A Performance Evaluation Study of an X.509 Compliant Public Key Infrastructure Emilia Rosti
advertisement
A Performance Evaluation Study of an X.509 Compliant Public Key Infrastructure Emilia Rosti Joint work with Danilo Bruschi and Arianna Curti Dipartimento di Scienze dell’Informazione Università degli Studi di Milano rose@dsi.unimi.it © Rosti/DSI NPS - 02/22/01 1 Outline • • • • • • PKI: what it is X.509: what it means Certificate revocation protocols Modeling a PKI Results Future work © Rosti/DSI NPS - 02/22/01 2 Public Key Infrastructure • A system comprising policies, software and hardware components that realize a trusted third party that guarantees – authenticity, – ownership, – validity, of “keys” and information related to them. – implements “organized” trust relationships © Rosti/DSI NPS - 02/22/01 3 PKI - Certificates • End users generate public-private key pairs • Certificate associated with public component of each key pair – information about owner, certifier entity, certificate validity, algorithm used for signature, digital signature of the certifier entity © Rosti/DSI NPS - 02/22/01 4 PKI - Certificates • Certificate authenticity – issued by PKI • Certificate ownership – binding between certificate and organization (person) indicated on it • Certificate validity – not revoked © Rosti/DSI NPS - 02/22/01 5 PKI - Components • Registration Authority – authenticates users, distributes keys and certificates, requests certificates • Certification Authority – digitally signs, distributes, and revokes certificates, issues lists of revoked certificates • trusted third party • Directory – stores certificates for public access – X.500 directory with LDAP access protocol © Rosti/DSI NPS - 02/22/01 6 PKI – End users • People and/or software applications – request ceritificate from CA or via RA, access Directory to download lists of revoked certificates and certificates of other party – may have SW or HW devices for signature/encryption (smart card) © Rosti/DSI NPS - 02/22/01 7 PKI - Functionalities • Issueing certificates • Distributing certificates • Distributing certificate status information – certificate revocation lists (CRLs) • Distributing policies adopted when issueing certificates © Rosti/DSI NPS - 02/22/01 8 Public Key Infrastructure Directory certificate and CRL retrieval certificates and CRL certificate and CRL retrieval RA certificate and CRL distribution certificate requests/ revocations certificate issueing end user Registration Authority (optional) CA Certification Authority © Rosti/DSI NPS - 02/22/01 9 X.509 • Standard protocol for authentication services in X.500 Directory Service – part of X.500 Directory Recommendation – adopted by Visa, Mastercard, Netscape, Entrust, TimeStep © Rosti/DSI NPS - 02/22/01 10 X.509v3 • Current standard – extension of X.509 – more flexible structure • from hierarchical structure with three levels Internet Policy Registration Authority (root) Policy Certification Authorities (level 2) Certification Authorities (level 3 to flat structure with cross certification among CAs – no need to traverse the tree up to IPRA © Rosti/DSI NPS - 02/22/01 11 X.509v3 certificate • (X.509) Information about – version and serial number – subject (key owner) – issuer (CA that issued certificate) – validity (not before, not after) – subject public key info (key and algorithm to be used with) – algorithm used for signing – signature of certificate © Rosti/DSI NPS - 02/22/01 12 X.509v3 certificate • v3 extensions – authority key ID (if CA has multiple signature keys) – subject key info (if subject has multiple keys) – key usage restrictions – certificate policies – CA and subject attributes – certification constraints – CRL distribution points © Rosti/DSI NPS - 02/22/01 13 Certificate revocation • Certificates may be revoked before their natural expiration date – private key compromised/lost – canceled account • Certificate status information must be published for end user to be able to verify certificates they handle © Rosti/DSI NPS - 02/22/01 14 Certificate revocation • Certificate Revocation List – serial numbers of revoked certificates – time of revocation – CA signature – CRL issuance