
DER, PER, XER Certificate Size Study



Presentation Transcript


  1. DER, PER, XER Certificate Size Study October 2005

  2. Bulk Sizes
     • Five encoding rule sets were targeted: DER, aligned PER, unaligned PER, XER, Canonical XER
     • Bulk sizes range from 445 bytes to 18040 bytes
     • Not surprisingly, unaligned PER is always smallest and XER is always the largest

  3. Certificate Structure

     Certificate ::= SEQUENCE {
         tbsCertificate        TBSCertificate,
         signatureAlgorithm    AlgorithmIdentifier,
         signature             BIT STRING }

     TBSCertificate ::= SEQUENCE {
         version           [0] Version DEFAULT v1,
         serialNumber          CertificateSerialNumber,
         signature             AlgorithmIdentifier,
         issuer                Name,
         validity              Validity,
         subject               Name,
         subjectPublicKeyInfo  SubjectPublicKeyInfo,
         issuerUniqueID    [1] IMPLICIT UniqueIdentifier OPTIONAL,
                               -- If present, version MUST be v2 or v3
         subjectUniqueID   [2] IMPLICIT UniqueIdentifier OPTIONAL,
                               -- If present, version MUST be v2 or v3
         extensions        [3] Extensions OPTIONAL
                               -- If present, version MUST be v3 -- }

  4. DER Sample
     • Issuer name takes 89 bytes to encode
     • Easy to read in a hex editor
     • Familiar tag-length-value
     • Free tools are available for troubleshooting

     Decoded dump of the issuer name (tag in hex, length in decimal; the 87 content bytes plus the 2-byte outer header give the 89 bytes above):

     30 87: SEQUENCE {
     31 11:   SET {
     30  9:     SEQUENCE {
     06  3:       OBJECT IDENTIFIER countryName (2 5 4 6)
     13  2:       PrintableString 'US'
          :       }
          :     }
     31 24:   SET {
     30 22:     SEQUENCE {
     06  3:       OBJECT IDENTIFIER organizationName (2 5 4 10)
     13 15:       PrintableString 'U.S. Government'
          :       }
          :     }
     31 12:   SET {
     30 10:     SEQUENCE {
     06  3:       OBJECT IDENTIFIER organizationalUnitName (2 5 4 11)
     13  3:       PrintableString 'DoD'
          :       }
          :     }
     31 12:   SET {
     30 10:     SEQUENCE {
     06  3:       OBJECT IDENTIFIER organizationalUnitName (2 5 4 11)
     13  3:       PrintableString 'KMI'
          :       }
          :     }
     31 18:   SET {
     30 16:     SEQUENCE {
     06  3:       OBJECT IDENTIFIER commonName (2 5 4 3)
     13  9:       PrintableString 'Root-Name'
          :       }
          :     }
          :   }

  5. PER Samples
     • Issuer name takes 73 bytes to encode using aligned PER; unaligned reduces this slightly (~68 bytes)
     • Both aligned (first dump) and unaligned (second dump) PER are more difficult to read than DER
     • No tag values and often no length values
     • Unaligned requires parsing of individual bits
     • Decoding requires knowledge of structure
     • What would be signed in unaligned scenario?

     Aligned PER (offsets in decimal, 16 bytes per line):
     00000015  0501 0355 0406 0420 0255 5301 0355 040A  ...U... .US..U..
     00000031  1120 0F55 2E53 2E20 476F 7665 726E 6D65  . .U.S. Governme
     00000047  6E74 0103 5504 0B05 2003 446F 4401 0355  nt..U... .DoD..U
     00000063  040B 0520 034B 4D49 0103 5504 030B 2009  ... .KMI..U... .
     00000079  526F 6F74 2D4E 616D 65                   Root-Name

     Unaligned PER (offsets in decimal, 16 bytes per line):
     00000013  1828 081A A820 3021 02AB 4C00 081A A820  .(... 0!..L....
     00000029  5079 0FAA BA9A E411 F7F6 CBCB 76DC BBBA  Py..........v...
     00000045  0008 1AA8 2058 2103 89BE 2008 1AA8 2058  .... X!... ... X
     00000061  2103 9736 4808 1AA8 2018 5109 A5BF 7F45  !..6H... .Q....E
     00000077  B3B0 EDCA                                ....
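The DER dump on slide 4 and the two PER dumps on slide 5 are three encodings of the same issuer Name. The following Python is an added example, not code from the study or its tooling: it decodes the Name out of both PER dumps with a small bit-level reader covering only the pieces of PER this Name exercises (single-octet length determinants, the 3-bit CHOICE index, 8-bit or 7-bit PrintableString characters), re-encodes the result as DER, and returns the three sizes. The fact that the Name starts 5 bits into the unaligned dump was found by inspecting that dump; the hex strings are copied from the slide, and every function name is mine.

```python
# Added example, not from the slides: decode the issuer Name from the slide's aligned and
# unaligned PER dumps, then re-encode it as DER, reproducing the 89 / 73 / 68 byte figures.
# Only the PER subset this Name needs is implemented; anything else raises rather than guess.

ALIGNED_PER_HEX = (  # the aligned-PER dump from the slide, 73 bytes
    "0501 0355 0406 0420 0255 5301 0355 040A 1120 0F55 2E53 2E20 476F 7665 726E 6D65 "
    "6E74 0103 5504 0B05 2003 446F 4401 0355 040B 0520 034B 4D49 0103 5504 030B 2009 "
    "526F 6F74 2D4E 616D 65"
)
UNALIGNED_PER_HEX = (  # the unaligned-PER dump from the slide, 68 bytes
    "1828 081A A820 3021 02AB 4C00 081A A820 5079 0FAA BA9A E411 F7F6 CBCB 76DC BBBA "
    "0008 1AA8 2058 2103 89BE 2008 1AA8 2058 2103 9736 4808 1AA8 2018 5109 A5BF 7F45 "
    "B3B0 EDCA"
)
# Found by inspection: the dump's first 5 bits belong to the field before the issuer.
UNALIGNED_NAME_BIT_OFFSET = 5


class BitReader:  # MSB-first bit cursor; PER is bit-oriented, a byte cursor is not enough
    def __init__(self, data: bytes, bitpos: int = 0):
        self.data, self.pos = data, bitpos

    def bits(self, n: int) -> int:
        v = 0
        for _ in range(n):
            v = (v << 1) | ((self.data[self.pos >> 3] >> (7 - (self.pos & 7))) & 1)
            self.pos += 1
        return v


def length_det(r: BitReader, aligned: bool) -> int:
    """Single-octet (<128) length determinant; aligned PER puts it on an octet boundary."""
    if aligned:
        r.pos = (r.pos + 7) & ~7  # this padding is where aligned PER's extra bytes come from
    n = r.bits(8)
    if n & 0x80:
        raise ValueError("multi-octet length determinant not handled")
    return n


def decode_oid(raw: bytes) -> str:
    arcs = [2, raw[0] - 80] if raw[0] >= 80 else [raw[0] // 40, raw[0] % 40]
    v = 0
    for b in raw[1:]:  # base-128 subidentifiers, high bit = continuation
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, v = arcs + [v], 0
    return ".".join(map(str, arcs))


def decode_per_name(data: bytes, aligned: bool, bitpos: int = 0):
    """Name ::= SEQUENCE OF RDN; RDN ::= SET OF { type OID, value open type }, where the
    value is DirectoryString (CHOICE of 5, printableString = 1). Returns (rdns, bits used)."""
    r = BitReader(data, bitpos)
    rdns = []
    for _ in range(length_det(r, aligned)):  # SEQUENCE OF count; there is no tag anywhere
        rdn = []
        for _ in range(length_det(r, aligned)):  # SET OF count
            oid = decode_oid(bytes(r.bits(8) for _ in range(length_det(r, aligned))))
            open_len = length_det(r, aligned)  # open type: octet count, content padded
            start = r.pos
            if r.bits(3) != 1:  # 3-bit CHOICE index (5 alternatives), never octet-aligned
                raise ValueError("only printableString values handled")
            n = length_det(r, aligned)
            width = 8 if aligned else 7  # aligned PER rounds the 7-bit alphabet up to 8
            text = "".join(chr(r.bits(width)) for _ in range(n))
            r.pos = start + open_len * 8  # skip the open type's padding bits
            rdn.append((oid, text))
        rdns.append(rdn)
    return rdns, r.pos - bitpos


def der_tlv(tag: int, content: bytes) -> bytes:
    if len(content) >= 0x80:
        raise ValueError("long-form DER length not needed for this example")
    return bytes([tag, len(content)]) + content


def encode_oid(oid: str) -> bytes:
    arcs = [int(a) for a in oid.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:  # base-128, high bit set on all but the last octet
        chunk = [a & 0x7F]
        while a := a >> 7:
            chunk.append(0x80 | (a & 0x7F))
        out += bytes(reversed(chunk))
    return bytes(out)


def der_name(rdns) -> bytes:
    """DER: SEQUENCE { SET { SEQUENCE { OID, PrintableString } } }; SET OF members sorted."""
    sets = []
    for rdn in rdns:
        avas = sorted(der_tlv(0x30, der_tlv(0x06, encode_oid(o)) + der_tlv(0x13, t.encode("ascii")))
                      for o, t in rdn)
        sets.append(der_tlv(0x31, b"".join(avas)))
    return der_tlv(0x30, b"".join(sets))


def size_comparison() -> dict:
    aligned, a_bits = decode_per_name(bytes.fromhex(ALIGNED_PER_HEX), aligned=True)
    unaligned, u_bits = decode_per_name(bytes.fromhex(UNALIGNED_PER_HEX), aligned=False,
                                        bitpos=UNALIGNED_NAME_BIT_OFFSET)
    assert aligned == unaligned, "the two PER dumps should decode to the same Name"
    return {"rdns": aligned, "der": len(der_name(aligned)),
            "aligned_per": a_bits // 8, "unaligned_per": (u_bits + 7) // 8}
```

`size_comparison()` returns 89, 73 and 68 bytes, the figures on slides 4 and 5. Two things stand out when stepping through it. First, the PER decoder cannot take a single step without the ASN.1 schema: there are no tags, the CHOICE index is three bits wide only because DirectoryString has five alternatives, and the character width depends on which variant of PER is in use. Second, in the unaligned dump the Name begins in the middle of an octet, so the field a verifier would hash cannot be cut out by byte offsets alone, which is the practical side of the slide's question about what gets signed.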

  6. XER Sample
     • Issuer name takes 1651 bytes
     • Canonical XER reduces this to 1114 bytes
     • Signature field produced in XER is not an XML digital signature

     <issuer>
       <rdnSequence>
         <RelativeDistinguishedName>
           <AttributeTypeAndValue>
             <type>2.5.4.6</type>
             <value>
               <DirectoryString>
                 <printableString>US</printableString>
               </DirectoryString></value>
           </AttributeTypeAndValue>
         </RelativeDistinguishedName>
         <RelativeDistinguishedName>
           <AttributeTypeAndValue>
             <type>2.5.4.10</type>
             <value>
               <DirectoryString>
                 <printableString>U.S. Government</printableString>
               </DirectoryString></value>
           </AttributeTypeAndValue>
         </RelativeDistinguishedName>
         <RelativeDistinguishedName>
           <AttributeTypeAndValue>
             <type>2.5.4.11</type>
             <value>
               <DirectoryString>
                 <printableString>DoD</printableString>
               </DirectoryString></value>
           </AttributeTypeAndValue>
         </RelativeDistinguishedName>
         <RelativeDistinguishedName>
           <AttributeTypeAndValue>
             <type>2.5.4.11</type>
             <value>
               <DirectoryString>
                 <printableString>KMI</printableString>
               </DirectoryString></value>
           </AttributeTypeAndValue>
         </RelativeDistinguishedName>
         <RelativeDistinguishedName>
           <AttributeTypeAndValue>
             <type>2.5.4.3</type>
             <value>
               <DirectoryString>
                 <printableString>Root-Name</printableString>
               </DirectoryString></value>
           </AttributeTypeAndValue>
         </RelativeDistinguishedName>
       </rdnSequence>
     </issuer>
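For the XER figures on slide 6, an added example that is not part of the study: it emits the same issuer Name in XER from the RDN list (the Name as it appears in the DER and PER samples, written out here as a literal) and splits the byte count into payload and markup. It assumes canonical XER is the same element sequence with the whitespace between elements removed; under that assumption the output is exactly the slide's 1114 bytes. The indented variant shows the kind of output the 1651-byte figure came from, but the slide's exact whitespace is not known, so no claim is made about matching it. Function names are mine.

```python
# Added example, not from the slides: emit the issuer Name in XER and count where the bytes
# go. Element names are the ASN.1 type and field names. Canonical XER is taken here to be the
# same element sequence with no whitespace between elements (an assumption; it reproduces the
# slide's 1114-byte figure). RDNS is the Name decoded from the DER/PER samples.
RDNS = [
    [("2.5.4.6", "US")], [("2.5.4.10", "U.S. Government")],
    [("2.5.4.11", "DoD")], [("2.5.4.11", "KMI")], [("2.5.4.3", "Root-Name")],
]


def xer_issuer(rdns, indent: str = "") -> str:
    """issuer/rdnSequence in XER. indent="" gives the whitespace-free canonical form;
    indent="  " gives a pretty-printed form of the kind the slide shows."""
    nl = "\n" if indent else ""

    def el(name: str, body: str, depth: int, leaf: bool = False) -> str:
        pad = indent * depth
        if leaf:
            return f"{pad}<{name}>{body}</{name}>{nl}"
        return f"{pad}<{name}>{nl}{body}{pad}</{name}>{nl}"

    rdn_xml = "".join(
        el("RelativeDistinguishedName", "".join(
            el("AttributeTypeAndValue",
               el("type", oid, 4, leaf=True)
               + el("value", el("DirectoryString",
                                el("printableString", text, 6, leaf=True), 5), 4),
               3)
            for oid, text in rdn), 2)
        for rdn in rdns)
    return el("issuer", el("rdnSequence", rdn_xml, 1), 0)


def xer_breakdown(rdns) -> dict:
    """Split the canonical XER size into payload (OID digits + string text) and markup."""
    size = len(xer_issuer(rdns).encode("ascii"))
    payload = sum(len(oid) + len(text) for rdn in rdns for oid, text in rdn)
    return {"canonical_bytes": size, "payload_bytes": payload, "markup_bytes": size - payload}
```

Of the 1114 canonical bytes, 70 carry the OIDs and strings and 1044 are element names, which is what the remark on slide 7 about smaller field names is pointing at: the ASN.1 identifiers, not the data, set the size of XER.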

  7. Notes
     • PER and XER are not canonical
     • Canonical XER was also tested but not compared to C14N
     • We used unaltered ASN.1 files from the relevant specs
     • It's possible that PER results could be made smaller if ASN.1 definitions were modified to capitalize on PER strengths
     • XER could be made smaller by using smaller field names or otherwise altering the ASN.1 to change the nature of the output
     • Compression may be worth considering (see next two slides: sizes using Burrows-Wheeler via the bzip2 program, and savings vs. original)
     • Alternative compression algorithms may offer better results
     • XER does not feature W3C-compliant XML Digital Signatures
     • Apache-based XML DSIG implementation used to generate the sample does not currently support ECDSA
     • Using an XML Digital Signature around the TBSCertificate structure reduced the default XER signature from ~2200 bytes to ~900 bytes

  8. Slim Jim November 2005

  9. Infrastructure Summary
     • DER: 431 through 952 bytes
     • Aligned PER: 381 through 808 bytes
     • Unaligned PER: 368 through 756 bytes
     • Canonical and non-canonical XER: BIG

  10. EE Variations
     • 7 name forms × 4 profiles
     • Subject field with a dc name
     • Subject field empty, with one each of the following in the subject alternative name field:
       • otherName
       • RFC822Name
       • DNSName
       • IPv4 name
       • IPv6 name
       • URI

  11. EE Summary
     • DER: 596 through 837 bytes
     • Aligned PER: 518 through 727 bytes
     • Unaligned PER: 488 through 676 bytes
     • Canonical and non-canonical XER: BIG
