Randomized Validity

From Dogtag

Introduction

Randomizing validity is one way to add entropy to certificates, which makes attacks on cryptographic hashes more difficult. RFC 4270 (written by P. Hoffman and B. Schneier) provides three suggestions to reduce the likelihood of hash-based attacks:

  • making part of the certificate serial number unpredictable to the attacker
  • adding a randomly chosen component to the identity
  • making the validity dates unpredictable to the attacker by skewing each one forwards or backwards


The CA's profile framework is based on plug-ins. One type of plug-in is responsible for setting defaults and verifying constraints when validity is populated. Replacing the validity plug-in in a profile with the new randomizing one causes enrollments that use the modified profile to produce certificates with randomized validity.


The process of editing a profile to replace the validity plug-in is described below.

Managing Certificate Profiles

A typical certificate profile configuration includes a section configuring the ValidityDefault and ValidityConstraint plug-ins.

The sample below shows the default configuration included in the caUserCert profile (caUserCert.cfg):

ValidityDefault plug-in configuration in caUserCert.cfg:
. . .
policyset.userCertSet.2.default.class_id=validityDefaultImpl
policyset.userCertSet.2.default.name=Validity Default
policyset.userCertSet.2.default.params.range=180
policyset.userCertSet.2.default.params.startTime=0
. . .

ValidityConstraint plug-in configuration in caUserCert.cfg:
. . .
policyset.userCertSet.2.constraint.class_id=validityConstraintImpl
policyset.userCertSet.2.constraint.name=Validity Constraint
policyset.userCertSet.2.constraint.params.notAfterCheck=false
policyset.userCertSet.2.constraint.params.notBeforeCheck=false
policyset.userCertSet.2.constraint.params.notBeforeGracePeriod=0
policyset.userCertSet.2.constraint.params.range=365
. . .


The profile must be disabled before it can be edited.

Here are sample steps:

  • Select the caUserCert profile (Manual User Dual-Use Certificate Enrollment)

[Screenshot: Disabling Profile]

  • Disable the caUserCert profile (Manual User Dual-Use Certificate Enrollment)

[Screenshot: Disabling Profile]


Editing Certificate Profiles

A disabled profile can be edited.

Here are sample steps:

  • Select the caUserCert profile for editing

[Screenshot: Editing Profile]

  • Edit the caUserCert profile

[Screenshot: Editing Profile]


Review Current Validity Configuration

Review the current validity configuration before replacing it with the randomized validity plug-in.

Here are sample steps:

  • Check the current validity defaults

[Screenshot: Review Validity]

  • Check the current validity constraints

[Screenshot: Review Validity]


Delete Validity

Delete the current validity plug-in.

Here are sample steps:

  • Select the current validity plug-in

[Screenshot: Delete Validity]

  • Confirm removal of the validity plug-in

[Screenshot: Delete Validity]

  • Check that the validity plug-in was deleted

[Screenshot: Delete Validity]


Add Randomized Validity

Add the randomized validity plug-in.

Here are sample steps:

  • Press the add button in the profile editor

[Screenshot: Add Randomized Validity]

  • Select "Randomized Validity Default" and "Validity Constraint"

[Screenshot: Add Randomized Validity]

  • Enter the "Policy ID"

[Screenshot: Add Randomized Validity]

  • Update the "Validity Default" configuration

[Screenshot: Add Randomized Validity]

  • Update the "Validity Constraint" configuration and save the configuration updates

[Screenshot: Add Randomized Validity]

  • Check the new randomized validity plug-in

[Screenshot: Add Randomized Validity]

  • Select the caUserCert profile (Manual User Dual-Use Certificate Enrollment)

[Screenshot: Approve Profile]

  • Approve the updated caUserCert profile (Manual User Dual-Use Certificate Enrollment)

[Screenshot: Approve Profile]


New Randomized Validity Plug-in Configuration

The sample below shows the updated caUserCert profile configuration, including the randomized validity plug-in:

policyset.userCertSet.2.default.class_id=randomizedValidityDefaultImpl
policyset.userCertSet.2.default.name=Randomized Validity Default
policyset.userCertSet.2.default.params.notBeforeRandomBits=10
policyset.userCertSet.2.default.params.range=180
policyset.userCertSet.2.default.params.startTime=0
policyset.userCertSet.2.default.params.startTimeRandomBits=10

Test Randomized Validity

Test randomized validity by enrolling with "Manual User Dual-Use Certificate Enrollment" while tailing the debug log, as shown below:

tail -f debug | grep -e RandomizedValidityDefault -e Validity -e validity -e 'From:' -e 'To:'
. . .
[16/May/2013:19:25:45][http-bio-8443-exec-15]: RandomizedValidityDefault: populate start
[16/May/2013:19:25:45][http-bio-8443-exec-15]: RandomizedValidityDefault randomSecs  numBits=10  secs=67  maxSecs=1023
[16/May/2013:19:25:45][http-bio-8443-exec-15]: RandomizedValidityDefault populate  notBefore           = Thu May 16 19:25:45 EDT 2013
[16/May/2013:19:25:45][http-bio-8443-exec-15]: RandomizedValidityDefault populate  notBeforeRandomized = Thu May 16 19:24:38 EDT 2013
[16/May/2013:19:25:45][http-bio-8443-exec-15]: RandomizedValidityDefault populate  notBeforeMax        = Thu May 16 19:08:42 EDT 2013
[16/May/2013:19:25:45][http-bio-8443-exec-15]: RandomizedValidityDefault randomSecs  numBits=10  secs=905  maxSecs=1023
[16/May/2013:19:25:45][http-bio-8443-exec-15]: RandomizedValidityDefault populate  notAfter            = Tue Nov 12 18:25:45 EST 2013
[16/May/2013:19:25:45][http-bio-8443-exec-15]: RandomizedValidityDefault populate  notAfterRandomized  = Tue Nov 12 18:40:50 EST 2013
[16/May/2013:19:25:45][http-bio-8443-exec-15]: RandomizedValidityDefault populate  notAfterMax         = Tue Nov 12 18:42:48 EST 2013
[16/May/2013:19:25:45][http-bio-8443-exec-15]: RandomizedValidityDefault: populate end
  Validity: [From: Thu May 16 19:24:38 EDT 2013,
               To: Tue Nov 12 18:40:50 EST 2013]
. . .
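
A check for the debug output above, as an added example (not Dogtag code): it parses the randomSecs and populate lines and confirms that each skew equals the logged draw and stays within 2^numBits - 1 seconds. It assumes the first randomSecs line belongs to notBefore and the second to notAfter, as in the sample; the function names are hypothetical.

```python
import re
from datetime import datetime

# Log lines copied from the sample debug output on this page.
SAMPLE = """\
[16/May/2013:19:25:45][http-bio-8443-exec-15]: RandomizedValidityDefault randomSecs  numBits=10  secs=67  maxSecs=1023
[16/May/2013:19:25:45][http-bio-8443-exec-15]: RandomizedValidityDefault populate  notBefore           = Thu May 16 19:25:45 EDT 2013
[16/May/2013:19:25:45][http-bio-8443-exec-15]: RandomizedValidityDefault populate  notBeforeRandomized = Thu May 16 19:24:38 EDT 2013
[16/May/2013:19:25:45][http-bio-8443-exec-15]: RandomizedValidityDefault populate  notBeforeMax        = Thu May 16 19:08:42 EDT 2013
[16/May/2013:19:25:45][http-bio-8443-exec-15]: RandomizedValidityDefault randomSecs  numBits=10  secs=905  maxSecs=1023
[16/May/2013:19:25:45][http-bio-8443-exec-15]: RandomizedValidityDefault populate  notAfter            = Tue Nov 12 18:25:45 EST 2013
[16/May/2013:19:25:45][http-bio-8443-exec-15]: RandomizedValidityDefault populate  notAfterRandomized  = Tue Nov 12 18:40:50 EST 2013
[16/May/2013:19:25:45][http-bio-8443-exec-15]: RandomizedValidityDefault populate  notAfterMax         = Tue Nov 12 18:42:48 EST 2013
"""

RAND = re.compile(r"randomSecs\s+numBits=(\d+)\s+secs=(\d+)\s+maxSecs=(\d+)")
DATE = re.compile(r"populate\s+(not\w+)\s*=\s*\w{3} (\w{3} \d+ [\d:]+) \w+ (\d{4})")

def parse(log):
    """Return ([(numBits, secs, maxSecs), ...], {field name: datetime})."""
    draws = [tuple(map(int, m.groups())) for m in RAND.finditer(log)]
    dates = {}
    for name, stamp, year in DATE.findall(log):
        # The zone abbreviation (EDT/EST) is dropped: each notBefore*/notAfter*
        # group shares one zone and only differences inside a group are used.
        dates[name] = datetime.strptime(f"{stamp} {year}", "%b %d %H:%M:%S %Y")
    return draws, dates

def check(log):
    """Compare the logged random draws with the resulting validity dates."""
    draws, d = parse(log)
    # Assumed order (as in the sample): notBefore draw first, notAfter second.
    (nb_bits, nb_secs, nb_max), (na_bits, na_secs, na_max) = draws
    gap = lambda later, earlier: int((d[later] - d[earlier]).total_seconds())
    return {
        "max_matches_bits": nb_max == 2**nb_bits - 1 and na_max == 2**na_bits - 1,
        "draws_in_range": 0 <= nb_secs <= nb_max and 0 <= na_secs <= na_max,
        "not_before_skew": gap("notBefore", "notBeforeRandomized") == nb_secs,
        "not_before_bound": gap("notBefore", "notBeforeMax") == nb_max,
        "not_after_skew": gap("notAfterRandomized", "notAfter") == na_secs,
        "not_after_bound": gap("notAfterMax", "notAfter") == na_max,
    }

if __name__ == "__main__":
    for name, ok in check(SAMPLE).items():
        print(f"{name}: {'ok' if ok else 'MISMATCH'}")
```

With 10 random bits, as configured above, each date moves by at most 1023 seconds (about 17 minutes): notBefore earlier and notAfter later in this sample.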