time – next CRL issuance time • Size – 51B + 9B*#revoked_certificates [MITRE 94] – entries deleted after certificate expiration © Rosti/DSI NPS - 02/22/01 15 Certificate revocation protocols • Periodic publication of CRL – possibly outdated information • overissued CRL • periodic publication of updates (delta-CRL) • On demand status verification via OCSP (On-line Certificate Status Protocol) – timely status information • Revocation policies performance analysis [Cooper1999, 2000] © Rosti/DSI NPS - 02/22/01 16 Modeling a PKI • Who • CA, RA, Directory, end users – does what • transaction identification • service demands – and how • different policies for revocation information management © Rosti/DSI NPS - 02/22/01 17 Modeling a PKI • CA transactions – certificate issuance • self-signed, RA-generated, renewal – cross-certification – certificate revocation – CRL publication © Rosti/DSI NPS - 02/22/01 18 Modeling a PKI • RA transactions – certificate issuance request – certificate revocation request • Directory transactions – search, modify, add, delete • End users transactions – certificate issuance/revocation request – certificate status verification © Rosti/DSI NPS - 02/22/01 19 Modeling a PKI - Transactions • Self-signed certificate requests – user generates request and protects it with shared secret – CA authenticates sender and shared secret, generates certificate, inserts it in local DB, signs reply and sends it to user – user verifies CA signature, sends ack to CA – CA publishes certificate in Directory © Rosti/DSI NPS - 02/22/01 20 Modeling a PKI - Transactions • RA-generated certificate requests – RA verifies user request, signs it and sends it to CA – CA verifies RA signature, generates certificate, inserts it in local DB, signs and sends it to RA – RA verifies CA signature, sends certificate to user, ack to CA – CA publishes the certificate in Directory © Rosti/DSI NPS - 02/22/01 21 Modeling a PKI - Transactions • Self-signed revocation requests – user generates revocation request, signs it and sends it to CA – CA verifies user’s signature, adds serial number and revocation time to local DB, sends signed reply to user – user verifies CA signature © Rosti/DSI NPS - 02/22/01 22 Modeling a PKI - Transactions • RA-generated revocation requests – RA generates revocation request, signs it and sends it to CA – CA verifies RA signature, adds serial number and revocation time to local DB, sends signed reply to RA – RA verifies CA signature and informs user © Rosti/DSI NPS - 02/22/01 23 Modeling a PKI - Transactions • CRL generation – CA reads revocation list, last full CRL and delta-CRL from local DB – CA generates new delta-CRL and signs it – CA updates local DB – CA publishes delta-CRL in Directory © Rosti/DSI NPS - 02/22/01 24 Modeling a PKI - Methodology • Queueing network model – hierarchical analysis • components in isolation • complete model • enhancements – analytic and simulation • exponentially distributed service times and customers interarrival times – single and multiclass customer population • different resource usage by various transactions – closed and open models © Rosti/DSI NPS - 02/22/01 25 Modeling a PKI - Objectives • Bottleneck analysis • Impact of population mix on response time • Maximum arrival rate for an acceptable response time • What if analysis © Rosti/DSI NPS - 02/22/01 26 Modeling a PKI - Assumptions • 2048 RSA bit signature key for CA – dedicated cryptographic coprocessor • • • • • • • MD5 hash Simple queries by CA to local certificate DB Certificates for signature keys only Delta-CRL Off-line full CRL generation Signed messages Network communication services ignored © Rosti/DSI NPS - 02/22/01 27 Modeling a PKI - Assumptions • Multiclass customer population – class 1: self-signed certificate request – class 2: self-signed revocation request – class 3: delta-CRL generation – class 4: RA-generated certificate request – class 5: RA-generated revocation request – class 6: cross-certification request © Rosti/DSI NPS - 02/22/01 28 PKI complete model RA © Rosti/DSI CA NPS - 02/22/01 Rep 29 Basic models • CA model in isolation • RA model in isolation DISK CPU CrytoCoP © Rosti/DSI NPS - 02/22/01 30 