[cabfpub] Pre-Ballot 164 - Certificate Serial Number Entropy

Ryan Sleevi sleevi at google.com
Wed Apr 27 22:44:38 MST 2016


How do you comply with the existing requirement for 20 bits? Do you believe
64 bits would be different?
On Apr 27, 2016 10:29 PM, "Eneli Kirme" <Eneli.Kirme at sk.ee> wrote:

Dear all,

SK has a question about this proposal: how it is supposed to be described
in CPS and audited?

Today there are no requirements for a CA to develop its own software or
have access to the source of the used certificate-generation software. The
users guide most probably doesn’t state exact details about the method used
to generate non-sequential serial numbers.

For the same reason we are a bit worried about the proposed short time to
comply. A CA using commercially available software might not be able to get
the new feature quickly enough because the CA software vendors are not
obliged to follow neither BR-s nor the discussions here.


Best regards,

Eneli Kirme
AS Sertifitseerimiskeskus/SK

On 26 Apr 2016, at 17:56, Ben Wilson <Ben.Wilson at digicert.com> wrote:

What about,

"For certificates having a notBefore date after 1 July 2016, CAs SHALL use
a Certificate serialNumber greater than zero (0) that exhibits at least 64
bits of entropy (i.e. randomness or unpredictability)."

?

*From:* Erwann Abalea [mailto:Erwann.Abalea at docusign.com
<Erwann.Abalea at docusign.com>]
*Sent:* Tuesday, April 26, 2016 2:47 AM
*To:* Tim Hollebeek <THollebeek at trustwave.com>
*Cc:* Ryan Sleevi <sleevi at google.com>; Ben Wilson <ben.wilson at digicert.com>;
CABFPub <public at cabforum.org>
*Subject:* Re: [cabfpub] Pre-Ballot 164 - Certificate Serial Number Entropy

That’s a good start :)

I find it unfortunate that we need to define in BRs what a CSPRNG is,
though.

Cordialement,
Erwann Abalea


Le 19 avr. 2016 à 16:01, Tim Hollebeek <THollebeek at trustwave.com> a écrit :

This is actually a pet peeve of mine that I’d like to fix, though
unfortunately it is hard to fix.  One of the first security projects I was
ever involved in involved exploiting bad random number generators to
predict who would win a poker hand based on just your own hole cards and
the flop (https://www.cigital.com/papers/download/developer_gambling.php).

Various security standards have tried with varying degrees of success to
describe entropy requirements with generally poor results.  A first stab is:

---
A blah blah blah (serial number, challenge, etc) must be generated using at
least N bits from a cryptographically strong pseudorandom number generator.

Definition (Cryptographically strong pseudorandom number generator): An
algorithm that uses cryptographic functions to generate pseudorandom
numbers that cannot be predicted by anyone who does not have knowledge of
the internal data describing the current state of the generator.
---

It’s not perfect, because you can use cryptographic functions and still
build a bad PRNG (hello NSA!), but at least it rules out all the really bad
ones like rand() that don’t use any cryptographic functions at all, and
should allow all existing and future secure PRNGs.

-Tim

*From:* public-bounces at cabforum.org [mailto:public-bounces at cabforum.org
<public-bounces at cabforum.org>] *On Behalf Of *Ryan Sleevi
*Sent:* Tuesday, April 19, 2016 9:42 AM
*To:* Ben Wilson
*Cc:* CABFPub
*Subject:* Re: [cabfpub] Pre-Ballot 164 - Certificate Serial Number Entropy

Ben, is there any thought further on 'unpredictable bits'?

While I realize Richard disagreed, I do think it creates a possibility for
a CA to argue that they're using unpredictable bits from, say, a Microsoft
GUID generator, but such bits are not unpredictable. My hope would be to
provide objective and unambiguous criteria, since, as we've seen from this
discussion, 'unpredictable bits' and 'entropy' seem to cause some confusion.

On Tue, Apr 19, 2016 at 6:24 AM, Ben Wilson <ben.wilson at digicert.com> wrote:
Then I'll move forward with the  ballot if we have two endorsers.

-----Original Message-----
From: Peter Bowen [mailto:pzb at amzn.com]
Sent: Monday, April 18, 2016 9:16 PM
To: Ben Wilson <ben.wilson at digicert.com>

Cc: CABFPub <public at cabforum.org>
Subject: Re: [cabfpub] Pre-Ballot 164 - Certificate Serial Number Entropy

I looked at certificates across all CT logs that had notBefore dates in
March 2016.  Only 549 unique certificates had more than 20 bits but less
than 61 bits in the serial number.  They were spread among many CAs.  >From
the looks of it, I’m guessing that some CAs using a random number between 0
and N (probably 2^64 or 2^128) and some percentage of the time the value
chosen is less than 2^61.  I used 2^61 as that is 16 hex digits which is a
good approximation of 64-bits.

