[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Antwort: Re: Antwort: Re: one more SCEP draft 19, getNextCA question

To: Arkadius Litwinczuk <arkadius.litwinczuk@xxxxxx>
Subject: Re: Antwort: Re: Antwort: Re: one more SCEP draft 19, getNextCA question
From: max pritikin <pritikin@xxxxxxxxx>
Date: Wed, 14 Oct 2009 10:54:27 -0500
Authentication-results: sj-iport-5.cisco.com; dkim=neutral (message not signed) header.i=none
Cc: scep@xxxxxxxx
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=pritikin@xxxxxxxxx; l=14044; q=dns/txt; s=sjiport05001; t=1255535675; x=1256745275; h=from:sender:reply-to:subject:date:message-id:to:cc: mime-version:content-transfer-encoding:content-id: content-description:resent-date:resent-from:resent-sender: resent-to:resent-cc:resent-message-id:in-reply-to: references:list-id:list-help:list-unsubscribe: list-subscribe:list-post:list-owner:list-archive; z=From:=20max=20pritikin=20<pritikin@xxxxxxxxx>|Subject: =20Re:=20Antwort:=20Re:=20Antwort:=20Re:=20one=20more=20S CEP=20draft=2019,=20getNextCA=20question|Date:=20Wed,=201 4=20Oct=202009=2010:54:27=20-0500|Message-Id:=20<019F5305 -625D-4E50-88C3-E5B38F4EAC76@xxxxxxxxx>|To:=20Arkadius=20 Litwinczuk=20<arkadius.litwinczuk@xxxxxx>|Cc:=20scep@vpnc .org|Mime-Version:=201.0=20(Apple=20Message=20framework =20v936)|Content-Transfer-Encoding:=20quoted-printable |In-Reply-To:=20<OF4B78540C.272DD483-ONC125764F.004B3FA8- C125764F.004D22A9@xxxxxx>|References:=20<OF4B78540C.272DD 483-ONC125764F.004B3FA8-C125764F.004D22A9@xxxxxx>; bh=xYeZDT2KDtlUrVG3+NraRdSWptY0xuZWGP23FyELuZA=; b=XZvqrm3sn3Eew57DkPpz/W9gJDDd5+FjKmGPwiwK5zZClNr2s5O1RV8n 1ZQBcwq8Dvq7ytPx7Qkh8Gy2GhV2J03tvopJ2xllu8e59dSXCfUv3gQjA VOGgHq+r16RRUxOnfVFXdohCm6xGZY+RZbd3KHoomqb3u4zjBNbexfqEG w=;
In-reply-to: <OF4B78540C.272DD483-ONC125764F.004B3FA8-C125764F.004D22A9@xxxxxx>
List-archive: <http://www.vpnc.org/scep/mail-archive/>
List-id: <scep.vpnc.org>
List-unsubscribe: <mailto:scep-request@vpnc.org?body=unsubscribe>
References: <OF4B78540C.272DD483-ONC125764F.004B3FA8-C125764F.004D22A9@xxxxxx>
Sender: owner-scep@xxxxxxxxxxxxx



On Oct 14, 2009, at 9:02 AM, Arkadius Litwinczuk wrote:

Hi Max,
thanks for the quick response. First of all what is "RA Mode" foryou?

When the SCEP server is running in 'ra mode' it uses an RA certificate(see Section 2.1.3). I agree this could be clearer and will look athow to add text about this.

I was thinking about the problem and a nice solution would be aextended key usage attribute that could be used for the SCEPcertificate which would indicate that this certificate is actuallyallowed to sign a getNextCA message. Any thoughts on this ?

"Clients MUST verify the authorization of the RA certificates. Theauthorization mechanism is specified by the CA administrator and isout of scope for this document."

I don't think we can specify the exact mechanism for thisauthorization at this point. I agree that this is a weak point.

