Certificate and Public Key Pinning (2024)

Author: Jeffery Walton, JohnSteven, Jim Manico, Kevin Wall, Ricardo Iramar
Contributor(s): Jack Mannino, Karl Fogel, Jshowalter , Achim, Pawel Krawczyk, Peter Bachman, Bill Sempf, Izar, Echsecutor, Jmanico, Douglasheld, Anant Shrivastava, Riramar, Nabla.c0d3, Neil Smithline, Tfrdidi, kingthorin

Certificate and Public Key Pinning is a technicalguide to implementing certificate and public key pinning as discussed atthe Virginia chapter’spresentation Securing Wireless Channels in the MobileSpace.This guide is focused on providing clear, simple, actionable guidancefor securing the channel in a hostile environment where actors could bemalicious and the conference of trust a liability.

A cheat sheet is available at Pinning Cheat Sheet.

Introduction

Secure channels are a cornerstone to users and employees workingremotely and on the go. Users and developers expect end-to-end securitywhen sending and receiving data - especially sensitive data on channelsprotected by VPN, SSL, or TLS. While organizations which control DNS andCA have likely reduced risk to trivial levels under most threat models,users and developers subjugated to other’s DNS and a public CA hierarchyare exposed to non-trivial amounts of risk. In fact, history has shownthose relying on outside services have suffered chronic breaches intheir secure channels.

The pandemic abuse of trust has resulted in users, developers andapplications making security related decisions on untrusted input. Thesituation is somewhat of a paradox: entities such as DNS and CAs aretrusted and supposed to supply trusted input; yet their input cannot betrusted. Relying on untrusted input for security related decisions isnot only bad karma, it violates a number of secure coding principals(see, for example, OWASP’s Injection Theory and DataValidation.

Pinning effectively removes the “conference of trust”. An applicationwhich pins a certificate or public key no longer needs to depend onothers - such as DNS or CAs - when making security decisions relating toa peer’s identity. For those familiar with SSH, you should realize thatpublic key pinning is nearly identical to SSH’s StrictHostKeyCheckingoption. SSH had it right the entire time, and the rest of the world isbeginning to realize the virtues of directly identifying a host orservice by its public key.

Others who actively engage in pinning include Google and its browserChrome. Chrome was successful in detecting the DigiNotar compromisewhich uncovered suspected interception by the Iranian government on itscitizens. The initial report of the compromise can be found at Is ThisMITM Attack to Gmail’sSSL?;and Google Security’s immediate response at An update on attemptedman-in-the-middleattacks.

What’s the problem?

Users, developers, and applications expect end-to-end security on theirsecure channels, but some secure channels are not meeting theexpectation. Specifically, channels built using well known protocolssuch as VPN, SSL, and TLS can be vulnerable to a number of attacks.

Examples of past failures are listed on the discussion tab for thisarticle. This cheat sheet does not attempt to catalogue the failures inthe industry, investigate the design flaws in the scaffolding, justifythe lack of accountability or liability with the providers, explain therace to the bottom in services, or demystify the collusion between, forexample, Browsers and CAs. For additional reading, please visit PKI is Broken andThe Internet is Broken.

Patient 0

The original problem was the Key Distribution Problem. Insecurecommunications can be transformed into a secure communication problemwith encryption. Encrypted communications can be transformed into anidentity problem with signatures. The identity problem terminates at thekey distribution problem. They are the same problem.

The Cures

There are three cures for the key distribution problem. First is to havefirst hand knowledge of your partner or peer (i.e., a peer, server orservice). This could be solved with SneakerNet. Unfortunately,SneakerNet does not scale and cannot be used to solve the keydistribution problem.

The second is to rely on others, and it has two variants: (1) web oftrust, and (2) hierarchy of trust. Web of Trust and Hierarchy of Trustsolve the key distribution problem in a sterile environment. However,Web of Trust and Hierarchy of Trust each requires us to rely on others -or confer trust. In practice, trusting others is showing to beproblematic.

What Is Pinning?

Pinning is the process of associating a host with their expected X509certificate or public key. Once a certificate or public key is known orseen for a host, the certificate or public key is associated or ‘pinned’to the host. If more than one certificate or public key is acceptable,then the program holds a pinset (taking from Jon Larimer and KennyRoot Google I/Otalk).In this case, the advertised identity must match one of the elements inthe pinset.