So, I would say that almost everyone is using at least 64-bit serial
numbers already.

> On Apr 18, 2016, at 3:45 PM, Ben Wilson <ben.wilson at digicert.com> wrote:
>
> On the cablint report for the 20 bits of entropy,
https://crt.sh/?cablint=38
<http://scanmail.trustwave.com/?c=4062&d=_7WW1-Xsik0C2oQr-Abmw1rpiv0FhB9gtfVo4c10-Q&s=5&u=https%3a%2f%2fcrt%2esh%2f%3fcablint%3d38>,
there  are 20 certificates that were listed.  If this changes to 64 bits,
how many more certificates will be on the list?
>
> From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
Behalf Of Ben Wilson
> Sent: Monday, April 18, 2016 10:25 AM
> To: CABFPub <public at cabforum.org>
> Subject: [cabfpub] FW: Pre-Ballot 164 - Certificate Serial Number Entropy
>
> Forwarding
>
> From: Kane York [mailto:kanepyork at gmail.com]
> Sent: Monday, April 18, 2016 10:23 AM
> To: Ben Wilson <ben.wilson at digicert.com>; Erwann Abalea <
Erwann.Abalea at docusign.com>
> Cc: questions at cabforum.org
> Subject: Re: [cabfpub] Pre-Ballot 164 - Certificate Serial Number Entropy
>
>
> On Fri, Apr 15, 2016 at 7:52 AM Ben Wilson <ben.wilson at digicert.com>
wrote:
> I didn’t think it was that simple.  For instance, see
https://en.wikipedia.org/wiki/Password_strength
<http://scanmail.trustwave.com/?c=4062&d=_7WW1-Xsik0C2oQr-Abmw1rpiv0FhB9gtfZt5Zwiog&s=5&u=https%3a%2f%2fen%2ewikipedia%2eorg%2fwiki%2fPassword%5fstrength>
>
> From: Erwann Abalea [mailto:Erwann.Abalea at docusign.com]
> Sent: Friday, April 15, 2016 8:44 AM
> To: Ben Wilson <ben.wilson at digicert.com>
> Cc: CABFPub <public at cabforum.org>
>
> Subject: Re: [cabfpub] Pre-Ballot 164 - Certificate Serial Number Entropy
>
> Bonjour,
>
> 20 bits of entropy is the same as 20 bits unpredictable bits.
>
> Whence, 64 bits of entropy is a higher requirement than 20 bits of
entropy.
>
> Cordialement,
> Erwann Abalea
>
> No, it definitely is that simple.
>
> I think the confusion here is the definition of "hex characters".
>
> > Our CA issues certificates with 32 hexadecimal characters for the
serial number.
>
> This is not possible - you cannot have 32 ASCII characters in the serial
number.
> The most likely truth given that explanation is that you have 16 fully
random bytes. Which would be 16 * 8 = 128 random bits, satisfying the
entropy requirements.
>
> 3 fully random bytes would satisfy the 20-bit requirement.
> 6 fully random hexadecimal ASCII characters encoded in the serial number
would satisfy the 20-bit requirement.
>
> 8 fully random bytes is required to satisfy the 64-bit requirement.
> 16 bytes with 4 bits of entropy each, which ASCII-encoded hexadecimal
would be, would satisfy the entropy requirement and leave you 3.875 bytes
left over for other information.
>
>
> Le 15 avr. 2016 à 16:32, Ben Wilson <ben.wilson at digicert.com> a écrit :
>
> Forwarding
>
> From: Man Ho (Certizen) [mailto:manho at certizen.com]
> Sent: Thursday, April 14, 2016 7:51 PM
> To: Ben Wilson <ben.wilson at digicert.com>; Ryan Sleevi <sleevi at google.com>
> Cc: public at cabforum.org
> Subject: Re: [cabfpub] Pre-Ballot 164 - Certificate Serial Number Entropy
>
> Ben,
>
> We had already changed our system to issue SSL certificates with 20
hexadecimal characters of at least 20-bit of entropy since 2014. I'm just
wondering why the requirement is changed from "bits of entropy" to
"unpredictable bits", which I don't understand the conversion (like "cm" to
"inch" :). I don't know whether our software vendor understands it.
>
> Man
>
> On 4/15/2016 4:24 AM, Ben Wilson wrote:
> You’re right, given a randomly generated 20-byte serial number, you have
159 unpredictable bits.
>
> From: Ryan Sleevi [mailto:sleevi at google.com]
> Sent: Thursday, April 14, 2016 2:03 PM
> To: Ben Wilson <ben.wilson at digicert.com>
> Cc: Man Ho (Certizen) <manho at certizen.com>; public at cabforum.org
> Subject: Re: [cabfpub] Pre-Ballot 164 - Certificate Serial Number Entropy
>
> Ben:
>
> Are you sure your math is correct? A serial number is 20 bytes, with the
