What are the security risks of using OCSP caching or nonces for PKI validation?

1 What is caching and why is it used?

Caching is a technique that stores frequently used data in a local or intermediate storage, such as a browser or a proxy, to reduce network traffic and improve performance. In the context of OCSP, caching can be used to store the responses from the OCSP server, which indicate whether a certificate is valid or revoked. This way, the client does not need to query the OCSP server every time it encounters the same certificate, which can save time and bandwidth.

2 What is a nonce and why is it used?

A nonce is a random number that is added to a request or a response to prevent replay attacks. A replay attack is when an attacker intercepts and reuses a valid request or response to impersonate a party or gain access to a resource. In the context of OCSP, a nonce can be used to ensure that the response from the OCSP server is fresh and not a replay of a previous response. This way, the client can verify that the certificate status is up to date and not stale.

3 What are the security risks of caching OCSP responses?

Caching OCSP responses can introduce several security risks, such as outdated responses, forged responses, and sensitive responses. Outdated responses can lead to the client accepting an invalid certificate and exposing itself to a man-in-the-middle attack or a data breach. Forged responses can trick the client into accepting a revoked or fake certificate, which can also cause a man-in-the-middle attack or a data breach. Furthermore, if the cached response contains sensitive information, it can leak privacy or security data to unauthorized parties, thus harming the reputation or compliance of the certificate issuer or holder.

4 What are the security risks of using nonces for OCSP requests?

Using nonces for OCSP requests can introduce security risks, such as increasing the load on the OCSP server, reducing the availability of OCSP responses, and creating compatibility issues. If every request includes a nonce, the OCSP server cannot cache or reuse its responses, leading to a higher computational and network load. This can make it more vulnerable to denial-of-service attacks or performance degradation. Moreover, if the OCSP server is overloaded or unavailable, the client won't be able to obtain a fresh response with a matching nonce. This could cause the client to reject valid certificates or fail to establish secure connections. Additionally, not all OCSP servers or clients support nonces, which can cause interoperability problems. For example, if either the client or server expects a nonce but doesn't receive one, they may reject the response as invalid or unauthorized.

5 How can you mitigate the security risks of OCSP caching and nonces?

Although there is no perfect solution for the security risks of OCSP caching and nonces, there are some best practices and trade-offs to consider. For example, OCSP stapling allows the certificate holder to attach an OCSP response to its certificate during the handshake, reducing network latency and exposure to caching or replay attacks. However, it requires the certificate holder to periodically update its OCSP response and support the stapling protocol. Alternatively, OCSP must-staple is an extension that indicates the certificate holder must use OCSP stapling and that the client must verify the stapled response. This enforces a higher level of security but requires both the certificate holder and client to support it. Finally, OCSP cache-control is a header that specifies how long an OCSP response can be cached by intermediaries or clients, allowing the OCSP server to control freshness and validity of its responses. However, intermediaries and clients must respect and implement this header.