Now back to the original problem I think the response how it isdefined now pointing to the getCA responses is simply wrong. Itpoints to a response that has no signers so it's useless to carryany important data that needs to be protected from manipulation.Because the response needs to be a CertRep or an own response. Thisresponse since it's signed data requires a valid SCEP PKCS#7envelope with messageType and transactionID and so on and a PKCS#7with the next CA as the payload. So yes there are the missingfields, but these only need to be defined for a getNextCA responseto make it work. There is no need for a Nonce or Transaction ID sothey can be simply set to zero. So wouldn't it be the best way todefine the missing fields for the getNextCA response as a validsigned SCEP pkiMessage type?

4.6.1 says "The response consists of a SignedData PKCS#7 [RFC2315],signed by the current CA (or RA) signing key. The response consists ofa SignedData PKCS#7 [RFC2315], signed by the current CA (or RA)signing key." So this is a signed response.

Where "The content of the SignedData PKCS#7 [RFC2315] is a degeneratecertificates-only Signed-data message containing ...". So the signedresponse contains this unsigned degenerate certificates-only datamessage. There is no need to include transaction attributes; since the"messageType" is known by context, and the pkiStatus is known since'reject' or 'pending' don't make sense in this context.


- max


Kind regards,

Arkadius






max pritikin <pritikin@xxxxxxxxx>
12.10.2009 20:50

An
max pritikin <pritikin@xxxxxxxxx>
Kopie
Arkadius Litwinczuk <arkadius.litwinczuk@xxxxxx>
Thema
Re: Antwort: Re: one more SCEP draft 19, getNextCA question





Arkadius,

fyi-
With the clarity of a monday morning I've gone back and looked at our
reference implementation and reviewed the document in this area. I

think the original text may have been more confusing but moreaccurate.


In particular it is difficult to respond with a CertRep since a
CertRep MUST include the following attributes:

• the transactionID attribute copied from therequest we are

responding to
                • a messageType attribute set to CertRep
                • a senderNonce attribute

• a recipientNonce attribute copied from thesenderNonce from the

request we are responding to.
                • a pkiStatus set to the status of the reply.

But a CerReq was not used to initiate this response and thus the
transactionID, and senderNonce are unknown.

- max

On Oct 9, 2009, at 11:34 AM, max pritikin wrote:

>
> On Oct 8, 2009, at 7:11 AM, Arkadius Litwinczuk wrote:
>
>>
>> Hi Max,
>>
>> alright I try to clarify my question. In 5.2.1.1.1and 5.2.1.1.2 the
>> getCA responses are not in anyway secured, and are also not
>> encapsulated in a SCEP pkiMessage, that requires transaction id and
>> messageType and so on.
>
> Agreed.
>

