验证RFC 3161受信任的时间戳
验证RFC 3161受信任的时间戳
提问于 2013-10-23 05:11:50
在我的构建过程中,我想包含一个来自符合RFC-3161的TSA的时间戳。在运行时,代码将验证此时间戳,最好不需要第三方库的帮助。(这是一个.NET应用程序,所以我可以随时使用标准散列和非对称加密功能。)
RFC3161依赖于ASN.1和X.690等等,实现起来并不简单,所以至少现在,我使用Bouncy Castle来生成TimeStampReq (请求)并解析TimeStampResp (响应)。我只是不太明白如何验证响应。
到目前为止,我已经知道了如何提取签名本身、公共证书、创建时间戳的时间,以及我发送的消息印记摘要和随机数(用于构建时验证)。我不明白的是,如何将这些数据放在一起来生成经过散列和签名的数据。
这是我正在做的事情和我想要做的事情的大致概念。这是测试代码,所以我走了一些捷径。一旦我得到了一些有用的东西,我将不得不清理一些东西,并以正确的方式完成它们。
构建时的时间戳生成:
// a lot of fully-qualified type names here to make sure it's clear what I'm using
static void WriteTimestampToBuild(){
var dataToTimestamp = Encoding.UTF8.GetBytes("The rain in Spain falls mainly on the plain");
var hashToTimestamp = new System.Security.Cryptography.SHA1Cng().ComputeHash(dataToTimestamp);
var nonce = GetRandomNonce();
var tsr = GetTimestamp(hashToTimestamp, nonce, "http://some.rfc3161-compliant.server");
var tst = tsr.TimeStampToken;
var tsi = tst.TimeStampInfo;
ValidateNonceAndHash(tsi, hashToTimestamp, nonce);
var cms = tst.ToCmsSignedData();
var signer =
cms.GetSignerInfos().GetSigners()
.Cast<Org.BouncyCastle.Cms.SignerInformation>().First();
// TODO: handle multiple signers?
var signature = signer.GetSignature();
var cert =
tst.GetCertificates("Collection").GetMatches(signer.SignerID)
.Cast<Org.BouncyCastle.X509.X509Certificate>().First();
// TODO: handle multiple certs (for one or multiple signers)?
ValidateCert(cert);
var timeString = tsi.TstInfo.GenTime.TimeString;
var time = tsi.GenTime; // not sure which is more useful
// TODO: Do I care about tsi.TstInfo.Accuracy or tsi.GenTimeAccuracy?
var serialNumber = tsi.SerialNumber.ToByteArray(); // do I care?
WriteToBuild(cert.GetEncoded(), signature, timeString/*or time*/, serialNumber);
// TODO: Do I need to store any more values?
}
static Org.BouncyCastle.Math.BigInteger GetRandomNonce(){
var rng = System.Security.Cryptography.RandomNumberGenerator.Create();
var bytes = new byte[10]; // TODO: make it a random length within a range
rng.GetBytes(bytes);
return new Org.BouncyCastle.Math.BigInteger(bytes);
}
static Org.BouncyCastle.Tsp.TimeStampResponse GetTimestamp(byte[] hash, Org.BouncyCastle.Math.BigInteger nonce, string url){
var reqgen = new Org.BouncyCastle.Tsp.TimeStampRequestGenerator();
reqgen.SetCertReq(true);
var tsrequest = reqgen.Generate(Org.BouncyCastle.Tsp.TspAlgorithms.Sha1, hash, nonce);
var data = tsrequest.GetEncoded();
var webreq = WebRequest.CreateHttp(url);
webreq.Method = "POST";
webreq.ContentType = "application/timestamp-query";
webreq.ContentLength = data.Length;
using(var reqStream = webreq.GetRequestStream())
reqStream.Write(data, 0, data.Length);
using(var respStream = webreq.GetResponse().GetResponseStream())
return new Org.BouncyCastle.Tsp.TimeStampResponse(respStream);
}
static void ValidateNonceAndHash(Org.BouncyCastle.Tsp.TimeStampTokenInfo tsi, byte[] hashToTimestamp, Org.BouncyCastle.Math.BigInteger nonce){
if(tsi.Nonce != nonce)
throw new Exception("Nonce doesn't match. Man-in-the-middle attack?");
var messageImprintDigest = tsi.GetMessageImprintDigest();
var hashMismatch =
messageImprintDigest.Length != hashToTimestamp.Length ||
Enumerable.Range(0, messageImprintDigest.Length).Any(i=>
messageImprintDigest[i] != hashToTimestamp[i]
);
if(hashMismatch)
throw new Exception("Message imprint doesn't match. Man-in-the-middle attack?");
}
static void ValidateCert(Org.BouncyCastle.X509.X509Certificate cert){
// not shown, but basic X509Chain validation; throw exception on failure
// TODO: Validate certificate subject and policy
}
static void WriteToBuild(byte[] cert, byte[] signature, string time/*or DateTime time*/, byte[] serialNumber){
// not shown
}运行时的时间戳验证(客户端站点):
// a lot of fully-qualified type names here to make sure it's clear what I'm using
static void VerifyTimestamp(){
var timestampedData = Encoding.UTF8.GetBytes("The rain in Spain falls mainly on the plain");
var timestampedHash = new System.Security.Cryptography.SHA1Cng().ComputeHash(timestampedData);
byte[] certContents;
byte[] signature;
string time; // or DateTime time
byte[] serialNumber;
GetDataStoredDuringBuild(out certContents, out signature, out time, out serialNumber);
var cert = new System.Security.Cryptography.X509Certificates.X509Certificate2(certContents);
ValidateCert(cert);
var signedData = MagicallyCombineThisStuff(timestampedHash, time, serialNumber);
// TODO: What other stuff do I need to magically combine?
