Title: DER, PER, XER Certificate Size Study


1
DER, PER, XER Certificate Size Study
  • October 2005

2
Bulk Sizes
  • Five encoding rule sets were targeted
  • DER, aligned PER, unaligned PER, XER, Canonical
    XER
  • Bulk sizes range from 445 bytes to 18040 bytes
  • Not surprisingly, unaligned PER is always
    smallest and XER is always the largest

3
Original Profiles (sizes in bytes): DER, Aligned PER, Unaligned PER, XER, Canonical XER
CA PKCs - 1 1001 830 775 16781 12458
CA PKCs - 2 999 830 778 16645 12420
CA PKCs - 3 URI Pointer 910 742 697 16619 12272
CA PKCs - 4 Both 1041 869 805 17279 12830
Cross-Certificate PKCs - 1 1074 891 830 17884 13235
Cross-Certificate PKCs - 2 1083 899 841 18040 13411
EE PKCs - 1 845 721 672 10934 8772
EE PKCs - 2 890 759 707 11657 9295
EE PKCs - 3 840 720 672 10663 8587
EE PKCs - 4 875 754 701 11006 8836
EE PKCs - 5 782 672 624 9441 7855
EE PKCs - 6 759 654 610 9013 7517
EE PKCs - 7 763 654 611 9409 7815
EE PKCs - 8 765 660 616 9063 7567
EE PKCs - 9 770 662 618 9479 7885
EE PKCs - 10 768 660 616 9317 7765
EE PKCs - 11 URI Pointer 725 611 575 10720 8542
EE PKCs - 12 Both 789 753 699 11412 9124
OCSP Responder PKCs - 1 659 547 522 10027 8012
OCSP Responder PKCs - 2 659 551 526 9877 7968
Root CA PKCs - 1 559 470 447 8476 6845
Root CA PKCs - 2 548 466 445 7948 6505
4
Modified Profiles (sizes in bytes): DER, Aligned PER, Unaligned PER, XER, Canonical XER
CA PKCs - 1 1057 886 826 17346 12883
CA PKCs - 2 1005 843 791 16498 12277
Cross-Certificate PKCs - 1 1089 916 854 16930 12743
Cross-Certificate PKCs - 2 1067 897 843 16716 12575
OCSP Responder PKCs - 1 630 528 502 9696 7747
OCSP Responder PKCs - 2 602 512 488 8734 7069
Root CA PKCs - 1 573 485 464 8686 6923
Root CA PKCs - 2 574 493 470 8175 6608
5
Certificate Structure
  • Certificate ::= SEQUENCE {
  • tbsCertificate TBSCertificate,
  • signatureAlgorithm AlgorithmIdentifier,
  • signature BIT STRING }
  • TBSCertificate ::= SEQUENCE {
  • version [0] Version DEFAULT v1,
  • serialNumber CertificateSerialNumber,
  • signature AlgorithmIdentifier,
  • issuer Name,
  • validity Validity,
  • subject Name,
  • subjectPublicKeyInfo SubjectPublicKeyInfo,
  • issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL,
  • -- If present, version MUST be v2 or v3
  • subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL,
  • -- If present, version MUST be v2 or v3
  • extensions [3] Extensions OPTIONAL
  • -- If present, version MUST be v3 -- }

6
DER Sample
  • 30 87 SEQUENCE
  • 31 11 SET
  • 30 9 SEQUENCE
  • 06 3 OBJECT IDENTIFIER countryName
    (2 5 4 6)
  • 13 2 PrintableString 'US'
  • 31 24 SET
  • 30 22 SEQUENCE
  • 06 3 OBJECT IDENTIFIER
    organizationName (2 5 4 10)
  • 13 15 PrintableString 'U.S.
    Government'
  • 31 12 SET
  • 30 10 SEQUENCE
  • 06 3 OBJECT IDENTIFIER
    organizationalUnitName (2 5 4 11)
  • 13 3 PrintableString 'DoD'
  • Issuer name takes 89 bytes to encode
  • Easy to read in a Hex editor
  • Familiar tag-length-value
  • Free tools are available for troubleshooting
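
As an added worked example (not code from the slide deck), here is the issuer Name this slide walks through, DER-encoded and then listed TLV by TLV the way a hex editor or dumpasn1 shows it. The Name is constructed from the slide's values (C=US, O=U.S. Government, OU=DoD) plus the OU=KMI and CN=Root-Name that the PER and XER slides show for the same issuer; the OID constants, tag numbers and function names are mine. The walker also refuses the BER length forms DER forbids, which is the property that makes DER bytes safe to hash and sign: one abstract value, one byte string.

```python
"""Added example, not part of the slide deck: DER-encode the issuer Name from the DER
sample slide and walk it TLV by TLV, as a hex editor or dumpasn1 would show it.
Constructed from slide values (C=US, O=U.S. Government, OU=DoD, plus OU=KMI and
CN=Root-Name, which the PER and XER slides show belong to the same issuer)."""

# DER content octets of the X.520 attribute types 2.5.4.{6,10,11,3}
OID_C, OID_O, OID_OU, OID_CN = b"\x55\x04\x06", b"\x55\x04\x0A", b"\x55\x04\x0B", b"\x55\x04\x03"
ISSUER = [(OID_C, "US"), (OID_O, "U.S. Government"), (OID_OU, "DoD"),
          (OID_OU, "KMI"), (OID_CN, "Root-Name")]


def der_tlv(tag, content):
    """Definite-length TLV with minimal length octets, the only form DER permits."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def der_name(rdns):
    """Name ::= SEQUENCE OF RelativeDistinguishedName (SET OF AttributeTypeAndValue)."""
    return der_tlv(0x30, b"".join(
        der_tlv(0x31, der_tlv(0x30, der_tlv(0x06, oid) + der_tlv(0x13, txt.encode("ascii"))))
        for oid, txt in rdns))


def der_listing(data, depth=0):
    """Walk TLVs as a hex-editor user does, rejecting the BER length forms DER forbids."""
    names = {0x30: "SEQUENCE", 0x31: "SET", 0x06: "OBJECT IDENTIFIER", 0x13: "PrintableString"}
    lines, i = [], 0
    while i < len(data):
        tag, first = data[i], data[i + 1]
        if first < 0x80:
            length, hdr = first, 2              # short form: one length octet
        else:
            n = first & 0x7F
            if n == 0 or n > 4:
                raise ValueError("indefinite or oversized length is not DER")
            length, hdr = int.from_bytes(data[i + 2:i + 2 + n], "big"), 2 + n
            if length < max(0x80, 1 << (8 * (n - 1))):
                raise ValueError("non-minimal length octets are not DER")
        body = data[i + hdr:i + hdr + length]
        if len(body) != length:
            raise ValueError("truncated TLV")
        text = f" {body.decode('ascii')!r}" if tag == 0x13 else ""
        lines.append(f"{'  ' * depth}{tag:02X} {length} {names.get(tag, '?')}{text}")
        if tag in (0x30, 0x31):                 # constructed: descend into the content
            lines += der_listing(body, depth + 1)
        i += hdr + length
    return lines


if __name__ == "__main__":
    encoded = der_name(ISSUER)
    print("\n".join(der_listing(encoded)))
    print(len(encoded), "bytes")                # 89 bytes
```

Run it and the listing opens with `30 87 SEQUENCE` and the whole Name comes to 89 bytes, matching the slide. The length checks are what a verifier needs: if it also accepted `81 57` as the length of that outer SEQUENCE, two different byte strings would decode to the same Name, and a signature over one would say nothing about the other.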

7
PER Samples
  • 00000015 0501 0355 0406 0420 0255 5301 0355 040A
    ...U... .US..U..
  • 00000031 1120 0F55 2E53 2E20 476F 7665 726E 6D65
    . .U.S. Governme
  • 00000047 6E74 0103 5504 0B05 2003 446F 4401 0355
    nt..U... .DoD..U
  • 00000063 040B 0520 034B 4D49 0103 5504 030B 2009
    ... .KMI..U... .
  • 00000079 526F 6F74 2D4E 616D 65
    Root-Name
  • Issuer name takes 73 bytes to encode using
    aligned PER; unaligned PER reduces this slightly
    (68 bytes)
  • Both aligned (above) and unaligned (below) PER
    are more difficult to read than DER
  • No tag values and often no length values
  • Unaligned requires parsing of individual bits
  • Decoding requires knowledge of the structure
  • What would be signed in the unaligned scenario?

  • 00000013 1828 081A A820 3021 02AB 4C00 081A A820
    .(... 0!..L....
  • 00000029 5079 0FAA BA9A E411 F7F6 CBCB 76DC BBBA
    Py..........v...
  • 00000045 0008 1AA8 2058 2103 89BE 2008 1AA8 2058
    .... X!... ... X
  • 00000061 2103 9736 4808 1AA8 2018 5109 A5BF 7F45
    !..6H... .Q....E
  • 00000077 B3B0 EDCA
    ....
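
As an added example (not the study's own tooling), a hand-rolled aligned and unaligned PER encoder for the same issuer Name, checked against the dumps above: the aligned encoding must equal the 73 bytes at offsets 15 through 87 of the aligned dump byte for byte, and the unaligned encoding must come out at 68 bytes. The Name is constructed from the slide values (C=US, O=U.S. Government, OU=DoD, OU=KMI, CN=Root-Name); assumed: each value is the printableString alternative (index 1 of DirectoryString's five) and only this one structure is handled. The unaligned dump above starts five bits into an octet (the tail of the preceding field, read off the dump as 00011), which the last function reproduces.

```python
"""Added example, not part of the slide deck: hand-rolled aligned and unaligned PER
encoders for the issuer Name on the PER Samples slide, reproducing the 73-byte aligned
encoding (byte for byte against the slide's dump) and the 68-byte unaligned one.
Constructed from slide values; assumed: each value is DirectoryString.printableString
(alternative 1 of 5), and only this structure is handled."""

# X.520 attribute-type OID content octets 2.5.4.{6,10,11,3} and the constructed Name
OID_C, OID_O, OID_OU, OID_CN = b"\x55\x04\x06", b"\x55\x04\x0A", b"\x55\x04\x0B", b"\x55\x04\x03"
ISSUER = [(OID_C, "US"), (OID_O, "U.S. Government"), (OID_OU, "DoD"),
          (OID_OU, "KMI"), (OID_CN, "Root-Name")]

# Transcribed from the slide: the full aligned-PER dump (73 bytes) and the first 24 bytes
# of the unaligned dump, which begins five bits (tail of the preceding field) into an octet.
SLIDE_ALIGNED_HEX = ("0501035504060420025553010355040A" "11200F552E532E20476F7665726E6D65"
                     "6E74010355040B052003446F44010355" "040B0520034B4D4901035504030B2009"
                     "526F6F742D4E616D65")
SLIDE_UNALIGNED_HEX_PREFIX = "1828081AA820302102AB4C00081AA82050790FAABA9AE411"
PRECEDING_BITS = "00011"        # read off the dump; what field they belong to is not on the slide


class BitWriter:
    """Minimal MSB-first bit buffer for the PER encoders."""
    def __init__(self):
        self.bits = []

    def put(self, value, width):
        self.bits += [(value >> (width - 1 - k)) & 1 for k in range(width)]

    def align(self):
        self.bits += [0] * (-len(self.bits) % 8)

    def to_bytes(self):
        self.align()
        return bytes(int("".join(map(str, self.bits[k:k + 8])), 2)
                     for k in range(0, len(self.bits), 8))


def per_directory_string(text, aligned):
    """Complete PER encoding of DirectoryString{printableString}: the open-type payload."""
    w = BitWriter()
    w.put(1, 3)                              # CHOICE index 1 of 5 alternatives: 3 bits
    if aligned:
        w.align()                            # aligned PER pads before the length determinant
    w.put(len(text), 8)                      # length determinant, one octet below 128
    for ch in text.encode("ascii"):
        w.put(ch, 8 if aligned else 7)       # 74-char alphabet: 7 bits unaligned, 8 aligned
    return w.to_bytes()                      # an open-type payload always ends on an octet


def per_name(rdns, aligned):
    """PER encoding of Name; everything outside the open types is whole octets here."""
    w = BitWriter()
    w.put(len(rdns), 8)                      # SEQUENCE OF count
    for oid, txt in rdns:
        w.put(1, 8)                          # SET OF count: one AttributeTypeAndValue
        w.put(len(oid), 8)                   # OBJECT IDENTIFIER: length, then content octets
        for b in oid:
            w.put(b, 8)
        payload = per_directory_string(txt, aligned)
        w.put(len(payload), 8)               # open type (ANY DEFINED BY type): length + payload
        for b in payload:
            w.put(b, 8)
    return w.to_bytes()


def with_leading_bits(prefix, data):
    """Prepend a few bits to an encoding, as happens in unaligned PER whenever the preceding
    fields end mid-octet: with no tags and no alignment, every boundary is a bit offset."""
    bits = prefix + "".join(f"{b:08b}" for b in data)
    bits += "0" * (-len(bits) % 8)
    return int(bits, 2).to_bytes(len(bits) // 8, "big")


if __name__ == "__main__":
    aligned, unaligned = per_name(ISSUER, True), per_name(ISSUER, False)
    print(len(aligned), len(unaligned))                  # 73 68
    print(aligned.hex() == SLIDE_ALIGNED_HEX.lower())    # True
```

The unaligned stream carries no tag octets and its open-type payloads use 7-bit characters, so its byte boundaries do not line up with field boundaries; that is why the dump above reads as noise and why `with_leading_bits` is needed before the two can be compared. It also bears on the slide's last question: the signed bytes must be a fixed, reproducible string, and for PER that depends on both sides agreeing on the exact schema and variant, since nothing in the bytes identifies them.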
8
XER Sample
  • <issuer>
  • <rdnSequence>
  • <RelativeDistinguishedName>
  • <AttributeTypeAndValue>
  • <type>2.5.4.6</type>
  • <value>
  • <DirectoryString>
  • <printableString>US</printableString>
  • </DirectoryString></value>
  • </AttributeTypeAndValue>
  • </RelativeDistinguishedName>
  • <RelativeDistinguishedName>
  • <AttributeTypeAndValue>
  • <type>2.5.4.10</type>
  • <value>
  • <DirectoryString>
  • <printableString>U.S. Government</printableString>
  • </DirectoryString></value>
  • </AttributeTypeAndValue>
  • </AttributeTypeAndValue>
  • </RelativeDistinguishedName>
  • <RelativeDistinguishedName>
  • <AttributeTypeAndValue>
  • <type>2.5.4.11</type>
  • <value> <DirectoryString> <printableString>KMI</printableString> </DirectoryString></value>
  • </AttributeTypeAndValue>
  • </RelativeDistinguishedName>
  • <RelativeDistinguishedName>
  • <AttributeTypeAndValue>
  • <type>2.5.4.3</type>
  • <value> <DirectoryString> <printableString>Root-Name</printableString> </DirectoryString></value>
  • </AttributeTypeAndValue>
  • </RelativeDistinguishedName>
  • </rdnSequence> </issuer>
  • Issuer name takes 1651 bytes
  • Canonical XER reduces this to 1114 bytes
  • Signature field produced in XER is not an XML
    digital signature

9
Notes
  • PER and XER are not canonical
  • Canonical XER was also tested but not compared to
    C14N
  • We used unaltered ASN.1 files from the relevant
    specs
  • It's possible that PER results could be made
    smaller if ASN.1 definitions were modified to
    capitalize on PER strengths
  • XER could be made smaller by using smaller field
    names or otherwise altering the ASN.1 to change
    the nature of the output
  • Compression may be worth considering (see the next
    two slides: sizes after Burrows-Wheeler compression
    via the bzip2 program, and savings vs. original)
  • Alternative compression algorithms may offer
    better results
  • XER does not feature W3C-compliant XML Digital
    Signatures
  • Apache-based XML DSIG implementation used to
    generate the sample does not currently support ECDSA
  • Using an XML Digital Signature around the
    TBSCertificate structure reduced default XER
    signature from 2200 bytes to 900 bytes
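
Added example (not from the deck) for the XER sample and these notes: the same issuer Name rendered as XER twice, once indented and once in canonical form (X.693 canonical XER permits no insignificant whitespace), which reproduces the slide's 1114-byte canonical size. The two renderings parse to the same value but hash differently, which is what "XER is not canonical" means for a signature. The last function computes the bzip2 saving percentage the way the compression slides report it. Values are constructed from the slides (C=US, O=U.S. Government, OU=DoD, OU=KMI, CN=Root-Name); the two-space indentation is an arbitrary choice, and the slide's 1651-byte non-canonical figure depends on its own whitespace, so that number is not reproduced here.

```python
"""Added example, not part of the slide deck: render the issuer Name from the XER sample
slide as XER, compare an indented rendering with the canonical form (X.693 CXER permits no
insignificant whitespace), and measure the bzip2 saving the Notes slide refers to.
Constructed from slide values; the two-space indentation of the non-canonical rendering is
an arbitrary choice, which is the point: plain XER leaves layout to the encoder."""
import bz2
import hashlib
import xml.etree.ElementTree as ET

# (dotted OID as XER prints it, printableString value), constructed from the slides
ISSUER = [("2.5.4.6", "US"), ("2.5.4.10", "U.S. Government"), ("2.5.4.11", "DoD"),
          ("2.5.4.11", "KMI"), ("2.5.4.3", "Root-Name")]


def xer_issuer(rdns, indent=None):
    """XER text for <issuer>. indent=None gives canonical XER; a string gives an indented,
    non-canonical rendering of the same abstract value."""
    nl = "" if indent is None else "\n"
    pad = (lambda d: "") if indent is None else (lambda d: indent * d)
    out = [f"<issuer>{nl}", f"{pad(1)}<rdnSequence>{nl}"]
    for oid, text in rdns:
        out += [f"{pad(2)}<RelativeDistinguishedName>{nl}",
                f"{pad(3)}<AttributeTypeAndValue>{nl}",
                f"{pad(4)}<type>{oid}</type>{nl}",
                f"{pad(4)}<value>{nl}",
                f"{pad(5)}<DirectoryString>{nl}",
                f"{pad(6)}<printableString>{text}</printableString>{nl}",
                f"{pad(5)}</DirectoryString>{nl}",
                f"{pad(4)}</value>{nl}",
                f"{pad(3)}</AttributeTypeAndValue>{nl}",
                f"{pad(2)}</RelativeDistinguishedName>{nl}"]
    out += [f"{pad(1)}</rdnSequence>{nl}", "</issuer>"]
    return "".join(out)


def canonical_xer_issuer(rdns):
    """Canonical XER: one byte sequence per abstract value, so it can be hashed and signed."""
    return xer_issuer(rdns, indent=None)


def abstract_value(xer_text):
    """Parse XER back to (tag, text, children) with whitespace-only text dropped: the ASN.1
    value the encoding stands for, independent of layout."""
    def walk(e):
        return (e.tag, (e.text or "").strip(), [walk(c) for c in e])
    return walk(ET.fromstring(xer_text))


def same_value(a, b):
    """True when two XER renderings denote the same abstract value."""
    return abstract_value(a) == abstract_value(b)


def digest(xer_text):
    """What a signature would actually cover: the bytes, not the value."""
    return hashlib.sha256(xer_text.encode("utf-8")).hexdigest()


def bzip2_savings_percent(data):
    """The slides' 'saved' figure: (1 - compressed/original) * 100; negative means bzip2 grew it."""
    return round((1 - len(bz2.compress(data)) / len(data)) * 100, 2)


if __name__ == "__main__":
    canon, pretty = canonical_xer_issuer(ISSUER), xer_issuer(ISSUER, indent="  ")
    print(len(canon), len(pretty))                                      # 1114 and a larger, layout-dependent number
    print(same_value(canon, pretty), digest(canon) == digest(pretty))   # True False
    print(bzip2_savings_percent(canon.encode()))
```

The canonical rendering lands on exactly the 1114 bytes the slide reports, which also confirms the sample's five RDNs. For signing, the indented and canonical texts are interchangeable as values and not interchangeable as bytes, so any XER signature needs either canonical XER or an XML-level canonicalization before hashing; the deck notes that canonical XER was not compared against C14N.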

10
Sizes after bzip2 compression (bytes): DER, Aligned PER, Unaligned PER, XER, Canonical XER
CA PKCs - 1 923 781 950 2222 2081
CA PKCs - 2 931 812 923 2251 2106
CA PKCs - 3 URI Pointer 858 725 839 2181 2018
CA PKCs - 4 Both 964 819 967 2269 2146
Cross-Certificate PKCs - 1 967 831 1013 2382 2239
Cross-Certificate PKCs - 2 1001 836 994 2379 2245
EE PKCs - 1 825 720 809 1803 1697
EE PKCs - 2 810 732 787 1833 1697
EE PKCs - 3 878 769 859 1885 1795
EE PKCs - 4 840 749 828 1831 1741
EE PKCs - 5 876 787 863 1838 1741
EE PKCs - 6 832 723 809 1870 1757
EE PKCs - 7 803 723 759 1784 1687
EE PKCs - 8 815 680 746 1853 1735
EE PKCs - 9 819 726 787 1800 1699
EE PKCs - 10 815 719 799 1850 1733
EE PKCs - 11 URI Pointer 742 619 717 1706 1608
EE PKCs - 12 Both 847 743 841 1851 1722
OCSP Responder PKCs - 1 686 580 612 1576 1497
OCSP Responder PKCs - 2 634 577 614 1654 1557
Root CA PKCs - 1 597 526 590 1407 1307
Root CA PKCs - 2 557 504 570 1385 1292
11
Savings after bzip2 compression vs. original size (%; negative means larger after compression): DER, Aligned PER, Unaligned PER, XER, Canonical XER
CA PKCs - 1 7.79 5.90 -22.58 86.76 83.30
CA PKCs - 2 6.81 2.17 -18.64 86.48 83.04
CA PKCs - 3 URI Pointer 5.71 2.29 -20.37 86.88 83.56
CA PKCs - 4 Both 7.40 5.75 -20.12 86.87 83.27
Cross-Certificate PKCs - 1 9.96 6.73 -22.05 86.68 83.08
Cross-Certificate PKCs - 2 7.57 7.01 -18.19 86.81 83.26
EE PKCs - 1 2.37 0.14 -20.39 83.51 80.65
EE PKCs - 2 -5.47 -10.91 -27.76 80.33 78.15
EE PKCs - 3 1.35 -1.32 -21.50 83.83 80.69
EE PKCs - 4 0.00 -4.03 -23.21 82.83 79.73
EE PKCs - 5 -0.11 -4.38 -23.11 83.30 80.30
EE PKCs - 6 -6.39 -7.59 -29.65 80.19 77.63
EE PKCs - 7 -5.80 -10.55 -24.43 80.21 77.56
EE PKCs - 8 -6.82 -3.98 -22.09 80.31 77.80
EE PKCs - 9 -7.06 -10.00 -27.76 80.14 77.55
EE PKCs - 10 -5.84 -8.61 -29.29 80.48 78.02
EE PKCs - 11 URI Pointer -2.34 -1.31 -24.70 84.09 81.18
EE PKCs - 12 Both 3.64 1.33 -20.31 83.78 81.13
OCSP Responder PKCs - 1 -4.10 -6.03 -17.24 84.28 81.32
OCSP Responder PKCs - 2 3.79 -4.72 -16.73 83.25 80.46
Root CA PKCs - 1 -6.80 -11.91 -31.99 83.40 80.91
Root CA PKCs - 2 -1.64 -8.15 -28.09 82.57 80.14
12
Slim Jim
  • November 2005

13
Certificate Name, then sizes in bytes: DER, Aligned PER, Unaligned PER, Canonical XER, XER
Root CA PKCs - 1 507 431 414 6050 7281
Root CA PKCs - 2 483 414 395 5686 6845
Root CA PKCs - 3 463 397 385 5500 6611
Root CA PKCs - 4 431 381 368 5133 6103
CA PKCs - 1 832 710 661 8593 10486
CA PKCs - 2 790 680 633 8127 9930
CA PKCs - 3 617 530 498 6759 8176
CA PKCs - 4 602 519 490 6603 7951
CA PKCs - 5 496 423 404 5944 7161
Cross-Certificate PKCs 1 952 808 756 10538 13427
Cross-Certificate PKCs 2 803 675 640 9428 12043
Cross-Certificate PKCs 3 782 666 632 9280 11834
Cross-Certificate PKCs 4 639 553 524 6922 8386
OCSP Responder PKCs 1 506 432 415 6068 7299
14
Infrastructure Summary
  • DER 431 through 952 bytes
  • Aligned PER 381 through 808 bytes
  • Unaligned PER 368 through 756 bytes
  • Canonical and non-canonical XER BIG

15
EE Variations
  • 7 name forms × 4 profiles
  • Subject field with a dc name
  • Subject field empty, with one each of the following
    in the subject alternative name field:
  • otherName
  • RFC822Name
  • DNSName
  • IPv4 name
  • IPv6 name
  • URI

16
Certificate Name, then sizes in bytes: DER, Aligned PER, Unaligned PER, Canonical XER, XER
(EE PKCs DN - 1) Subject DN, AKI, SKI, KU, CP, Clearance, CRLDP, Seed, Sponsor, Citizenship, and Freshest CRL 837 727 674 8315 10091
(EE PKCs DN - 2) Subject DN, SKI, KU, CP, Clearance, CRLDP, Seed, Sponsor, and Citizenship, 713 615 578 7419 8969
(EE PKCs DN - 3) Subject DN, KU, CP, Clearance, CRLDP, Seed, Sponsor, and Citizenship 692 601 562 7225 8735
(EE PKCs DN - 4) Subject DN, CP, Clearance, CRLDP, Sponsor, and Citizenship 660 581 543 6922 8336
(EE Other Name - 1) SAN(ON), AKI, SKI, KU, CP, Clearance, CRLDP, Seed, Sponsor, Citizenship, and Freshest CRL 786 678 630 8058 9640
(EE Other Name - 2) SAN(ON), SKI, KU, CP, Clearance, CRLDP, Seed, Sponsor, and Citizenship 663 568 535 7170 8510
(EE Other Name - 3) SAN(ON), KU, CP, Clearance, CRLDP, Seed, Sponsor, and Citizenship 644 552 520 6968 8276
(EE Other Name - 4) SAN(ON), CP, Clearance, CRLDP, Sponsor, and Citizenship 612 531 501 6673 7877
(EE PKCs RFC - 1) SAN(RFC), AKI, SKI, KU, CP, Clearance, CRLDP, Seed, Sponsor, Citizenship, Freshest CRL 792 683 633 7852 9370
(EE PKCs RFC - 2) SAN(RFC), SKI, KU, CP, Clearance, CRLDP, Seed, Sponsor, and Citizenship 666 574 536 6956 8256
(EE PKCs RFC - 3) SAN(RFC), KU, CP, Clearance, CRLDP, Seed, Sponsor, and Citizenship 645 557 522 6746 8014
(EE PKCs RFC - 4) SAN(RFC), CP, Clearance, CRLDP, Sponsor, and Citizenship 613 537 503 6459 7623
17
Certificate Name, then sizes in bytes: DER, Aligned PER, Unaligned PER, Canonical XER, XER
(EE PKCs DNS - 1) SAN(DNS), AKI, SKI, KU, CP, Clearance, CRLDP, Seed, Sponsor, Citizenship, Freshest CRL 777 672 625 7810 9336
(EE PKCs DNS - 2) SAN(DNS), SKI, KU, CP, Clearance, CRLDP, Seed, Sponsor, and Citizenship 655 563 528 6922 8206
(EE PKCs DNS - 3) SAN(DNS), KU, CP, Clearance, CRLDP, Seed, Sponsor, and Citizenship 635 547 514 6720 7964
(EE PKCs DNS - 4) SAN(DNS), CP, Clearance, CRLDP, Sponsor, and Citizenship 602 527 494 6425 7581
(EE PKCs IPv4 - 1) SAN(IPv4), AKI, SKI, KU, CP, Clearance, CRLDP, Seed, Sponsor, Citizenship, and Freshest CRL 770 664 618 7828 9330
(EE PKCs IPv4 - 2) SAN(IPv4), SKI, KU, CP, Clearance, CRLDP, Seed, Sponsor, and Citizenship 647 556 522 6924 8216
(EE PKCs IPv4 - 3) SAN(IPv4), KU, CP, Clearance, CRLDP, Seed, Sponsor, and Citizenship 628 541 508 6722 7982
(EE PKCs IPv4 - 4) SAN(IPv4), CP, Clearance, CRLDP, Sponsor, and Citizenship 596 518 488 6435 7591
(EE PKCs IPv6 - 1) SAN(IPv6), AKI, SKI, KU, CP, Clearance, CRLDP, Seed, Sponsor, Citizenship, Freshest CRL 782 677 630 7868 9386
(EE PKCs IPv6 - 2) SAN(IPv6), SKI, KU, CP, Clearance, CRLDP, Seed, Sponsor, and Citizenship 659 567 534 6964 8272
(EE PKCs IPv6 - 3) SAN(IPv6), KU, CP, Clearance, CRLDP, Seed, Sponsor, and Citizenship 641 552 520 6778 8030
18
Certificate Name, then sizes in bytes: DER, Aligned PER, Unaligned PER, Canonical XER, XER
(EE PKCs IPv6 - 4) SAN(IPv6), CP, Clearance, CRLDP, Sponsor, and Citizenship 607 531 501 6467 7639
(EE PKCs URI - 1) SAN(URI), AKI, SKI, KU, CP, Clearance, CRLDP, Seed, Sponsor, and Citizenship, Freshest CRL 776 673 624 7890 9416
(EE PKCs URI - 2) SAN(URI), SKI, KU, CP, Clearance, CRLDP, Seed, Sponsor, and Citizenship 653 561 529 6986 8294
(EE PKCs URI - 3) SAN(URI), KU, CP, Clearance, CRLDP, Seed, Sponsor, and Citizenship 635 548 513 6792 8036
(EE PKCs URI - 4) SAN(URI), CP, Clearance, CRLDP, Sponsor, and Citizenship 603 527 495 6505 7653
19
EE Summary
  • DER 596 through 837 bytes
  • Aligned PER 518 through 727 bytes
  • Unaligned PER 488 through 676 bytes
  • Canonical and non-canonical XER BIG