[openssl-users] regarding SSL security

[Jakob Bohm]

On 11/02/2016 19:31, R-D intern wrote:
> Hello ,
>          I am a Masters student and currently working on a project related to
> security. I have certain queries regarding ssl security. It would be of
> great use to me if some of my queries get clarified. The following is listed
> as:
> 1. How do I prove that ECC 256 bit key is equivalently strong to RSA 2048
> bit key?
This is so hard that noone has done it yet.  Experienced experts
have made estimates based on the best known theoretical attack
against each and comparing the (extreme/impossibly large) amount
of computer power to break them.

For example one of the relevant attacks against 2048 bit RSA is
to use the best known algorithm to factor a 2048 bit number known
to be the multiple of two large primes.  This requires a certain
number of fundamental computer resources (CPU cycles and memory
bytes).

A similar consideration can be made for the best algorithm to find
the secret multiplier (private key) from the ECC 256-p point
published as the public key.

Next adjust both numbers by how much those algorithms are going
to improve over the time the private key has to be kept secret
(for SSL/TLS session signatures with ephemeral DH session key
exchange), this is just the time from certificate issuance/key
generation until the certificate expires.  But for some other
uses this is the time until signed digital documents (such as
deeds of ownership to a house) are no longer important enough
to protect against forgery, usually many decades.

Especially that last step is very much a matter of opinion,
and thus different researchers disagree.  For instance
Certicom, the original main proponents of ECC crypto,
published tables that claimed a much larger RSA key would be
needed to get the same security as 256 bit ECC.

> 2. What all types of threats could be used for testing the above question?
See above.
> 3.The paper has listed Openssl library  can be used for enabling ssl
> security , certificate generation and management. I have created an ECC
> certificate that works fine  but such a certificate shows "Invalid digital
> signature "message on the certificate. The elliptic curve used for
> certificate generation is one amongst the named curves supported by Openssl
> and recommended by NIST-suite B.  How can that be resolved?
Either you did something wrong when generating the certificate,
or you are testing with a software tool that doesn't support
that particular form of ECC signature.  Note that ECC keys and
signatures can refer to the chosen curve in one of two ways
("named curve" or explicit curve description), OpenSSL only
accepts the "named curve" form as input.


> 4.The Openssl library has certificate verification method that checks the
> certificate validity w.r.t validity period, certificate chain depth, etc,
> then why is a Certificate Revocation List or an OCSP  needed, in a sense if
> the verification is already done, then why should invalid certificates be
> revoked and verification be done on the basis of CRL?
The revocation check is to check if something bad happened after
the certificate was generated and signed by the issuing CA.

Typical examples include:

- The legitimate certificate holder had her private key stolen
  ("compromised") or at least found herself in a situation where
  she could no longer be sure if someone has an illegetimate copy.

- The facts stated in the certificate are no longer true, for
  instance, if the certificate states that the certificate holder
  is a resident of city X, but has since moved to city Y.

- The CA that issued the certificate finds out it did so in
  error, e.g. it accidentally issued it to the wrong person, or it
  issued an SHA-1 based certificate after the official deadline
  for ceasing all such issuance (This has happened sevaral times
  in the last 40 days).

> 5. Is there any other approach for client authentication in SSL other than
> certificates approach?
Yes, the full SSL protocol also supports various password based
methods, but they are considered less secure for most purposes.
> 6. Is ssl security suitable enough for securing connections to server in
> control and monitoring systems? How can client authentication be done for
> such systems using SSL protocol?
Depends how important security of that communication is, and how
strong the minimum SSL settings are configured.

For example if the control connection is for a large industrial
plant of a type where deliberately issuing the wrong control
commands can generate a major disaster (Bopal sized), then as
long as people are living next to the factory or working inside
the factory, it might not be secure to allow such control to be
done from outside the factory, no matter how secure the
connection is (the problem is that the person pushing the buttons
isn't risking his own life too).

But as the potential risks get smaller, the level of security
of the connection can be weighed against the dangers that would
result from compromising the connection.  Assessing this
involves not only the technical dangers (how much damage could
someone do), but also how much money and effort someone might
spend to cause that damage deliberately.

At one extreme, the process and its location/ownership may be
such that a major superpower may dedicate some of its top
secret experts to break in.  At the other extreme, the
circumstances may make it reasonable to assume no one will
spend more than 1M$ to break into the connection (if the
price of breaking in is less than that, there is a real
risk that ordinary criminals might do it using stolen
tools).



> 7.If CRLs are to be used, then how will the CA know about the private key
> being compromised so that it can revoke the certificate considering it being
> forged?
>     Thanks and regards,
>      Suman Patro
>
As previously mentioned, the most common ways a certificate
gets added to a revocation list are:

1. The person/company to whom it was issued calls the CA and
   says "someone may have stolen my key, please revoke it".
    The standard contracts from CAs specify where to call and
   how quickly they have to add it to the public revocation
   systems.

2. The person/company in whose name it was issued calls the
   CA and says "Whomever you issued that certificate to isn't
   me, revoke it at once!".  Again there are are standard
   procedures to do this.

3. A professional review/audit of issued certificates
   discovers something should not have been issued and
   contacts the CA.  Many CAs have internal teams doing such
   reviews on a regular basis, and publicly trusted CAs are
   subject to independent audits at least once a year.

4. A relevant event (death, bankruptcy, etc.) is announced in
   an official medium (such as a national government gazette),
   causing the CA to revoke the certificate in accordance with
   specific contract clauses regarding said type of event.

5. A relevant event (such as a person getting fired from
   their job) is reliably communicated to a CA that issued
   a certificate no longer valid then (for instance a
   certificate identifying said person as being an authorized
   employee).

All in all, these are the same situations in which credit
cards or a door keys might be revoked (mechanical door keys
are revoked by changing the locks).

Enjoy

Jakob
-- 
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20160211/08e0e296/attachment.html>