VerifySignature(signedData, signature, cert);
// not shown: Use time from timestamp to validate cert for other signed data
}
static void GetDataStoredDuringBuild(out byte[] certContents, out byte[] signature, out string/*or DateTime*/ time, out byte[] serialNumber){
// not shown
}
static void ValidateCert(System.Security.Cryptography.X509Certificates.X509Certificate2 cert){
// not shown, but basic X509Chain validation; throw exception on failure
}
static byte[] MagicallyCombineThisStuff(byte[] timestampedhash, string/*or DateTime*/ time, byte[] serialNumber){
// HELP!
}
static void VerifySignature(byte[] signedData, byte[] signature, System.Security.Cryptography.X509Certificates.X509Certificate2 cert){
var key = (RSACryptoServiceProvider)cert.PublicKey.Key;
// TODO: Handle DSA keys, too
var okay = key.VerifyData(signedData, CryptoConfig.MapNameToOID("SHA1"), signature);
// TODO: Make sure to use the same hash algorithm as the TSA
if(!okay)
throw new Exception("Timestamp doesn't match! Don't trust this!");
}正如您可能猜到的那样,我认为我陷入困境的地方是MagicallyCombineThisStuff函数。
回答 3
Stack Overflow用户
回答已采纳
发布于 2013-10-31 07:43:52
我终于自己想明白了。这不应该令人惊讶,但答案是令人作恶的复杂和间接的。
缺少拼图的部分在RFC5652中。直到我阅读(浏览了一下)那个文档,我才真正理解了TimeStampResp结构。
让我简要描述一下TimeStampReq和TimeStampResp结构。请求中有趣的字段包括:
- a "message imprint",这是用于创建消息印记的散列算法的散列OID的散列数据的散列OID。
- a可选的"nonce",这是客户端选择的标识符,用于验证响应是否专门针对此请求生成。这实际上只是一个盐,用于避免重放攻击和检测错误。
响应的核心是一个CMS SignedData结构。此结构中的字段包括:
- 用于对包含TSTInfo结构的EncapsulatedContentInfo成员的响应
进行签名的证书。重要的是,此结构包含:在请求中发送的消息印记
- 在请求
中发送的现时值
- 由TSA
认证的时间
- 一组SignerInfo结构,通常只有一个结构。对于每个属性,结构中有趣的字段是:
- 一个序列的“符号属性”。此序列的DER编码的BLOB实际上是经过签名的。这些属性包括:
- 由TSA (再次)认证的时间
- TSTInfo structure
- 一个序列的“符号属性”。此序列的DER编码的BLOB实际上是经过签名的。这些属性包括:
的DER编码的BLOB的散列
- an issuer and serial number or subject key identifier that identifies the signer's certificate from the set of certificates found in the SignedData structure
- the signature itself验证时间戳的基本流程如下:
读取带有时间戳的数据,并使用与在时间戳请求中使用的时间戳和现时值相同的散列算法来重新计算消息印迹,该散列算法必须与用于该purpose.
- Read的时间戳一起存储,并且解析TimeStampResp structure.
- Verify,即TSTInfo结构包含正确的消息印迹和现时值。
- 来自TimeStampResp,请阅读certificate(s).
- For each SignerInfo:
- 查找该签名者的证书(应该正好有一个)。
- 验证该证书,验证签名者的signature.
