[openssl-users] Using set_serial to control serial number size directly

Mon Aug 21 16:26:02 UTC 2017

My proposal.

Keep k bits (k/8 octets) long serial numbers for all your certificates, chose a block cipher operating on blocks of k bits, and operate this block cipher in CTR mode, with a proper secret key and secret starting counter. That way, no collision detection is necessary, you’ll be able to generate 2^(k/2) unique k bits longs serial numbers (in fact, you can generate 2^k unique serial numbers, but after 2^(k/2) you lose some security guarantees).

With 3DES, k=64, and with AES, k=128.
Since you need to make a tradeoff between security and size, you can play with lightweight block ciphers such as Simon, Speck, or find some tweakable lightweight block cipher, maybe from the ECRYPT portfolio (it’s down at this moment).

Again, the 64bits coming from a CSPRNG is for public CAs only, and the uniqueness of a serial number is a dirty hack to be able to use a non collision-resistant hash function a little longer. If you’re confident the hash function used for signature is collision resistant (for example a member of the SHA2 or SHA3 family), and you have a purely private CA, don’t bother will all this, the only hard requirement is the unicity of the tuple {CA name, serial number}.

Cordialement,
Erwann Abalea

> Le 21 août 2017 à 15:44, Robert Moskowitz <rgm at htt-consult.com> a écrit :
> 
> 
> 
> On 08/21/2017 09:36 AM, Salz, Rich wrote:
>> ➢ Thus how large does this random number have
>> 
>> It’s also to protect against predicting serial numbers and being able to leverage that.  It’s not just (nor really mainly) the MD5 digest attacks.  According to CABForum, you need 8 octets.  No reason not to use more if you can.
> 
> Sure there is.  On constrained systems with constrained communication links.  Every byte counts.  My real thrust on this is for IoT.  To get IoT developers to build around certs and know their products work with them instead of, well we will get to it eventually.
> 
> When I work with 802.15.4 communications with a 128 byte MTU, there is considerable debate over every byte sent.  When you tell an IoT chip maker that they have to go from 32KB memory to 100MB, they walk out of the room.
> 
> Oh, I want DOTS and I2NSF developers to be working with certs from the get go, instead waiting for deployments and getting 'production' certs and THEN discovering what works and what does not.  But IoT is in many ways more of a challenge.
> 
> So yes, size matters.
> 
>> 
>> 
>> ➢ page was talking about in conjunction with the -CA option. With 'openssl
>>     ca' use of the serial file is mandatory according to the man page.
>>     There are no command line options for it.
>> 
>> Fixed in master and will be part of the next releases; the –rand_serial flag.
>> 