A host or service’s certificate or public key can be added to anapplication at development time, or it can be added upon firstencountering the certificate or public key. The former - adding atdevelopment time - is preferred since preloading the certificate orpublic key out of band usually means the attacker cannot taint thepin. If the certificate or public key is added upon first encounter, youwill be using key continuity. Key continuity can fail if the attackerhas a privileged position during the first encounter.

Pinning leverages knowledge of the pre-existing relationship between theuser and an organization or service to help make better security relateddecisions. Because you already have information on the server orservice, you don’t need to rely on generalized mechanisms meant to solvethe key distribution problem. That is, you don’t need to turn to DNSfor name/address mappings or CAs for bindings and status. One exceptionis revocation and it is discussed below in PinningGaps.

It is also worth mention that Pinning is not Stapling. Stapling sendsboth the certificate and OCSP responder information in the same requestto avoid the additional fetches the client should perform during pathvalidations.

When Do You Pin?

You should pin anytime you want to be relatively certain of the remotehost’s identity or when operating in a hostile environment. Since one orboth are almost always true, you should probably pin all the time.

A perfect case in point: during the two weeks or so of preparation forthe presentation and cheat sheet, we’ve observed three relevant andrelated failures. First was Nokia/Opera willfully breaking the securechannel;second was DigiCert issuing a code signing certificate formalware;and third was Bit9’s loss of its root signingkey.The environment is not only hostile, it’s toxic.

When Do You Allow List?

If you are working for an organization which practices “egressfiltering” as part of a Data Loss Prevention (DLP) strategy, you willlikely encounter Interception Proxies. I like to refer to these thingsas “good” bad guys (as opposed to “bad” bad guys) since bothbreak end-to-end security and we can’t tell them apart. In this case,do not offer to allow list the interception proxy since it defeatsyour security goals. Add the interception proxy’s public key to yourpinset after being instructed to do so by the folks in RiskAcceptance.

Note: if you allow list a certificate or public key for a different host(for example, to accommodate an interception proxy), you are no longerpinning the expected certificates and keys for the host. Security andintegrity on the channel could suffer, and it surely breaks end-to-endsecurity expectations of users and organizations.

For more reading on interception proxies, the additional risk theybestow, and how they fail, see Dr. Matthew Green’s How do InterceptionProxiesfail?and Jeff Jarmoc’s BlackHat talk SSL/TLS Interception Proxies andTransitiveTrust.

How Do You Pin?

The idea is to re-use the existing protocols and infrastructure, but usethem in a hardened manner. For re-use, a program would keep doing thethings it used to do when establishing a secure connection.

To harden the channel, the program would take advantage of theOnConnect callback offered by a library, framework or platform. In thecallback, the program would verify the remote host’s identity byvalidating its certificate or public key. While pinning does not have tooccur in an OnConnect callback, it’s often most convenient because theunderlying connection information is readily available.

When Do You Not Pin?

Pinning requires control of upcoming certificate attributes. If thecertificate key pair cannot be predicted in advance before it is putinto service, then pinning will lead to an outage when the endpointpresents a new certificate. For instance, if a certificate providergenerates random key pairs whenever a certificate is rotated, and youcannot control when this certificate is put into use, then you willnot be able to update your clients until they have already experiencedan outage. You should not pin using attributes of a certificatepresented by an endpoint outside of your control.

What Should Be Pinned?

The first thing to decide is what should be pinned. For this choice, youhave two options: you can (1) pin the certificate; or (2) pin the publickey. If you choose public keys, you have two additional choices: (a) pinthe subjectPublicKeyInfo; or (b) pin one of the concrete types such asRSAPublicKey or DSAPublicKey.

The three choices are explained below in more detail. I would encourageyou to pin the subjectPublicKeyInfo because it has the publicparameters (such as {e,n} for an RSA public key) and contextualinformation such as an algorithm and OID. The context will help you keepyour bearings at times, and Figure 1 below shows the additionalinformation available.

