Hello all, My colleague Andre and I recently became aware of this problem and we explored a new solution to it. Please find our analysis below.
For a formatted version of this message with images inline, please find it available at: https://research.kudelskisecurity.com/2020/11/16/a-solution-to-the-dangerous-delegated-responder-certificate-problem/ === Issue of the Dangerous Delegated OCSP Responder Certificate 1. Introduction In this memo, we address the issue of the "Dangerous Delegated OCSP Responder Certificate" [1]. We propose a new solution, different from the original solution suggested in the Mozilla Dev Security Policy (mdsp) mailing list. This proposed solution addresses compliance issues, security risks, feasibility, time to implement and practicability (e.g. operational aspects) as well as negative financial consequences. For the feasibility, please consider the Proof of Concept provided in [2]. This memo is structured as follows. First, section 2 below describes and compares the two solutions. Then, section 3 analyzes them by providing an extensive list of potential concerns and discussing each of them in detail. To illustrate the analysis further, a complete set of diagrams is available at [3]. 2. Description of the initial situation and the two solutions 2.1. Initial situation Image: https://raw.githubusercontent.com/kudelskisecurity/dangerous-ocsp-delegated-responder-cert-poc/master/img/initial_situation_diagram.jpg Figure 1: Initial situation - 4-level hierarchy In Figure 1, SICA contains the problematic id-kp-ocspSigning Extended Key Usage (EKU). The goal is to reach a situation where the EE certificate can be verified up to the root CA in a chain where this EKU extension is not present anymore. Indeed, the mere presence of this EKU makes SICA a delegated OCSP responder on behalf of ICA. If SICA was intended to be an issuing CA and not an OCSP responder, there is the security risk that SICA signs an OCSP response for any sibling certificate on behalf of ICA. This is a huge security concern if siblings are not operated by the same company/entity. This risk can impact all the Sub-CA companies having certificates under ICA. Hence, it is important that all the direct children certificates of ICA that have this problem are neutralized. In addition to the security risk, there is also a compliance issue that is introduced because the Baseline Requirements [4] state that OCSP responders must also have the id-pkix-ocsp-nocheck extension in addition to the EKU. 2.2. Original solution Image: https://raw.githubusercontent.com/kudelskisecurity/dangerous-ocsp-delegated-responder-cert-poc/master/img/original_solution_diagram.jpg Figure 2: Original solution - 4-level hierarchy The original solution addresses the issue in the following way (see Figure 2): (i) a new SICA2 certificate is issued. It is signed by ICA and is based on a new key pair; (ii) the old SICA certificate is revoked and, very importantly for security reasons, its associated private key is destroyed during an audited ceremony; (iii) new EE2 certificates are issued by SICA2. 2.3. New solution Image: https://raw.githubusercontent.com/kudelskisecurity/dangerous-ocsp-delegated-responder-cert-poc/master/img/new_solution_diagram.jpg Figure 3: New solution - 4-level hierarchy The new solution addresses the issue as illustrated in Figure 3, which can be summarized as follows: (i) RCA issues a new ICA2 certificate, using a new DN and a new key pair; (ii) RCA revokes the old ICA; (iii) ICA2 issues a new SICA2 certificate, which reuses the same SICA DN and key pair but does not contain the OCSP problematic EKU; (iv) SICA is also revoked. Since the same DN and key pair are reused for SICA2, the EE certificate is still valid. Also, the new SICA2 cannot be involved in any OCSP response, in any context at all (removal of the problematic EKU). The old SICA cannot be involved in any OCSP response either, in any context at all (it does not validate with regard to the new ICA2 and ICA is revoked). Finally, no third party, which would not have properly done the job of properly renewing a problematic SICA certificate, can do any harm to any other company (the old validation branch is not available anymore by the revocation of ICA). 2.4. Differences between the 2 solutions 2.4.1. 3-level vs 4-level hierarchy The original solution works in both a 3-level hierarchy and 4-level hierarchy. The new solution works only in a 4-level (or more) hierarchy because that hierarchy allows for the parent of the affected certificate to be revoked because it is not a trust anchor. Therefore, no third party can be affected because nobody trusts that chain anymore. This is impossible to achieve in the 3-level hierarchy because the parent of the affected certificate is a trust anchor and cannot be revoked. 2.4.2. Risk surface However, each solution induces a different risk surface. On the one hand, the new solution involves only one entity/company, the CA that issued the affected certificate. That CA must properly revoke its ICA certificate and regenerate a new one. The only risk is that they do not properly revoke the certificate that issued affected certificates. On the other hand, the original solution requires destruction of private keys during audited ceremonies by all Sub-CAs concerned by the issue, independently. This means that a single Sub-CA failing to do so puts all the other Sub-CAs at risk. The resulting risk is the sum of the risks of each independent Sub-CA to fail to properly destroy its private key. That risk quickly increases as the number of independent Sub-CAs grows. Moreover, as the risk surface of a Sub-CA is usually larger than that of a CA since dealing with PKI is not its core activity but a technology it exploits, the situation is worsen. Because of this exposure, the new solution has a smaller risk surface than the original solution. 2.4.3. Simplicity of the solution The new solution is implemented using standard PKI procedures such as CRLs for revocation. A CRL is a simple and effective method to revoke a certificate and is industry battle-tested. On the other hand, the original solution relies on key destruction ceremonies, which are complicated to implement and cannot ultimately prove that the risk is zero. 2.4.4. Time to implement Since the original solution relies on key destruction ceremonies, it requires heavyweight coordination. Additionally, the number of end-entity certificates that need to be revoked can be huge for some CAs. For this reason, the time to implement the solution can be significantly longer. The new solution can be implemented at a higher level in the hierarchy and does not require key destruction ceremonies. It requires revoking only a few certificates using simple CRLs. On top of that, only a few certificates need to be regenerated, thus considerably reducing the time required to implement compared to the original solution. 