Presentation is loading. Please wait.

Presentation is loading. Please wait.

DER, PER, XER Certificate Size Study

Published byJonas Austin Modified over 6 years ago

Similar presentations

Presentation on theme: "DER, PER, XER Certificate Size Study"— Presentation transcript:

1 DER, PER, XER Certificate Size Study
October 2005

2 Bulk Sizes Five encoding rule sets were targeted
DER, aligned PER, unaligned PER, XER, Canonical XER Bulk sizes range from 445 bytes to bytes Not surprisingly, unaligned PER is always smallest and XER is always the largest

3  Original Profiles DER Aligned PER Unaligned PER XER Canonical XER CA PKCs - #1 1001 830 775 16781 12458 CA PKCs - #2 999 778 16645 12420 CA PKCs - #3 URI Pointer 910 742 697 16619 12272 CA PKCs - #4 Both 1041 869 805 17279 12830 Cross-Certificate PKCs - #1 1074 891 17884 13235 Cross-Certificate PKCs - #2 1083 899 841 18040 13411 EE PKCs - #1 845 721 672 10934 8772 EE PKCs - #2 890 759 707 11657 9295 EE PKCs - #3 840 720 10663 8587 EE PKCs - #4 875 754 701 11006 8836 EE PKCs - #5 782 624 9441 7855 EE PKCs - #6 654 610 9013 7517 EE PKCs - #7 763 611 9409 7815 EE PKCs - #8 765 660 616 9063 7567 EE PKCs - #9 770 662 618 9479 7885 EE PKCs - #10 768 9317 7765 EE PKCs - #11 URI Pointer 725 575 10720 8542 EE PKCs - #12 Both 789 753 699 11412 9124 OCSP Responder PKCs - #1 659 547 522 10027 8012 OCSP Responder PKCs - #2 551 526 9877 7968 Root CA PKCs - #1 559 470 447 8476 6845 Root CA PKCs - #2 548 466 445 7948 6505

4 Modified Profiles  DER Aligned PER Unaligned PER XER Canonical XER CA PKCs - #1 1057 886 826 17346 12883 CA PKCs - #2 1005 843 791 16498 12277 Cross-Certificate PKCs - #1 1089 916 854 16930 12743 Cross-Certificate PKCs - #2 1067 897 16716 12575 OCSP Responder PKCs - #1 630 528 502 9696 7747 OCSP Responder PKCs - #2 602 512 488 8734 7069 Root CA PKCs - #1 573 485 464 8686 6923 Root CA PKCs - #2 574 493 470 8175 6608

5 Certificate Structure
Certificate ::= SEQUENCE { tbsCertificate TBSCertificate, signatureAlgorithm AlgorithmIdentifier, signature BIT STRING } TBSCertificate ::= SEQUENCE { version [0] Version DEFAULT v1, serialNumber CertificateSerialNumber, signature AlgorithmIdentifier, issuer Name, validity Validity, subject Name, subjectPublicKeyInfo SubjectPublicKeyInfo, issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL, -- If present, version MUST be v2 or v3 subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL, extensions [3] Extensions OPTIONAL -- If present, version MUST be v3 -- }

6 DER Sample Issuer name takes 89 bytes to encode
: SEQUENCE { : SET { : SEQUENCE { : OBJECT IDENTIFIER countryName ( ) : PrintableString 'US' : } : } : SET { : SEQUENCE { : OBJECT IDENTIFIER organizationName ( ) : PrintableString 'U.S. Government' : SET { : SEQUENCE { : OBJECT IDENTIFIER organizationalUnitName ( ) : PrintableString 'DoD' : PrintableString 'KMI' : SET { : SEQUENCE { : OBJECT IDENTIFIER commonName ( ) : PrintableString 'Root-Name' : } Issuer name takes 89 bytes to encode Easy to read in a Hex editor Familiar tag-length-value Free tools are available for troubleshooting

7 PER Samples A ...U... .US..U.. F55 2E53 2E20 476F E 6D65 . .U.S. Governme E B F nt..U... .DoD..U B B 4D B KMI..U... . F 6F74 2D4E 616D Root-Name Issuer name takes 73 bytes to encode using aligned PER; unaligned reduces this slightly (~68 bytes) Both aligned (above) and unaligned (below) PER are more difficult to read than DER No tag values and often no length values Unaligned requires parsing of individual bits Decoding requires knowledge of structure What would be signed in unaligned scenario? A A AB 4C00 081A A820 .(... 0!..L.... FAA BA9A E411 F7F6 CBCB 76DC BBBA Py v... AA BE AA X! X AA A5BF 7F45 !..6H... .Q....E B3B0 EDCA

8 XER Sample Issuer name takes 1651 bytes
<rdnSequence> <RelativeDistinguishedName> <AttributeTypeAndValue> <type> </type> <value> <DirectoryString> <printableString>US</printableString> </DirectoryString></value> </AttributeTypeAndValue> </RelativeDistinguishedName> <type> </type> <printableString>U.S. Government</printableString> <type> </type> <printableString>DoD</printableString> </AttributeTypeAndValue> </RelativeDistinguishedName> <RelativeDistinguishedName> <AttributeTypeAndValue> <type> </type> <value> <DirectoryString> <printableString>KMI</printableString> </DirectoryString></value> <type> </type> <printableString>Root-Name</printableString> </rdnSequence> </issuer> Issuer name takes 1651 bytes Canonical XER reduces this to 1114 bytes Signature field produced in XER is not an XML digital signature

9 Notes PER and XER are not canonical
Canonical XER was also tested but not compared to C14N We used unaltered ASN.1 files from the relevant specs It’s possible that PER results could be made smaller if ASN.1 definitions were modified to capitalize on PER strengths XER could be made smaller by using smaller field names or otherwise altering the ASN.1 to change the nature of the output Compression may be worth considering (see next two slides – sizes using Burrows/Wheeler via bzip2 program and savings vs. original) Alternative compression algorithms may offer better results XER does not feature WC3-compliant XML Digital Signatures Apache-based XML DISG implementation used to generate sample does not currently support ECDSA Using an XML Digital Signature around the TBSCertificate structure reduced default XER signature from ~2200 bytes to ~900 bytes

10 Cross-Certificate PKCs - #1 831 1013 2382 2239
DER Aligned PER Unaligned PER XER Canonical XER CA PKCs - #1 923 781 950 2222 2081 CA PKCs - #2 931 812 2251 2106 CA PKCs - #3 URI Pointer 858 725 839 2181 2018 CA PKCs - #4 Both 964 819 967 2269 2146 Cross-Certificate PKCs - #1 831 1013 2382 2239 Cross-Certificate PKCs - #2 1001 836 994 2379 2245 EE PKCs - #1 825 720 809 1803 1697 EE PKCs - #2 810 732 787 1833 EE PKCs - #3 878 769 859 1885 1795 EE PKCs - #4 840 749 828 1831 1741 EE PKCs - #5 876 863 1838 EE PKCs - #6 832 723 1870 1757 EE PKCs - #7 803 759 1784 1687 EE PKCs - #8 815 680 746 1853 1735 EE PKCs - #9 726 1800 1699 EE PKCs - #10 719 799 1850 1733 EE PKCs - #11 URI Pointer 742 619 717 1706 1608 EE PKCs - #12 Both 847 743 841 1851 1722 OCSP Responder PKCs - #1 686 580 612 1576 1497 OCSP Responder PKCs - #2 634 577 614 1654 1557 Root CA PKCs - #1 597 526 590 1407 1307 Root CA PKCs - #2 557 504 570 1385 1292

11 Cross-Certificate PKCs - #1 9.96% saved 6.73% saved -22.05% saved
DER Aligned PER Unaligned PER XER Canonical XER CA PKCs - #1 7.79% saved 5.90% saved -22.58% saved 86.76% saved 83.30% saved CA PKCs - #2 6.81% saved 2.17% saved -18.64% saved 86.48% saved 83.04% saved CA PKCs - #3 URI Pointer 5.71% saved 2.29% saved -20.37% saved 86.88% saved 83.56% saved CA PKCs - #4 Both 7.40% saved 5.75% saved -20.12% saved 86.87% saved 83.27% saved Cross-Certificate PKCs - #1 9.96% saved 6.73% saved -22.05% saved 86.68% saved 83.08% saved Cross-Certificate PKCs - #2 7.57% saved 7.01% saved -18.19% saved 86.81% saved 83.26% saved EE PKCs - #1 2.37% saved 0.14% saved -20.39% saved 83.51% saved 80.65% saved EE PKCs - #2 -5.47% saved -10.91% saved -27.76% saved 80.33% saved 78.15% saved EE PKCs - #3 1.35% saved -1.32% saved -21.50% saved 83.83% saved 80.69% saved EE PKCs - #4 0.00% saved -4.03% saved -23.21% saved 82.83% saved 79.73% saved EE PKCs - #5 -0.11% saved -4.38% saved -23.11% saved 80.30% saved EE PKCs - #6 -6.39% saved -7.59% saved -29.65% saved 80.19% saved 77.63% saved EE PKCs - #7 -5.80% saved -10.55% saved -24.43% saved 80.21% saved 77.56% saved EE PKCs - #8 -6.82% saved -3.98% saved -22.09% saved 80.31% saved 77.80% saved EE PKCs - #9 -7.06% saved -10.00% saved 80.14% saved 77.55% saved EE PKCs - #10 -5.84% saved -8.61% saved -29.29% saved 80.48% saved 78.02% saved EE PKCs - #11 URI Pointer -2.34% saved -1.31% saved -24.70% saved 84.09% saved 81.18% saved EE PKCs - #12 Both 3.64% saved 1.33% saved -20.31% saved 83.78% saved 81.13% saved OCSP Responder PKCs - #1 -4.10% saved -6.03% saved -17.24% saved 84.28% saved 81.32% saved OCSP Responder PKCs - #2 3.79% saved -4.72% saved -16.73% saved 83.25% saved 80.46% saved Root CA PKCs - #1 -6.80% saved -11.91% saved -31.99% saved 83.40% saved 80.91% saved Root CA PKCs - #2 -1.64% saved -8.15% saved -28.09% saved 82.57% saved

12 Slim Jim November 2005

13 Certificate Name DER Aligned PER Unaligned PER Canonical XER XER Root CA PKCs - 1 507 431 414 6050 7281 Root CA PKCs - 2 483 395 5686 6845 Root CA PKCs - 3 463 397 385 5500 6611 Root CA PKCs - 4 381 368 5133 6103 CA PKCs - 1 832 710 661 8593 10486 CA PKCs - 2 790 680 633 8127 9930 CA PKCs - 3 617 530 498 6759 8176 CA PKCs - 4 602 519 490 6603 7951 CA PKCs - 5 496 423 404 5944 7161 Cross-Certificate PKCs – 1 952 808 756 10538 13427 Cross-Certificate PKCs – 2 803 675 640 9428 12043 Cross-Certificate PKCs – 3 782 666 632 9280 11834 Cross-Certificate PKCs – 4 639 553 524 6922 8386 OCSP Responder PKCs – 1 506 432 415 6068 7299

14 Infrastructure Summary
DER: 431 through 952 bytes Aligned PER: 381 through 808 bytes Unaligned PER: 368 through 756 bytes Canonical and non-canonical XER: BIG

15 EE Variations 7 Name forms X 4 profiles Subject field w/ dc name
Subject field empty w/ one each of the following in subject alternate name field otherName RFC822Name DNSName IPv4 name IPv6 name URI

16 Certificate Name DER Aligned PER Unaligned PER Canonical XER XER (EE PKCs DN - 1) Subject DN, AKI, SKI, KU, CP, Clearance, CRLDP, Seed, Sponsor, Citizenship, and Freshest CRL 837 727 674 8315 10091 (EE PKCs DN - 2) Subject DN, SKI, KU, CP, Clearance, CRLDP, Seed, Sponsor, and Citizenship, 713 615 578 7419 8969 (EE PKCs DN - 3) Subject DN, KU, CP, Clearance, CRLDP, Seed, Sponsor, and Citizenship 692 601 562 7225 8735 (EE PKCs DN - 4) Subject DN, CP, Clearance, CRLDP, Sponsor, and Citizenship 660 581 543 6922 8336 (EE Other Name - 1) SAN(ON), AKI, SKI, KU, CP, Clearance, CRLDP, Seed, Sponsor, Citizenship, and Freshest CRL 786 678 630 8058 9640 (EE Other Name - 2) SAN(ON), SKI, KU, CP, Clearance, CRLDP, Seed, Sponsor, and Citizenship 663 568 535 7170 8510 (EE Other Name - 3) SAN(ON), KU, CP, Clearance, CRLDP, Seed, Sponsor, and Citizenship 644 552 520 6968 8276 (EE Other Name - 4) SAN(ON), CP, Clearance, CRLDP, Sponsor, and Citizenship 612 531 501 6673 7877 (EE PKCs RFC - 1) SAN(RFC), AKI, SKI, KU, CP, Clearance, CRLDP, Seed, Sponsor, Citizenship, Freshest CRL 792 683 633 7852 9370 (EE PKCs RFC - 2) SAN(RFC), SKI, KU, CP, Clearance, CRLDP, Seed, Sponsor, and Citizenship 666 574 536 6956 8256 (EE PKCs RFC - 3) SAN(RFC), KU, CP, Clearance, CRLDP, Seed, Sponsor, and Citizenship 645 557 522 6746 8014 (EE PKCs RFC - 4) SAN(RFC), CP, Clearance, CRLDP, Sponsor, and Citizenship 613 537 503 6459 7623

