Enabling revocation for billions of consumers
Enabling Revocation for Billions of Consumers. Kelvin Yiu [email protected] Microsoft Corporation. Agenda. Why X.509 Revocation is Difficult Lessons Learned Enabling Revocation – The Hard Questions X.509 Revocation in Windows Vista Best Practices.

Presentation Transcript

Agenda

  • Why X.509 Revocation is Difficult

  • Lessons Learned

  • Enabling Revocation – The Hard Questions

  • X.509 Revocation in Windows Vista

  • Best Practices


The Consumer: Grandma Understands This Right?

  • Hmmmm?

  • Despite popular legislation, you cannot legislate comprehension by end users

  • What do all of these fields mean to me?

  • certificatePolicies are for lawyers, not consumers or end users


Why is Revocation So Difficult? Multitude of Application Scenarios & Requirements

  • Client scenarios

    • SSL server authentication (Internet Explorer)

    • Smart card logon

    • Outlook S/MIME

    • Code signature verification (Authenticode)

      • Install time vs load time

    • Wireless, RAS

  • Server scenarios

    • Smart card logon (DC)

    • IIS SSL client authentication

    • Radius


Why is Revocation So Difficult? Multitude of Locations and Connectivity Options

[Diagram: Main Office LAN, Branch Office LAN, Business Partner LAN, Wireless Network and Remote User, all connected through the Internet]

  • A certificate may be validated anywhere using any connectivity option:

    • LAN

    • VPN

    • RPC over HTTP

    • Extranet

    • Private network

    • No connectivity


Why is Revocation So Difficult? Peak Bandwidth = $$$

[Bandwidth chart; source: VeriSign (RSA 2005)]

  • Usage mostly due to code signing CRLs (90%+)

  • Wide variance in bandwidth use

    • Highest use is Monday morning

    • High fixed cost to handle peak bandwidth

  • Client-side retry logic means the service degrades quickly

  • OCSP generally uses less bandwidth than CRLs, but not always


Lessons Learned: Enabling Revocation in Internet Explorer

  • First tried enabling SSL revocation in IE 3.02

    • SSL sometimes grinds to a halt

    • IE 3.02 didn’t ship with revocation enabled

  • Threat - is the risk worth the pain?

    • $50 credit card liability

    • No real protection from phishing scams

    • Will users be bothered to report key compromise?

  • What is tolerable for the average consumer?


Lessons Learned: Outlook 2000 S/MIME Deployments

  • Users complained Outlook often hangs when revocation checking is enabled

    • Lesson learned: a 90s per-URL timeout is too long. Will do 15s, but let the retrieval finish in the background

    • Lesson 2 learned: 15s is still too long, but a shorter timeout increases the % of retrieval failures

  • What were the causes?

    • Outlook blocks until signature validation completes

      • Outlook 2003 performs validation on background thread

    • Operational errors (offline server, CRL not published)

    • Multiple URLs in the CDP (Internet vs Intranet)


Lessons Learned: Enabling Revocation for Authenticode

  • Enabled revocation checking for ActiveX download as a critical security update

    • Had to make revocation errors non-fatal to prevent regressions

  • Caused problems for scenarios that validate signature at load time

    • Developers did not understand the network implications of calling the verify-signature API

    • Some anti-virus products perform self-integrity checks periodically

    • Machines in private network cannot download CRL


Lessons Learned: Misbehaving Proxies

  • Unreliable caching semantics in HTTP 1.0

    • “expires” header assumes synchronous clocks

    • Windows sets “Pragma: no-cache” to avoid retrieving stale CRLs

  • Auto-proxy does not always return active proxies

    • Clients would fail randomly because a random proxy is selected from the list

  • Incorrect proxy configuration (wininet.dll vs winhttp.dll)

  • Proxy access policy

    • Not all users have Internet access

    • Users but not machines have access


Enabling Revocation by Default: The Hard Questions

  • Is the benefit worth the infrastructure and user costs?

  • Should online revocation be required for all applications?

    • OS boot and signature validation makes this challenging

    • What is the expected behavior when working offline?

  • What is the expected behavior for mobile users?

    • How does a laptop in a hotel room contact the intranet (LDAP) URL for CRLs? Should VPN be required?

    • When is failure an acceptable option?

  • Will users tolerate reduced performance and reliability?

  • What is the reasonable level of assurance for consumers?


Enabling Revocation by Default: What Problem Does Revocation Really Solve?

  • Revocation is an attempt at a perfect solution in an imperfect world

    • Imperfect CA identity validation procedures

    • Key compromise

  • How often are key compromises reported to the CA?

    • Can take days or weeks for info to propagate

  • HTTPS protects users from untrustworthy networks

    • WiFi hotspots, neighbor

    • Pharming attacks

  • Works well when protecting users from key/certificates that were compromised in the past


Our Goals for Windows Vista: Enabling Revocation for Billions of Consumers

  • “It just works”

    • Good defaults but not optimized for all scenarios

    • Can be fine tuned with custom policy

  • Balance between threat mitigation and user experience

  • Minimize peak bandwidth usage for network operators and CAs

  • Enterprise managed tolerance on revocation freshness

    • Network connectivity issues and infrastructure failures necessitate an "emergency mode" that ignores all offline and stale revocation errors

  • IE7 on Windows Vista revocation enabled by default!


Revocation in Windows Vista: Taking Revocation to the Next Level

  • OCSP client

    • Supports the lightweight OCSP profile

  • TLS “Stapling” extensions

    • IE7 on Windows Vista and IIS7

  • HTTP 1.1 caching proxies

  • Randomized pre-fetch to take advantage of overlapping validity periods in OCSP or CRL

  • Flush CRLs and OCSPs from memory caches via certutil.exe

  • OCSP responder in “Longhorn” Server


Revocation in Windows Vista: How TLS "Stapling" Scales

[Diagram: Grandma, Contoso and the Public Certification Authority connected through the Internet]

  • Grandma connects to https://www.contoso.com

  • Contoso pre-fetches the OCSP response for its certificate


Revocation in Windows Vista: How TLS "Stapling" Scales (continued)

[Diagram: Grandma, Contoso and the Public Certification Authority connected through the Internet; the stapled OCSP response travels from Contoso to Grandma]

  • Contoso returns its certificate chain and the OCSP response in the TLS handshake

  • Stapling reduces load on the CA to # of servers, not clients


Revocation in Windows Vista: CRL vs OCSP

  • Windows will always prefer cached objects or a “stapled” OCSP response

  • If network retrieval is required, then OCSP is preferred if both AIA and CDP are present

    • Try all OCSP URLs, then CDP URLs

  • Windows will switch to CRLs if:

    • The number of OCSP responses retrieved for an issuer exceeds 50 (configurable in the registry)

    • Configured by group policy

  • Network timeout is still 15 seconds per URL
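The selection order on this slide, modelled as a small decision routine. This is an added example, not Windows code or any Microsoft API: the class and method names are hypothetical, the 50-response threshold is the slide's stated default, and the example assumes that once the threshold is exceeded OCSP is not retried for that issuer.

```python
from collections import defaultdict

OCSP_SWITCH_THRESHOLD = 50  # the slide's default; configurable in the registry


class RevocationSourceSelector:
    """Decides where one revocation check is served from.

    Order modelled on the slide: a stapled response or cached object first
    (no network), then every OCSP (AIA) URL, then every CRL (CDP) URL. Once
    more than `threshold` OCSP responses have been retrieved for an issuer,
    checks for that issuer switch to CRLs. Hypothetical class, not a Windows API.
    """

    def __init__(self, threshold=OCSP_SWITCH_THRESHOLD):
        self.threshold = threshold
        self.ocsp_responses = defaultdict(int)  # issuer -> OCSP responses retrieved
        self.cache = {}                          # url -> cached CRL or OCSP response

    def record_ocsp_response(self, issuer):
        """Called each time a fresh OCSP response is retrieved for `issuer`."""
        self.ocsp_responses[issuer] += 1

    def plan(self, issuer, aia_ocsp_urls, cdp_urls, stapled_response=None):
        """Return the ordered list of (kind, source) to try for this check."""
        # 1. A stapled OCSP response or a cached object never touches the network.
        if stapled_response is not None:
            return [("stapled", stapled_response)]
        for url in list(aia_ocsp_urls) + list(cdp_urls):
            if url in self.cache:
                return [("cache", url)]
        # 2. Network retrieval: all OCSP URLs, then all CDP URLs ...
        ocsp = [("ocsp", u) for u in aia_ocsp_urls]
        crl = [("crl", u) for u in cdp_urls]
        # ... unless this issuer has exceeded the threshold, in which case the
        # check switches to CRLs (assumption: OCSP is not retried after the switch).
        if self.ocsp_responses[issuer] > self.threshold:
            return crl
        return ocsp + crl


if __name__ == "__main__":
    selector = RevocationSourceSelector()
    print(selector.plan("Example CA", ["http://ocsp.example.test/"],
                        ["http://crl.example.test/ca.crl"]))
```

The per-issuer counter is the point of the switch: a busy client validating many leaf certificates from one issuer would otherwise generate one OCSP request per certificate, whereas a single CRL download covers all of them.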


Revocation in Windows Vista: How Pre-Fetch Works

  • In the background, client selects a random time between next expected publication time and expiration

    • Expected publication time computed from fetch time + max-age
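The pre-fetch window described above, worked through in code. This is an added example rather than anything from the Vista implementation; the function names are hypothetical, and the sample input reuses the dates from the proxy slides later in the deck (fetched 1 Feb 2005 08:00 GMT, max-age 86400, expiring 7 Feb 2005 23:59:59 GMT). The second function goes beyond the slide to show why the randomization matters: it measures the busiest interval across many clients.

```python
import random
from datetime import datetime, timedelta, timezone


def expected_publication(fetch_time, max_age_seconds):
    """Slide: expected publication time = fetch time + max-age."""
    return fetch_time + timedelta(seconds=max_age_seconds)


def schedule_prefetch(fetch_time, max_age_seconds, expires, rng=None):
    """Pick the random moment at which the client silently re-fetches the object.

    The window runs from the expected publication time to the object's expiry
    (CRL nextUpdate, OCSP nextUpdate or the HTTP Expires header). If the object
    expires before it is expected to be republished there is no overlap and
    nothing to pre-fetch, so None is returned and the client has to fetch on
    demand; the best-practice slide asks CAs to avoid this by keeping max-age
    below the overlap period.
    """
    rng = rng or random
    start = expected_publication(fetch_time, max_age_seconds)
    if start >= expires:
        return None
    window = (expires - start).total_seconds()
    return start + timedelta(seconds=rng.uniform(0, window))


def peak_requests_per_bucket(times, bucket_seconds):
    """Busiest bucket across a set of scheduled pre-fetch times, i.e. the peak
    load that the randomized schedule spreads out ("Peak Bandwidth = $$$")."""
    counts = {}
    for t in times:
        key = int(t.timestamp()) // bucket_seconds
        counts[key] = counts.get(key, 0) + 1
    return max(counts.values()) if counts else 0


if __name__ == "__main__":
    # Constructed input using the dates from the proxy slides.
    fetched = datetime(2005, 2, 1, 8, 0, 0, tzinfo=timezone.utc)
    expires = datetime(2005, 2, 7, 23, 59, 59, tzinfo=timezone.utc)
    clients = [schedule_prefetch(fetched, 86400, expires, random.Random(i))
               for i in range(1000)]
    print("first client re-fetches at", clients[0])
    print("busiest hour sees", peak_requests_per_bucket(clients, 3600), "of 1000 clients")
```

With 1000 clients and a window of roughly five and a half days, the busiest hour sees only a handful of requests; had every client re-fetched at the expected publication time, all 1000 would arrive in the same minute.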


Revocation in Windows Vista: Why Pre-Fetch is Valuable

  • TLS “Stapling” does not return CRLs for intermediate CA certificates

  • Works with both OCSP and CRL

  • Supports LDAP URLs too, using nextPublishTime

  • Useful on server scenarios too

    • Pre-fetches CRLs on domain controllers for smart card logon

  • Pre-fetched URLs that are not used during the next cycle will be removed from pre-fetch list


Revocation in Windows Vista: HTTP 1.1 Proxy Support

  • Reduces load on the CA to # of proxies, not clients

  • Caches HTTP GETs; can be configured to cache dynamic content and HTTP POSTs, but not LDAP

  • "ETag" allows "conditional" GETs

    • Allows clients and proxies to query the origin server for freshness without downloading the object

  • "Max-age" specifies the length of time proxies can return the cached object on their own

    • Helps enable pre-fetch functionality in proxies

  • Retrieval of stale object will force all proxies to revalidate with origin server


Revocation in Windows Vista: HTTP 1.1 Proxy Support (continued)

[Diagram: clients A, B and C reach the Revocation Service across the Internet through an HTTP 1.1 Caching Proxy]

1. A requests the CRL on 2/1/2005, 8:00am

2. The revocation service sends the following headers in the HTTP response:

    HTTP/1.1 200 OK
    Content-Length: 1653
    Date: Sun, 01 Feb 2005 08:00:00 GMT
    Content-Type: application/pkix-crl
    Last-Modified: Sun, 01 Feb 2005 00:00:00 GMT
    ETag: "39a0-28d-4029bce7"
    Expires: Sat, 07 Feb 2005 23:59:59 GMT
    Cache-Control: Max-age = 86400


Revocation in Windows Vista: HTTP 1.1 Proxy Support (continued)

[Diagram: same topology; the CRL is now held in the HTTP 1.1 Caching Proxy]

3. The HTTP proxy caches the CRL and returns it to A

4. B requests the same CRL an hour later. Since the proxy cached the CRL less than 1 day ago, the proxy can return its cached copy to B without revalidating with the revocation service


Revocation in Windows Vista: HTTP 1.1 Proxy Support (continued)

5. C requests the same CRL 2 days later. Since more than 1 day has passed since the proxy last validated with the revocation service, it sends a conditional GET to the service:

    GET http://...
    If-None-Match: "39a0-28d-4029bce7"

[Diagram: same topology; the conditional GET travels from the HTTP 1.1 Caching Proxy to the Revocation Service]

6. The revocation service returns only updated headers to the proxy, since the CRL was not updated:

    HTTP/1.1 304 Not Modified
    Date: Tue, 03 Feb 2005 09:00:00 GMT
    ETag: "39a0-28d-4029bce7"
    Cache-Control: Max-age = 86400
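The six-step exchange above, replayed as a small simulation so the max-age / ETag interaction can be seen end to end. This is an added example and not IIS, Windows or any real proxy's code: the origin and proxy classes are hypothetical, the CRL body is a constructed placeholder, and the ETag, dates and max-age are the values from the slides.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


def http_date(dt):
    """Format a UTC datetime as an HTTP-date."""
    return dt.strftime("%a, %d %b %Y %H:%M:%S GMT")


def parse_max_age(headers):
    """Return the max-age directive of a Cache-Control header (0 if absent)."""
    for directive in headers.get("Cache-Control", "").split(","):
        name, _, value = directive.strip().partition("=")
        if name.strip().lower() == "max-age":
            return int(value.strip())
    return 0


@dataclass
class RevocationService:
    """Origin server holding one CRL; answers plain and conditional GETs."""
    body: bytes = b"-- constructed placeholder for DER CRL bytes --"
    etag: str = '"39a0-28d-4029bce7"'   # the ETag from the slide
    max_age: int = 86400
    expires: datetime = datetime(2005, 2, 7, 23, 59, 59, tzinfo=timezone.utc)
    requests_served: int = 0

    def get(self, now, if_none_match=None):
        self.requests_served += 1
        headers = {"Date": http_date(now), "ETag": self.etag,
                   "Cache-Control": f"max-age={self.max_age}"}
        if if_none_match == self.etag:
            return 304, headers, b""          # not modified: headers only, no body
        headers.update({"Content-Type": "application/pkix-crl",
                        "Content-Length": str(len(self.body)),
                        "Expires": http_date(self.expires)})
        return 200, headers, self.body


@dataclass
class CacheEntry:
    body: bytes
    etag: str
    max_age: int
    validated_at: datetime


@dataclass
class CachingProxy:
    """HTTP 1.1 caching proxy: serves within max-age, revalidates by ETag after."""
    origin: RevocationService
    cache: dict = field(default_factory=dict)
    log: list = field(default_factory=list)

    def fetch(self, url, now):
        entry = self.cache.get(url)
        if entry is not None:
            if now - entry.validated_at < timedelta(seconds=entry.max_age):
                self.log.append("hit")          # fresh: origin is not contacted
                return entry.body
            status, headers, body = self.origin.get(now, if_none_match=entry.etag)
            if status == 304:
                entry.validated_at = now        # origin confirmed the copy is current
                entry.max_age = parse_max_age(headers)
                self.log.append("revalidated")
                return entry.body
        else:
            status, headers, body = self.origin.get(now)
        # Miss, or the CRL changed: store the full response.
        self.cache[url] = CacheEntry(body, headers["ETag"], parse_max_age(headers), now)
        self.log.append("miss")
        return body


def replay_slide_walkthrough():
    """Replays clients A, B and C from the slides; returns (proxy log, origin hits)."""
    proxy = CachingProxy(RevocationService())
    url = "http://crl.example.test/ca.crl"      # hypothetical CDP URL
    t_a = datetime(2005, 2, 1, 8, 0, tzinfo=timezone.utc)
    proxy.fetch(url, t_a)                        # A: cache miss, full 200 response
    proxy.fetch(url, t_a + timedelta(hours=1))   # B: within max-age, served from cache
    proxy.fetch(url, t_a + timedelta(days=2))    # C: stale, conditional GET answered 304
    return proxy.log, proxy.origin.requests_served


if __name__ == "__main__":
    print(replay_slide_walkthrough())
```

Three client requests cost the revocation service two round trips, only one of which carries the CRL body; with more clients behind the proxy the origin's load stays at the number of proxies, which is the scaling argument the slide makes.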


Revocation Best Practices: Industry Call to Action

  • Use HTTP, not LDAP

    • Set ETag and Cache-Control: max-age

  • Keep it simple - 1 OCSP URL and 1 CDP URL accessible everywhere

  • Use overlapping validity period

  • max-age should be less than overlap period

    • Can be shorter for long lived CRLs

  • Support the lightweight OCSP profile for high-volume environments

    • Pre-generate OCSP responses if security requirements permit

    • Don't use a nonce, since nonced responses are not cacheable

  • Ensure new browser / server supports stapling

  • Push for stapling in updated protocols


Questions / Comments?



Other PKI Enhancements in Vista

  • Path validation improvements

    • Reject certs with unrecognized critical extensions

    • Fixed a number of issues around Qualified Subordination

      • Self-issued certificates

      • inhibitAnyPolicy extension

      • Apply name constraints to all certificates below constraining certificate (not just end entity)

    • Cross-Certificate discovery using Subject Information Access extension

  • ECC and SHA2 support


Other PKI Enhancements in Vista (continued)

  • Improved diagnostics support

    • PKI applications are hard to troubleshoot

      • Not enough information

      • Too many moving parts

        • Network or proxy problem?

        • Bad information in certificate?

        • Application vs platform problem?

    • Extensive diagnostic information about path validation failures

      • Information is structured in XML designed for automated post-processing and troubleshooting

      • Integrated with new Windows Event Viewer

    • No changes needed for legacy applications

