OCSP Hash Algorithm Independence - PowerPoint PPT Presentation

About This Presentation
Title:

OCSP Hash Algorithm Independence

Description:

Analysis into IETF security protocols. Hash algorithm independence ... Request Independence Okay. Two parts make use of a hash function: Signature ::= SEQUENCE ... – PowerPoint PPT presentation

Number of Views:87
Avg rating:3.0/5.0
Slides: 11
Provided by: RussHo4
Learn more at: https://www.ietf.org
Category:

less

Transcript and Presenter's Notes

Title: OCSP Hash Algorithm Independence


1
OCSP Hash Algorithm Independence
  • Russ Housley
  • 2 November 2005

2
Bellovin / Rescorla Analysis
  • Bellovin and Rescorla gave a presentation at the
    IETF 63 Hash BOF
  • Analysis into IETF security protocols
  • Hash algorithm independence
  • Ease of transition to new hash functions
  • Many protocols were found wanting
  • They did not look at OCSP, so I did

3
Request Independence Okay
  • Two parts make use of a hash function
  • Signature SEQUENCE
  • signatureAlgorithm AlgorithmIdentifier,
  • signature BIT STRING,
  • certs 0 EXPLICIT SEQUENCE OF Certificate
    OPTIONAL
  • CertID SEQUENCE
  • hashAlgorithm AlgorithmIdentifier,
  • issuerNameHash OCTET STRING,
  • issuerKeyHash OCTET STRING,
  • serialNumber CertificateSerialNumber

4
Request Transition Concerns
  • What hash function / signature algorithm is the
    OCSP Responder permitted to use?
  • If Request is signed, could expect the same on to
    be used by the OCSP Responder
  • If Request is not signed, could expect the same
    hash function to be used, but there is no hint
    about the signature function
  • Better if the Request listed the acceptable hash
    functions and signature algorithms

5
What about the Responder?
  • How does the requestor know which hash functions
    and signature algorithms are supported by the
    OCSP Responder?
  • Three options
  • Add optional query / response
  • Requestor can ask, and then cache the answer
  • OCSP Responder Certificate
  • Similar to SMIMECapabilities extension
  • Assume Requestor configuration
  • Fine for some deployments, but not others

6
Basic OCSP Response (1 of 2)
  • Two parts look fine in their use of a hash
    function
  • BasicOCSPResponse SEQUENCE
  • tbsResponseData ResponseData,
  • signatureAlgorithm AlgorithmIdentifier,
  • signature BIT STRING,
  • certs 0 EXPLICIT SEQUENCE OF Certificate
  • OPTIONAL
  • SingleResponse SEQUENCE
  • certID CertID,
  • ...

7
Basic OCSP Response (2 of 2)
  • One place where only SHA-1 can be used
  • ResponderID CHOICE
  • byName 1 Name,
  • byKey 2 KeyHash
  • KeyHash OCTET STRING
  • -- SHA-1 hash of responder's public key
  • -- (excluding the tag and length fields)

8
Proposed Way Forward (1 of 2)
  • Define a non-critical requestExtension that
    indicates the hash functions and signature
    algorithms that are acceptable
  • Define a version 2 of the OCSP Basic Response
    that includes something like
  • ResponderKeyHash SEQUENCE
  • hashAlgorithm AlgorithmIdentifier,
  • responderKeyHash OCTET STRING

9
Proposed Way Forward (2 of 2)
  • Select the preferred mechanism for the Requestor
    to discover the Responders capabilities, and
    include it in the specification
  • All three choices may have uses
  • Add optional query / response
  • Requestor can ask, and then cache the answer
  • OCSP Responder Certificate
  • Similar to SMIMECapabilities extension
  • Assume Requestor configuration
  • Fine for some deployments, but not others

10
Conclusion
  • Need to perform Bellovin / Rescorla analysis on
    all of the PKIX protocols
  • Volunteers are needed to look at others
Write a Comment
User Comments (0)
About PowerShow.com