Enabling Revocation for Billions of Consumers
Kelvin Yiu, kelviny@microsoft.com, Microsoft Corporation

Agenda
• Why X.509 Revocation is Difficult
• Lessons Learned
• Enabling Revocation – The Hard Questions
• X.509 Revocation in Windows Vista
• Best Practices
The Consumer: Grandma Understands This, Right?
• Hmmmm?
• Despite popular legislation, you cannot legislate comprehension by end users
• What do all of these fields mean to me?
• certificatePolicies are for lawyers, not consumers or end users
Why is Revocation So Difficult? Multitude of Application Scenarios & Requirements
• Client scenarios
  • SSL server authentication (Internet Explorer)
  • Smart card logon
  • Outlook S/MIME
  • Code signature verification (Authenticode)
    • Install time vs load time
  • Wireless, RAS
• Server scenarios
  • Smart card logon (DC)
  • IIS SSL client authentication
  • RADIUS
Why is Revocation So Difficult? Multitude of Locations and Connectivity Options
[Diagram: Main Office, Branch Office, Business Partner, Remote User and Wireless Network, each with its own LAN, connected over the Internet]
• A certificate may be validated anywhere using any connectivity option:
  • LAN
  • VPN
  • RPC over HTTP
  • Extranet
  • Private network
  • No connectivity
Why is Revocation So Difficult? Peak Bandwidth = $$$
[Chart: revocation bandwidth usage over time; source: VeriSign (RSA 2005)]
• Usage mostly due to code signing CRLs (90%+)
• Wide variance in bandwidth use
• Highest use is Monday morning
• High fixed cost to handle peak bandwidth
• Client-side retry logic means the service degenerates quickly
• OCSP generally uses less bandwidth than CRLs, but not always
Lessons Learned: Enabling Revocation in Internet Explorer
• First tried enabling SSL revocation in IE 3.02
  • SSL sometimes grinds to a halt
  • IE 3.02 didn’t ship with revocation enabled
• Threat – is the risk worth the pain?
  • $50 credit card liability
  • No real protection from phishing scams
  • Will users be bothered to report key compromise?
• What is tolerable for the average consumer?
Lessons Learned: Outlook 2000 S/MIME Deployments
• Users complained Outlook often hangs when revocation checking is enabled
• Lesson learned: 90 s per URL timeout is too long. Will do 15 s but let the retrieval finish in the background
• Lesson 2 learned: 15 s is still too long, but a shorter timeout increases the % of retrieval failures
• What were the causes?
  • Outlook blocks until signature validation completes
    • Outlook 2003 performs validation on a background thread
  • Operational errors (offline server, CRL not published)
  • Multiple URLs in the CDP (Internet vs Intranet)
Lessons Learned: Enabling Revocation for Authenticode
• Enabled revocation checking for ActiveX download as a critical security update
• Had to make revocation errors non-fatal to prevent regressions
• Caused problems for scenarios that validate the signature at load time
  • Developers did not understand the network implication of calling the verify-signature API
  • Some anti-virus products perform self-integrity checks periodically
  • Machines in a private network cannot download the CRL
Lessons Learned: Misbehaving Proxies
• Unreliable caching semantics in HTTP 1.0
  • “Expires” header assumes synchronized clocks
  • Windows sets “Pragma: no-cache” to avoid retrieving stale CRLs
• Auto-proxy does not always return active proxies
  • Clients would fail randomly because a random proxy is selected from the list
• Incorrect proxy configuration (wininet.dll vs winhttp.dll)
• Proxy access policy
  • Not all users have Internet access
  • Users, but not machines, have access
Enabling Revocation by Default: The Hard Questions
• Is the benefit worth the infrastructure and user costs?
• Should online revocation be required for all applications?
  • OS boot and signature validation make this challenging
• What is the expected behavior when working offline?
• What is the expected behavior for mobile users?
  • How does a laptop in a hotel room contact the intranet (LDAP) URL for CRLs? Should VPN be required?
• When is failure an acceptable option?
• Will users tolerate reduced performance and reliability?
• What is the reasonable level of assurance for consumers?
Enabling Revocation by Default: What Problem Does Revocation Really Solve?
• Revocation is an attempt at a perfect solution in an imperfect world
  • Imperfect CA identity validation procedures
  • Key compromise
    • How often are key compromises reported to the CA?
    • Can take days or weeks for the information to propagate
• HTTPS protects users from untrustworthy networks
  • WiFi hotspots, neighbors
  • Pharming attacks
• Works well when protecting users from keys/certificates that were compromised in the past
Our Goals for Windows Vista: Enabling Revocation for Billions of Consumers
• “It just works”
  • Good defaults, but not optimized for all scenarios
  • Can be fine-tuned with custom policy
• Balance between threat mitigation and user experience
• Minimize peak bandwidth usage for network operators and CAs
• Enterprise-managed tolerance on revocation freshness
  • Network connectivity issues and infrastructure failures necessitate an “emergency mode” to ignore all offline and stale revocation errors
• IE7 on Windows Vista: revocation enabled by default!
Revocation in Windows Vista: Taking Revocation to the Next Level
• OCSP client
  • Supports the lightweight OCSP profile
• TLS “Stapling” extensions
  • IE7 on Windows Vista and IIS7
• HTTP 1.1 caching proxies
• Randomized pre-fetch to take advantage of overlapping validity periods in OCSP or CRL
• Flush CRLs and OCSP responses from memory caches via certutil.exe
• OCSP responder in “Longhorn” Server
Revocation in Windows Vista: How TLS “Stapling” Scales
[Diagram: Grandma, Contoso and the Contoso Public Certification Authority connected over the Internet]
• Grandma connects to https://www.contoso.com
• Contoso pre-fetches the OCSP response for its certificate
• Contoso returns its certificate chain and the OCSP response in the TLS handshake
• Stapling reduces load on the CA to the number of servers, not clients
Revocation in Windows Vista: CRL vs OCSP
• Windows will always prefer cached objects or a “stapled” OCSP response
• If network retrieval is required, then OCSP is preferred if both AIA and CDP are present
  • Try all OCSP URLs, then CDP URLs
• Windows will switch to CRLs if:
  • The number of OCSP responses retrieved for an issuer exceeds 50 (configurable in the registry)
  • Configured by group policy
• Network timeout is still 15 seconds per URL
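The source-selection rules on this slide, modelled as an added example (this is illustration code, not Windows code): a stapled response or a cached object wins outright, otherwise OCSP (AIA) URLs are tried before CDP URLs, and once more than 50 OCSP responses have been retrieved for an issuer the client switches to CRLs. The 50 threshold and the 15 s per-URL timeout are the slide's defaults; the issuer name and URLs are constructed, and the assumption that no OCSP fallback remains after the switch is mine, since the slide does not say. The worst-case blocking time (timeout multiplied by the number of network URLs in the plan) is the number an application author should look at before calling a verification API on a UI thread, which ties back to the Outlook lesson earlier in the deck.

```python
"""Model of the CRL-vs-OCSP retrieval order described on the slide (added example)."""
from dataclasses import dataclass, field

OCSP_SWITCH_THRESHOLD = 50   # slide: "exceeds 50 (configurable in the registry)"
URL_TIMEOUT_SECONDS = 15     # slide: "15 seconds per URL"


@dataclass
class CertInfo:
    issuer: str
    ocsp_urls: list            # URLs from the AIA extension (OCSP access method)
    cdp_urls: list             # URLs from the CRL Distribution Points extension
    stapled_ocsp: bool = False # a response was delivered in the TLS handshake


@dataclass
class ClientState:
    cached_urls: set = field(default_factory=set)                  # URLs with a fresh cached object
    ocsp_responses_per_issuer: dict = field(default_factory=dict)  # issuer -> responses retrieved


def retrieval_plan(cert, state, threshold=OCSP_SWITCH_THRESHOLD):
    """Return the ordered list of (source_kind, url) the client would consult."""
    # 1. A stapled OCSP response never touches the network.
    if cert.stapled_ocsp:
        return [("stapled", None)]
    # 2. A fresh cached object (CRL or OCSP response) is used next.
    cached = [u for u in cert.ocsp_urls + cert.cdp_urls if u in state.cached_urls]
    if cached:
        return [("cache", cached[0])]
    ocsp = [("ocsp", u) for u in cert.ocsp_urls]
    crl = [("crl", u) for u in cert.cdp_urls]
    # 3. Per-issuer switch to CRLs after too many OCSP responses. Assumption: after the
    #    switch only CDP URLs are tried; the slide does not state whether OCSP remains a fallback.
    if state.ocsp_responses_per_issuer.get(cert.issuer, 0) > threshold:
        return crl
    # 4. Default: all OCSP URLs, then all CDP URLs.
    return ocsp + crl


def record_ocsp_response(state, issuer):
    """Bookkeeping the client does each time an OCSP response for `issuer` is retrieved."""
    state.ocsp_responses_per_issuer[issuer] = state.ocsp_responses_per_issuer.get(issuer, 0) + 1


def worst_case_block_seconds(plan, timeout=URL_TIMEOUT_SECONDS):
    """Upper bound on how long a synchronous verification can stall if every URL times out."""
    return sum(timeout for kind, _ in plan if kind in ("ocsp", "crl"))


if __name__ == "__main__":
    # Constructed sample certificate and client state.
    cert = CertInfo("Contoso Issuing CA (constructed)",
                    ["http://ocsp.example.test/"], ["http://crl.example.test/ca.crl"])
    state = ClientState()
    print(retrieval_plan(cert, state), worst_case_block_seconds(retrieval_plan(cert, state)))
    for _ in range(51):
        record_ocsp_response(state, cert.issuer)
    print(retrieval_plan(cert, state))
```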
Revocation in Windows Vista: How Pre-Fetch Works
• In the background, the client selects a random time between the next expected publication time and expiration
• Expected publication time computed from fetch time + max-age

Revocation in Windows Vista: Why Pre-Fetch is Valuable
• TLS “Stapling” does not return CRLs for intermediate CA certificates
• Works with both OCSP and CRL
  • Supports LDAP URLs too, with nextPublishTime
• Useful in server scenarios too
  • Pre-fetches CRLs on domain controllers for smart card logon
• Pre-fetched URLs that are not used during the next cycle will be removed from the pre-fetch list
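The randomized pre-fetch rule from the two slides above, written out as an added example (illustration code, not the Windows implementation): the refresh time is drawn uniformly between the expected publication time (fetch time + max-age) and the object's expiry, and a simulation over many clients shows how that spreads the refresh load across the overlap window instead of stacking it at expiry, which is the peak-bandwidth problem the deck opened with. The timestamps reuse the header values printed on the HTTP proxy slides later in the deck; the client count and the pruning helper for the pre-fetch list are my own constructions.

```python
"""Randomized pre-fetch scheduling, as described on the slides (added example)."""
import random
from datetime import datetime, timedelta, timezone


def expected_publication(fetch_time, max_age_seconds):
    """Slide: expected publication time = fetch time + max-age."""
    return fetch_time + timedelta(seconds=max_age_seconds)


def choose_prefetch_time(fetch_time, max_age_seconds, expires, rng=random):
    """Pick a uniformly random instant in [expected publication, expires).

    Returns None when there is no window, i.e. the object expires before the next
    publication is expected; the client then has to fetch on demand at expiry.
    """
    start = expected_publication(fetch_time, max_age_seconds)
    if start >= expires:
        return None
    window_seconds = (expires - start).total_seconds()
    return start + timedelta(seconds=rng.uniform(0, window_seconds))


def prefetch_histogram(n_clients, fetch_time, max_age_seconds, expires, bucket, seed=0):
    """Simulate n clients that all fetched at the same time; count refreshes per bucket.

    Bucket 0 starts at fetch_time; with a one-day bucket, bucket k covers day k after the fetch.
    """
    rng = random.Random(seed)  # seeded so the simulation is reproducible
    counts = {}
    for _ in range(n_clients):
        t = choose_prefetch_time(fetch_time, max_age_seconds, expires, rng)
        k = int((t - fetch_time).total_seconds() // bucket.total_seconds())
        counts[k] = counts.get(k, 0) + 1
    return counts


def prune_prefetch_list(prefetched_urls, used_this_cycle):
    """Slide: URLs not used during the next cycle drop off the pre-fetch list."""
    return {u for u in prefetched_urls if u in used_this_cycle}


if __name__ == "__main__":
    # Values from the HTTP proxy slides: fetched 2/1/2005 08:00, max-age 86400, Expires 2/7/2005 23:59:59.
    fetched = datetime(2005, 2, 1, 8, 0, tzinfo=timezone.utc)
    expires = datetime(2005, 2, 7, 23, 59, 59, tzinfo=timezone.utc)
    print(choose_prefetch_time(fetched, 86400, expires, random.Random(1)))
    for day, n in sorted(prefetch_histogram(10000, fetched, 86400, expires, timedelta(days=1)).items()):
        print(f"day {day}: {n} refreshes")
```

With a one-day max-age and a week of validity the window runs from 2/2 08:00 to 2/7 23:59:59, so roughly a sixth of the clients refresh on each of those days rather than all of them at once on 2/7; a shorter window (max-age close to the validity period) concentrates the load again, which is why the best-practice slide asks for max-age to be less than the overlap period.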
Revocation in Windows Vista: HTTP 1.1 Proxy Support
• Reduces load on the CA to the number of proxies, not clients
• Caches HTTP GETs; can be configured to cache dynamic content and HTTP POSTs, but not LDAP
• “ETag” allows “conditional” GETs
  • Allows clients and proxies to query the origin server for freshness without downloading the object
• “max-age” specifies the length of time a proxy can return a cached object on its own
  • Helps enable pre-fetch functionality in proxies
• Retrieval of a stale object will force all proxies to revalidate with the origin server
Revocation in Windows Vista: HTTP 1.1 Proxy Support
[Diagram: clients A, B and C behind an HTTP 1.1 caching proxy, reaching the Revocation Service over the Internet]
1. A requests the CRL on 2/1/2005, 8:00am
2. The revocation service sends the following headers in the HTTP response:
   HTTP/1.1 200 OK
   Content-Length: 1653
   Date: Sun, 01 Feb 2005 08:00:00 GMT
   Content-Type: application/pkix-crl
   Last-Modified: Sun, 01 Feb 2005 00:00:00 GMT
   ETag: "39a0-28d-4029bce7"
   Expires: Sat, 07 Feb 2005 23:59:59 GMT
   Cache-Control: Max-age = 86400
3. The HTTP proxy caches the CRL and returns it to A
4. B requests the same CRL an hour later. Since the proxy cached the CRL less than 1 day ago, the proxy can return its cached copy to B without revalidating with the revocation service
5. C requests the same CRL 2 days later. Since it is more than 1 day since the proxy validated with the revocation service, it sends a conditional GET to the service:
   GET http://...
   If-None-Match: "39a0-28d-4029bce7"
6. The revocation service returns only updated headers to the proxy, since the CRL was not updated:
   HTTP/1.1 304 Not Modified
   Date: Tue, 03 Feb 2005 9:00:00 GMT
   ETag: "39a0-28d-4029bce7"
   Cache-Control: Max-age = 86400
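The six-step exchange on these slides replayed as an added example (a toy revocation service and caching proxy written for illustration, not Microsoft's code or any real proxy): the header values and the timing of the A, B and C requests are taken from the slides, the CRL body is a constructed placeholder, and the proxy logic is the minimal HTTP 1.1 behaviour the slides describe, namely serve from cache while the entry is younger than max-age, otherwise revalidate with a conditional GET carrying If-None-Match, and on 304 Not Modified keep the cached body but reset its age. The max-age parser tolerates the "Max-age = 86400" spelling printed on the slide as well as the usual "max-age=86400".

```python
"""Toy HTTP 1.1 caching proxy for CRL retrieval, replaying the slide scenario (added example)."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime

# Constructed placeholder for the 1653-byte DER CRL named on the slide.
CRL_BYTES = b"<constructed placeholder for a DER-encoded CRL>"
ETAG = '"39a0-28d-4029bce7"'                                   # value from the slide
LAST_MODIFIED = datetime(2005, 2, 1, 0, 0, tzinfo=timezone.utc)
EXPIRES = datetime(2005, 2, 7, 23, 59, 59, tzinfo=timezone.utc)
MAX_AGE = 86400                                                # one day, as on the slide


def parse_max_age(cache_control):
    """Return max-age seconds from a Cache-Control value, or None if absent."""
    m = re.search(r"max-age\s*=\s*(\d+)", cache_control, re.IGNORECASE)
    return int(m.group(1)) if m else None


class RevocationService:
    """Origin server: full 200 with the CRL, or 304 when the ETag still matches."""

    def __init__(self):
        self.full_responses = 0     # how many times the CRL body was actually sent
        self.not_modified = 0       # how many conditional GETs were answered with 304

    def get(self, now, if_none_match=None):
        headers = {"Date": format_datetime(now), "ETag": ETAG,
                   "Cache-Control": f"max-age={MAX_AGE}"}
        if if_none_match == ETAG:
            self.not_modified += 1
            return 304, headers, None
        self.full_responses += 1
        headers.update({"Content-Type": "application/pkix-crl",
                        "Content-Length": str(len(CRL_BYTES)),
                        "Last-Modified": format_datetime(LAST_MODIFIED),
                        "Expires": format_datetime(EXPIRES)})
        return 200, headers, CRL_BYTES


@dataclass
class CacheEntry:
    body: bytes
    etag: str
    validated_at: datetime   # last time the origin confirmed the entry
    max_age: int


class CachingProxy:
    def __init__(self, origin):
        self.origin = origin
        self.entry = None

    def get(self, now):
        """Return (how_served, body): 'cache', 'revalidated' or 'origin'."""
        e = self.entry
        if e and (now - e.validated_at).total_seconds() < e.max_age:
            return "cache", e.body                       # fresh: answer on our own
        status, headers, body = self.origin.get(now, if_none_match=e.etag if e else None)
        if status == 304:                                # unchanged: keep body, reset age
            e.validated_at = now
            e.max_age = parse_max_age(headers["Cache-Control"])
            return "revalidated", e.body
        self.entry = CacheEntry(body, headers["ETag"], now, parse_max_age(headers["Cache-Control"]))
        return "origin", body


def replay_slide_scenario():
    """A at 2/1 08:00, B one hour later, C at 2/3 09:00; returns how each was served plus origin counters."""
    svc, proxy = RevocationService(), CachingProxy(RevocationService())
    proxy.origin = svc
    t_a = datetime(2005, 2, 1, 8, 0, tzinfo=timezone.utc)
    served = [proxy.get(t_a)[0],
              proxy.get(t_a + timedelta(hours=1))[0],
              proxy.get(t_a + timedelta(days=2, hours=1))[0]]
    return served, svc.full_responses, svc.not_modified


if __name__ == "__main__":
    print(replay_slide_scenario())   # (['origin', 'cache', 'revalidated'], 1, 1)
```

Note what the counters show: three client requests cost the revocation service one CRL download and one header-only 304, and a fourth client an hour after C would be served from cache again. Without the ETag the proxy's only option at step 5 would be a full re-download, and without max-age every request would go back to the origin, which is exactly the load the best-practice slide asks CAs to avoid.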
Revocation Best Practices: Industry Call to Action
• Use HTTP, not LDAP
• Set ETag and Cache-Control: max-age
• Keep it simple – 1 OCSP URL and 1 CDP URL, accessible everywhere
• Use overlapping validity periods
  • max-age should be less than the overlap period
  • Can be shorter for long-lived CRLs
• Support the lightweight OCSP profile for high-volume environments
  • Pre-generate OCSP responses if security requirements permit
  • Don’t use a nonce, since it is not cacheable
• Ensure new browsers / servers support stapling
  • Push for stapling in updated protocols
Questions / Comments?
• Experiment with Windows Vista Beta 2
• Feedback always welcomed
• kelviny@microsoft.com
Other PKI Enhancements in Vista
• Path validation improvements
  • Reject certs with unrecognized critical extensions
  • Fixed a number of issues around Qualified Subordination
    • Self-issued certificates
    • inhibitAnyPolicy extension
    • Apply name constraints to all certificates below the constraining certificate (not just the end entity)
  • Cross-certificate discovery using the Subject Information Access extension
• ECC and SHA-2 support
Other PKI Enhancements in Vista
• Improved diagnostics support
  • PKI applications are hard to troubleshoot
    • Not enough information
    • Too many moving parts
      • Network or proxy problem?
      • Bad information in the certificate?
      • Application vs platform problem?
  • Extensive diagnostic information about path validation failures
  • Information is structured in XML designed for automated post-processing and troubleshooting
  • Integrated with the new Windows Event Viewer
  • No changes needed for legacy applications