1 / 12

RFC 2511 BIS (CRMF)

RFC 2511 BIS (CRMF). Jim Schaad Soaring Hawk Security. Proof of Possession (POP). Provide evidence that the following two conditions are met I have use of the private key My identity is <your name here> Owner of key can always produce a false POP for somebody else. POP - Methods.

nixie
Télécharger la présentation

RFC 2511 BIS (CRMF)

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. RFC 2511 BIS (CRMF) Jim Schaad Soaring Hawk Security

  2. Proof of Possession (POP) • Provide evidence that the following two conditions are met • I have use of the private key • My identity is <your name here> • Owner of key can always produce a false POP for somebody else

  3. POP - Methods • Document defines 6 different methods for POP • Signature Based • Surrender of private key • Direct (Challenge Response) • Indirect (Decrypt Certificate) • Key Agreement HMAC • RA Asserts POP is completed

  4. POP - Sign • Sign • Public Key • Identity Statement • Satisfies the POP requirement

  5. POP – Surrender Private Key • Encrypt private key for the CA/RA • Proves key possession only. • Allows for theft of POP proof. • Sufficient to do? • ECA(private key, identity statement) • Encrypted structure currently not specified. • CMS? Other? Content?

  6. POP – Direct/Indirect • Receive EEE(value) • Decrypt and return value • Shows use of key • Does not show identity • Does it need to be fixed – if so how?

  7. POP – DH-HMAC • Produce a shared secret with CA/RA • HMAC the request with derived key • Send result with enrollment message • Proves use of private key • Proves identity sometimes • Need to ensure identity is in the hashed value at all times

  8. Blocking Issues • POP issues as previously noted • DH-MAC needs to be extended for other key – provide algorithm and value • Protocol Encryption Key Control • Specifies key, but not any algorithms

  9. Blocking Issues • Reg Token and Authenticator control • Can’t do binary in UTF8 string • Type has changed but not OID since RFC 2511 • Reg Token algorithm undefined if computed • Need better distinguishing text

  10. Blocking Issues • Archival • Key Gen parameter structure not defined • Key Gen parameter structure not encrypted • Encryption key not specified • CA? RA? User’s? • Discovery of encryption algorithms to use

  11. Blocking Issues • RegInfo Control overloads the use of ‘%’ • Name?Value%[Name?Value%]* • %xx if % and ? Not be used as delimiters

  12. Questions

More Related