Scenarij 6.3: Delta-CRL

Kategorija: Preklic (Revocation)
Kompleksnost: Visoka
Predpogoji: Obstoječi bazni CRL
Ocenjeni čas: 20-30 minut


Opis

Ta scenarij opisuje ustvarjanje Delta-CRL (RFC 5280 §5.2.4). Delta-CRL vsebujejo samo spremembe od zadnjega baznega CRL in omogočajo učinkovitejše posodobitve.

Prednosti:

Slabosti:


Potek dela

flowchart TD
    BASE[Bazni CRL] --> DELTA1[Delta-CRL 1]
    DELTA1 --> DELTA2[Delta-CRL 2]
    DELTA2 --> DELTA3[Delta-CRL 3]
    DELTA3 --> NEW_BASE[Nov bazni CRL]
    NEW_BASE --> DELTA4[Delta-CRL 4]
    CLIENT[Odjemalec] --> |Prenos| BASE
    CLIENT --> |Posodobitve| DELTA1
    CLIENT --> |Posodobitve| DELTA2
    style BASE fill:#e3f2fd
    style NEW_BASE fill:#e3f2fd
    style DELTA1 fill:#fff3e0
    style DELTA2 fill:#fff3e0
    style DELTA3 fill:#fff3e0
    style DELTA4 fill:#fff3e0


Primer kode: Ustvarjanje Delta-CRL

using WvdS.Security.Cryptography.X509Certificates.Extensions.PQ;
using System.Numerics;
 
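using var ctx = PqCryptoContext.Initialize();

// Load the issuing CA. The same issuer signs the base CRL and every delta against it.
var caCert = ctx.LoadCertificate("intermediate-ca.crt.pem");
// NOTE(review): caKey is loaded but never handed to Build() below; confirm whether the
// context signs with the most recently loaded key implicitly.
var caKey = ctx.LoadPrivateKey("intermediate-ca.key.pem", "CaPassword!");

// Load the base CRL this delta is issued against. Its CRL Number becomes the
// BaseCRLNumber carried in the Delta CRL Indicator extension (RFC 5280 §5.2.4).
var baseCrl = ctx.ParseCrl(File.ReadAllBytes("intermediate-ca-base.crl"));
var baseCrlNumber = baseCrl.CrlNumber;

// Offset of this delta inside the base's number range. CRL numbers must increase
// monotonically (RFC 5280 §5.2.3), so every further delta issued against the same base
// needs a larger offset than the previous one. The delta number is computed once here and
// reused for both the Build() call and the log output so the two cannot drift apart.
// NOTE(review): a fixed offset is only correct for a single delta per base — derive it
// from the last issued delta number in production.
BigInteger deltaOffset = 10;
var deltaCrlNumber = baseCrlNumber + deltaOffset;

var deltaCrlBuilder = new CertificateRevocationListBuilder();

// Only revocations not yet reflected in the base CRL belong in the delta.
var newRevocations = GetRevocationsSince(baseCrl.ThisUpdate);
foreach (var rev in newRevocations)
{
    deltaCrlBuilder.AddEntry(
        rev.SerialNumber,
        rev.RevocationTime,
        rev.Reason
    );
}

// Optional: certificates released from certificateHold. Reason code 8 (removeFromCRL)
// tells a relying party to drop the serial when it combines delta and base.
var removedFromHold = GetRemovedFromHold(baseCrl.ThisUpdate);
foreach (var serial in removedFromHold)
{
    deltaCrlBuilder.AddEntry(
        serial,
        DateTimeOffset.UtcNow,
        X509RevocationReason.RemoveFromCrl  // code 8
    );
}

// Delta CRL Indicator (id-ce-deltaCRLIndicator). RFC 5280 §5.2.4 requires it to be
// critical, so a relying party that does not understand deltas rejects the CRL instead
// of treating it as a complete one.
deltaCrlBuilder.AddExtension(
    oid: "2.5.29.27",
    critical: true,
    value: EncodeDeltaCrlIndicator(baseCrlNumber)
);

// Issue the delta. Deltas are refreshed far more often than the base, hence the short nextUpdate.
byte[] deltaCrlBytes = deltaCrlBuilder.Build(
    issuerCertificate: caCert,
    crlNumber: deltaCrlNumber,
    nextUpdate: DateTimeOffset.UtcNow.AddHours(4),
    hashAlgorithm: HashAlgorithmName.SHA256,
    mode: CryptoMode.Hybrid
);

File.WriteAllBytes("intermediate-ca-delta.crl", deltaCrlBytes);

Console.WriteLine("Delta-CRL ustvarjen:");
Console.WriteLine($"  Bazni CRL Number: {baseCrlNumber}");
Console.WriteLine($"  Delta-CRL Number: {deltaCrlNumber}");
Console.WriteLine($"  Novi vnosi: {newRevocations.Count}");
Console.WriteLine($"  Umaknjeno iz Hold: {removedFromHold.Count}");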

Delta-CRL Indicator Extension

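/// <summary>
/// DER-encodes the value of the Delta CRL Indicator extension (id-ce-deltaCRLIndicator, 2.5.29.27).
/// </summary>
/// <remarks>
/// Per RFC 5280 §5.2.4 the extension value is <c>BaseCRLNumber ::= CRLNumber</c>, i.e. a single
/// ASN.1 INTEGER holding the CRL Number of the base CRL the delta applies to. CRL numbers are
/// non-negative and conforming issuers must not use values longer than 20 octets (§5.2.3); both
/// constraints are enforced here so a malformed indicator is never signed.
/// </remarks>
/// <param name="baseCrlNumber">CRL Number of the referenced base CRL.</param>
/// <returns>The DER encoding of <paramref name="baseCrlNumber"/> as an INTEGER.</returns>
/// <exception cref="ArgumentOutOfRangeException">
/// <paramref name="baseCrlNumber"/> is negative or needs more than 20 octets.
/// </exception>
private static byte[] EncodeDeltaCrlIndicator(BigInteger baseCrlNumber)
{
    if (baseCrlNumber.Sign < 0)
    {
        throw new ArgumentOutOfRangeException(
            nameof(baseCrlNumber),
            "CRL numbers are non-negative (RFC 5280 §5.2.3).");
    }

    // GetByteCount() is the minimal two's-complement length, which equals the DER INTEGER content length.
    if (baseCrlNumber.GetByteCount() > 20)
    {
        throw new ArgumentOutOfRangeException(
            nameof(baseCrlNumber),
            "CRL numbers must not be longer than 20 octets (RFC 5280 §5.2.3).");
    }

    var writer = new AsnWriter(AsnEncodingRules.DER);
    writer.WriteInteger(baseCrlNumber);
    return writer.Encode();
}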

Bazni CRL s podporo Delta-CRL

// Bazni CRL mora kazati na Delta-CRL
// The base CRL must tell relying parties where its deltas are published.
var baseCrlBuilder = new CertificateRevocationListBuilder();

// A base (complete) CRL lists every currently revoked certificate.
foreach (var revocation in allRevocations)
{
    baseCrlBuilder.AddEntry(
        revocation.SerialNumber,
        revocation.RevocationTime,
        revocation.Reason
    );
}

// Freshest CRL extension (id-ce-freshestCRL, a.k.a. Delta CRL Distribution Point). Non-critical,
// so clients without delta support can still consume the base CRL on its own.
const string freshestCrlOid = "2.5.29.46";
const string deltaCrlUrl = "http://crl.example.com/intermediate-delta.crl";
baseCrlBuilder.AddExtension(
    oid: freshestCrlOid,
    critical: false,
    value: EncodeFreshestCrl(deltaCrlUrl)
);

// Base CRLs are valid for much longer than deltas.
var baseNextUpdate = DateTimeOffset.UtcNow.AddDays(7);
byte[] baseCrlBytes = baseCrlBuilder.Build(
    issuerCertificate: caCert,
    crlNumber: new BigInteger(1000),
    nextUpdate: baseNextUpdate,
    hashAlgorithm: HashAlgorithmName.SHA256,
    mode: CryptoMode.Hybrid
);

File.WriteAllBytes("intermediate-ca-base.crl", baseCrlBytes);

Obdelava Delta-CRL na strani odjemalca

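/// <summary>
/// Relying-party side: merges a base (complete) CRL with a delta CRL into one revocation list.
/// </summary>
public class DeltaCrlProcessor
{
    /// <summary>
    /// Applies <paramref name="deltaCrlBytes"/> on top of <paramref name="baseCrlBytes"/> and returns the merged list.
    /// </summary>
    /// <param name="baseCrlBytes">Encoded base CRL.</param>
    /// <param name="deltaCrlBytes">Encoded delta CRL issued against that base.</param>
    /// <param name="ctx">Crypto context used to parse both CRLs.</param>
    /// <returns>
    /// The base entries with the delta's additions and updates applied and its
    /// removeFromCRL entries removed; <c>ThisUpdate</c>/<c>NextUpdate</c> come from the delta.
    /// </returns>
    /// <exception cref="ArgumentNullException">Any argument is <see langword="null"/>.</exception>
    /// <exception cref="InvalidOperationException">
    /// The delta does not belong to this base: its Delta CRL Indicator names a different base CRL number,
    /// or its own CRL number is not greater than the base's.
    /// </exception>
    /// <remarks>
    /// RFC 5280 §5.2.4 allows a delta to be combined with a complete CRL only if both have the same issuer and
    /// scope, the complete CRL's number is at least the delta's BaseCRLNumber, and the delta's number is greater
    /// than the complete CRL's. The two numeric conditions are checked below (the first one more strictly, as an
    /// exact match). The parsed CRL type used here exposes no issuer or scope field, so those two conditions are
    /// left to the caller. NOTE(review): whether <c>ctx.ParseCrl</c> verifies the CRL signature is not visible
    /// here — confirm it does, because an unauthenticated delta could otherwise delete entries from the list.
    /// </remarks>
    public CombinedRevocationList CombineCrls(
        byte[] baseCrlBytes,
        byte[] deltaCrlBytes,
        PqCryptoContext ctx)
    {
        ArgumentNullException.ThrowIfNull(baseCrlBytes);
        ArgumentNullException.ThrowIfNull(deltaCrlBytes);
        ArgumentNullException.ThrowIfNull(ctx);

        var baseCrl = ctx.ParseCrl(baseCrlBytes);
        var deltaCrl = ctx.ParseCrl(deltaCrlBytes);

        // The delta must reference exactly this base. RFC 5280 permits any complete CRL numbered
        // >= the indicator's BaseCRLNumber; requiring equality is deliberately stricter.
        var deltaIndicator = GetDeltaCrlIndicator(deltaCrl);
        if (deltaIndicator != baseCrl.CrlNumber)
        {
            throw new InvalidOperationException(
                $"Delta-CRL (Indicator: {deltaIndicator}) ne ustreza baznemu CRL ({baseCrl.CrlNumber})"
            );
        }

        // CRL numbers increase monotonically (RFC 5280 §5.2.3); a delta issued against this base must
        // carry a larger number. Anything else is stale or mis-numbered and must not be applied.
        if (deltaCrl.CrlNumber <= baseCrl.CrlNumber)
        {
            throw new InvalidOperationException(
                $"Delta-CRL Number ({deltaCrl.CrlNumber}) ni večji od baznega CRL Number ({baseCrl.CrlNumber})"
            );
        }

        // The delta is the fresher document, so its validity window governs the combined list.
        var combined = new CombinedRevocationList
        {
            BaseCrlNumber = baseCrl.CrlNumber,
            DeltaCrlNumber = deltaCrl.CrlNumber,
            ThisUpdate = deltaCrl.ThisUpdate,
            NextUpdate = deltaCrl.NextUpdate,
            Entries = new Dictionary<string, RevocationEntry>()
        };

        // Start from the complete list in the base CRL.
        foreach (var entry in baseCrl.Entries)
        {
            combined.Entries[entry.SerialNumber] = entry;
        }

        // Apply the delta: removeFromCRL (reason 8) drops a serial whose hold was lifted,
        // every other entry is added or supersedes the base entry for that serial.
        foreach (var entry in deltaCrl.Entries)
        {
            if (entry.Reason == X509RevocationReason.RemoveFromCrl)
            {
                combined.Entries.Remove(entry.SerialNumber);
            }
            else
            {
                combined.Entries[entry.SerialNumber] = entry;
            }
        }

        return combined;
    }

    /// <summary>
    /// Returns whether <paramref name="serialNumber"/> appears in the combined revocation list.
    /// </summary>
    /// <param name="serialNumber">Certificate serial number, in the same string form as the list's keys.</param>
    /// <param name="crl">Combined list produced by <see cref="CombineCrls"/>.</param>
    /// <returns><see langword="true"/> if the serial is listed as revoked.</returns>
    /// <exception cref="ArgumentNullException"><paramref name="crl"/> is <see langword="null"/>.</exception>
    public bool IsRevoked(string serialNumber, CombinedRevocationList crl)
    {
        ArgumentNullException.ThrowIfNull(crl);
        return crl.Entries.ContainsKey(serialNumber);
    }
}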

Avtomatizirani cikel Delta-CRL

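/// <summary>
/// Drives the issuance cadence: a new base CRL every <c>_baseCrlInterval</c>, a delta CRL every
/// <c>_deltaCrlInterval</c> in between.
/// </summary>
/// <remarks>
/// CRL numbers must increase monotonically (RFC 5280 §5.2.3). Bases are numbered 100 apart and the
/// deltas against a base take base+1, base+2, …; at 7 days / 4 hours that is 42 deltas per base, which
/// fits inside the gap. NOTE(review): shortening the delta interval without widening the gap of 100
/// would make delta numbers run into the next base's number.
/// </remarks>
public class DeltaCrlScheduler
{
    private readonly TimeSpan _baseCrlInterval = TimeSpan.FromDays(7);
    private readonly TimeSpan _deltaCrlInterval = TimeSpan.FromHours(4);
    // Number of the base CRL currently in force (the pre-existing one when the scheduler starts).
    private BigInteger _currentBaseCrlNumber = 1000;
    // Offset of the most recently issued delta within the current base's range; 0 means none yet.
    private BigInteger _currentDeltaNumber = 0;

    /// <summary>
    /// Issues CRLs until <paramref name="cancellationToken"/> is cancelled.
    /// </summary>
    /// <param name="cancellationToken">Stops the loop; cancelling during the delay surfaces as <see cref="OperationCanceledException"/>.</param>
    public async Task RunScheduler(CancellationToken cancellationToken)
    {
        var lastBaseCrl = DateTimeOffset.UtcNow;

        while (!cancellationToken.IsCancellationRequested)
        {
            if (DateTimeOffset.UtcNow - lastBaseCrl >= _baseCrlInterval)
            {
                // Advance the number before issuing: the current value belongs to the base already in
                // force, and re-issuing under it would repeat a CRL number that deltas have since exceeded.
                _currentBaseCrlNumber += 100;
                _currentDeltaNumber = 0;
                await CreateBaseCrl();
                lastBaseCrl = DateTimeOffset.UtcNow;
            }
            else
            {
                // Advance before issuing so the first delta is base+1, never base+0, which would
                // collide with the base CRL's own number.
                _currentDeltaNumber++;
                await CreateDeltaCrl();
            }

            await Task.Delay(_deltaCrlInterval, cancellationToken);
        }
    }

    /// <summary>Issues the base CRL numbered <c>_currentBaseCrlNumber</c>. Placeholder: only logs.</summary>
    private Task CreateBaseCrl()
    {
        Console.WriteLine($"Ustvarjanje baznega CRL #{_currentBaseCrlNumber}");
        // ... base CRL logic
        return Task.CompletedTask;
    }

    /// <summary>Issues the delta numbered base + <c>_currentDeltaNumber</c>. Placeholder: only logs.</summary>
    private Task CreateDeltaCrl()
    {
        var deltaCrlNumber = _currentBaseCrlNumber + _currentDeltaNumber;
        Console.WriteLine($"Ustvarjanje Delta-CRL #{deltaCrlNumber} (Baza: {_currentBaseCrlNumber})");
        // ... delta CRL logic
        return Task.CompletedTask;
    }
}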

Panožni cikli Delta-CRL

| Panoga | Bazni CRL | Delta-CRL | Priporočilo |
|---|---|---|---|
| WebPKI | 7 dni | 4 ure | Opcijsko, OCSP prednostno |
| Enterprise | 24 ur | 1 ura | Priporočeno |
| Finančni sektor | 12 ur | 15 minut | Obvezno |
| Energetika/SCADA | 7 dni | 24 ur | Odvisno od povezave |

Povezani scenariji

| Povezava | Scenarij | Opis |
|---|---|---|
| Predpogoj | 6.1 Ustvarjanje CRL | Bazni CRL |
| Alternativa | 6.2 OCSP strežnik | Status v realnem času |
| Povezano | 5.3 Preverjanje preklica | Preverjanje na strani odjemalca |



Wolfgang van der Stille @ EMSR DATA d.o.o. - Post-Quantum Cryptography Professional