| draft-ietf-lamps-ocsp-nonce-02.txt | draft-ietf-lamps-ocsp-nonce-03.txt | |||
|---|---|---|---|---|
| LAMPS M. Sahni, Ed. | LAMPS M. Sahni, Ed. | |||
| Internet-Draft Palo Alto Networks | Internet-Draft Palo Alto Networks | |||
| Updates: 6960 (if approved) May 15, 2020 | Updates: 6960 (if approved) August 14, 2020 | |||
| Intended status: Standards Track | Intended status: Standards Track | |||
| Expires: November 16, 2020 | Expires: February 15, 2021 | |||
| OCSP Nonce Extension | OCSP Nonce Extension | |||
| draft-ietf-lamps-ocsp-nonce-02 | draft-ietf-lamps-ocsp-nonce-03 | |||
| Abstract | Abstract | |||
| This document specifies the updated format of the Nonce extension in | This document specifies the updated format of the Nonce extension in | |||
| Online Certificate Status Protocol (OCSP) request and response | Online Certificate Status Protocol (OCSP) request and response | |||
| messages. OCSP is used to check the status of a certificate and the | messages. OCSP is used to check the status of a certificate and the | |||
| Nonce extension is used in the OCSP request and response messages to | Nonce extension is used in the OCSP request and response messages to | |||
| avoid replay attacks. This document updates the RFC 6960 | avoid replay attacks. This document updates the RFC 6960 | |||
| Status of This Memo | Status of This Memo | |||
| skipping to change at page 1, line 35 ¶ | skipping to change at page 1, line 35 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on November 16, 2020. | This Internet-Draft will expire on February 15, 2021. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2020 IETF Trust and the persons identified as the | Copyright (c) 2020 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (https://trustee.ietf.org/license-info) in effect on the date of | (https://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| skipping to change at page 2, line 18 ¶ | skipping to change at page 2, line 18 ¶ | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | |||
| 1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 2 | 1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 2 | |||
| 2. OCSP Extensions . . . . . . . . . . . . . . . . . . . . . . . 3 | 2. OCSP Extensions . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 2.1. Nonce Extension . . . . . . . . . . . . . . . . . . . . . 3 | 2.1. Nonce Extension . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 3. Security Considerations . . . . . . . . . . . . . . . . . . . 4 | 3. Security Considerations . . . . . . . . . . . . . . . . . . . 4 | |||
| 3.1. Replay Attack . . . . . . . . . . . . . . . . . . . . . . 4 | 3.1. Replay Attack . . . . . . . . . . . . . . . . . . . . . . 4 | |||
| 3.2. Nonce Collision . . . . . . . . . . . . . . . . . . . . . 4 | 3.2. Nonce Collision . . . . . . . . . . . . . . . . . . . . . 4 | |||
| 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 4 | 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 4 | |||
| 5. Changes to Appendix B. of RFC 6960 . . . . . . . . . . . . . 4 | 5. Changes to Appendix B. of RFC 6960 . . . . . . . . . . . . . 4 | |||
| 5.1. Changes to Appendix B.1. OCSP in ASN.1 - 1998 Syntax . . 4 | 5.1. Changes to Appendix B.1. OCSP in ASN.1 - 1998 Syntax . . 5 | |||
| 5.2. Changes to Appendix B.2 OCSP in ASN.1 - 2008 Syntax . . . 5 | 5.2. Changes to Appendix B.2 OCSP in ASN.1 - 2008 Syntax . . . 5 | |||
| 6. References . . . . . . . . . . . . . . . . . . . . . . . . . 5 | 6. References . . . . . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 6.1. Normative References . . . . . . . . . . . . . . . . . . 5 | 6.1. Normative References . . . . . . . . . . . . . . . . . . 5 | |||
| 6.2. Informative References . . . . . . . . . . . . . . . . . 5 | 6.2. Informative References . . . . . . . . . . . . . . . . . 6 | |||
| Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 6 | Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 6 | |||
| 1. Introduction | 1. Introduction | |||
| This document updates the usage and format of the Nonce extension | This document updates the usage and format of the Nonce extension | |||
| used in OCSP request and response messages. This extension was | used in OCSP request and response messages. This extension was | |||
| previously defined in section 4.1.1 of [RFC6960]. The [RFC6960] does | previously defined in section 4.1.1 of [RFC6960]. The [RFC6960] does | |||
| not mention any minimum and maximum length of the nonce extension. | not mention any minimum and maximum length of the nonce extension. | |||