- Verify签名的属性是否包含正确的TSTInfo structure
哈希
如果一切正常,那么我们知道所有带符号的属性都是有效的,因为它们是带符号的,并且因为这些属性包含TSTInfo结构的散列,所以我们知道这也是可以的。因此,我们已经验证了时间戳数据自TSA给定的时间以来是不变的。
由于签名数据是DER编码的BLOB (其中包含不同DER编码的BLOB的散列,其中包含验证器实际关心的信息),因此无法在客户端(验证器)上使用某种理解X.690编码和ASN.1类型的库。因此,我承认在客户端和构建过程中都包含了Bouncy Castle,因为我没有时间自己实现这些标准。
我添加和验证时间戳的代码类似于以下代码:
构建时的时间戳生成:
// a lot of fully-qualified type names here to make sure it's clear what I'm using
static void WriteTimestampToBuild(){
var dataToTimestamp = ... // see OP
var hashToTimestamp = ... // see OP
var nonce = ... // see OP
var tsq = GetTimestampRequest(hashToTimestamp, nonce);
var tsr = GetTimestampResponse(tsq, "http://some.rfc3161-compliant.server");
ValidateTimestamp(tsq, tsr);
WriteToBuild("tsq-hashalg", Encoding.UTF8.GetBytes("SHA1"));
WriteToBuild("nonce", nonce.ToByteArray());
WriteToBuild("timestamp", tsr.GetEncoded());
}
static Org.BouncyCastle.Tsp.TimeStampRequest GetTimestampRequest(byte[] hash, Org.BouncyCastle.Math.BigInteger nonce){
var reqgen = new TimeStampRequestGenerator();
reqgen.SetCertReq(true);
return reqgen.Generate(TspAlgorithms.Sha1/*assumption*/, hash, nonce);
}
static void GetTimestampResponse(Org.BouncyCastle.Tsp.TimeStampRequest tsq, string url){
// similar to OP
}
static void ValidateTimestamp(Org.BouncyCastle.Tsp.TimeStampRequest tsq, Org.BouncyCastle.Tsp.TimeStampResponse tsr){
// same as client code, see below
}
static void WriteToBuild(string key, byte[] value){
// not shown
}运行时的时间戳验证(客户端站点):
/* Just like in the OP, I've used fully-qualified names here to avoid confusion.
* In my real code, I'm not doing that, for readability's sake.
*/
static DateTime GetTimestamp(){
var timestampedData = ReadFromBuild("timestamped-data");
var hashAlg = Encoding.UTF8.GetString(ReadFromBuild("tsq-hashalg"));
var timestampedHash = System.Security.Cryptography.HashAlgorithm.Create(hashAlg).ComputeHash(timestampedData);
var nonce = new Org.BouncyCastle.Math.BigInteger(ReadFromBuild("nonce"));
var tsq = new Org.BouncyCastle.Tsp.TimeStampRequestGenerator().Generate(System.Security.Cryptography.CryptoConfig.MapNameToOID(hashAlg), timestampedHash, nonce);
var tsr = new Org.BouncyCastle.Tsp.TimeStampResponse(ReadFromBuild("timestamp"));
ValidateTimestamp(tsq, tsr);
// if we got here, the timestamp is okay, so we can trust the time it alleges
return tsr.TimeStampToken.TimeStampInfo.GenTime;
}
static void ValidateTimestamp(Org.BouncyCastle.Tsp.TimeStampRequest tsq, Org.BouncyCastle.Tsp.TimeStampResponse tsr){
/* This compares the nonce and message imprint and whatnot in the TSTInfo.
* It throws an exception if they don't match. This doesn't validate the
* certs or signatures, though. We still have to do that in order to trust
* this data.
*/
tsr.Validate(tsq);
var tst = tsr.TimeStampToken;
var timestamp = tst.TimeStampInfo.GenTime;
var signers = tst.ToCmsSignedData().GetSignerInfos().GetSigners().Cast<Org.BouncyCastle.Cms.SignerInformation>();
var certs = tst.GetCertificates("Collection");
foreach(var signer in signers){
var signerCerts = certs.GetMatches(signer.SignerID).Cast<Org.BouncyCastle.X509.X509Certificate>().ToList();
if(signerCerts.Count != 1)
throw new Exception("Expected exactly one certificate for each signer in the timestamp");
if(!signerCerts[0].IsValid(timestamp)){
/* IsValid only checks whether the given time is within the certificate's
* validity period. It doesn't verify that it's a valid certificate or
* that it hasn't been revoked. It would probably be better to do that
* kind of thing, just like I'm doing for the signing certificate itself.