Encodings/Formats

For the purposes of this article, the objects are in X509-compatiblepresentation format (PKCS#1 defers to X509, both of which use ASN.1).If you have a PEM encoded object, such as:

-----BEGIN CERTIFICATE-----...-----END CERTIFICATE-----

Then convert the object to DER encoding. Conversion using OpenSSL is offeredbelow in Format Conversions.

A certificate is an object which binds an entity (such as a person ororganization) to a public key via a signature. The certificate is DERencoded, and has associated data or attributes such as Subject (who isidentified or bound), Issuer (who signed it), Validity (NotBeforeand NotAfter), and a Public Key.

A certificate has a subjectPublicKeyInfo. The subjectPublicKeyInfo isa key with additional information. The ASN.1 type includes an AlgorithmID, a Version, and an extensible format to hold a concrete publickey. Figures 1 and 2 below show different views of the same RSA key,which is the subjectPublicKeyInfo. The key is for the siterandom.org, and it is used in the sampleprograms and listings below.

Figure 1: subjectPublicKeyInfo dumped with dumpasn1	Figure 2: subjectPublicKeyInfo under a hex editor

The concrete public key is an encoded public key. The key format willusually be specified elsewhere - for example, PKCS#1 in the case of RSAPublic Keys. In the case of an RSA public key, the type isRSAPublicKey and the parameters {e,n} will be ASN.1 encoded. Figures1 and 2 above clearly show the modulus (n at line 28) and exponent(e at line 289). For DSA, the concrete type is DSAPublicKey and theASN.1 encoded parameters would be {p,q,g,y}.

Final takeaways: (1) a certificate binds an entity to a public key; (2)a certificate has a subjectPublicKeyInfo; and (3) a subjectPublicKeyInfohas an concrete public key. For those who want to learn more, a morein-depth discussion from a programmer’s perspective can be found at theCode Project’s article Cryptographic Interoperability:Keys.

Certificate

The certificate is easiest to pin. You can fetch the certificate out of band forthe website, have the IT folks email your company certificate to you, useopenssl s_client to retrieve the certificate etc. When the certificateexpires, you would update your application. Assuming your application has nobugs or security defects, the application would be updated every year or two.

At runtime, you retrieve the website or server’s certificate in thecallback. Within the callback, you compare the retrieved certificatewith the certificate embedded within the program. If the comparisonfails, then fail the method or function.

There is a downside to pinning a certificate. If the site rotates itscertificate on a regular basis, then your application would need to beupdated regularly. If you do not control when this certificate is putinto service, then pinning will lead to an outage.

Public Key

Public key pinning is more flexible but a little trickier due to the extra stepsnecessary to extract the public key from a certificate. As with a certificate,the program checks the extracted public key with its embedded copy of the publickey.

There are two downsides to public key pinning. First, it’s harder towork with keys (versus certificates) since you usually must extractthe key from the certificate. Extraction is a minor inconvenience inJava and .NET, buts it’s uncomfortable in Cocoa/CocoaTouch andOpenSSL. Second, the key is static and may violate key rotationpolicies. For this reason, a certificate management service maygenerate new keys every time. If that is the case, then it may bedifficult to pin using the public key.

Hashing

While the three choices above used DER encoding, it’s also acceptable touse a hash of the information (or other transforms). In fact, theoriginal sample programs were written using digested certificates andpublic keys. The samples were changed to allow a programmer to inspectthe objects with tools like dumpasn1 and other ASN.1 decoders.

Hashing also provides three additional benefits. First, hashing allowsyou to anonymize a certificate or public key. This might be important ifyou application is concerned about leaking information duringdecompilation and re-engineering.

Second, a digested certificate fingerprint is often available as anative API for many libraries, so it’s convenient to use.

Finally, an organization might want to supply a reserve (or back-up)identity in case the primary identity is compromised. Hashing ensuresyour adversaries do not see the reserved certificate or public key inadvance of its use. In fact, Google’s IETF draft websec-key-pinninguses the technique.

The downside to hashing is similar to that of pinning thecertificate. You must be able to update client applications before thecertificate is used by the service endpoint.

Examples of Pinning

This section demonstrates certificate and public key pinning in AndroidJava, iOS, .NET, and OpenSSL.

HTTP pinning

Expect-CT header allows sites to opt in to the Certificate Transparency framework, in report or enforcement mode, based on the readiness of the application.

