Homework #8 Solutions

Brian A. LaMacchia
bal@cs.washington.edu
bal@microsoft.com

Portions © 2002-2006, Brian A. LaMacchia. This material is provided without warranty of any kind including, without limitation, warranty of non-infringement or suitability for any purpose. This material is not guaranteed to be error free and is intended for instructional use only.

Dec 22, 2015


February 7, 2006, Practical Aspects of Modern Cryptography

Question 1 – Fun w/ Revocation

VeriSign’s RSASecureServer.crl. As of 3am Wed., Feb. 22:
  Valid from 2/22/06 to 3/8/06
  515,243 bytes in size
  14,714 entries

Assume that all of the certs listed on the CRL were issued within the past 12 months.

VeriSign claims to have about 500,000 sites with “Secure Server IDs”, so assume that’s the universe from which 14,714 certs have been revoked.


Question 1a

Assume 200,000,000 users who will negotiate an SSL/TLS session with at least one of the 500,000 sites over the next two weeks.

On average, how much bandwidth is VeriSign going to use per day distributing the RSASecureServer CRL?
  You may assume user requests for CRLs are evenly distributed throughout the CRL’s two-week validity period.


Question 1a

200M users, CRLs last 14 days, so on average 1/14th of the users will have to download the CRL each day.

200M/14 = 14.285714M downloads/day
* 515,243 bytes/download
= ~7.360x10^12 bytes of bandwidth per day


Question 1b

Assume there also exists an OCSP responder for the same data.

If the average size of an OCSP request/response message pair is 3KB, how many OCSP responses would the average user have to request from the VeriSign OCSP responder per day in order to generate the same amount of bandwidth usage as the CRL downloading you calculated in Question 1(a)?


Question 1b

~7.360x10^12 bytes of bandwidth per day
/ 3KB/OCSP request/response pair
= 2.453x10^9 OCSP round-trips
/ 200,000,000 users
= ~12.267 OCSP requests/user/day


Question 1c

USG wants to issue a cert to each of 60 million passport holders.

VeriSign is experiencing about a 3% revocation rate; assume that the same rate would apply for these certs.

Approximately how big would the CRL be for the personal certs issued by the US Government?
  You may assume that each CRL entry requires 35 bytes of storage when ASN.1 encoded.


Question 1c

60 million passport holders * 3% revocation rate = 1.8 million revoked certs at any one time.

1.8 million * 35 bytes/entry = 63x10^6 bytes in the CRL


Question 2

Design a certificate enrollment protocol for enrolling each user for two certificates
  Leverage the user’s Kerberos credentials to authenticate the certificate requests to the CA.
  You can choose whether users enroll for both signing and encryption certificates simultaneously (in one execution of the protocol) or sequentially (in two executions of the protocol).


Question 2

Assume client generates all keys
  Signature key pair: K_Spub, K_Spriv
  Encryption key pair: K_Epub, K_Epriv

The enrollment protocol has to provide:
  Authentication of the client
  Proof-of-possession of the corresponding private keys


Question 2 – Solution 1

Client uses Kerberos to obtain a ticket for the CA. Assume the ticket contains shared secret K_C,CA.

For each key, client forms a self-signed “certificate request” message (e.g. PKCS#10) that contains the public key and identifying information
  CertReqS = {K_Spub, Username}K_Spriv
  CertReqE = {K_Epub, Username}K_Epriv
    Only works if K_Epriv can also sign!


Question 2 – Solution 1

Client sends the cert requests to the CA encrypted with the Kerberos shared secret

C → CA: {CertReqS, CertReqE}K_C,CA

CA decrypts the message (which authenticates that it came from C)

CA verifies the signatures on CertReqS and CertReqE, yielding proof-of-possession of the corresponding private keys


Question 2 – Solution 1

CA compares the username inside the requests with the identity associated with the Kerberos key K_C,CA

CA issues certs CertS and CertE binding the keys to the username (or whatever identity information he wants to be in the certs).
  CertS = {K_Spub, username}K_CApriv
  CertE = {K_Epub, username}K_CApriv

CA sends the certs back to the client (unencrypted).


Question 2 – Solution 2

What if you can’t sign with the encryption key?
  If C can only encrypt, how do you do proof-of-possession?
    Method 1: add a challenge-response round (but that adds round-trips)
    Method 2: encrypt the cert in the reply


Question 2 – Solution 2

Client uses Kerberos to obtain a ticket for the CA. Assume the ticket contains shared secret K_C,CA.

For each key, client forms a “certificate request” message (e.g. PKCS#10) that contains the public key and identifying information. Only CertReqS is signed.
  CertReqS = {K_Spub, Username}K_Spriv
  CertReqE = {K_Epub, Username} unsigned
    Could also sign with K_Spriv


Question 2 – Solution 2

Client sends the cert requests to the CA encrypted with the Kerberos shared secret

C → CA: {CertReqS, CertReqE}K_C,CA

CA decrypts the message (which authenticates that it came from C)

CA verifies the signature on CertReqS, yielding proof-of-possession for the signature key


Question 2 – Solution 2

CA verifies identity info
CA issues certs CertS and CertE
  CertS = {K_Spub, username}K_CApriv
  CertE = {K_Epub, username}K_CApriv

CA sends the certs back to the client; CertS can go unencrypted but at least CertE is encrypted to K_Epub

CA → C: CertS, {CertE}K_Epub

Client has to decrypt with K_Epriv to obtain CertE, thus proving possession in order to use the cert.
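
The Solution 2 exchange as a runnable model, added here as an illustration and not part of the original slides. It assumes textbook RSA over small Mersenne primes and an HMAC tag standing in for encryption under K_C,CA; all function names and sample values are hypothetical.

```python
import hashlib, hmac, json, secrets

E = 65537  # public exponent shared by all toy keys

def keypair(p, q):
    """Textbook RSA (pub, priv) from two primes; no padding, toy sizes only."""
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))

def h(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(priv, data):
    return pow(h(data, priv[0]), priv[1], priv[0])

def verify(pub, data, sig):
    return pow(sig, pub[1], pub[0]) == h(data, pub[0])

def tag(k, data):
    # Assumption: stands in for {...}K_C,CA; only C and the CA can compute it.
    return hmac.new(k, data, hashlib.sha256).hexdigest()

def client_request(k_c_ca, user, s_pub, s_priv, e_pub):
    req_s = json.dumps({"key": s_pub, "user": user})
    req_e = json.dumps({"key": e_pub, "user": user})  # unsigned, as in Solution 2
    msg = json.dumps({"CertReqS": req_s, "sig": sign(s_priv, req_s.encode()),
                      "CertReqE": req_e}).encode()
    return msg, tag(k_c_ca, msg)

def ca_issue(k_c_ca, kerberos_user, ca_priv, msg, msg_tag):
    if not hmac.compare_digest(msg_tag, tag(k_c_ca, msg)):
        raise ValueError("request not authenticated under K_C,CA")
    m = json.loads(msg)
    req_s, req_e = json.loads(m["CertReqS"]), json.loads(m["CertReqE"])
    if not verify(req_s["key"], m["CertReqS"].encode(), m["sig"]):
        raise ValueError("no proof-of-possession for the signature key")
    if req_s["user"] != kerberos_user or req_e["user"] != kerberos_user:
        raise ValueError("username does not match the Kerberos identity")
    cert_s = (m["CertReqS"], sign(ca_priv, m["CertReqS"].encode()))
    cert_e = json.dumps([m["CertReqE"],
                         sign(ca_priv, m["CertReqE"].encode())]).encode()
    # {CertE}K_Epub: wrap a random r under K_Epub, mask CertE with a stream from r.
    n_e, e_e = req_e["key"]
    r = secrets.randbelow(n_e - 2) + 2
    pad = hashlib.shake_256(str(r).encode()).digest(len(cert_e))
    return cert_s, (pow(r, e_e, n_e), bytes(a ^ b for a, b in zip(cert_e, pad)))

def client_open_cert_e(e_priv, wrapped):
    """Only the holder of K_Epriv recovers r, and with it a usable CertE."""
    c, masked = wrapped
    r = pow(c, e_priv[1], e_priv[0])
    pad = hashlib.shake_256(str(r).encode()).digest(len(masked))
    body, ca_sig = json.loads(bytes(a ^ b for a, b in zip(masked, pad)))
    return body, ca_sig

# Constructed demo material: Mersenne primes as toy RSA primes, random session key.
S_PUB, S_PRIV = keypair(2**127 - 1, 2**89 - 1)     # client signature key pair
E_PUB, E_PRIV = keypair(2**107 - 1, 2**61 - 1)     # client encryption key pair
CA_PUB, CA_PRIV = keypair(2**607 - 1, 2**521 - 1)  # CA signing key pair
K_C_CA = secrets.token_bytes(32)                   # shared secret from the ticket
```

Opening the wrapped CertE with any key other than K_Epriv yields bytes that do not parse, so the certificate is unusable without the private key.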


Question 3

Modify the protocol you designed in Question 2 to include a key escrow feature for the encryption key pair.


Question 3

With client-side key gen, just need to send the encryption private key along with the encryption cert request

C → CA: {CertReqS, K_Epriv, CertReqE}K_C,CA

CA verifies that K_Epriv and K_Epub (in CertReqE) match
  Only issues CertE if they verify
  No additional POP required, since the server sees the private key


Question 4 – Cert Rollover

Certificate Rollover

Validation fails due to key mismatch

Issuer Name: Root
Subject Name: CA
Subj. Public Key: K1
Validity: (t1,t2)
Signed with key KR

Issuer Name: Root
Subject Name: CA
Subj. Public Key: K2
Validity: (t3,t4)
Signed with key KR

Issuer Name: CA
Subject Name: EE
Subj. Public Key: KE
Validity: (t1,t4)
Signed with key K1

Issuer Name: Root
Subject Name: Root
Subj. Public Key: KR
Validity: (t1,t4)
Signed with key KR


Question 4a

Assume that t1 < t2 < t3 < t4. Make the end-entity certificates validate at times t3 < t < t4 without re-issuing.


Question 4a

Certificate Rollover

Issuer Name: Root
Subject Name: CA
Subj. Public Key: K2
Validity: (t3,t4)
Signed with key KR

Issuer Name: CA
Subject Name: EE
Subj. Public Key: KE
Validity: (t1,t4)
Signed with key K1

Issuer Name: Root
Subject Name: Root
Subj. Public Key: KR
Validity: (t1,t4)
Signed with key KR

Issuer Name: CA
Subject Name: CA
Subj. Public Key: K1
Validity: (t3,t4)
Signed with key K2


Question 4b

Assume that t1 < t3 < t2 < t4. For the period of time t3 < t < t2 end entity certificate should be able to chain-validate under both the old and new intermediate certificates.


Question 4b

Issuer Name: Root
Subject Name: CA
Subj. Public Key: K2
Validity: (t3,t4)
Signed with key KR

Issuer Name: CA
Subject Name: EE
Subj. Public Key: KE
Validity: (t1,t4)
Signed with key K1

Issuer Name: Root
Subject Name: Root
Subj. Public Key: KR
Validity: (t1,t4)
Signed with key KR

Issuer Name: CA
Subject Name: CA
Subj. Public Key: K1
Validity: (t3,t4)
Signed with key K2

Issuer Name: Root
Subject Name: CA
Subj. Public Key: K1
Validity: (t1,t2)
Signed with key KR

Issuer Name: CA
Subject Name: EE
Subj. Public Key: KE
Validity: (t3,t4)

Issuer Name: Root
Subject Name: Root
Subj. Public Key: KR
Validity: (t1,t4)
Signed with key KR

Issuer Name: CA
Subject Name: CA
Subj. Public Key: K2
Validity: (t3,t2)

Signed with key K1
Signed with key K2
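
The rollover fixes for Questions 4a and 4b as a small path-building model, added here as an illustration and not part of the original slides. Certificates are records with key labels instead of real signatures, the times are constructed integers, and the signing keys of the last two 4b certificates (K1 for the CA-to-CA cert on K2, K2 for the new EE cert) are an assumed reading of the slide.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    issuer: str
    subject: str
    key: str          # label of the subject public key
    valid: tuple      # (start, end) of the validity period
    signed_with: str  # label of the key that signed this certificate

def chains(cert, pool, root, t, seen=()):
    """Every path cert -> ... -> root that is usable at time t.

    Model only: no real signatures. A parent must match the child's issuer
    name AND hold the key the child was signed with; matching on name alone
    is the "validation fails due to key mismatch" case.
    """
    if not cert.valid[0] < t < cert.valid[1]:
        return []
    if cert == root:
        return [[cert]]
    paths = []
    for parent in pool:
        if parent in seen or parent == cert:
            continue  # the two CA-to-CA certificates would otherwise loop
        if parent.subject == cert.issuer and parent.key == cert.signed_with:
            for rest in chains(parent, pool, root, t, seen + (cert,)):
                paths.append([cert] + rest)
    return paths

def scenario_4a(t=35):
    t1, t2, t3, t4 = 10, 20, 30, 40  # constructed times, t1 < t2 < t3 < t4
    root = Cert("Root", "Root", "KR", (t1, t4), "KR")
    old = Cert("Root", "CA", "K1", (t1, t2), "KR")
    new = Cert("Root", "CA", "K2", (t3, t4), "KR")
    ee = Cert("CA", "EE", "KE", (t1, t4), "K1")
    link = Cert("CA", "CA", "K1", (t3, t4), "K2")  # added cert: K2 vouches for K1
    before = chains(ee, [root, old, new], root, t)
    after = chains(ee, [root, old, new, link], root, t)
    return before, [[c.key for c in p] for p in after]

def scenario_4b(t=25):
    t1, t3, t2, t4 = 10, 20, 30, 40  # constructed times, t1 < t3 < t2 < t4
    root = Cert("Root", "Root", "KR", (t1, t4), "KR")
    old = Cert("Root", "CA", "K1", (t1, t2), "KR")
    new = Cert("Root", "CA", "K2", (t3, t4), "KR")
    link = Cert("CA", "CA", "K1", (t3, t4), "K2")
    cross = Cert("CA", "CA", "K2", (t3, t2), "K1")   # assumed signer: K1
    ee_old = Cert("CA", "EE", "KE", (t1, t4), "K1")
    ee_new = Cert("CA", "EE", "KE", (t3, t4), "K2")  # assumed signer: K2
    pool = [root, old, new, link, cross]
    # CA keys sitting directly under Root in the chains found for each EE cert
    return tuple({p[-2].key for p in chains(ee, pool, root, t)}
                 for ee in (ee_old, ee_new))
```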