3. Eliminating security risks and compliance issues Several concerns have been raised in the Mozilla Dev Security Policy [1]. The concerns were two-fold: (i) A compliance issue (violation of a Baseline requirement). (ii) A security risk, allowing a delegated OCSP responder to sign responses for any sibling certificate, even if those siblings are not operated by the same entity. In this section, we go through the raised concerns and address them with respect to the new solution. 3.1. Compliance issue There is a violation of section 4.9.9 of the Baseline Requirements [4]. The proposed solution consists in revoking the affected SICA certificates and issue new ones without the id-kp-OCSPSigning EKU, which solves the compliance issue. 3.2. SICA siblings cannot be sure that the affected certificate is not going to unrevoke itself Image: https://raw.githubusercontent.com/kudelskisecurity/dangerous-ocsp-delegated-responder-cert-poc/master/img/three_level_diagram.jpg Figure 4: 3-level hierarchy issue Assuming a 3-level certificate hierarchy such as the one in Figure 4 (RCA -> ICA -> EE), the concern is the following: if a new ICA2 is issued with the same key pair as ICA, then the private key was not destroyed and still exists. Therefore, it can still be used to sign a valid OCSP response for ICA itself or for any sibling in the certificate hierarchy. Thus, allowing ICA to unrevoke itself. That is also true even if a new RCA2 is created and used to sign the new ICA2 because that would still make ICA valid because RCA is a trust anchor and the only way to “revoke” it is to remove it from trust stores. Contrarily to the 3-level hierarchy were the above concern applies, some affected CAs have a 4-level hierarchy such as the one shown in Figure 3 (RCA -> ICA -> SICA -> EE), where the affected certificate with the id-kp-OCSPSigning EKU is named SICA. Since this is a 4-level hierarchy, the RCA in the 3-level hierarchy is now our ICA in this 4-level-hierarchy. Therefore, it is now possible to revoke the parent of the affected certificate SICA (its parent is ICA). The resulting operation does not require removing a trust anchor, which may take decades until everyone updates their systems, but truly mitigates the security risks immediately. Indeed, even if a malicious person used SICA2’s private key to sign an OCSP response to unrevoke SICA, since its parent (ICA) is also revoked and is not a trust anchor, the attack would not work. 3.3. Private keys may not have been properly destroyed An audited ceremony is not an absolute proof that no other copy of the private key exists. The community would benefit from revoking the parent (ICA) since some non-TLS issuing CAs may be unaudited and may have no other way to mitigate the security risk. 3.4. Offloading the pain to the community Anything other than a key destruction can be perceived as unfair since it may be asking everyone (web browsers, applications, etc.) to change and adapt because someone failed to follow the expectations. It would put more work on the community to fix the problem by modifying how applications perform certificate validation. However, the new solution only requires changes to a small subset of the hierarchy and does not offload the burden to the community. The new solution uses traditional PKI features such as CRLs and does not require the community to make any changes to certification validation checks. 3.5. Feasibility – Proof of Concept We provide a proof-of-concept script written in Python that generates the hierarchy in Figure 3 and test that the unmodified EE certificate is still considered valid under the modified hierarchy using OpenSSL. The code and documentation are available on GitHub [2]. 3.6. Practicability, adherence, and workload for the parties The original solution requires that all Sub-CAs with problematic certificates at the SICA level engage in a very costly re-securization campaign. Non-concerned Sub-CAs have no work to do. In terms of security, it is important to stress that all Sub-CAs (the ones with problematic certificates and the ones without) remain at risk if a single Sub-CA does not do the proper work, or does it badly in terms of security. The new solution requires all Sub-CAs to act, but at a reduced cost, since they must roll only intermediate certificates, which are quite few usually. It has impacts and cost, but clearly lower. And there is no risk for any Sub-CA at all, as the re-securization is managed at the ICA level by the CA. 4. Overall conclusion In this document, a new solution was proposed and compared to the original solution. The feasibility of the new solution was verified by a proof-of-concept that people can use to test for themselves. Both the compliance issue and security risks were analyzed, without leading to any negative impacts while also reducing financial strain for some organizations. Depending on the exact and detailed nature of the hierarchy, the new solution has proven to bring operational advantages and is equivalent or improved with regard to security. We propose the community validate this new solution as well as our conclusions. This analysis reflects the authors knowledge at the time of writing. In case concerns would be missing, the authors are willing to investigate them and complete the analysis. For that purpose, members of the community are encouraged to provide feedback in any form. References [1] "SECURITY RELEVANT FOR CAs: The curious case of the Dangerous Delegated Responder Cert", post by Ryan Sleevi on the Mozilla Dev Security Policy mailing list, https://groups.google.com/g/mozilla.dev.security.policy/c/EzjIkNGfVEE/m/XSfw4tZPBwAJ. [2] Technical feasibility proof of concept, written in Python. Verification is performed using OpenSSL. https://github.com/kudelskisecurity/dangerous-ocsp-delegated-responder-cert-poc [3] Detailed set of diagrams, file "OCSP_Signing_Issue_Figures.pdf". Available here: https://github.com/kudelskisecurity/dangerous-ocsp-delegated-responder-cert-poc/blob/master/doc/OCSP_Signing_Issue_Figures.pdf [4] CA/Browser Forum, "Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates", version 1.7.1, August 20th 2020. [5] RFC 6960, Internet Engineering Task Force (IETF), "X.509 Internet Public Key Infrastructure, Online Certificate Status Protocol – OCSP", available at https://tools.ietf.org/html/rfc6960. - Nils, André and the Kudelski Security team _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy