Security Protocols and Infrastructures. Winter Term 2012/2013

Transcription

1 Security Protocols and Infrastructures Winter Term 2012/2013 Harald Baier Chapter 4: Introduction to Abstract Syntax Notation 1 ASN.1 The key ASN.1 structure of the lecture: Certificates Certificate ::= SEQUENCE { tbscertificate TBSCertificate, signaturealgorithm AlgorithmIdentifier, signaturevalue BIT STRING } TBSCertificate ::= SEQUENCE { version [0] EXPLICIT Version DEFAULT v1, serialnumber CertificateSerialNumber, signature AlgorithmIdentifier, issuer Name, validity Validity, subject Name, subjectpublickeyinfo SubjectPublicKeyInfo, issueruniqueid [1] IMPLICIT UniqueIdentifier OPTIONAL, -- If present, version shall be v2 or v3 subjectuniqueid [2] IMPLICIT UniqueIdentifier OPTIONAL, -- If present, version shall be v2 or v3 extensions [3] EXPLICIT Extensions OPTIONAL -- If present, version shall be v3 } Harald Baier Security Protocols and Infrastructures h_da, Winter Term 2012/2013 2

2 Contents ASN.1 foundations ASN.1 encoding Demo Harald Baier Security Protocols and Infrastructures h_da, Winter Term 2012/ Contents ASN.1 foundations ASN.1 encoding Demo Harald Baier Security Protocols and Infrastructures h_da, Winter Term 2012/2013 4

3 ASN.1 basics ASN.1 = Abstract Syntax Notation One Objectives: Abstract description of data objects at the application layer (according to ISO-OSI reference model) Syntax is similar to higher programming languages Very flexible Coding is typically implemented using Basic Encoding Rules (BER) or Distinguished Encoding Rules (DER) Standard: ITU-T X.680, Specification of ASN.1, Nov Harald Baier Security Protocols and Infrastructures h_da, Winter Term 2012/ Four ASN.1 type classes Simple types: Atomic (i.e. do not comprise components) Examples: INTEGER, BIT STRING, UTCTime Structured types: Possess components Examples: SET, SEQUENCE Tagged types: Derived from other types Implicit vs. explicit tagging mode Other Types: Examples: CHOICE, ANY Harald Baier Security Protocols and Infrastructures h_da, Winter Term 2012/2013 6

4 ASN.1 notation (1/2) Comment: Starts after two hyphens '--' Ends either at end of line or at two hyphens '--' Notation of variables and types: Allowed characters: A-Z, a-z, 0-9, -, 'SPACE' Variables begin with a lowercase Types begin with an uppercase Harald Baier Security Protocols and Infrastructures h_da, Winter Term 2012/ ASN.1 notation (2/2) Assigning operator: a ::= b Define a by b Declaration of variables: nameofvariable Type Example: b INTEGER b is an INTEGER Harald Baier Security Protocols and Infrastructures h_da, Winter Term 2012/2013 8

5 ASN.1 tags Every ASN.1 type (besides CHOICE, ANY) has a universal tag (is needed in encoding to define the ASN.1 type) Every tag comprises a tag class and a tag number Notation: [ <class> <tag number> ] Default tag (if class is omitted): context specific Do not confuse: A tag to define a universal type and A tagged type There are four tag classes Harald Baier Security Protocols and Infrastructures h_da, Winter Term 2012/ Four ASN.1 tag classes (1/2) Universal tags: Meaning is standardised and the same within each application Key word: UNIVERSAL Application specific tags (not relevant for us): Meaning not standardised; depends on application context Key word: APPLICATION Example: Database vs. office application The same tag number has different implications Harald Baier Security Protocols and Infrastructures h_da, Winter Term 2012/

6 Four ASN.1 tag classes (2/2) Private tags (not relevant for us): Self-defined and only valid within proprietary environment Key word: PRIVATE Context-specific tags: Meaning depends on the context, where the tag is used Typically used within structured types to avoid ambiguity Most important tag class for certificates No key word Default tag, if key word is missing Harald Baier Security Protocols and Infrastructures h_da, Winter Term 2012/ ASN.1 Simple Types Type Universal Details Tag BOOLEAN 1 Values are TRUE or FALSE INTEGER 2 An integer BIT STRING 3 A string of 0 and 1 OCTET STRING 4 A string of bytes NULL 5 No information available OBJECT IDENTIFIER 6 A reference of an object PrintableString 19 A string of printable characters IA5String 22 A string of ASCII characters UTCTime 23 Coordinated Universal Time (GMT) GeneralizedTime 24 Generalized Time (GMT) Harald Baier Security Protocols and Infrastructures h_da, Winter Term 2012/