HPKP got deprecated in 2018 after intents of removing it started in 2017. Almost all browsers no longer support it as attacks against HPKP surfaced. HPKP is being replaced by the reactive Certificate Transparency framework coupled with the Expect-CT header.

Certificate Transparency project help detect and protect users from mistakenly issued certificates or certificates that have been issued by rogue certificate authoroties (CA). One example of a rogue CA happening was the Dutch CA DigiNotar.

Expect-CT header is expected to be obsolete in June 2021, as all issued certificates will already be incorporating Signed Certificate Timestamps (SCTs).

Android

Since Android N, the preferred way for implementing pinning is byleveraging Android’s Network SecurityConfigurationfeature, which lets apps customize their network security settings in asafe, declarative configuration file without modifying app code.

To enable pinning, the <pin-set> configurationsettingcan be used.

If devices running a version of Android that is earlier than N need tobe supported, a backport of the Network Security Configuration pinningfunctionality is available via the TrustKit Android library.

Lastly, the Android documentation provides an example of how SSLvalidation can be customized within the app’s code (in order toimplement pinning) in the Unknown CA implementationdocument.However, implementing pinning validation from scratch should be avoided,as implementation mistakes are extremely likely and usually lead tosevere vulnerabilities.

iOS

TrustKit, an open-source SSL pinning library for iOS and macOS isavailable at https://github.com/datatheorem/TrustKit. It provides aneasy-to-use API for implementing pinning, and has been deployed in manyapps.

Otherwise, more details regarding how SSL validation can be customizedon iOS (in order to implement pinning) are available in the “HTTPSServer Trust Evaluation” technical note.However, implementing pinning validation from scratch should be avoided,as implementation mistakes are extremely likely and usually lead tosevere vulnerabilities.

.NET

.NET pinning can be achieved by using ServicePointManager for HttpWebRequest, orHttpClientHandler when using HttpClient, as shown below.

HttpWebRequest

Download: .Net sample program.

// Domain name for which to perform certificate pinningprivate const string DomainName = "encrypted.google.com";// Encoded RSAPublicKey for Domain nameprivate const string DomainPublicKey = "30818902818100C4A06B7B52F8D17DC1CCB47362" +"C64AB799AAE19E245A7559E9CEEC7D8AA4DF07CB0B21FDFD763C63A313A668FE9D764E" +"D913C51A676788DB62AF624F422C2F112C1316922AA5D37823CD9F43D1FC54513D14B2" +"9E36991F08A042C42EAAEEE5FE8E2CB10167174A359CEBF6FACC2C9CA933AD403137EE" +"2C3F4CBED9460129C72B0203010001";public static void Main(string[] args){ServicePointManager.ServerCertificateValidationCallback = PinPublicKey;var wr = WebRequest.Create(string.Format("https://{0}/", DomainName));wr.GetResponse();}private static bool PinPublicKey(object sender,X509Certificate certificate,X509Chain chain,SslPolicyErrors sslPolicyErrors){if (certificate == null)return false;var request = sender as HttpWebRequest;if (request == null)return false;// if the request is for the target domain, perform certificate pinningif (string.Equals(request.Address.Authority, DomainName, StringComparison.OrdinalIgnoreCase)){var pk = certificate.GetPublicKeyString();return pk.Equals(DomainPublicKey);}// Check whether there were any policy errors for any other domainreturn sslPolicyErrors == SslPolicyErrors.None;}

Note that using ServicePointManager.ServerCertificateValidationCallback affectsserver certificate validation for all requests requiring validation fromthe AppDomain. It is therefore advisable to check that the sender represents a requestto the authority to which to apply certificate pinning, as the example above demonstrates.