* What's more, I'm not sure it's a good idea to trust the timestamp given
* by the TSA to verify the validity of the TSA's certificate. If the
* TSA's certificate is compromised, then an unauthorized third party could
* generate a TimeStampResp with any timestamp they wanted. But this is a
* chicken-and-egg scenario that my brain is now too tired to keep thinking
* about.
*/
throw new Exception("The timestamp authority's certificate is expired or not yet valid.");
}
if(!signer.Verify(signerCerts[0])){ // might throw an exception, might not ... depends on what's wrong
/* I'm pretty sure that signer.Verify verifies the signature and that the
* signed attributes contains a hash of the TSTInfo. It also does some
* stuff that I didn't identify in my list above.
* Some verification errors cause it to throw an exception, some just
* cause it to return false. If it throws an exception, that's great,
* because that's what I'm counting on. If it returns false, let's
* throw an exception of our own.
*/
throw new Exception("Invalid signature");
}
}
}
static byte[] ReadFromBuild(string key){
// not shown
}Stack Overflow用户
发布于 2013-10-28 19:58:54
我不太明白您为什么要重建响应中签名的数据结构。实际上,如果您想要从时间戳服务器响应中提取签名数据,您可以这样做:
var tsr = GetTimestamp(hashToTimestamp, nonce, "http://some.rfc3161-compliant.server");
var tst = tsr.TimeStampToken;
var tsi = tst.TimeStampInfo;
var signature = // Get the signature
var certificate = // Get the signer certificate
var signedData = tsi.GetEncoded(); // Similar to tsi.TstInfo.GetEncoded();
VerifySignature(signedData, signature, certificate)如果您想要重新构建数据结构,则需要使用响应中包含的所有元素创建一个新的Org.BouncyCastle.Asn1.Tsp.TstInfo实例(tsi.TstInfo是一个Org.BouncyCastle.Asn1.Tsp.TstInfo对象)。
在RFC 3161中,签名数据结构被定义为ASN.1序列:
TSTInfo ::= SEQUENCE {
version INTEGER { v1(1) },
policy TSAPolicyId,
messageImprint MessageImprint,
-- MUST have the same value as the similar field in
-- TimeStampReq
serialNumber INTEGER,
-- Time-Stamping users MUST be ready to accommodate integers
-- up to 160 bits.
genTime GeneralizedTime,
accuracy Accuracy OPTIONAL,
ordering BOOLEAN DEFAULT FALSE,
nonce INTEGER OPTIONAL,
-- MUST be present if the similar field was present
-- in TimeStampReq. In that case it MUST have the same value.
tsa [0] GeneralName OPTIONAL,
extensions [1] IMPLICIT Extensions OPTIONAL }Stack Overflow用户
发布于 2017-10-30 11:48:46
恭喜你完成了这个棘手的协议工作!
另请参阅rfc3161ng 2.0.4上的Python客户端实现。
请注意,对于RFC3161TSP协议,正如在Web Science and Digital Libraries Research Group: 2017-04-20: Trusted Timestamping of Mementos和其他出版物中讨论的那样,您和您的依赖方必须相信时间戳颁发机构(TSA)是正确和安全地运行的。当然,要真正保护像大多数TSA运行的在线服务器是非常困难的,如果不是不可能的话。
正如那篇论文中所讨论的,通过与TSP的比较,现在世界上有各种公共区块链,在这些区块链中,信任是分布的,并且(有时)被仔细地监控,因此有了新的可信时间戳选项(为文档提供“存在的证明”)。例如,请参阅OriginStamp - Trusted Timestamping with Bitcoin。该协议要简单得多,并且它们为各种语言提供了客户端代码。虽然他们的在线服务器也可能被攻破,但客户端可以检查他们的哈希是否正确嵌入到比特币区块链中,从而绕过了信任OriginStamp服务本身的需要。一个缺点是时间戳每天只发布一次,除非支付额外的费用。比特币交易已经变得相当昂贵,因此该服务正在考虑支持其他区块链,以降低成本,并使其更便宜地获得更及时的帖子。
更新:查看Stellar和Keybase,获得免费、高效、闪电般的速度和经过广泛审查的时间戳,查看Stellar区块链协议和STELLARAPI.IO服务。
页面原文内容由Stack Overflow提供。腾讯云小微IT领域专用引擎提供翻译支持
原文链接:
https://stackoverflow.com/questions/19528456
复制相关文章
相似问题
腾讯云开发者