high bit needing to be 1 (for the encoding of positive INTEGERS within
DER). This leaves 159 bits for entropy. So you certainly can't have more
unpredictable bits than that :)
>
> On Thu, Apr 14, 2016 at 12:59 PM, Ben Wilson <ben.wilson at digicert.com>
wrote:
> Man,
> Have you had a chance to do  further research on the capabilities of your
system?   Our CA issues certificates with 32 hexadecimal characters for the
serial number.  There are 4 bits of entropy for each hexadecimal
character.  Therefore, our serial numbers have 128 bits of entropy and
16*32= 512 unpredictable bits.  An 8-hexadecimal character serial number
would have 32 bits of entropy and 128 unpredictable bits.  A 20-bit entropy
would be equal to 5 hexadecimal characters, or 80 unpredictable bits, so
this seems like this is a downgrade to go to 64 unpredictable bits.  Am I
right?
> Ben
>
> From: Man Ho (Certizen) [mailto:manho at certizen.com]
> Sent: Wednesday, March 23, 2016 12:27 AM
> To: Ben Wilson <ben.wilson at digicert.com>; public at cabforum.org
> Subject: Re: [cabfpub] Pre-Ballot 164 - Certificate Serial Number Entropy
>
> Hi all,
>
> Is the meaning of "at least 64 unpredictable bits" setting the same or a
higher requirement than "at least 20 bits of entropy" ? I'm not quite sure
whether our certificate generation software has this setting in itself.
>
> Cheers
> Man
>
> On 3/1/2016 12:21 AM, Ben Wilson wrote:
> REPLACE
> "CAs SHOULD generate non-sequential Certificate serial numbers that
exhibit at least 20 bits of entropy"
> WITH
> "Effective April 1, 2016, CAs SHALL use a Certificate serialNumber
greater than zero (0) that contains at least 64 unpredictable bits."
>
>
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public
<http://scanmail.trustwave.com/?c=4062&d=_7WW1-Xsik0C2oQr-Abmw1rpiv0FhB9gtaA94Mx38A&s=5&u=https%3a%2f%2fcabforum%2eorg%2fmailman%2flistinfo%2fpublic>
>
>
>
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public
<http://scanmail.trustwave.com/?c=4062&d=_7WW1-Xsik0C2oQr-Abmw1rpiv0FhB9gtaA94Mx38A&s=5&u=https%3a%2f%2fcabforum%2eorg%2fmailman%2flistinfo%2fpublic>
>
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public
<http://scanmail.trustwave.com/?c=4062&d=_7WW1-Xsik0C2oQr-Abmw1rpiv0FhB9gtaA94Mx38A&s=5&u=https%3a%2f%2fcabforum%2eorg%2fmailman%2flistinfo%2fpublic>
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public
<http://scanmail.trustwave.com/?c=4062&d=_7WW1-Xsik0C2oQr-Abmw1rpiv0FhB9gtaA94Mx38A&s=5&u=https%3a%2f%2fcabforum%2eorg%2fmailman%2flistinfo%2fpublic>


_______________________________________________
Public mailing list
Public at cabforum.org
https://cabforum.org/mailman/listinfo/public
<http://scanmail.trustwave.com/?c=4062&d=_7WW1-Xsik0C2oQr-Abmw1rpiv0FhB9gtaA94Mx38A&s=5&u=https%3a%2f%2fcabforum%2eorg%2fmailman%2flistinfo%2fpublic>


------------------------------

This transmission may contain information that is privileged, confidential,
and/or exempt from disclosure under applicable law. If you are not the
intended recipient, you are hereby notified that any disclosure, copying,
distribution, or use of the information contained herein (including any
reliance thereon) is strictly prohibited. If you received this transmission
in error, please immediately contact the sender and destroy the material in
its entirety, whether in electronic or hard copy format.
_______________________________________________
Public mailing list
Public at cabforum.org
https://cabforum.org/mailman/listinfo/public


_______________________________________________
Public mailing list
Public at cabforum.org
https://cabforum.org/mailman/listinfo/public



_______________________________________________
Public mailing list
Public at cabforum.org
https://cabforum.org/mailman/listinfo/public
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://cabforum.org/pipermail/public/attachments/20160427/7a290c5e/attachment-0001.html 


More information about the Public mailing list