Autonomous collision attack on OCSP services
📝 Abstract
The paper describes two important design flaws in Online Certificate Status Protocol (OCSP), a protocol widely used in PKI environments for managing digital certificates’ credibility in real time. The flaws significantly reduce the security capabilities of the protocol, and can be exploited by a malicious third party to generate forged signed certificate statuses and, in the worst scenario, forged certificates. Description of the flaws, along with expected exploitation routes, consequences for consuming application layer protocols, and proposed countermeasures, is given.
📄 Content
Autonomous collision attack on OCSP services
Ken Ivanov, EldoS Corporation. Revision 1.0 (August 2016)
Abstract
The paper describes two important design flaws in Online Certificate Status Protocol (OCSP), a protocol
widely used in PKI environments for managing digital certificates’ credibility in real time. The flaws
significantly reduce the security capabilities of the protocol, and can be exploited by a malicious third party
to generate forged signed certificate statuses and, in the worst scenario, forged certificates. Description of the
flaws, along with expected exploitation routes, consequences for consuming application layer protocols, and
proposed countermeasures, is given.
1 Introduction
Online certificate status protocol (OCSP) [1] is one of the two common methods of obtaining up-to-date
digital certificate status information from certification authorities (CA) in modern public key infrastructures
(PKI); the other is based on certificate revocation lists [2]. An entity that needs the latest update on a
certificate's status, such as a web browser or a program that must establish the validity of a digital
signature, connects to a dedicated web service maintained by the CA or its affiliated party, called an OCSP
responder, and sends a request that includes an identifier of the certificate in question. The OCSP responder
then returns a certificate status record to the requestor. The record includes the certificate identifier, its
up-to-date status as maintained by the CA ('active', 'revoked' or 'unknown'), the time of the last status
information update, and the time at which the next update is to be expected. The status record, called an OCSP
response, is digitally signed with the OCSP responder's certificate, which certifies its authenticity on behalf
of the CA and makes it a standalone verifiable PKI entity.
OCSP-based validation schemes are widely used in modern PKI deployments, particularly with advanced
electronic signatures (CAdES, PAdES, XAdES and ASiC) [3]. Typical OCSP usage scenarios include
straightforward synchronous real-time checks of up-to-date certificate status, e.g. when authenticating a
TLS server, and retrieval of OCSP certificate status records for insertion into long-term electronic signatures.
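The request/response exchange described in this section, modelled end to end, together with the checks a relying party should apply to a status record before acting on it. This is an added example and not code from the paper; the record's field names, the 'active'/'revoked'/'unknown' status values and the five-minute clock-skew tolerance are this example's assumptions, and the responder's signature is modelled with an HMAC tag over the canonical record as a stand-in for the asymmetric signature a real responder makes with its certificate's private key.

```python
"""Model of an OCSP exchange: requestor sends a certificate identifier, the
responder returns a signed status record, the requestor validates it.
Added example, not the paper's code. HMAC stands in for the responder's
asymmetric signature; all identifiers and keys below are constructed."""
import hashlib
import hmac
import json
from dataclasses import asdict, dataclass, replace
from datetime import datetime, timedelta, timezone

STATUSES = ("active", "revoked", "unknown")   # status names as used in the paper


@dataclass(frozen=True)
class CertID:
    """Identifies a certificate by its issuing CA and serial number."""
    issuer_key_hash: str   # hex digest of the issuing CA's public key (constructed)
    serial: int


@dataclass(frozen=True)
class OCSPRequest:
    cert_id: CertID


@dataclass(frozen=True)
class OCSPResponse:
    cert_id: CertID
    status: str
    this_update: datetime     # when the CA last refreshed this status
    next_update: datetime     # when a fresher record is to be expected
    responder_id: str         # names the responder certificate that signed the record
    signature: str = ""       # hex tag over all other fields

    def signed_bytes(self) -> bytes:
        """Canonical encoding of every field the signature covers."""
        body = asdict(self)
        body.pop("signature")
        body["this_update"] = self.this_update.isoformat()
        body["next_update"] = self.next_update.isoformat()
        return json.dumps(body, sort_keys=True).encode()


def _sign(key: bytes, data: bytes) -> str:
    return hmac.new(key, data, hashlib.sha256).hexdigest()


class Responder:
    """Stand-in for a CA-operated OCSP responder serving the CA's status database."""

    def __init__(self, responder_id: str, key: bytes, statuses: dict, validity: timedelta):
        self.responder_id = responder_id
        self._key = key
        self._statuses = statuses    # CertID -> status, as maintained by the CA
        self._validity = validity

    def respond(self, request: OCSPRequest, now: datetime) -> OCSPResponse:
        unsigned = OCSPResponse(
            cert_id=request.cert_id,
            status=self._statuses.get(request.cert_id, "unknown"),
            this_update=now,
            next_update=now + self._validity,
            responder_id=self.responder_id,
        )
        return replace(unsigned, signature=_sign(self._key, unsigned.signed_bytes()))


def verify_response(request: OCSPRequest, response: OCSPResponse, trusted_responders: dict,
                    now: datetime, max_skew: timedelta = timedelta(minutes=5)) -> tuple:
    """Relying-party checks, in order: designated signer, signature, identity
    of the certificate, status value, freshness. Returns (accepted, reason)."""
    key = trusted_responders.get(response.responder_id)
    if key is None:
        return False, "response signed by a responder the CA did not designate"
    if not hmac.compare_digest(_sign(key, response.signed_bytes()), response.signature):
        return False, "signature does not verify"
    if response.cert_id != request.cert_id:
        return False, "status record is for a different certificate than requested"
    if response.status not in STATUSES:
        return False, f"unrecognised status {response.status!r}"
    if response.this_update > now + max_skew:
        return False, "thisUpdate lies in the future"
    if response.next_update < now - max_skew:
        return False, "record has expired; a fresher update was due"
    return True, response.status


def demo() -> dict:
    """One genuine exchange plus four records a relying party must reject."""
    key = b"responder-signing-key (constructed)"
    ca_hash = hashlib.sha256(b"example CA public key (constructed)").hexdigest()
    good_id, revoked_id = CertID(ca_hash, 0x1001), CertID(ca_hash, 0x1002)
    responder = Responder("ocsp.example-ca.invalid", key,
                          {good_id: "active", revoked_id: "revoked"}, timedelta(days=1))
    trusted = {responder.responder_id: key}
    now = datetime(2016, 8, 1, tzinfo=timezone.utc)

    req = OCSPRequest(good_id)
    resp = responder.respond(req, now)
    results = {"genuine": verify_response(req, resp, trusted, now)}
    # Status altered after signing: the tag no longer covers the record.
    flipped = replace(responder.respond(OCSPRequest(revoked_id), now), status="active")
    results["tampered_status"] = verify_response(OCSPRequest(revoked_id), flipped, trusted, now)
    # A genuine 'active' record for another certificate presented for this request.
    results["wrong_cert"] = verify_response(OCSPRequest(revoked_id), resp, trusted, now)
    # A genuine record consumed two days after its nextUpdate.
    results["stale"] = verify_response(req, resp, trusted, now + timedelta(days=3))
    # A well-formed record signed by a key the CA never designated.
    rogue = Responder("rogue.invalid", b"other key", {good_id: "active"}, timedelta(days=1))
    results["untrusted_signer"] = verify_response(req, rogue.respond(req, now), trusted, now)
    return results


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:>16}: {verdict}")
```

The check order matters: the signer and signature are validated before any field of the record is interpreted, so a record whose status, identifier or timestamps were altered after signing is rejected without its contents ever being trusted, and a genuine record for a different certificate is rejected even though its signature verifies.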
2 Terms
While we don't expect the reader to be an expert in PKI, familiarity with the basic principles and practical
implementations of X.509-based public key environments will make it easier to understand the impact the
exploited vulnerabilities may have on those environments. In particular, an understanding of such
concepts as certificates, certification authorities, the web of trust, authentication, revocation, and digital
signatures would contribute much towards understanding the paper. Below we provide definitions for the
main concepts used in the paper; please note that the definitions are not exhaustive and, for the sake of
simplicity, only cover the aspects of the corresponding entities that are relevant to the discussed issues.
Digital certificate (or simply certificate): an electronic document that binds information about a physical or
electronic entity to its cryptographic public key, and certifies that binding with the digital signature of an
authorized higher-level entity (a certification authority). The matching private key remains in the possession
of the entity owning the certificate and, unlike the certificate, is never disclosed to third parties. A digital
certificate typically includes the name or ID of the owner, the permitted purposes of the public key it carries
(digital signing, key exchange, certificate signing, etc.), and its validity period.
Certification authority (CA): a designated entity with the right to issue digital certificates to other parties
by signing them with its private key. A CA is identified by its own digital certificate, which third parties use
to validate the signatures made by the CA's private key over the certificates it has issued.
Certificate status: a certificate validity indicator from the authorization perspective (typical values: active,
revoked, and unknown). Certificate statuses are maintained and updated by the CA, and are made available
to third parties via its revocation services.
Certificate chain: a sequence, or sometimes an inverted tree, of certificates in which each certificate except
the first is the CA that issued the certificate immediately preceding it. The first certificate in the sequence is
an end-entity certificate used for application purposes, and the last certificate is typically a root certificate
and a trust anchor (unconditionally trusted).
Public key infrastructure: a framework consisting of a set of roles, policies, and procedures set up to manage
trust relationships in multi-user environments, and based on features offered by asymmetric cryptography to
enforce dependency and trust links between its members.
Certificate validation: establishing the fact that a particular certificate has authority to