| Due to not having an upper or lower limit of the length of the Nonce | Due to not having an upper or lower limit of the length of the Nonce | |||
| extension, the OCSP responders that follow [RFC6960] may be | extension, the OCSP responders that follow [RFC6960] may be | |||
| skipping to change at page 3, line 10 ¶ | skipping to change at page 3, line 10 ¶ | |||
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | |||
| "OPTIONAL" in this document are to be interpreted as described in BCP | "OPTIONAL" in this document are to be interpreted as described in BCP | |||
| 14 [RFC2119] [RFC8174] when, and only when, they appear in all | 14 [RFC2119] [RFC8174] when, and only when, they appear in all | |||
| capitals, as shown here. | capitals, as shown here. | |||
| 2. OCSP Extensions | 2. OCSP Extensions | |||
| The message format for the OCSP request and response is defined in | The message format for the OCSP request and response is defined in | |||
| the [RFC6960]. It also defines the standard extensions for OCSP | the [RFC6960]. It also defines the standard extensions for OCSP | |||
| messages based on the extension model employed in X.509 version 3 | messages based on the extension model employed in X.509 version 3 | |||
| certificates (see [RFC5280]). Following is the list of standard | certificates (see [RFC5280]). The following is a list of standard | |||
| extensions that can be used in the OCSP messages by the OCSP | extensions that can be used in the OCSP messages by the OCSP | |||
| responder and OCSP client. | responder and OCSP client. | |||
| * Nonce | * Nonce | |||
| * CRL References | * CRL References | |||
| * Acceptable Response Types | * Acceptable Response Types | |||
| * Archive Cutoff | * Archive Cutoff | |||
| * CRL Entry Extensions | * CRL Entry Extensions | |||
| * Service Locator | * Service Locator | |||
| * Preferred Signature Algorithms | * Preferred Signature Algorithms | |||
| * Extended Response Definition | * Extended Response Definition | |||
| This document only specifies the new format for Nonce extension and | This document only specifies the new format for Nonce extension and | |||
| does not change the specification of any of the other standard | does not change the specification of any of the other standard | |||
| extensions. | extensions. | |||
| 2.1. Nonce Extension | 2.1. Nonce Extension | |||
| This section updates the Section 4.4.1 of [RFC6960] which describes | This section replaces the entirety of the Section 4.4.1 of [RFC6960] | |||
| the OCSP Nonce extension. | which describes the OCSP Nonce extension. | |||
| The nonce cryptographically binds a request and a response to prevent | The nonce cryptographically binds a request and a response to prevent | |||
| replay attacks. The nonce is included as one of the | replay attacks. The nonce is included as one of the | |||
| requestExtensions in requests, while in responses it would be | requestExtensions in requests, while in responses it would be | |||
| included as one of the responseExtensions. In both the request and | included as one of the responseExtensions. In both the request and | |||
| the response, the nonce will be identified by the object identifier | the response, the nonce will be identified by the object identifier | |||
| id-pkix-ocsp-nonce, while the extnValue is the value of the nonce. | id-pkix-ocsp-nonce, while the extnValue is the value of the nonce. | |||
| If Nonce extension is present then the length of nonce MUST be at | If Nonce extension is present then the length of nonce MUST be at | |||
| least 1 octet and can be up to 32 octets. | least 1 octet and can be up to 32 octets. | |||
| A server MUST reject any OCSP request having a Nonce extension with | A server MUST reject any OCSP request having a Nonce extension with | |||
| length of more than 32 octets with the malformedRequest | length of more than 32 octets with the malformedRequest | |||
| OCSPResponseStatus as described in section 4.2.1 of [RFC6960] | OCSPResponseStatus as described in section 4.2.1 of [RFC6960] | |||
| The minimum nonce length of 1 octet is defined to provide the | The value of the nonce MUST be generated using a cryptographically | |||
| backward compatibility with clients following [RFC6960]. However the | strong pseudorandom number generator. The OCSP clients SHOULD use a | |||
| newer OCSP clients MUST use length of at least 16 octets for Nonce | length of 32 octets for the Nonce extension. The minimum nonce | |||
| extension and the value of the nonce MUST be generated using a | length of 1 octet is defined to provide the backward compatibility | |||