In .NET Framework 4.5 onwards, a validation callback can be set per HTTP request

// Domain name for which to perform certificate pinningprivate const string DomainName = "encrypted.google.com";// Encoded RSAPublicKey for Domain nameprivate const string DomainPublicKey = "30818902818100C4A06B7B52F8D17DC1CCB47362" +"C64AB799AAE19E245A7559E9CEEC7D8AA4DF07CB0B21FDFD763C63A313A668FE9D764E" +"D913C51A676788DB62AF624F422C2F112C1316922AA5D37823CD9F43D1FC54513D14B2" +"9E36991F08A042C42EAAEEE5FE8E2CB10167174A359CEBF6FACC2C9CA933AD403137EE" +"2C3F4CBED9460129C72B0203010001";public static void Main(string[] args){var wr = (HttpWebRequest)WebRequest.Create(string.Format("https://{0}/", DomainName));// set server validation callback for this request onlywr.ServerCertificateValidationCallback = PinPublicKey;wr.GetResponse();}private static bool PinPublicKey(object sender,X509Certificate certificate,X509Chain chain,SslPolicyErrors sslPolicyErrors){if (certificate == null)return false;var request = sender as HttpWebRequest;if (request == null)return false;// if the request is for the target domain, perform certificate pinningif (string.Equals(request.Address.Authority, DomainName, StringComparison.OrdinalIgnoreCase)){var pk = certificate.GetPublicKeyString();return pk.Equals(DomainPublicKey);}// Check whether there were any policy errors for any other domainreturn sslPolicyErrors == SslPolicyErrors.None;}

HttpClient

When using HttpClient, a server validation callback can be set onHttpClientHandler that will affect all requests requiringvalidation made with HttpClient instances using the HttpClientHandler.

// Domain name for which to perform certificate pinningprivate const string DomainName = "encrypted.google.com";// Encoded RSAPublicKey for Domain nameprivate const string DomainPublicKey = "30818902818100C4A06B7B52F8D17DC1CCB47362" +"C64AB799AAE19E245A7559E9CEEC7D8AA4DF07CB0B21FDFD763C63A313A668FE9D764E" +"D913C51A676788DB62AF624F422C2F112C1316922AA5D37823CD9F43D1FC54513D14B2" +"9E36991F08A042C42EAAEEE5FE8E2CB10167174A359CEBF6FACC2C9CA933AD403137EE" +"2C3F4CBED9460129C72B0203010001";public static void Main(string[] args){MainAsync().Wait();}private static async Task MainAsync(){var handler = new HttpClientHandler{ServerCertificateCustomValidationCallback = PinPublicKey};var client = new HttpClient(handler);await client.GetAsync(string.Format("https://{0}/", DomainName));}private static bool PinPublicKey(HttpRequestMessage requestMessage,X509Certificate2 certificate,X509Chain chain,SslPolicyErrors sslPolicyErrors){if (certificate == null)return false;// if the request is for the target domain, perform certificate pinningif (string.Equals(requestMessage.RequestUri.Authority, DomainName, StringComparison.OrdinalIgnoreCase)){var pk = certificate.GetPublicKeyString();return pk.Equals(DomainPublicKey);}// Check whether there were any policy errors for any other domainreturn sslPolicyErrors == SslPolicyErrors.None;}

OpenSSL

Pinning can occur at one of two places with OpenSSL. First is the usersupplied verify_callback. Second is after the connection isestablished via SSL_get_peer_certificate. Either method will allow youto access the peer’s certificate.

Though OpenSSL performs the X509 checks, you must fail the connectionand tear down the socket on error. By design, a server that does notsupply a certificate will result in X509_V_OK with a NULLcertificate. To check the result of the customary verification: (1) youmust call SSL_get_verify_result and verify the return code isX509_V_OK; and (2) you must call SSL_get_peer_certificate and verifythe certificate is non-NULL.

Download: OpenSSL sample program.

