filter -- they currently don’t have a CRL, but this should change soon
- The client needs to check if using CRLite for revocation is possible -- if not, resort to OCSP
- So, we’re not fully fail-closed, yet
PROTOTYPE!
Are we done yet?
- Deeper security questions and attack scenarios
○ stress testing, sizing, p values?
- Crypto agility
○ upgrade the hash functions?
- Architecture enhancements
- Performance enhancements
○ smaller delta sizes
As robust as possible!
Design Build Refine Academia Academia Industry
From Academia to Industry?
- Idea tracks well, and a Firefox extension helped. We like it :-).
- But the paper doesn’t/couldn’t take our existing infrastructure into account. (In this case, our infrastructure helps).
- Timing - other tools can be harnessed in the solution.
Intern project Further development Working prototype ??? Refinement
Here now...
“It’s an excellent solution to a problem we shouldn’t have.”
Is this going to help us move towards a more robust Web PKI? The Web PKI is fundamental but it’s fragile.
Academia Industry
Thank Yous and Blog Posts...
★ Thank you! J.C. Jones, Dana Keeler, Mark Goodwin, Dipen Patel, Benton Case, the CRLite Academic Team, especially Christo Wilson and Dave Levin, as well as other teams, including Tom Shrimpton, David Clayton, Kenny Paterson, Karin Holzhauser, and many more.
★ Released today - our CRLite blog post at https://blog.mozilla.org/security/2020/01/09/crlite-part-1-all-web-pki-revocations-compressed