Hi all. I've been working on an alternative proposal for a serial
number generation scheme, for which I intend to write an I-D and propose
to the LAMPS WG. However, since other folks' proposals are already
flowing, I will share the gist of mine here. Comments welcome!
----- Serial Number Origin Transparency (SNOT ;-) ): Generation -----
1. Let H (meaning "Header"; uint24) be: 0x00DE7E. The 0x00 is the byte
that makes the ASN.1 INTEGER a positive value. 0xDE7E signifies
"DE7Erministic".
2. Let A (meaning "Algorithm"; uint8) be a hash algorithm ID from the
TLS HashAlgorithm registry
(
https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-18).
3. Let R (meaning "Random"; uint64) be 64-bits of (fresh and
unfiltered!) output from a CSPRNG.
4. Let M (meaning "Magic"; uint64) be the magic constant:
0x0102030405060708
5. Generate the TBSCertificate template with the serial number value set to:
H || A || R || M
6. Let D (meaning "Digest") be the thumbprint of the DER-encoded
TBSCertificate, calculated using the hash algorithm denoted by A.
e.g., D = SHA-256(DER(TBSCertificate))
7. Change the serial number value in the TBSCertificate template to:
H || A || R || TRUNCATE_TO_64BITS(D).
8. Calculate DER(TBSCertificate), then sign it.
----------------------------------------------------------------------
Since this mechanism includes 64-bits of (fresh and unfiltered!) output
from a CSPRNG, it is compatible with today's BRs. The randomness also
ensures that this mechanism doesn't yield multiple certs with the same
serial number (contrary to RFC5280 §4.1.2.2) if the CA signs the exact
same TBSCertificate multiple times using a nondeterministic signature
algorithm.
In terms of preventing certificate forgery (see [1]), which is the thing
that unpredictable serial numbers are designed to prevent, this
mechanism gives CAs two chances to not screw up:
1) if the CA implements this mechanism wrongly but nonetheless does
successfully include 64-bits of (fresh and unfiltered!) output from a
CSPRNG, then the desired level of security is still achieved.
2) or, if the CA correctly implements the deterministic parts of this
mechanism but mishandles the output from their CSPRNG, then the desired
level of security is still achieved (although let me stress that this
would of course not be compliant with today's BRs).
Whilst this mechanism does add complexity for the CA (compared to only
using a CSPRNG to generate serial numbers), I think that the additional
operations on the TBSCertificate are less complicated than most CAs have
already had to deal with to issue CT precertificates and embed SCTs in
certificates.
*** ADVANTAGES OF THIS MECHANISM ***
When implemented correctly by the CA, this mechanism enables the
community to programmatically verify(*) that a certificate is not a
forgery, without having to...
1. trust the CA (to have handled their CSPRNG correctly), or
2. trust the CA's WebTrust/ETSI auditors (to have correctly verified
that the CA has handled their CSPRNG correctly), or
3. trust the CSPRNG algorithm to actually be unpredictable
(Dual_EC_DRBG, anyone?)
This mechanism builds on PHB's earlier proposal [2].
[1]
https://www.win.tue.nl/hashclash/rogue-ca/
[2]
https://cabforum.org/pipermail/public/2016-July/008053.html
(*)
----- Serial Number Origin Transparency (SNOT): Verification -----
1. Check that the first 3 bytes of the certificate's serial number value
(including the leading sign byte) are 0x00DE7E.
2. Check that the certificate's serial number value is exactly 20 bytes
long (including the leading 0x00 sign byte).
3. Let A be the 4th byte of the serial number value (considering the
leading 0x00 sign byte to be the 1st byte). Check that A denotes a
supported hash algorithm.
4. Let D1 be a copy of the last 8 bytes of the certificate's serial number.
5. Let T be a copy of the DER-encoded TBSCertificate component of the
certificate.
6. Change the last 8 bytes of T's serial number to the magic constant:
0x0102030405060708
(To avoid having to DER-decode and re-DER-encode T, this step should be
performed using a binary search-and-replace directly on the first
occurrence of D1 in T).
7. Let D2 be the thumbprint of T, calculated using the hash algorithm
denoted by A.
e.g., D2 = SHA-256(T)
8. Check that D1 exactly matches D2.
------------------------------------------------------------------
On 12/03/2019 14:14, Jakob Bohm via dev-security-policy wrote:
> On 09/03/2019 03:43, Matthew Hardeman wrote:
> This overspecifies too far. For example, there is no stated reason to
> force the value 117 (0x75).
>
> Nor is there a stated reason why the "encrypted actual serial" should be
> used in place of genuinely reandom entropy. The encryption would only
> provide the entropy of its key (256 bits max) spread over all the serial
> numbers of a CA, typically resulting in less than 1 bit of entropy per
> serial number.
>
> Here is a better, simpler form:
>
>
> 1. The ASN.1 DER signed integer encoded form of the certificate serial
> number value must be represented as not less than n+1 bytes and not
> more than 20 bytes.
> Note: The first encoded byte shall have a value between 0x01 and
> 0x7F to make the serial number a valid DER encoding of a number > 0.
>
> 2. The serial number shall included a contiguous sequence of at lest
> n*8 random bits generated from a fresh invocation of a CSRNG with no
> filtering of the resulting bits. These bits shall not be known by
> any person or system before all other parts of the TbsCertificate
> have been chosen and committed to the signing process. The location
> of these n*8 random bits within the serial number shall be specified
> in the associated CPS, such that both the CA's auditors and the
> community can check that the scheme is being followed.
>
> 3. The value n shall be at least 8 for any certificates issued with
> historic hash algorithms such as SHA-1 (such certificates are not
> currently BR compliant anyway, but is relevant for no-longer-trusted
> CAs intended to be trusted only be legacy systems.).
>
> 4. For current hash algorithms, n shall be at least 12 (96 bits of
> entropy). A future BR may increase that value.
>
> 5. As a special exception, systems that require signing certificates
> with the same serial-number more than once (such as CT and CA
> validity adjustments) are not required to change the serial number
> after initial selection).
>
> 6. As a special exception due to widespread technical failures,
> certificates issued on or prior to 2019-03-31 UTC may instead use
> serial numbers consisting only of 63 random bits chosen as per #2,
> but checked to reject any value that would be encoded to 7 or fewer
> bytes or be the same as a previously issued serial number.
>
Rob Stradling
Senior Research & Development Scientist
Sectigo Limited