Revocaton protocols of WebPKI and Revocaton Transparency Nikita - - PowerPoint PPT Presentation

revocaton protocols of webpki and revocaton transparency
SMART_READER_LITE
LIVE PREVIEW

Revocaton protocols of WebPKI and Revocaton Transparency Nikita - - PowerPoint PPT Presentation

Aug 11, 2023 265 likes •382 views

Revocaton protocols of WebPKI and Revocaton Transparency Nikita Korzhitskii Niklas Carlsson Lifecycle of a typical WebPKI certfcate www.liu.se Certificate Certificate Authority Server 1. Issuance www.liu.se Hello 2. Use Certificate

slide-1
SLIDE 1

Revocaton protocols of WebPKI and Revocaton Transparency

Nikita Korzhitskii Niklas Carlsson

slide-2
SLIDE 2

Certificate Authority Server

  • 1. Issuance

Lifecycle of a typical WebPKI certfcate

Client Server

  • 2. Use

Certificate Certificate Hello Key exchange, communication

  • 3. Expiration

Certificate

...

Certificate Name: www.liu.se From: January 1 To: February 30

Client Server

Certificate Hello You shall not pass!

⏰ April, 1st

www.liu.se www.liu.se www.liu.se

slide-3
SLIDE 3

Certificate Authority Revocation status endpoint, R*

Revoking a certfcate

Certificate Certificate Certificate Name: www.liu.se From: January 1 To: February 30 Revocation status found at: R

Client Server

Certificate Hello You shall not pass!

⏰ February, 1st

+ Revocation reason *OCSP and/or CRL

Revocation status endpoint, R*

Is Certificate OK? Revoked

  • 1. Revocation – is a process of invalidating a certificate prior its expiration.
  • 2. Status delivery

Let the private key of the certificate be compromised, and the certificate owner asks the CA to revoke the certificate. Then:

slide-4
SLIDE 4

Certfcate Revocaton List (RFC 5280)*

http://ca.liu.se/revoked.crl [issuer] serial# [date] [reasonCode] 52 liu.se Feb, 4 1 412 liu.se Feb, 9 5 ... CRL date, next update, signature *CRLs are being phased out.

slide-5
SLIDE 5

Online Certfcate Status Protocol (RFC 6960)

Client OCSP responder

Serial#, H(issuerDN), H(issuerKey) http://ocsp.liu.se/ Status, [Revocation Date], [Next update], [Signature]

OCSP ”stapling” (RFC 6066, 6961)

Client Server

Certificate Hello

OCSP responder

Is Certificate OK? Good, Signed status , Signed status

...

slide-6
SLIDE 6

CA Web server Client

CRL

2 1

(a) CRL Web server Client

OCSP

CA

1 2

(b) OCSP

Web server Client CA

2 1

OCSP OCSP OCSP

3

(c) OCSP Stapling Web server Client CA

2 1

OCSP OCSP

(d) OCSP Must-Staple

Steps in the process of checking revocation status with different protocols: (a) with CRLs, the client fetches the (potentially large) CRL after obtaining the certificate in the TLS handshake; (b) with OCSP, the client asks for the revocation status of only the particular certificate; (c) with OCSP Stapling, the server is supposed to prefetch the OCSP response and provide it in the handshake, and if it does not, the client can fetch the OCSP response as in (b); and (d) with OCSP Must-Staple, the server must provide an OCSP response in the handshake or the client will reject the certificate.

Chung et al., Is the Web Ready for OCSP Must-Staple? IMC '18

slide-7
SLIDE 7

Revocaton does not work

  • Liu et al., An End-to-End Measurement of Certfiate Revoiaton in the

Web’s PKI, IMC 2015 – obtaining certfcate status is expensive – most browsers don’t check certfcate status – custom revocaton set (CRLSet by Google) only covers 0.35% of all revocatons

  • Chung et al., Is the Web Ready for OCSP Must-Staple? IMC 2018

– not yet

  • Mass revocatons happen, and their exact scale is unclear

– Zhang et al., Analysis of SSL Certfiate Reissues and Revoiatons in the Wake of Heartbleed, IMC 2014 – htps://arstechnica.com/informaton-technology/2019/03/godaddy-apple-and-google-goof-results-in-1-million-misissued-

certfcates/

Other issues with current revocaton status protocols:

  • Performance (OCSP, CRL)
  • Availability (OCSP, CRL)
  • Replay atacks (OCSP, CRL)
  • Privacy (OCSP)
  • Sof-fails (Browsers ignore failed status requests)
  • Transparency
slide-8
SLIDE 8

Revocaton does not work – Fixes

  • Must-staple
  • Custom revocaton sets (CRLSet, OneCRL, ...)
  • Short validity periods
  • A totally new WebPKI …

– Yu et al., DTKI: a new Formalized PKI with Verifable Trusted Partes, 2016 – Kubilay et al., CertLedger: A new PKI model with Certfcate Transparency based on blockchain, 2019

  • Revocaton Transparency

Possible fxes:

slide-9
SLIDE 9

Revocaton Transparency

  • Broadly, a mechanism for logging (and optonally, delivery) of

revocatons.

  • Could be used to create up-to-date revocaton sets, detect revocaton-

related misbehavior by CAs, immutably preserve revocaton history.

  • Several schemes, standalone or as a part of a new PKI:

– Laurie & Kasper, Revocaton Transparency, Google, 2012 – CertLedger (Kubilay et al., 2019), AKI (Hyun-Jin Kim et al., 2013), DTKI (Yu et al., 2016), CertChain (Chen et al., 2018)

  • Our research goal:
  • Motvate the need for Revocaton Transparency through (an ongoing)

measurement

  • Develop a feasible and low-deployment-cost Revocaton Transparency

scheme on top of existng Certfcate Transparency

  • Compare with other proposals
slide-10
SLIDE 10

www.liu.se Thank you!