Basic models parameters • Number of users/certificates: 50,000 • Avg. number of revoked certificates: 20% • Service demands estimation (ms) – time to sign 166 ms, to verify signature 4 ms cl1 cl2 CAmod CPU 0.215 0.049 DISK 43.163 32.373 CCP 340 170 RAmod CPU DISK CCP © Rosti/DSI cl3 3.584 44.36 166 cl4 cl5 cl6 0.182 0.051 0.199 43.167 32.337 32.373 336 170 336 0.215 0.081 32.835 21.144 340 340 NPS - 02/22/01 cl1: self-sig. req. cl2: self-sig. rev. cl3: delta-CRL cl4: RA-gen req. cl5: RA-gen rev. cl6: cross-cert. 31 Basic model results • Signature is the bottleneck operation • CA and RA can be modeled as load independent servers – service rates are throughputs obtained – service times in complete model (ms) CA RA © Rosti/DSI cl1 340 cl2 170 cl3 166 cl4 336 340 NPS - 02/22/01 cl5 170 340 cl6 336 cl1: self-sig. req. cl2: self-sig. rev. cl3: delta-CRL cl4: RA-gen req. cl5: RA-gen rev. cl6: cross-cert. 32 Complete model RA CA Dir • Only 5 classes – class 6 accounts for less than 0.02% • Directory – certificate publication: 6ms – CRL publication: 12ms © Rosti/DSI NPS - 02/22/01 33 Complete model assumptions • Variable population mixes on classes 1, 2, 3, 4, 5 – class 3 arrival rate is fixed • generation of delta-CRL every 10 minutes • 3 = 0.001667 req/s – variable splits of total arrival rate among classes • • • • • © Rosti/DSI 1 = 1( - 3) 2 = 2( - 3) 4 = 4( - 3) 5 = 5( - 3) 1 + 2 + 4 + 5 = 1 NPS - 02/22/01 34 Model results • Certificate requests rate larger than revocation requests rate – very unbalanced: total request fraction 82% • 1 = 4 = 41% • 2 = 5 = 9% – less unbalanced: total request fraction 66% • 1 = 4 = 33% • 2 = 5 = 17% © Rosti/DSI NPS - 02/22/01 35 More certificate requests classe1: richieste self_signed 22,5 s 20 Response time 17,5 classe2: revoche self-signed 15 12,5 classe3: CRL 10 7,5 5 classe4: richieste RA-generated 2,5 66% new certificate requests 3 < max < 3.5 0 0 0,5 1 1,5 2 2,5 3 3,5 4 classe5: revoche RA-generated Arrival rate 25 classe1: richieste self-signed s 22,5 20 classe2: revoche self-signed Response time 17,5 15 12,5 classe3: CRL 10 7,5 classe4: richieste RA-generated 5 82% new certificate requests 3 < max < 3.5 2,5 0 0 © Rosti/DSI 0,5 1 1,5 2 Arrival rate 2,5 3 3,5 classe5: revoche RA-generated NPS - 02/22/01 36 Model results • Only RA-generated certificate and revocation requests – 4 = 82% – 5 = 18% • Only self-signed certificate and revocation requests – 1 = 82% – 2 = 18% © Rosti/DSI NPS - 02/22/01 37 Unique request source 30 s 25 Response time classe3: CRL 20 classe4: richieste RA-generated 15 10 5 classe5: revoche RA-generated 0 0 0,5 1 1,5 2 2,5 3 RA-generated only requests 2.5 < max < 3 3,5 Arrival rate s 25 Response time 30 20 classe1: richieste self-signed classe2: revoche self-signed 15 10 classe3: CRL 5 0 0 © Rosti/DSI 0,5 1 1,5 2 Arrival rate 2,5 3 3,5 NPS - 02/22/01 self-signed only requests 2.5 < max < 3.5 38 Model results • Revocation requests rate larger than certificate requests rate – very unbalanced: tot. revocation fraction 82% • 1 = 4 = 9% • 2 = 5 = 41% – less unbalanced: tot. revocation fraction 66% • 1 = 4 = 17% • 2 = 5 = 33% © Rosti/DSI NPS - 02/22/01 39 More revocation requests s 35 classe1: richieste self-signed 30 classe2: revoche self-signed Response time 25 20 classe3: CRL 15 10 classe4: richieste RA-generated 5 66% revocation requests 4 < max < 4.5 0 0 0,5 1 1,5 2 2,5 3 3,5 4 4,5 classe5: revoche RA-generated 5 Arrival rate classe1: richieste self-signed Response time s 25 20 classe2: revoche self-signed 15 classe3: CRL 10 classe4: richieste RA-generated 5 0 0 0,5 1 1,5 2 2,5 3 3,5 4 4,5 5 5,5 © Rosti/DSI Arrival rate 82% revocation requests 4.5 < max < 5 classe5: revoche RA-generated NPS - 02/22/01 40 Model results • Balanced load – 1 = 2 = 4 = 5 = 25% – with - 3 such that response time is less than 5s, N 755,000 • Crev = 151,000 • SCRL = 1.3MB, average size of a full CRL – SCRL = 51 + 9*Crev B • TCRL = 0.568 s, time to generate a full CRL – TCRL = Tdisk + Thash + Tsig irrelevant since performed every 4 hours © Rosti/DSI NPS - 02/22/01 41 Balanced load s 35 classe1: richieste self-signed 30 classe2: revoche self-signed Response time 25 20 classe3: CRL 15 10 classe4: richieste RA-generated 5 0 0 0,5 1 1,5 2 2,5 3 3,5 4 4,5 classe5: revoche RA-generated Arrival rate 3.5 < max < 4 © Rosti/DSI NPS - 02/22/01 42 Model results • Balanced load – 1 = 2 = 4 = 5 = 25% – max = 3.5 req/s, Resp-Time < 5s • Limit frequency of full CRL publication without affecting performance – 5 minutes • Limit frequency of delta-CRL publication without affecting performance – 1 minute © Rosti/DSI NPS - 02/22/01 43 Impact of full CRL generation 80 classe1: richieste self-signed s 70 classe2: revoche self-signed Response time 60 50 classe3: delta-CRL 40 30 classe4: richieste RA-generated 20 6 = 0.00007 once every 4 hours classe5: revoche RA-generated 10 0 0 0,5 1 1,5 2 2,5 3 3,5 4 classe6: full-CRL Arrival rate classe1: richieste self-signed 40 s 30 classe2: revoche self-signed Response time 35 25 classe3: delta-CRL 20 variable 6 classe4: richieste RA-generated 15 10 5 classe5: revoche RA-generated 0 classe6: full-CRL 0 0,5 © Rosti/DSI 1 1,5 2 2,5 Arrival rate 3 3,5 4 NPS - 02/22/01 44 Model results • Signed log files – each operation performed by CA logged – CA signs each file entry – service times per class (s) CA cl1 cl2 cl3 cl4 cl5 2.498 1.332 1.162 2.162 1.332 cl1: self-sig. req. cl2: self-sig. rev. cl3: delta-CRL cl4: RA-gen req. cl5: RA-gen rev. © Rosti/DSI NPS - 02/22/01 45 Signed log file • Unbalanced load – 1 = 4 = 41%, 2 = 5 = 9% • max 0.4 req/s – 1 = 4 = 17%, 2 = 5 = 33% • max 0.66 req/s • Balanced load – 1 = 4 = 2 = 5 = 25% • max 0.5 req/s © Rosti/DSI NPS - 02/22/01 46 Plain vs signed log files 35 classe1: richieste self-signed Response time s 30 25 classe2: revoche self-signed 20 classe3: CRL 15 classe4: richieste RA-generated 10 classe5: revoche RA-generated 5 0 0 0,5 1 1,5 2 2,5 3 3,5 4 Arrival rate sat 0.5 vs 3.7 req/s © Rosti/DSI NPS - 02/22/01 47 Enhancements • Directory requests according to [Cooper2000] – sliding window over-issued delta-CRL • full CRL every 20 hours • delta-CRL every ten minutes, valid for 4 hours – directory utilization increases – max not affected © Rosti/DSI NPS - 02/22/01 48 Enhancements • Revocations are signed and immediately published – users query the repository directly – no CRL – 2.5 < max < 3 req/s with balanced and unbalanced load © Rosti/DSI NPS - 02/22/01 49 Response time s Over-issued CRL vs no CRL 25 classe1: richieste self-signed 20 classe2: revoche self-signed 15 classe3: CRL Over-issued CRL w/ balanced load 10 classe4: richieste RA-generated 5 classe5: revoche RA-generated 0 0 0,5 1 1,5 2 2,5 3 3,5 Arrival rate 4 classe6: accessi al Repository s 35 classe1: richieste self-signed 30 Response time 25 classe2: revoche self_signed 20 15 classe3: richieste RA_generated 10 5 classe4: revoche RA-generated 0 0 0,5 © Rosti/DSI 1 1,5 2 Arrival rate 2,5 3 revocations signed individually balanced load 3,5 NPS - 02/22/01 50 Enhancements • Online Certificate Status Protocol – users query OCSP responder – only OCSP responder downloads CRL – OCSP signs replies to users – max_OCSP 5.67 query/s – 3.5 < max < 4 req/s with balanced load © Rosti/DSI NPS - 02/22/01 51 OCSP s 45 classe1: richieste self-signed 40 Response time 35 30 classe2: revoche self-signed 25 classe3: delta-CRL single OCSP 20 classe4: richieste RA-generated 15 10 classe5: revoche RA-generated 5 0 0 0,5 1 1,5 2 2,5 3 3,5 classe6: richieste all'OCSP 4 Arrival rate classe1: richieste self-signed 40 s 35 classe2: revoche self-signed Response time 30 25 classe3: CRL 11 OCSP server 20 15 classe4: richieste RA-generated 10 5 classe5: revoche RA-generated 0 0 0,5 © Rosti/DSI 1 1,5 2 2,5 Arrival rate 3 3,5 4 4,5 classe6: responder NPS - 02/22/01 OCSP 1-11 52 Future work • Compare results with software-only systems – no cryptographic coprocessor used • Include communication time – bottleneck might switch • Add Timestamp Authority • Estimate total number of users for a given performance level © Rosti/DSI NPS - 02/22/01 53 Bibliography • Cooper1999: D.A. Cooper, A model of certificate revocation, 15th Annual Computer Security Application Conference, pp 256-264, 1999. • Cooper2000: D.A. Cooper, A more efficient use of delta-CRL, 2000 IEEE Symposium of Security and Privacy, pp 190-202, 2000. © Rosti/DSI NPS - 02/22/01 54