int pkp_pin_peer_pubkey(SSL* ssl){ if(NULL == ssl) return FALSE; X509* cert = NULL; FILE* fp = NULL; /* Scratch */ int len1 = 0, len2 = 0; unsigned char *buff1 = NULL, *buff2 = NULL; /* Result is returned to caller */ int ret = 0, result = FALSE; do { /* http://www.openssl.org/docs/ssl/SSL_get_peer_certificate.html */ cert = SSL_get_peer_certificate(ssl); if(!(cert != NULL)) break; /* failed */ /* Begin Gyrations to get the subjectPublicKeyInfo */ /* Thanks to Viktor Dukhovni on the OpenSSL mailing list */ /* http://groups.google.com/group/mailing.openssl.users/browse_thread/thread/d61858dae102c6c7 */ len1 = i2d_X509_PUBKEY(X509_get_X509_PUBKEY(cert), NULL); if(!(len1 > 0)) break; /* failed */ /* scratch */ unsigned char* temp = NULL; /* http://www.openssl.org/docs/crypto/buffer.html */ buff1 = temp = OPENSSL_malloc(len1); if(!(buff1 != NULL)) break; /* failed */ /* http://www.openssl.org/docs/crypto/d2i_X509.html */ len2 = i2d_X509_PUBKEY(X509_get_X509_PUBKEY(cert), &temp); /* These checks are verifying we got back the same values as when we sized the buffer. */ /* It's pretty weak since they should always be the same. But it gives us something to test. */ if(!((len1 == len2) && (temp != NULL) && ((temp - buff1) == len1))) break; /* failed */ /* End Gyrations */ /* See the warning above!!! */ /* http://pubs.opengroup.org/onlinepubs/009696699/functions/fopen.html */ fp = fopen("random-org.der", "rx"); if(NULL ==fp) { fp = fopen("random-org.der", "r"); if(!(NULL != fp)) break; /* failed */ /* Seek to eof to determine the file's size */ /* http://pubs.opengroup.org/onlinepubs/009696699/functions/fseek.html */ ret = fseek(fp, 0, SEEK_END); if(!(0 == ret)) break; /* failed */ /* Fetch the file's size */ /* http://pubs.opengroup.org/onlinepubs/009696699/functions/ftell.html */ long size = ftell(fp); /* Arbitrary size, but should be relatively small (less than 1K or 2K) */ if(!(size != -1 && size > 0 && size < 2048)) break; /* failed */ /* Rewind to beginning to perform the read */ /* http://pubs.opengroup.org/onlinepubs/009696699/functions/fseek.html */ ret = fseek(fp, 0, SEEK_SET); if(!(0 == ret)) break; /* failed */ /* Re-use buff2 and len2 */ buff2 = NULL; len2 = (int)size; /* http://www.openssl.org/docs/crypto/buffer.html */ buff2 = OPENSSL_malloc(len2); if(!(buff2 != NULL)) break; /* failed */ /* http://pubs.opengroup.org/onlinepubs/009696699/functions/fread.html */ /* Returns number of elements read, which should be 1 */ ret = (int)fread(buff2, (size_t)len2, 1, fp); if(!(ret == 1)) break; /* failed */ /* Re-use size. MIN and MAX macro below... */ size = len1 < len2 ? len1 : len2; /*************************/ /***** PAYDIRT *****/ /*************************/ if(len1 != (int)size || len2 != (int)size || 0 != memcmp(buff1, buff2, (size_t)size)) break; /* failed */ /* The one good exit point */ result = TRUE; } while(0); if(fp != NULL) fclose(fp); /* http://www.openssl.org/docs/crypto/buffer.html */ if(NULL != buff2) OPENSSL_free(buff2); /* http://www.openssl.org/docs/crypto/buffer.html */ if(NULL != buff1) OPENSSL_free(buff1); /* http://www.openssl.org/docs/crypto/X509_new.html */ if(NULL != cert) X509_free(cert); return result;}

Miscellaneous

This sections covers administrivia and miscellaneous items related topinning.

Ephemeral Keys

Ephemeral keys are temporary keys used for one instance of a protocolexecution and then thrown away. An ephemeral key has the benefit ofproviding forward secrecy, meaning a compromise of the site or service’slong term (static) signing key does not facilitate decrypting pastmessages because the key was temporary and discarded (once the sessionterminated).

Ephemeral keys do not affect pinning because the Ephemeral key isdelivered in a separate ServerKeyExchange message. In addition, theephemeral key is a key and not a certificate, so it does not change theconstruction of the certificate chain. That is, the certificate ofinterest will still be located at certificates[0].

Pinning Gaps

There are two gaps when pinning due to reuse of the existinginfrastructure and protocols. First, an explicit challenge is notsent by the program to the peer server based on the server’s publicinformation. So the program never knows if the peer can actually decryptmessages. However, the shortcoming is usually academic in practice sincean adversary will receive messages it can’t decrypt.