>> The return message for getNextCA on the other hand has to besigned,

>
> Agreed.
>
>> else you could simply accept any certificate as a trusted
>> certificate so this can't be right. The whole idea is to have a
>> secure manner to get the nextCA certificate to a client, and not
>> being required to install it manually. At least that is what I'm
>> hopping for.  So the response message is in fact different from a
>> getCA response or it should be, it has a pkcs#7 envelope with all
>> required SCEP fields doesn't it ?
>
> The response is defined in 4.6.1:
>
>> The response consists of a SignedData PKCS#7 [RFC2315], signed by
>> the current CA (or RA) signing key.
>>
>> Clients MUST validate the signature on the the SignedData PKCS#7
>> [RFC2315] before accepting any of its contents.
>>
>> The content of the SignedData PKCS#7 [RFC2315] is a degenerate
>> certificates-only Signed-data message containing the new CA
>> certificate and any new RA certificates, as defined in Section
>> 5.2.1.1.2, to be used when the current CA certificate expires.
>>
>
> I neglected to point out this layering in my initial response below.
>
>> in 3.1.1.2 :
>> The messageType attribute specifies the type of operation
>> performed  by the transaction.  This attribute MUST be included in
>> all PKI messages.
>>
>> So in my opinion there should be a messageType defined for
>> getNextCA to stay correct, it is a full signed SCEP pkiMessage
>> envelope for signed data, in fact the most important data at all.
>
> It looks like the text of 4.6.1 should directly reference 3.2.2
> (CertRep) instead of referencing 5.2.1.1.2. The resulting first
> three paragraphs would look like:
> "The response consists of a SignedData PKCS#7 [RFC2315], signed by
> the current CA (or RA) signing key.
>
> Clients MUST validate the signature on the the SignedData PKCS#7
> [RFC2315] before accepting any of its contents.
>
> The content of the SignedData PKCS#7 [RFC2315] is a CertRep as
> defined in Section 3.2.2, containing the new CA certificate and
> optional RA certificates to be used when the current CA certificate
> expires."
>
> I think this is clearer. Does it make sense to you as well?
>
>> But also I would like to explain a problem or better vulnerability
>> at this point.
>> In a normal setup you would have the root certificate securely
>> distributed (mostly during the setup), the RA certificate this
>> would be the SCEP server certificate, would be send as signer
>> certificate in the message. The client can verify this certificate
>> against the root since it issued it and verifies it's trusted. So
>> far so good, but other certificates signed by the same CA are also
>> valid. If the attacker has a valid certificate issued by the same
>> CA he could spoof the connection, and inject a rogue CA.
>> If the setup has a 1st level root CA and lets say 2nd level Server
>> CA and user CA, the problem is the same, the RA certificate would
>> be most likely issued by the server CA .
>> The only way how to really secure this would be to sign the new
>> root CA with the old root CA. Or in this case sign the SCEM message
>> with the old root CA. This and a little more complex is also
>> described in the CMP protocol.
>> The problem is now that a root CA should not be used for digital
>> signature. Regardless this is only a policy problem and would be
>> great if it could be optionally required to sign this nextCA
>> message by the old CA. To really have a secure distribution for the
>> next root CA.
>
> I agree and recommend only using RA mode for all SCEP servers. Thus
> the RA cert is used instead of the CA cert. See Section 8.2.
>
> - max
>
>>
>> Let me know your thoughts on this.
>>
>> Kind regards,
>>
>> Arkadius
>>
>>
>>
>>
>>
>>
>>
>> max pritikin <pritikin@xxxxxxxxx>
>> Gesendet von: owner-scep@xxxxxxxxxxxxx
>> 08.10.2009 02:42
>>
>> An
>> Arkadius Litwinczuk <arkadius.litwinczuk@xxxxxx>
>> Kopie
>> scep@xxxxxxxx
>> Thema
>> Re: one more SCEP draft 19, getNextCA question
>>
>>
>>
>>
>>
>>
>>
>> Arkadius,
>>
>> On Oct 7, 2009, at 6:29 AM, Arkadius Litwinczuk wrote:
>>
>> >
>> > Hi Max,
>> >
>> > I have an other question regarding the getNextCA operation. We
>> > cleared the MIME type but,
>>
>> The current draft text indicates "application/x-x509-next-ca-cert"
>> but
>> the figure erroneously indicated the wrong mime type. I've updated
>> this for the next draft.
>>

>> > the current version also does not specify the SCEP messageTypedoes

>> > it ? Is it CertRep  so the corresponding decimal 3 ?
>>
>> Section 5.2.6.1 references the GetNextCACert response definition in
>> section 4.6.1. This in turn clarifies that the response format is

>> equivalent to the CA and RA certificates response which isdefined in

>> 5.2.1.1.2 which was introduced in 4.1.1.2. A confusing trail but
>> ultimately accurate (I think).
>>
>> There is no indication of the messageType attribute value being set
>> at
>> all; much like how there is none set for GetCACert.
>>
>>
>> > Also I assume that the response
>> >  "Content-Type:application/x-x509-next-ca-certt\n\n"
>> > <BER-encoded SignedData<BER-encoded degenerate PKCS7>>

>> > is also a base64 and DER encoded right? Only to clarify sorryif I

>> > missed something in the draft describing this.
>>
>> As with the GetCACert response (section 4.1.1.2) this would be a
>> binary response without the base64 encoding.
>>
>> Does this help answer your questions?
>>
>> - max
>>
>> >
>> > Kind regards,
>> >
>> > Arkadius
>> >
>> >
>> >
>> > --
>> >
>> > Informationen (einschließlich Pflichtangaben) zu einzelnen,
>> > innerhalb der EU tätigen Gesellschaften und Zweigniederlassungen
>> des
>> > Konzerns Deutsche Bank finden Sie unter http://www.db.com/de/content/pflichtangaben.htm

