cloudflare / cfssl

CFSSL: Cloudflare's PKI and TLS toolkit
https://cfssl.org/
BSD 2-Clause "Simplified" License
8.75k stars 1.11k forks source link

Understanding OSCP nonce support #740

Open gdhgdhgdh opened 7 years ago

gdhgdhgdh commented 7 years ago

When reading about OCSP in general I see that each request / response pair supports the use of a nonce to help guard against replay attacks.

Hence I was surprised to read at https://github.com/cloudflare/cfssl/blob/master/ocsp/responder.go#L227 that We don't intend to support nonces - would you mind describing why this is the case?

rolandshoemaker commented 7 years ago

The golang x/crypto/ocsp library doesn't support the nonce extension and using a request/response nonce prevents offline signing as each response needs to be signed with the individual request nonce in the body which is not performant.

Also since OCSP responses have a built in validity period there are very few scenarios where a replay attack would actually be that bad.

di-org commented 2 months ago

Since this issue is still open: A replay attack should not be considered "not that bad", especially when talking about protecting cryptographic operations.

Use of a NONCE for OSCP was written into section 4.4.1 in the 06/1999 OSCP standard RFC-2560 and most recently updated by the NONCE Extension standard RFC-8954 in 11/2020. Not supporting NONCE functionality is not complying with an published internet standard.

While agreed that there is a performance hit when using NONCEs, so too is there a performance hit when using TLS over Non-TLS HTTP, but we still do it in part to protect the integrity of the data, as does a NONCE w/ OSCP.