| cryptographically strong pseudorandom number generator. | with older clients following [RFC6960] however, the newer OCSP | |||
| clients MUST use a length of at least 16 octets for Nonce extension. | ||||
| The OCSP responder MAY choose to ignore Nonce extension for the | ||||
| requests where length of the Nonce extension is less than 16 octets. | ||||
| id-pkix-ocsp OBJECT IDENTIFIER ::= { id-ad-ocsp } | ||||
| id-pkix-ocsp-nonce OBJECT IDENTIFIER ::= { id-pkix-ocsp 2 } | ||||
| Nonce ::= OCTET STRING(SIZE(1..32)) | Nonce ::= OCTET STRING(SIZE(1..32)) | |||
| 3. Security Considerations | 3. Security Considerations | |||
| The security considerations of OCSP, in general, are described in the | The security considerations of OCSP, in general, are described in the | |||
| [RFC6960]. The Nonce extension is used to avoid replay attacks | [RFC6960]. The Nonce extension is used to avoid replay attacks | |||
| during the interval in which the previous OCSP response for a | during the interval in which the previous OCSP response for a | |||
| certificate is not expired but the responder has a changed status for | certificate is not expired but the responder has a changed status for | |||
| that certificate. Including client's Nonce value in the OCSP | that certificate. Including client's Nonce value in the OCSP | |||
| response makes sure that the response is the latest response from the | response makes sure that the response is the latest response from the | |||
| server and not an old copy. | server and not an old copy. | |||
| 3.1. Replay Attack | 3.1. Replay Attack | |||
| The Nonce extension is used to avoid replay attacks. Since the OCSP | The Nonce extension is used to avoid replay attacks. Since the OCSP | |||
| responder may choose to not send the Nonce extension in the OCSP | responder may choose to not send the Nonce extension in the OCSP | |||
| response even if the client has sent the Nonce extension in the | response even if the client has sent the Nonce extension in the | |||
| request [RFC5019], a man in the middle (MITM) entity can intercept | request [RFC5019], an on-path attacker can intercept the OCSP request | |||
| the OCSP request and respond with an earlier response from the server | and respond with an earlier response from the server without the | |||
| without the Nonce extension. This can be mitigated by the server | Nonce extension. This can be mitigated by configuring the server to | |||
| using a closer nextUpdate value in the OCSP response. | use a short time interval between thisUpdate and nextUpdate fields in | |||
| the OCSP response. | ||||
| 3.2. Nonce Collision | 3.2. Nonce Collision | |||
| If the value of the nonce used by a client is not random enough, then | If the value of the nonce used by a client in OCSP request is not | |||
| an attacker may prefetch responses with the predicted nonce and can | random enough, then an attacker may prefetch responses with the | |||
| replay them, thus defeating the purpose of using nonce. Therefore | predicted nonce and can replay them, thus defeating the purpose of | |||
| the client MUST use a nonce value that contains cryptographically | using nonce. Therefore the value of Nonce extension in the OCSP | |||
| strong randomness and is freshly generated. Also if the length of | request MUST contain cryptographically strong randomness and MUST be | |||
| the nonce is very small e.g. 1 octet then an attacker can prefetch | freshly generated at the time of creating the OCSP request. Also if | |||
| responses with all the possible values of the nonce and replay a | the length of the nonce extension is too small e.g. 1 octet then an | |||
| matching nonce. A client SHOULD use 32 octets for the nonce length. | on-path attacker can prefetch responses with all the possible values | |||
| of the nonce and replay a matching nonce. | ||||
| 4. IANA Considerations | 4. IANA Considerations | |||
| This document does not call for any IANA actions. | This document does not call for any IANA actions. | |||
| 5. Changes to Appendix B. of RFC 6960 | 5. Changes to Appendix B. of RFC 6960 | |||
| This section updates the ASN.1 definitions of the OCSP Nonce | This section updates the ASN.1 definitions of the OCSP Nonce | |||
| extension in the Appendix B.1 and Appendix B.2 of the [RFC6960] The | extension in the Appendix B.1 and Appendix B.2 of the [RFC6960] The | |||
| Appendix B.1 defines OCSP using ASN.1 - 1998 Syntax and Appendix B.2 | Appendix B.1 defines OCSP using ASN.1 - 1998 Syntax and Appendix B.2 | |||
| End of changes. 11 change blocks. | ||||
| 26 lines changed or deleted | 34 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||