February 7, 2006 Practical Aspects of Modern Cryptography (slide 2)
Question 1 – Fun w/ Revocation
VeriSign’s RSASecureServer.crl. As of 3am Wed., Feb. 22: Valid from 2/22/06 to 3/8/06; 515,243 bytes in size; 14,714 entries.
Assume that all of the certs listed on the CRL were issued within the past 12 months.
VeriSign claims to have about 500,000 sites with “Secure Server IDs”, so assume that’s the universe from which 14,714 certs have been revoked.
Question 1a
Assume 200,000,000 users who will negotiate an SSL/TLS session with at least one of the 500,000 sites over the next two weeks.
On average, how much bandwidth is VeriSign going to use per day distributing the RSASecureServer CRL? You may assume user requests for CRLs are evenly distributed throughout the CRL’s two-week validity period.
Question 1a
200M users, CRLs last 14 days, so on average 1/14th of the users will have to download the CRL each day.
515,243 bytes/download, so ~7.360x10^12 bytes of bandwidth per day.
Question 1b
Assume there also exists an OCSP responder for the same data.
If the average size of an OCSP request/response message pair is 3KB, how many OCSP responses would the average user have to request from the VeriSign OCSP responder per day in order to generate the same amount of bandwidth usage as the CRL downloading you calculated in Question 1(a)?
Question 1b
~7.360x10^12 bytes of bandwidth per day
Question 1c
USG wants to issue a cert to each of 60 million passport holders.
VeriSign is experiencing about a 3% revocation rate; assume that the same rate would apply for these certs.
Approximately how big would the CRL be for the personal certs issued by the US Government? You may assume that each CRL entry requires 35 bytes of storage when ASN.1 encoded.
Question 1c
60 million passport holders * 3% revocation rate = 1.8 million revoked certs at any one time.
1.8 million * 35 bytes/entry = 63x10^6 bytes in the CRL
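The three estimates in Question 1 as one parametrised model, added here as an example that is not part of the slides. The inputs are the slide's own figures; the only assumption is that "3KB" means 3072 bytes (the slide does not say which kilobyte it uses, and the answer is ~12 either way). The model goes a little beyond the slides: it also derives the 1b figure, about 12 OCSP checks per user per day before OCSP costs more bandwidth than the CRL, and the observed VeriSign revocation rate that justifies the 3% used in 1c.

```python
"""CRL vs. OCSP distribution cost model (added example; inputs are the slide's figures)."""

# Constructed constants, taken from the slides
USERS = 200_000_000            # users negotiating SSL/TLS in the two-week window
CRL_VALIDITY_DAYS = 14         # 2/22/06 to 3/8/06
CRL_BYTES = 515_243            # size of RSASecureServer.crl
CRL_ENTRIES = 14_714
SITE_POPULATION = 500_000      # "Secure Server IDs" in circulation
OCSP_PAIR_BYTES = 3 * 1024     # assumption: 3KB read as 3072 bytes
PASSPORT_HOLDERS = 60_000_000
CRL_ENTRY_BYTES = 35           # per ASN.1-encoded CRL entry


def crl_bandwidth_per_day(users=USERS, validity_days=CRL_VALIDITY_DAYS, crl_bytes=CRL_BYTES):
    """Bytes/day when every user fetches the CRL once per validity period, evenly spread."""
    return users / validity_days * crl_bytes


def ocsp_checks_per_user_per_day(crl_bytes=CRL_BYTES, validity_days=CRL_VALIDITY_DAYS,
                                 pair_bytes=OCSP_PAIR_BYTES):
    """OCSP request/response pairs per user per day that cost the same as the CRL.
    The user count cancels: each user's share of the CRL cost is crl_bytes / validity_days."""
    return crl_bytes / validity_days / pair_bytes


def observed_revocation_rate(revoked=CRL_ENTRIES, population=SITE_POPULATION):
    """Fraction of the issued population currently on the CRL (~2.9% for VeriSign)."""
    return revoked / population


def crl_size_bytes(population=PASSPORT_HOLDERS, revocation_rate=0.03, entry_bytes=CRL_ENTRY_BYTES):
    """Steady-state CRL size for a population with a given revocation rate."""
    return population * revocation_rate * entry_bytes


def summary():
    """All three answers in one place, for printing or checking."""
    return {
        "1a_crl_bytes_per_day": crl_bandwidth_per_day(),
        "1b_ocsp_checks_per_user_per_day": ocsp_checks_per_user_per_day(),
        "verisign_revocation_rate": observed_revocation_rate(),
        "1c_passport_crl_bytes": crl_size_bytes(),
    }


if __name__ == "__main__":
    for k, v in summary().items():
        print(f"{k}: {v:,.2f}")
```

The 1b function is the one worth keeping: it says that OCSP only wins on bandwidth if a typical user checks fewer than about a dozen certificates a day, and that the break-even moves with the CRL size, which grows with the revoked population rather than with the number of clients.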
Question 2
Design a certificate enrollment protocol for enrolling each user for two certificates. Leverage the user’s Kerberos credentials to authenticate the certificate requests to the CA.
You can choose whether users enroll for both signing and encryption certificates simultaneously (in one execution of the protocol) or sequentially (in two executions of the protocol).
Question 2
Assume client generates all keys. Signature key pair: K_Spub, K_Spriv
The enrollment protocol has to provide:
Authentication of the client
Proof-of-possession of the
Question 2 – Solution 1
Client uses Kerberos to obtain a ticket for the CA. Assume the ticket contains shared secret K_C,CA.
For each key, client forms a self-signed “certificate request” message (e.g. PKCS#10) that contains the public key and identifying information: CertReqS = {K_Spub, Username}K_Spriv
Only works if K_Epriv can also sign!
Question 2 – Solution 1
Client sends the cert requests to the CA encrypted with the Kerberos shared secret.
CA decrypts the message (which authenticates that it came from C).
CA verifies the signatures on CertReqS and CertReqE, yielding proof-of-possession of the corresponding private keys.
Question 2 – Solution 1
CA compares the username inside the requests with the identity associated with the Kerberos key K_C,CA.
CA issues certs CertS and CertE binding the keys to the username (or whatever identity information he wants to be in the certs): CertS = {K_Spub, username}K_CApriv
CA sends the certs back to the client (unencrypted).
Question 2 – Solution 2
What if you can’t sign with the encryption key? If C can only encrypt, how do you do proof-of-possession?
Method 1: add a challenge response round (but that adds round-trips)
Method 2: encrypt the cert in the reply
Question 2 – Solution 2
Client uses Kerberos to obtain a ticket for the CA. Assume the ticket contains shared secret K_C,CA.
For each key, client forms a “certificate request” message (e.g. PKCS#10) that contains the public key and identifying information. Only CertReqS is signed.
CertReqS = {K_Spub, Username}K_Spriv
CertReqE = {K_Epub, Username} unsigned (could also sign with K_Spriv)
Question 2 – Solution 2
Client sends the cert requests to the CA encrypted with the Kerberos shared secret.
CA decrypts the message (which authenticates that it came from C).
CA verifies the signature on CertReqS, yielding proof-of-possession for the signature key.
Question 2 – Solution 2
CA verifies identity info. CA issues certs CertS and CertE.
CA sends the certs back to the client; CertS can go unencrypted but at least CertE is encrypted to K_Epub:
CA -> C: CertS, {CertE}K_Epub
Client has to decrypt with K_Epriv to obtain CertE, thus proving possession in order to use the cert.
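Solution 2 end to end, as an added example that is not part of the slides: the client signs CertReqS with K_Spriv, leaves CertReqE unsigned, seals both under the Kerberos shared secret K_C,CA, and the CA verifies the signature, matches the username against the Kerberos identity, then returns CertS in the clear and CertE encrypted to K_Epub. Everything cryptographic here is a stand-in and an assumption of the example: textbook RSA over small fixed primes for the three key pairs, a SHA-256 keystream plus HMAC for "encrypted with the Kerberos shared secret", a random 32-byte string for the session key, and JSON for PKCS#10. The sizes are toy sizes and none of it is fit for real use; the point is the message flow and where each check happens.

```python
"""Toy model of the Question 2 / Solution 2 enrollment flow (added example, not from the slides).
Textbook RSA over small fixed primes stands in for the key pairs; NOT for real use."""
import hashlib
import hmac
import json
import secrets

E = 65537

def rsa_keypair(p, q):
    """(pub, priv) = ((n, e), (n, d)) from two primes (constructed toy sizes)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))

def h_mod(n, data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def rsa_sign(priv, data):
    n, d = priv
    return pow(h_mod(n, data), d, n)

def rsa_verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == h_mod(n, data)

def keystream_xor(key, data):
    """XOR data with SHA-256(key || counter) blocks (toy stream cipher, symmetric)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def rsa_encrypt(pub, data):
    """Hybrid: wrap a fresh 56-bit key with textbook RSA, stream the payload under it."""
    n, e = pub
    k = secrets.randbits(56)
    return pow(k, e, n), keystream_xor(k.to_bytes(8, "big"), data)

def rsa_decrypt(priv, ciphertext):
    n, d = priv
    wrapped, body = ciphertext
    return keystream_xor(pow(wrapped, d, n).to_bytes(8, "big"), body)

def kerberos_seal(k_c_ca, data):
    """Encrypt-then-MAC under the shared secret K_C,CA from the Kerberos ticket."""
    body = keystream_xor(k_c_ca, data)
    return body + hmac.new(k_c_ca, body, "sha256").digest()

def kerberos_open(k_c_ca, sealed):
    body, tag = sealed[:-32], sealed[-32:]
    if not hmac.compare_digest(tag, hmac.new(k_c_ca, body, "sha256").digest()):
        raise ValueError("bad MAC: message not from C")
    return keystream_xor(k_c_ca, body)

def client_requests(username, sig_pub, sig_priv, enc_pub):
    """CertReqS = {K_Spub, Username}K_Spriv (signed); CertReqE = {K_Epub, Username} (unsigned)."""
    body = {"pub": list(sig_pub), "user": username}
    req_s = dict(body, sig=rsa_sign(sig_priv, json.dumps(body, sort_keys=True).encode()))
    req_e = {"pub": list(enc_pub), "user": username}
    return json.dumps([req_s, req_e]).encode()

def issue_cert(ca_priv, subject, pub):
    tbs = json.dumps({"issuer": "CA", "subject": subject, "pub": pub}, sort_keys=True).encode()
    return tbs + b"|" + str(rsa_sign(ca_priv, tbs)).encode()

def cert_verify(ca_pub, cert):
    try:
        tbs, sig = cert.rsplit(b"|", 1)
        return rsa_verify(ca_pub, tbs, int(sig))
    except ValueError:          # garbage from a wrong decryption key never parses
        return False

def ca_process(sealed, k_c_ca, kerberos_identity, ca_priv):
    """CA side: decrypt (authenticates C), check POP on CertReqS, match identity, issue."""
    req_s, req_e = json.loads(kerberos_open(k_c_ca, sealed))
    sig = req_s.pop("sig")
    if not rsa_verify(tuple(req_s["pub"]), json.dumps(req_s, sort_keys=True).encode(), sig):
        raise ValueError("CertReqS: proof-of-possession failed")
    if not (req_s["user"] == req_e["user"] == kerberos_identity):
        raise ValueError("username does not match Kerberos identity")
    cert_s = issue_cert(ca_priv, req_s["user"], req_s["pub"])
    cert_e = issue_cert(ca_priv, req_e["user"], req_e["pub"])
    # CA -> C: CertS in the clear, {CertE}K_Epub so only the holder of K_Epriv can read it
    return cert_s, rsa_encrypt(tuple(req_e["pub"]), cert_e)

def run_protocol(username="alice", enc_priv_override=None):
    """Full exchange; returns (CertS verifies, recovered CertE verifies)."""
    sig_pub, sig_priv = rsa_keypair(1000000007, 998244353)   # K_Spub, K_Spriv (toy)
    enc_pub, enc_priv = rsa_keypair(1000000009, 469762049)   # K_Epub, K_Epriv (toy)
    ca_pub, ca_priv = rsa_keypair(1000000021, 754974721)     # CA key (toy)
    k_c_ca = secrets.token_bytes(32)                          # stands in for the ticket's K_C,CA
    sealed = kerberos_seal(k_c_ca, client_requests(username, sig_pub, sig_priv, enc_pub))
    cert_s, cert_e_ct = ca_process(sealed, k_c_ca, "alice", ca_priv)
    cert_e = rsa_decrypt(enc_priv_override or enc_priv, cert_e_ct)  # needs K_Epriv: implicit POP
    return cert_verify(ca_pub, cert_s), cert_verify(ca_pub, cert_e)

def identity_mismatch_rejected():
    """A request whose username differs from the Kerberos identity is refused by the CA."""
    try:
        run_protocol("mallory")
        return False
    except ValueError:
        return True

if __name__ == "__main__":
    print(run_protocol(), identity_mismatch_rejected())
```

Running it with a wrong K_Epriv (the `enc_priv_override` parameter) yields an unusable CertE while CertS is unaffected, which is exactly the Method 2 property: the CA never learns whether the client holds K_Epriv, but a client that does not cannot use the certificate.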
Question 3
Modify the protocol you designed in Question 2 to include a key escrow feature for the encryption key pair.
Question 3
With client-side key gen, just need to send the encryption private key along with the encryption cert request.
CA verifies that K_Epriv and K_Epub (in CertReqE) match. Only issues CertE if they verify.
No additional POP required, since the server sees the private key.
Question 4a
Assume that t1 < t2 < t3 < t4. Make the end-entity certificates validate at times t3 < t < t4 without re-issuing.
Question 4a
Certificate Rollover

Root certificate (self-signed):
Issuer Name: Root
Subject Name: Root
Subj. Public Key: KR
Validity: (t1,t4)
Signed with key KR

New CA certificate:
Issuer Name: Root
Subject Name: CA
Subj. Public Key: K2
Validity: (t3,t4)
Signed with key KR

Rollover certificate (new key certifies old key):
Issuer Name: CA
Subject Name: CA
Subj. Public Key: K1
Validity: (t3,t4)
Signed with key K2

End-entity certificate:
Issuer Name: CA
Subject Name: EE
Subj. Public Key: KE
Validity: (t1,t4)
Signed with key K1
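What the rollover certificate buys you, as an added example that is not part of the slides: a small path builder over the certificates in the table, which reports every chain from the end-entity certificate up to something signed by the root key that is valid at a given time. Two things are assumptions of the example, not on the slide: the old CA certificate (Root-issued, key K1) is added with validity (t1,t2) so that the pre-rollover chain exists, and a second data set with the Question 4b ordering t1 < t3 < t2 < t4 is constructed from the same certificates. Times are the labels 1..4, keys are labels, and no real signatures are checked; only validity at t and "this certificate certifies the key that signed the one below it".

```python
"""Chain building across a CA key rollover (added example; times and keys are labels)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    issuer: str
    subject: str
    key: str          # label for the subject public key (no real crypto in this model)
    not_before: float
    not_after: float
    signed_with: str  # label for the key that signed this certificate


def valid_at(cert, t):
    return cert.not_before <= t <= cert.not_after


def build_chains(certs, leaf, t, anchor_key, chain=()):
    """Every chain leaf -> ... -> (cert signed with anchor_key), each cert valid at t.
    A cert may be followed by any cert that certifies the key it was signed with;
    `c not in chain` prevents loops if both old-signs-new and new-signs-old certs exist."""
    chain = chain + (leaf,)
    if not valid_at(leaf, t):
        return []
    if leaf.signed_with == anchor_key:
        return [chain]
    found = []
    for c in certs:
        if c.subject == leaf.issuer and c.key == leaf.signed_with and c not in chain:
            found.extend(build_chains(certs, c, t, anchor_key, chain))
    return found


def rollover_certs(t1, t2, t3, t4):
    """The slide's table for Question 4a, plus the old CA cert (assumed validity (t1,t2))."""
    return [
        Cert("Root", "Root", "KR", t1, t4, "KR"),   # self-signed root
        Cert("Root", "CA", "K1", t1, t2, "KR"),     # old CA cert (assumption, not on the slide)
        Cert("Root", "CA", "K2", t3, t4, "KR"),     # new CA cert
        Cert("CA", "CA", "K1", t3, t4, "K2"),       # rollover: new key K2 certifies old key K1
        Cert("CA", "EE", "KE", t1, t4, "K1"),       # end-entity cert, still signed with K1
    ]


def chains_at(certs, t, anchor_key="KR"):
    """Key labels along each valid chain from the EE cert at time t."""
    leaf = next(c for c in certs if c.subject == "EE")
    return [[c.key for c in ch] for ch in build_chains(certs, leaf, t, anchor_key)]


# Question 4a ordering t1 < t2 < t3 < t4, as labels 1 < 2 < 3 < 4
CERTS_4A = rollover_certs(t1=1, t2=2, t3=3, t4=4)
# Question 4b ordering t1 < t3 < t2 < t4 (constructed): old CA cert still valid after t3
CERTS_4B = rollover_certs(t1=1, t2=3, t3=2, t4=4)

if __name__ == "__main__":
    print("4a, t1 < t < t2:", chains_at(CERTS_4A, 1.5))   # direct chain via old CA cert
    print("4a, t3 < t < t4:", chains_at(CERTS_4A, 3.5))   # EE -> rollover -> new CA cert
    print("4b, t3 < t < t2:", chains_at(CERTS_4B, 2.5))   # both chains exist
```

After t3 the only path from KE to the root goes KE, K1 (rollover cert), K2 (new CA cert): the end-entity certificate is untouched, and the rollover certificate is what lets a verifier that already trusts K2 accept signatures made with K1. In the overlapping 4b ordering the same builder returns two chains in t3 < t < t2, one through the old CA certificate and one through the rollover certificate.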
Question 4b
Assume that t1 < t3 < t2 < t4. For the period of time t3 < t < t2 the end entity certificate should be able to chain-validate under both the old and new intermediate certificates.