7 4 Classes of Structured Types SEQUENCE (Universal Type 16): Ordered set of one or more types SEQUENCE OF (Universal Type 16): Ordered set of 0,...,N instances of the same type SET (Universal Type 17): Unordered set of one or more types SET OF (Universal Type 17): Unordered set of 0,...,N instances of the same type Harald Baier Security Protocols and Infrastructures h_da, Winter Term 2012/ Sample Types and Tags Definition of a simple type by its tag: [ UNIVERSAL 2 ] : INTEGER [ UNIVERSAL 6 ] : OBJECT IDENTIFIER Definition of a structured type by its tag: [ UNIVERSAL 16 ] : SEQUENCE [ UNIVERSAL 17 ] : SET Definition of a tagged-type: [ 0 ] : Context specific tag number 0 Harald Baier Security Protocols and Infrastructures h_da, Winter Term 2012/

8 Time notation in ASN.1 2 simple types to denote the time UTCTime : Coordinated Universal Time Format: YYMMDDHHMMSSZ Z : Zulu = GMT YY 50: Year = 19YY YY < 50: Year = 20YY GeneralizedTime : Format: YYYYMMDDHHMMSSZ Harald Baier Security Protocols and Infrastructures h_da, Winter Term 2012/ Tagged Types Use case: Avoid ambiguity in a structered type Typically optional types in a SEQUENCE Two or more instances of the same type in a SET 2 methods of tagging: Explicit tagging: New tag is a wrapper of the old tag Notation: [ class number ] EXPLICIT Default tagging method, if key word is missing Implicit tagging: New tag overrides the old tag Notation: [ class number ] IMPLICIT Harald Baier Security Protocols and Infrastructures h_da, Winter Term 2012/

9 Contents ASN.1 foundations ASN.1 encoding Demo Harald Baier Security Protocols and Infrastructures h_da, Winter Term 2012/ ASN.1 encoding methods Encoding method: Defines how to write an ASN.1 structure as a bit string Scheme: Type - Length Value (TLV) Type: Defines the ASN.1 type to encode Length: Represents the length of value Value: Actual contents Relevant encoding methods of ASN.1 structures: Basic Encoding Rules (BER) Distinguished Encoding Rules (DER): A subset of BER Privacy Enhanced Mail Coding (PEM): Default in openssl Harald Baier Security Protocols and Infrastructures h_da, Winter Term 2012/

10 3 BER encoding forms Primitive form: Length of value is known Example: Simple type, which is not a string (BOOLEAN, OBJECT IDENTIFIER, INTEGER,...) Constructed form: Length of value is known Examples: Simple string type, structured type Length of value is not known Examples: Simple string type, structured type Harald Baier Security Protocols and Infrastructures h_da, Winter Term 2012/ BER encoding parts BER encoding comprises three or four parts (TLV): Identifier: Encodes the ASN.1 type Length: Describes the length of value (if known) Value: Encoded Value End-of-contents: End of encoded value, if its length is unknown Harald Baier Security Protocols and Infrastructures h_da, Winter Term 2012/

11 BER encoding of the identifier (1/3) Notation of the first identifier byte: b 7 b 6 b 5 b 4 b 3 b 2 b 1 b 0 Bits b 7 b 6 define the ASN.1 tag class: b 7 b 6 = 00 : UNIVERSAL b 7 b 6 = 01 : APPLICATION b 7 b 6 = 10 : context-specific b 7 b 6 = 11 : PRIVATE Bit b 5 defines the encoding form: b 5 = 0 : Primitive form (i.e. length is known) b 5 = 1 : Constructed form (length known or not) Harald Baier Security Protocols and Infrastructures h_da, Winter Term 2012/ BER encoding of the identifier (2/3) Bits b 4 b 3 b 2 b 1 b 0 define the value of the tag: b 4 b 3 b 2 b 1 b 0 < : Bit string represents the tag number in big-endian Tag numbers 0,..., 30 can be represented in this form b 4 b 3 b 2 b 1 b 0 = : Tag number is encoded in the following bytes Every relevant byte for the tag number starts with a '1' The last tag number byte starts with a '0' Ignore the most significant bit of these bytes to get the actual tag number Typically does not happen in our context Harald Baier Security Protocols and Infrastructures h_da, Winter Term 2012/