Second is revocation. Clients don’t usually engage in revocationchecking, so it could be possible to use a known bad certificate or keyin a pinset. Even if revocation is active, Certificate Revocation Lists(CRLs) and Online Certificate Status Protocol (OCSP) can be defeated ina hostile environment. An application can take steps to remediate, withthe primary means being freshness. That is, an application should beupdated and distributed immediately when a critical security parameterchanges.

No Relationship ^@$\!

If you don’t have a pre-existing relationship, all is not lost. First,you can pin a host or server’s certificate or public key the first timeyou encounter it. If the bad person was not active when you encountered thecertificate or public key, they will not be successful with futurefunny business.

Second, bad certificates are being spotted quicker in the field due toprojects like Chromium and CertificatePatrol,and initiatives like the EFF’s SSL Observatory.

Third, help is on its way, and there are a number of futures that willassist with the endeavors:

• Public Key Pinning (http://www.ietf.org/id/draft-ietf-websec-key-pinning-09.txt) – an extension to the HTTP protocol allowing web host operators to instruct user agents (UAs) to remember (“pin”) the hosts’ cryptographic identities for a given period of time.
• DNS-based Authentication of Named Entities (DANE) (https://datatracker.ietf.org/doc/rfc6698/) - uses Secure DNS to associate Certificates with Domain Names For S/MIME, SMTP with TLS, DNSSEC and TLSA records.
• Sovereign Keys (http://www.eff.org/sovereign-keys) - operates by providing an optional and secure way of associating domain names with public keys via DNSSEC. PKI (hierarchical) is still used. Semi-centralized with append only logging.
• Convergence (http://convergence.io) – different [geographical] views of a site and its associated data (certificates and public keys). Web of Trust is used. Semi-centralized.

While Sovereign Keys and Convergence still require us to confer trust tooutside parties, the parties involved do not serve share holders orcovet revenue streams. Their interests are industry transparency anduser security.

More Information?

Pinning is an old new thing that has been shaken, stirred, andrepackaged. While “pinning” and “pinsets” are relatively new terms forold things, Jon Larimer and Kenny Root spent time on the subject atGoogle I/O 2012 with their talk Security and Privacy in AndroidApps.

Format Conversions

As a convenience to readers, the following with convert between PEM andDER format using OpenSSL.

# Public key, X509$ openssl genrsa -out rsa-openssl.pem 3072$ openssl rsa -in rsa-openssl.pem -pubout -outform DER -out rsa-openssl.der# Private key, PKCS#8$ openssl genrsa -out rsa-openssl.pem 3072$ openssl pkcs8 -nocrypt -in rsa-openssl.pem -inform PEM -topk8 -outform DER -out rsa-openssl.der

References

• OWASP Injection Theory
• OWASP Transport Layer Protection Cheat Sheet
• IETF Public Key Pinning
• IETF RFC 5054 (SRP)
• IETF RFC 4764 (EAP-PSK)
• IETF RFC 1421 (PEM Encoding)
• IETF RFC 5280 (Internet X.509, PKIX)
• IETF RFC 4648 (Base16, Base32, and Base64 Encodings)
• IETF RFC 3279 (PKI, X509 Algorithms and CRL Profiles)
• IETF RFC 4055 (PKI, X509 Additional Algorithms and CRL Profiles)
• IETF RFC 2246 (TLS 1.0)
• IETF RFC 4346 (TLS 1.1)
• IETF RFC 5246 (TLS 1.2)
• IETF RFC 6698, Draft (DANE)
• EFF Sovereign Keys
• Thoughtcrime Labs Convergence
• RSA Laboratories PKCS#1, RSA Encryption Standard
• RSA Laboratories PKCS#6, Extended-Certificate Syntax Standard
• ITU Specification of Basic Encoding Rules (BER), Canonical Encoding Rules (CER) and Distinguished Encoding Rules (DER)
• TOR Project Detecting Certificate Authority Compromises and Web Browser Collusion
• Code Project Cryptographic Interoperability: Keys
• Google I/O Security and Privacy in Android Apps
• Trevor Perrin Transparency, Trust Agility, Pinning (Recent Developments in Server Authentication)
• Dr. Peter Gutmann’s PKI is Broken
• Dr. Matthew Green’s The Internet is Broken
• Dr. Matthew Green’s How do Interception Proxies fail?
• Presentation: SSL Pinning implementation and bypasses for iOS and Android