Monday, March 30, 2015

CRL vs OCSP vs OCSP Stapling

Certificate revocation is the mechanism within a PKI (Public Key Infrastructure) by which a CA tells clients that a certificate it issued can no longer be trusted, before that certificate's expiry date. It is required when the private key has been compromised, and it is also used when the certificate holder's details change (the CRL reason codes shown below cover both cases).

Revocation Verification Methods:
  1. CRL
  2. OCSP
  3. OCSP Stapling

CRLs (Certificate Revocation Lists) were the first mechanism that gave a CA the ability to revoke certificates. OCSP was introduced later to work around their limitations, although CRLs are still published and checked alongside it.

A CRL is a list, signed by the CA, of the serial numbers of certificates that CA has revoked and that have not yet expired, together with the revocation date and optionally a reason code. The client verifies the CA's signature on the list and then looks for the serial number of the certificate it is checking; a match means the certificate is revoked.

Example entries from a CRL (serial number, revocation date and the RFC 5280 reason code of each revoked certificate):

Serial Number 40 3a 89 a6 df 4c fc ab
Revocation date Wednesday, 20 January 2016 6:07:47 PM
CRL Reason Code Affiliation Changed (3)

Serial Number 37 7a e3 b0 9d 40 e5 42
Revocation date Friday, 2 October 2015 6:23:22 PM
CRL Reason Code Key Compromise (1)

To tell the client where to fetch the CRL, the Certificate Authority (CA) embeds a CRL Distribution Point (CDP) extension, containing the URL of the CRL, in each certificate it issues.

The main disadvantages of CRLs are:
  1. Overhead: the client has to download the whole list and then search it for one serial number. A busy CA's CRL can contain thousands of entries and run to megabytes.
  2. Staleness: CRLs are published on a schedule set by the CA (typically days; 5-14 days is common), and a client may keep using a cached copy until its Next Update time. A certificate revoked today can therefore still be accepted until the next CRL is fetched.
  3. Some browsers (Chrome being the best-known example at the time of writing) do not download CRLs at all for OV (Organization Validation) or DV (Domain Validation) certificates, and only perform the check for EV (Extended Validation) certificates.
  4. Soft fail: if the client cannot download the CRL (server down, blocked by a firewall, or blocked by an attacker in the path), browsers by default treat the certificate as valid.

Online Certificate Status Protocol (OCSP) was created as an alternative to the Certificate Revocation List (CRL) mechanism. Both are used to check whether an SSL/TLS certificate has been revoked.

CRL checking requires the browser to download potentially large amounts of revocation information it does not need, and the download and lookup add time to the TLS handshake before the page can be loaded.

With OCSP the browser does not download or search a list. It sends a query for one certificate to an OCSP responder (a server, run by the CA or on its behalf, that listens for OCSP requests) and receives a signed response giving that certificate's revocation status. The responder's URL is carried in the certificate's Authority Information Access (AIA) extension.

OCSP removes many of the disadvantages of CRL by allowing the client to check the certificate status for a single certificate.

The OCSP exchange is shown below:
  1. The client receives the server's certificate during the TLS handshake.
  2. The client sends an OCSP request (over HTTP, to the URL in the certificate's AIA extension) containing the certificate's serial number and hashes of the issuer's name and public key.
  3. The OCSP responder replies with a status of Good, Revoked or Unknown, signed by the CA (or by a responder certificate the CA has delegated to) and carrying a validity window (This Update / Next Update) so the client knows how long it may cache the answer.

An example response, as printed by the openssl ocsp client:

Response verify OK
0x45A5D24B5E9VA0DB2BFA4E4D699C8C2bF: good
        This Update: Oct 30 05:30:30 2012 GMT
        Next Update: Nov  6 05:30:30 2012 GMT

"Response verify OK" means the client was able to validate the signature on the response; only then is the status line trustworthy.
The main advantage of OCSP is that the client can query the status of a single certificate rather than downloading and parsing an entire list, so there is far less overhead on the client and the network.

However, the main disadvantages of OCSP are:

  1. An OCSP request is sent for every certificate a client encounters, so for high-traffic websites the load on the OCSP responder (i.e. the CA) is substantial, and every page load depends on the responder being up and fast.
  2. An attacker who has stolen the server's private key still has to get into the path between client and server to impersonate it (a MITM position). From that position the attacker can also drop the client's OCSP request. Because most browsers silently ignore OCSP when the request times out (soft fail), OCSP cannot be considered a fully reliable mitigation for a compromised HTTPS server key.
  3. As with CRLs, some browsers do not perform OCSP checks for OV (Organization Validation) or DV (Domain Validation) certificates and only do so for EV (Extended Validation) certificates.
OCSP Stapling:

OCSP stapling extends OCSP by letting the web server do the work on the client's behalf. The server queries the OCSP responder itself, caches the signed response, and delivers it to the client inside the TLS handshake, in reply to the client's Certificate Status Request (status_request) extension. The client gets the certificate status with the same latency as the handshake itself and never has to contact the CA.

OCSP stapling therefore removes the overhead problems of both OCSP and CRLs: the certificate holder performs the OCSP request periodically, and each of its many clients receives a copy of the answer. The stapled response is still signed by the CA, so the server cannot alter it or forge a "good" status; it can only fail to refresh it (the response has a This Update / Next Update window, and a stale one is rejected) or omit the staple altogether.

The main disadvantages of OCSP stapling are:

  1. It depends on the TLS status_request extension (RFC 6066), so both client and server must support that extension. It is not tied to TLS 1.2 specifically, but older TLS stacks without extension support cannot use it, and the basic extension only staples the status of the server's own certificate, not of the intermediates.
  2. Not all browsers and servers support it yet. A client that does not send status_request receives no staple, so it either performs no revocation check at all or falls back to a standard OCSP query; a server that receives no staple from its responder simply sends nothing, and the client falls back in the same way.
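The three checks described on this page (the CRL lookup, the three-step OCSP exchange, and the stapled response in the TLS handshake), as one added example that is not part of the original post. It assumes an OpenSSL 1.1 or later command-line tool; the CA and subject names, the CDP and AIA URLs, the loopback port 14433 and the temp-directory layout are assumptions made for the demo, and the CRL and OCSP responses are served from local files instead of over HTTP.

```shell
#!/bin/sh
# Added example, not code from the original post. It builds a throw-away CA with the
# openssl CLI, issues and then revokes a leaf certificate, and runs the three checks
# the post compares against it: CRL lookup, an OCSP request/response, and an OCSP
# response stapled into a TLS handshake. Everything runs offline in a temp directory;
# the subject names, URLs and loopback port are assumptions made for the demo.
set -eu

setup_ca() {
  W=$(mktemp -d) && cd "$W"
  mkdir ca && : > ca/index.txt && echo 1000 > ca/serial && echo 01 > ca/crlnumber
  cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
commonName = Common Name
[caext]
basicConstraints = critical,CA:TRUE
[ca]
default_ca = myca
[myca]
dir = ./ca
database = $dir/index.txt
new_certs_dir = $dir
serial = $dir/serial
crlnumber = $dir/crlnumber
certificate = ca.pem
private_key = ca.key
default_md = sha256
default_days = 30
default_crl_days = 7
policy = pol
[pol]
commonName = supplied
[leaf]
basicConstraints = CA:FALSE
crlDistributionPoints = URI:http://crl.example.test/ca.crl
authorityInfoAccess = OCSP;URI:http://ocsp.example.test/
[responder]
extendedKeyUsage = OCSPSigning
EOF
  openssl req -x509 -config ca.cnf -extensions caext -newkey rsa:2048 -nodes \
    -keyout ca.key -out ca.pem -subj /CN=Test-CA -days 30 2>/dev/null
  for n in leaf responder; do      # leaf = server cert, responder = delegated OCSP signer
    openssl req -config ca.cnf -newkey rsa:2048 -nodes -keyout $n.key -out $n.csr -subj /CN=$n 2>/dev/null
    openssl ca -batch -notext -config ca.cnf -extensions $n -in $n.csr -out $n.pem 2>/dev/null
  done
}

# CRL: the CA publishes a signed list of revoked serials; the client fetches it (here
# from disk) and verify -crl_check looks the leaf's serial up in it. Prints OK/revoked.
status_via_crl() {
  openssl ca -config ca.cnf -gencrl -out ca.crl 2>/dev/null
  out=$(openssl verify -crl_check -CAfile ca.pem -CRLfile ca.crl leaf.pem 2>&1 || true)
  case "$out" in *"certificate revoked"*) echo revoked ;; *": OK"*) echo OK ;; *) echo "error: $out" ;; esac
}

# OCSP, both sides: the client builds a request naming the leaf's serial, the responder
# answers from the CA database with a response signed by its delegated cert, and the
# client verifies that signature before reading the status. Prints good/revoked/unknown.
status_via_ocsp() {
  openssl ocsp -issuer ca.pem -cert leaf.pem -no_nonce -reqout req.der >/dev/null 2>&1 || true
  openssl ocsp -index ca/index.txt -CA ca.pem -rsigner responder.pem -rkey responder.key \
    -ndays 7 -reqin req.der -respout resp.der -CAfile ca.pem >/dev/null 2>&1 || true
  out=$(openssl ocsp -issuer ca.pem -cert leaf.pem -no_nonce -CAfile ca.pem -respin resp.der 2>&1 || true)
  case "$out" in *"Response verify OK"*) echo "$out" | sed -n 's/^leaf\.pem: //p' ;; *) echo verify-failed ;; esac
}

revoke_leaf() { openssl ca -config ca.cnf -revoke leaf.pem -crl_reason keyCompromise 2>/dev/null; }

# Stapling: the server hands the CA-signed resp.der to the client inside the handshake,
# so the client never talks to the responder. s_server stands in for a web server with
# a status file; s_client -status sends the status_request extension. Prints the status.
status_via_staple() {
  port=14433                                   # assumed free loopback port
  openssl s_server -accept $port -cert leaf.pem -key leaf.key -www -status -status_file resp.der >/dev/null 2>&1 &
  srv=$!; sleep 1
  out=$(openssl s_client -connect 127.0.0.1:$port -CAfile ca.pem -status </dev/null 2>&1 || true)
  kill $srv 2>/dev/null || true
  r=$(echo "$out" | sed -n 's/^ *Cert Status: //p'); [ -n "$r" ] && echo "$r" || echo no-staple
}

main() {
  setup_ca
  echo "before revocation: crl=$(status_via_crl) ocsp=$(status_via_ocsp)"
  revoke_leaf
  echo "after revocation:  crl=$(status_via_crl) ocsp=$(status_via_ocsp)"
  echo "CRL entry reason: $(openssl crl -in ca.crl -noout -text | awk '/CRL Reason Code/ { getline; sub(/^ */, ""); print }')"
  echo "stapled status seen by the TLS client: $(status_via_staple)"
}
main
```

Run it with sh; it prints OK/good before the revocation and revoked/revoked/Key Compromise afterwards, and the stapled status the TLS client sees. Against a live site the equivalent practitioner checks are openssl s_client -connect host:443 -status (does the server staple, and what status does it carry) and openssl ocsp with -url pointing at the responder named in the certificate's AIA extension. Note that status_via_staple reports whatever resp.der holds: a server that keeps serving a cached "good" response is exactly the staleness the This Update / Next Update window bounds.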
