Collaborating with NCSU to deliver reusable certificate validation and crypto validation implementations.
Cryptography is very important in today’s world. Improper or maliciously altered crypto implementations have been a concern for the industry in recent years. On another topic, improperly validated X.509 certificates can pose a serious security concern for Web Authentication today. To address these challenges, Cisco proposed two Senior Design Projects for NCSU students in Spring 2018. These projects are for students to work on a practical industry problem as part of their Senior Design Project, develop their skills and gain experience working with industry partners. More specifically, the projects were:
Automated Cryptographic Validation Protocol for Java (ACVPJ)
The ACVPJ project built on the great work from last semester’s project, the ACVP C client. The goal of this project was to create a Java client application for ACVP, a protocol for automated crypto validation. The work would allow Java products to verify the underlying cryptography with the National Institute of Standards and Technology (NIST) using their native Java language. ACVPJ was coded to the Java Cryptography Architecture (JCA), which allows any underlying provider’s crypto to be validated.
The NCSU students Andrew Shryock, Brandon Nguyen, Christopher Miller, and John-Michael Caskey were very excited to tackle the project. The initial focus was to perform the first Java-initiated connection to the NIST server for crypto validation using TLS. Once successful, the team implemented validation of SHA hashing, AES symmetric encryption, and the HMAC keyed MAC on the installed crypto provider.
The ACVPJ project was sponsored and driven by Todd Johnson, Barry Fussel, Ellie Daw, and Ryan Granger from Cisco’s Common Security Modules team and overseen by NCSU CSC Senior Design Center Director, Ms. Margaret Heil, and technical advisor Dr. Lina Battestilli.
The outcome of this effort was a Java implementation of ACVP that can be leveraged to extend the validation of crypto providers for Java products.
We hope Cisco products and the industry will be able to leverage the great work on ACVPJ to extend their capabilities for users that want to validate the underlying crypto of their Java products. We also hope this work will be used and extended to expand the use cases of the ACVP protocol.
Certificate revocation checking and short-lived certs
One of the main pain points of PKI implementers is consistently verifying certificate status. Even though a lot of the functionality and command options are built into standard certificate libraries, there are no good native implementations that developers can use to check revocation (CRL, OCSP, OCSP staples) out of the box. Additionally, there are no reference implementations that we are aware of that can be used out of the box to verify the CA transparency logs for a certificate.
To address this issue, NCSU students Daniel Cary, Brian Hogan, and Joseph Tew wrote a reference implementation for development teams that want to check the revocation status and legitimate generation of an X.509 certificate. Their revocation checks focused on OCSP, OCSP stapling and CRLs. Their code also validates SCT logs in the TLS handshake. Additionally, Dan, Brian and Joseph studied the pros and cons of using certificate revocation vs short-lived certificates. Short-lived certificates have gained attention in the industry recently and there are ongoing discussions in IETF about their pros and cons.
The project was driven by Pete Beal, Barry Fussel and Panos Kampanakis from Cisco and overseen by NCSU CSC Senior Design Center Director, Ms. Margaret Heil, and technical advisor Dr. Lina Battestilli.
The outcomes of this effort were:
- A library that implements OCSP, OCSP staple, SCT and CRL checks published at https://github.com/danielcary/libx509crc
- A document that evaluates advantages and disadvantages between revocation checking and short-lived certificates.
We intend to use this work within our company, and hope that it will be useful to the industry as well.
We would like to thank the NCSU CSC Department students, Dan, Brian, Joseph, Andrew, Brandon, Christopher, and John-Michael for the good work and collaboration. Also thank you to the Director of the NCSU CSC Senior Design Center, Margaret Heil, and CSC Senior Design technical advisor, Professor Lina Battestilli. We hope to continue the collaboration.