12 BER encoding of the identifier (3/3) Source: Olivier Dubuisson, ASN.1 Communication between Heterogeneous Networks Harald Baier Security Protocols and Infrastructures h_da, Winter Term 2012/ BER encoding of the length (1/2) Notation of the first length byte: b 7 b 6 b 5 b 4 b 3 b 2 b 1 b 0 Bit b 7 = 0: Short definite length Value requires b 6 b 5 b 4 b 3 b 2 b 1 b 0 bytes (written in binary) Maximum length of value: b 7 b 6 b 5 b 4 b 3 b 2 b 1 b 0 = = 127 Bit b 7 = 1: Long definite length or indefinite length b 7 b 6 b 5 b 4 b 3 b 2 b 1 b 0 = : Indefinite length Otherwise b 6 b 5 b 4 b 3 b 2 b 1 b 0 defines the following number of bytes to encode the length of value Harald Baier Security Protocols and Infrastructures h_da, Winter Term 2012/

13 BER encoding of the length (2/2) Source: Olivier Dubuisson, ASN.1 Communication between Heterogeneous Networks Harald Baier Security Protocols and Infrastructures h_da, Winter Term 2012/ BER vs. DER Drawback of BER BER does not require a specific encoding form, if multiple encodings are possible (e.g. for string types) Ambiguity of encoding is possible for the same input of raw data If a digital signature is computed over this raw data, the signature is not unique Solution: Use Distinguished Encoding Rules (DER) A subset of BER Deterministic enoding of raw data Harald Baier Security Protocols and Infrastructures h_da, Winter Term 2012/

14 Contents ASN.1 foundations ASN.1 encoding Demo Harald Baier Security Protocols and Infrastructures h_da, Winter Term 2012/ ASN.1-Demo Hex dump of a certificate of the German Federal Network Agency Harald Baier Security Protocols and Infrastructures h_da, Winter Term 2012/

15 ASN.1-Demo: Identifier of first ASN.1 variable ASN.1 type of the first ASN.1 variable is encoded within the identifier Byte number 0: Corresponding bit string: ASN.1 tag class (first two bits): Encoding form (third bit): Value of the tag: Bit string: ASN.1 type: Harald Baier Security Protocols and Infrastructures h_da, Winter Term 2012/ ASN.1-Demo: Length of value of first ASN.1 variable The length of the first ASN.1 value is encoded after the identifier: Byte number : Corresponding bit string: The length is encoded in the following bytes!! Actual length of the value in bytes (octets) to : In hex: Decimal: Comparison to the length of the file: $ ls -l BNetA-10R-CA-s42.cer -rw baier baier Nov 13:25 BNetA-10R-CA-s42.cer Harald Baier Security Protocols and Infrastructures h_da, Winter Term 2012/

16 ASN.1-Demo: Next ASN.1 variable Its header is encoded in the bytes to Byte = Length: Byte : Corresponding bit string: The length is encoded again in the following bytes!! Actual length of the value in bytes (octets) to : In hex: Decimal: Harald Baier Security Protocols and Infrastructures h_da, Winter Term 2012/ ASN.1-Demo: Next ASN.1 variable Its header is encoded in the bytes to Type: Byte = Corresponding bit string: ASN.1 tag class (first two bits): Encoding form (third bit): Value of the tag: Length: Byte : Actual length of the value is bytes Harald Baier Security Protocols and Infrastructures h_da, Winter Term 2012/

17 ASN.1-Demo: Next ASN.1 variable Its header is encoded in the bytes to Type: Byte = Corresponding bit string: ASN.1 tag class (first two bits): Encoding form (third bit): Value of the tag: Length: Byte is Value is encoded in octet : Context-specific tag ends here Harald Baier Security Protocols and Infrastructures h_da, Winter Term 2012/ ASN.1-Demo: Next ASN.1 variable Its header is encoded in the bytes to Type: Byte = Corresponding bit string: ASN.1 tag class (first two bits): Encoding form (third bit): Value of the tag: Length: Byte is Value is encoded in octet : INTEGER ends here Harald Baier Security Protocols and Infrastructures h_da, Winter Term 2012/

18 ASN.1-Demo: openssl asn1parse openssl asn1parse shows ASN.1 structure of certificate (take care of the input encoding form using the switch inform ) Harald Baier Security Protocols and Infrastructures h_da, Winter Term 2012/