17 Certificate Name DER Aligned PER Unaligned PER Canonical XER XER (EE PKCs DNS - 1) SAN(DNS), AKI, SKI, KU, CP, Clearance, CRLDP, Seed, Sponsor, Citizenship, Freshest CRL 777 672 625 7810 9336 (EE PKCs DNS - 2) SAN(DNS), SKI, KU, CP, Clearance, CRLDP, Seed, Sponsor, and Citizenship 655 563 528 6922 8206 (EE PKCs DNS - 3) SAN(DNS), KU, CP, Clearance, CRLDP, Seed, Sponsor, and Citizenship 635 547 514 6720 7964 (EE PKCs DNS - 4) SAN(DNS), CP, Clearance, CRLDP, Sponsor, and Citizenship 602 527 494 6425 7581 (EE PKCs IPv4 - 1) SAN(IPv4), AKI, SKI, KU, CP, Clearance, CRLDP, Seed, Sponsor, Citizenship, and Freshest CRL 770 664 618 7828 9330 (EE PKCs IPv4 - 2) SAN(IPv4), SKI, KU, CP, Clearance, CRLDP, Seed, Sponsor, and Citizenship 647 556 522 6924 8216 (EE PKCs IPv4 - 3) SAN(IPv4), KU, CP, Clearance, CRLDP, Seed, Sponsor, and Citizenship 628 541 508 6722 7982 (EE PKCs IPv4 - 4) SAN(IPv4), CP, Clearance, CRLDP, Sponsor, and Citizenship 596 518 488 6435 7591 (EE PKCs IPv4 - 1) SAN(IPv6), AKI, SKI, KU, CP, Clearance, CRLDP, Seed, Sponsor, Citizenship, Freshest CRL 782 677 630 7868 9386 (EE PKCs IPv6 - 2) SAN(IPv6), SKI, KU, CP, Clearance, CRLDP, Seed, Sponsor, and Citizenship 659 567 534 6964 8272 (EE PKCs IPv6 - 3) SAN(IPv6), KU, CP, Clearance, CRLDP, Seed, Sponsor, and Citizenship 641 552 520 6778 8030

18 Certificate Name DER Aligned PER Unaligned PER Canonical XER XER (EE PKCs IPv6 - 4) SAN(IPv6), CP, Clearance, CRLDP, Sponsor, and Citizenship 607 531 501 6467 7639 (EE PKCs URI - 1) SAN(URI), AKI, SKI, KU, CP, Clearance, CRLDP, Seed, Sponsor, and Citizenship, Freshest CRL 776 673 624 7890 9416 (EE PKCs URI - 2) SAN(URI), SKI, KU, CP, Clearance, CRLDP, Seed, Sponsor, and Citizenship 653 561 529 6986 8294 (EE PKCs URI - 3) SAN(URI), KU, CP, Clearance, CRLDP, Seed, Sponsor, and Citizenship 635 548 513 6792 8036 (EE PKCs URI - 4) SAN(URI), CP, Clearance, CRLDP, Sponsor, and Citizenship 603 527 495 6505 7653

19 EE Summary DER: 596 through 837 bytes
Aligned PER: 518 through 727 bytes Unaligned PER: 488 through 676 bytes Canonical and non-canonical XER: BIG

Download ppt "DER, PER, XER Certificate Size Study"

Similar presentations

A. Steffen, 10.4.2000, KSy_Auth.ppt 1 Zürcher Hochschule Winterthur Kommunikationssysteme (KSy) - Block 9 Secure Network Communication Part III Authentication.

A. Steffen, , KSy_Auth.ppt 1 Zürcher Hochschule Winterthur Kommunikationssysteme (KSy) - Block 9 Secure Network Communication Part III Authentication.
A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E IEPG March 2000 APNIC Certificate Authority Status Report.

