Public key certificates are commonly used for authentication of principals, such as devices and users. A public key certificate binds a public part of an asymmetric key pair to an identifier of the certified principal. The certificate is issued by a trusted Certificate Authority (CA) that signs the certificate. The certificate also contains a certificate identifier, such as certificate serial number. Each certified principal should store the private part of the asymmetric key securely.
If the private key of any principal is compromised (e.g., extracted from the device by an attacker and published online), anyone can masquerade as the certified principal using the issued certificate and the compromised private key. Thus, in case of noticed key compromise, the corresponding certificate should be revoked and the corresponding revocation information should be distributed to the relevant parties. Two well-known mechanisms for certificate revocation exist.
First, the CA maintains and periodically publishes a Certificate Revocation List (CRL). Such lists are defined in common X.509 certificate standard [X509]. A CRL contains a list of certificate identifiers, typically certificate serial numbers that have been revoked by the CA. The CRL is typically signed by the CA that issued the revoked certificates, or by another trusted entity authorized by the CA. A CRL also contains a timestamp. Using this timestamp the CRL verifier can check that the CRL is sufficiently recent.
Second, a certificate verifier can query the revocation status of a certificate from an online service that is maintained by the CA, or another trusted entity authorized by the CA. The responses to such online queries are signed by the trusted authority. The Online Certificate Status Protocol (OCSP) is a standardized protocol for such online queries. The freshness of OCSP responses can be guaranteed in two ways: (a) an OCSP request can contain a random nonce that should be included with the signed OCSP response, or (b) the OCSP response can contain a timestamp similar to CRLs.
The above mentioned well-known mechanisms for handling certificate revocation assume that (a) the certificate verifier has online connectivity and/or (b) the verifier knows the current time in a reliable manner. Online connectivity is needed for fetching the latest CRL from an online directory and for checking the revocation status of the certificate with an online service. The current time is needed to determine that the timestamp in a CRL or in an OCSP response is sufficiently recent.
There are practical use cases in which the certificate verifier has no connectivity to infrastructure networks or has no access to a reliable source of the current time. As such, how is the certificate revocation status securely verified from such constrained devices in an efficient manner in the context of execution of an authentication protocol.
By way of an example, a system model is defined in the following way: assume that two entities are engaged in an authentication protocol: a client device wishes to authenticate itself towards a verifier. Assume that the verifier has no direct connectivity to infrastructure networks and possibly no access to a reliable source of time. The client device has constant or periodic network connectivity. In an authentication protocol run, the verifier sends an authentication request with a random nonce and the client device replies with an authentication response that contains a signature calculated over the nonce and other information relevant for this particular authentication protocol, and a certificate.
MirrorLink [ML-ARCH] is a system that enables integration of mobile device provided services and content to infotainment systems in cars. In the MirrorLink system, the car head-unit (verifier) needs to authenticate, or attest, that the mobile device (client) is manufactured by a compliant mobile device manufacturer and that the mobile device is running compliant MirrorLink software. The primary reasons why such verification is needed are driving safety and liability issues. In the MirrorLink system, this authentication is achieved with a straight-forward device attestation protocol (DAP) that follows the model outlined above using a certified device key issued by the mobile device manufacturer.
In some cases, mobile devices may have only periodic connectivity to infrastructure networks. A mobile device that is roaming in a foreign country is an example scenario: cellular connectivity might be blocked or unavailable but periodic WiFi access through hotspots is usually available. Therefore, even from mobile devices, it is not possible for applications to always expect connectivity on-demand. A typical car head-unit has no direct connectivity to infrastructure networks. A typical head-unit has no reliable source of time information either. In a typical head-unit, a malicious user could reset or modify the head-unit clock from the head-unit user interface. Also situations in which the car main battery runs out may cause the head-unit clock to be reset. Such head-unit clock modifications are a relevant attack vector in systems like MirrorLink because the owner of the car may have an incentive to try to circumvent the MirrorLink device attestation model, in order to use non-compliant mobile devices or services while driving.
Although the MirrorLink system is the primary use case addressed in this description, the problem is not limited to the MirrorLink system only. Instead, similar revocation problems exist in other systems in which the verifier device has no connectivity and no reliable clock.
As such, it remains an open question as to how to design an efficient certificate revocation/freshness checking scheme that can work from a verifier device (e.g., car head unit) with (a) no online connectivity of its own and (b) no reliable way to determine current time, by using the help of a client device (e.g., mobile phone) which itself may have periodic network connectivity but cannot always provide network connectivity on-demand.