Configuring Randomized Validity

Introduction

Randomizing validity is one of the methods allowing to add entropy to certificates in order to make it more difficult attacks on cryptographic hashes. RFC 4270 (written by P. Hoffman and B. Schneier) provides three suggestions to reduce the likelihood of hash-based attacks:

• making part of the certificate serial number unpredictable to the attacker

• adding a randomly chosen component to the identity

• making the validity dates unpredictable to the attacker by skewing each one forwards or backwards

CA’s profile framework is based on plug-ins. One type of the plug-ins is responsible for setting defaults and verifying constraints for in the process of populating validity. Simple replacement of validity plug-in in a profile with new one randomizing validity allows to generate certificates with randomized validity when using enrollment with modified profile.

Process of profile editing in order to replace validity plug-in is described below.

Managing Certificate Profiles

Typical certificate profile configuration includes section configuring ValidityDefault and ValidityConstraint plug-ins.

Sample below shows default configuration included in caUserCert profile (/usr/share/pki/ca/profiles/ca/caUserCert.cfg).

ValidityDefault plug-in configuration in caUserCert.cfg:

...
policyset.userCertSet.2.default.class_id=validityDefaultImpl
policyset.userCertSet.2.default.name=Validity Default
policyset.userCertSet.2.default.params.range=180
policyset.userCertSet.2.default.params.startTime=0
...

ValidityConstraint plug-in configuration in caUserCert.cfg:

...
policyset.userCertSet.2.constraint.class_id=validityConstraintImpl
policyset.userCertSet.2.constraint.name=Validity Constraint
policyset.userCertSet.2.constraint.params.notAfterCheck=false
policyset.userCertSet.2.constraint.params.notBeforeCheck=false
policyset.userCertSet.2.constraint.params.notBeforeGracePeriod=0
policyset.userCertSet.2.constraint.params.range=365
...

Profile needs to be disabled to initiate profile editing.

Here are sample steps:

• Selecting caUserCert profile (Manual User Dual-Use Certificate Enrollment)

• Disabling caUserCert profile (Manual User Dual-Use Certificate Enrollment):

Editing Certificate Profiles

Disabled profile can be edited.

Here are sample steps:

• Selecting caUserCert profile for editing

• Editing caUserCert profile

Review Current Validity Configuration

Review current validity configuration before replacing it with randomized validity plug-in.

Here are sample steps:

• Check current validity defaults

• Check current validity constraints

Delete Validity

Delete current validity plug-in.

Here are sample steps:

• Select current validity plug-in

• Confirm validity plug-in removal

• Check if validity plug-in was deleted.

Add Randomized Validity

Add randomized validity plug-in.

Here are sample steps:

• Press add button in profile editor

• Select "Randomized Validity Default" and "Validity Constraint"

• Enter "Policy ID"

• Update "Validity Default" configuration

• Update "Validity Constraint" configuration and save configuration updates

• Check new randomized validity plug-in

• Select caUserCert profile (Manual User Dual-Use Certificate Enrollment)

• Approve update caUserCert profile (Manual User Dual-Use Certificate Enrollment)

New Randomized Validity Plug-in Configuration

Sample below shows updated caUserCert profile configuration including randomized validity plug-in;

policyset.userCertSet.2.default.class_id=randomizedValidityDefaultImpl
policyset.userCertSet.2.default.name=Randomized Validity Default
policyset.userCertSet.2.default.params.notBeforeRandomBits=10
policyset.userCertSet.2.default.params.range=180
policyset.userCertSet.2.default.params.startTime=0
policyset.userCertSet.2.default.params.startTimeRandomBits=10