>> > . Diese E-Mail enthält vertrauliche und/ oder rechtlichgeschützte>> > Informationen. Wenn Sie nicht der richtige Adressat sind oderdiese>> > E-Mail irrtümlich erhalten haben, informieren Sie bitte sofortden

>> > Absender und vernichten Sie diese E-Mail. Das unerlaubte Kopieren
>> > sowie die unbefugte Weitergabe dieser E-Mail ist nicht gestattet.
>> >

>> > Please refer to http://www.db.com/en/content/eu_disclosures.htmfor>> > information (including mandatory corporate particulars) onselected

>> > Deutsche Bank branches and group companies registered or
>> > incorporated in the European Union. This e-mail may contain
>> > confidential and/or privileged information. If you are not the
>> > intended recipient (or have received this e-mail in error) please
>> > notify the sender immediately and delete this e-mail. Any

>> > unauthorized copying, disclosure or distribution of thematerial in

>> > this e-mail is strictly forbidden.
>>
>>
>>
>> --
>>
>> Informationen (einschließlich Pflichtangaben) zu einzelnen,
>> innerhalb der EU tätigen Gesellschaften und Zweigniederlassungen
>> des Konzerns Deutsche Bank finden Sie unter http://www.db.com/de/content/pflichtangaben.htm
>> . Diese E-Mail enthält vertrauliche und/ oder rechtlich geschützte
>> Informationen. Wenn Sie nicht der richtige Adressat sind oder diese
>> E-Mail irrtümlich erhalten haben, informieren Sie bitte sofort den
>> Absender und vernichten Sie diese E-Mail. Das unerlaubte Kopieren
>> sowie die unbefugte Weitergabe dieser E-Mail ist nicht gestattet.
>>
>> Please refer to http://www.db.com/en/content/eu_disclosures.htm for
>> information (including mandatory corporate particulars) on selected
>> Deutsche Bank branches and group companies registered or
>> incorporated in the European Union. This e-mail may contain
>> confidential and/or privileged information. If you are not the
>> intended recipient (or have received this e-mail in error) please
>> notify the sender immediately and delete this e-mail. Any
>> unauthorized copying, disclosure or distribution of the material in
>> this e-mail is strictly forbidden.
>



--

Informationen (einschließlich Pflichtangaben) zu einzelnen,innerhalb der EU tätigen Gesellschaften und Zweigniederlassungen desKonzerns Deutsche Bank finden Sie unter http://www.db.com/de/content/pflichtangaben.htm. Diese E-Mail enthält vertrauliche und/ oder rechtlich geschützteInformationen. Wenn Sie nicht der richtige Adressat sind oder dieseE-Mail irrtümlich erhalten haben, informieren Sie bitte sofort denAbsender und vernichten Sie diese E-Mail. Das unerlaubte Kopierensowie die unbefugte Weitergabe dieser E-Mail ist nicht gestattet.

Please refer to http://www.db.com/en/content/eu_disclosures.htm forinformation (including mandatory corporate particulars) on selectedDeutsche Bank branches and group companies registered orincorporated in the European Union. This e-mail may containconfidential and/or privileged information. If you are not theintended recipient (or have received this e-mail in error) pleasenotify the sender immediately and delete this e-mail. Anyunauthorized copying, disclosure or distribution of the material inthis e-mail is strictly forbidden.

References:
- Antwort: Re: Antwort: Re: one more SCEP draft 19, getNextCA question
  - From: Arkadius Litwinczuk

Prev by Date: Antwort: Re: Antwort: Re: one more SCEP draft 19, getNextCA question
Previous by thread: Antwort: Re: Antwort: Re: one more SCEP draft 19, getNextCA question
Index(es):
- Date
- Thread