A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E IEPG March 2000 APNIC Certificate Authority Status Report.
A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E APNIC Open Policy Meeting SIG: Whois Database October 2000 APNIC Certificate Authority.

A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E APNIC Open Policy Meeting SIG: Whois Database October 2000 APNIC Certificate Authority.
CS5204 – Operating Systems 1 Authentication. CS 5204 – Operating Systems2 Authentication Digital signature validation proves:  message was not altered.

CS5204 – Operating Systems 1 Authentication. CS 5204 – Operating Systems2 Authentication Digital signature validation proves:  message was not altered.
PKE PP Mike Henry Jean Petty Entrust CygnaCom Santosh Chokhani.

PKE PP Mike Henry Jean Petty Entrust CygnaCom Santosh Chokhani.
Overview of draft-ietf-sidr-roa-format-01.txt Matt Lepinski BBN Technologies.

Overview of draft-ietf-sidr-roa-format-01.txt Matt Lepinski BBN Technologies.
Resource Certificate Profile Geoff Huston, George Michaelson, Rob Loomans APNIC IETF 67.

Resource Certificate Profile Geoff Huston, George Michaelson, Rob Loomans APNIC IETF 67.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.

CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
Geneva, Switzerland, 2 June 2014 Introduction to public-key infrastructure (PKI) Erik Andersen, Q.11 Rapporteur, ITU-T Study Group 17 ITU Workshop.

Geneva, Switzerland, 2 June 2014 Introduction to public-key infrastructure (PKI) Erik Andersen, Q.11 Rapporteur, ITU-T Study Group 17 ITU Workshop.
SAFE BioPharma Association CONFIDENTIAL1 SAFE Public Key Infrastructure (PKI) 2005 EDUCAUSE/Dartmouth PKI Deployment Summit.

SAFE BioPharma Association CONFIDENTIAL1 SAFE Public Key Infrastructure (PKI) 2005 EDUCAUSE/Dartmouth PKI Deployment Summit.
20-763 ELECTRONIC PAYMENT SYSTEMSFALL 2001COPYRIGHT © 2001 MICHAEL I. SHAMOS Electronic Payment Systems 20-763 Lecture 7 Digital Certificates.

ELECTRONIC PAYMENT SYSTEMSFALL 2001COPYRIGHT © 2001 MICHAEL I. SHAMOS Electronic Payment Systems Lecture 7 Digital Certificates.
Resource Certificate Profile SIDR WG Meeting IETF 66, July 2006 draft-ietf-sidr-res-certs-01 Geoff Huston Rob Loomans George Michaelson.

Resource Certificate Profile SIDR WG Meeting IETF 66, July 2006 draft-ietf-sidr-res-certs-01 Geoff Huston Rob Loomans George Michaelson.
ELECTRONIC PAYMENT SYSTEMS 20-763 SPRING 2004 COPYRIGHT © 2004 MICHAEL I. SHAMOS Electronic Payment Systems 20-763 Lecture 6: Digital Certificates.

ELECTRONIC PAYMENT SYSTEMS SPRING 2004 COPYRIGHT © 2004 MICHAEL I. SHAMOS Electronic Payment Systems Lecture 6: Digital Certificates.
A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E 36th RIPE Meeting Budapest 2000 APNIC Certificate Authority Status Report.

A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E 36th RIPE Meeting Budapest 2000 APNIC Certificate Authority Status Report.
Copyright, 1996 © Dale Carnegie & Associates, Inc. Digital Certificates Presented by Sunit Chauhan.

Copyright, 1996 © Dale Carnegie & Associates, Inc. Digital Certificates Presented by Sunit Chauhan.
14 May 2002© 2000-02 TrueTrust Ltd1 Privilege Management in X.509(2000) David W Chadwick BSc PhD.

14 May 2002© TrueTrust Ltd1 Privilege Management in X.509(2000) David W Chadwick BSc PhD.
Secure Systems Research Group - FAU Patterns for Digital Signature using hashing Presented by Keiko Hashizume.

Secure Systems Research Group - FAU Patterns for Digital Signature using hashing Presented by Keiko Hashizume.
HEPKI-TAG UPDATE Jim Jokl University of Virginia

HEPKI-TAG UPDATE Jim Jokl University of Virginia
Communications-Electronics Security Group. PKI interoperability issues for UK Government Richard Lampard

Communications-Electronics Security Group. PKI interoperability issues for UK Government Richard Lampard

Similar presentations

Ads by Google