2013-02-13

← Older revision

Revision as of 14:57, 13 February 2013

(8 intermediate revisions by one user not shown)

Line 11:

Line 11:

The pandemic abuse of trust has resulted in users, developers and applications making security related decisions on untrusted input. The situation is somewhat of a paradox: entities such as DNS and CAs are trusted and supposed to supply trusted input; yet their input cannot be trusted. Relying on others for security related decisions is not only bad karma, it violates a number of secure coding principals (see, for example, OWASP's [[Injection Theory]] and [[Data Validation]]).

The pandemic abuse of trust has resulted in users, developers and applications making security related decisions on untrusted input. The situation is somewhat of a paradox: entities such as DNS and CAs are trusted and supposed to supply trusted input; yet their input cannot be trusted. Relying on others for security related decisions is not only bad karma, it violates a number of secure coding principals (see, for example, OWASP's [[Injection Theory]] and [[Data Validation]]).



Pinning effectively removes the "conference of trust"
and identifies the host or service by its public certificate or public key when holding a public/private key pair
. An application which pins a certificate or public key no longer needs to depend on others - such as DNS or CAs - when making decisions relating to a peer's identity. For those familiar with SSH, you should realize that public key pinning nearly identical to SSH's StrictHostKeyChecking option. SSH had it right the entire time, and the rest of the world is beginning to realize the virtues of directly identifying a host or service by its public key.

+

Pinning effectively removes the "conference of trust". An application which pins a certificate or public key no longer needs to depend on others - such as DNS or CAs - when making decisions relating to a peer's identity. For those familiar with SSH, you should realize that public key pinning nearly identical to SSH's StrictHostKeyChecking option. SSH had it right the entire time, and the rest of the world is beginning to realize the virtues of directly identifying a host or service by its public key.

Others who actively engage in pinning include Google and its browser Chrome. Chrome was successful in detecting the DigiNotar compromise which uncovered suspected interception by the Iranian government on its citizens. The initial report of the compromise can be found at ''[https://productforums.google.com/d/topic/gmail/3J3r2JqFNTw/discussion Is This MITM Attack to Gmail's SSL?]''; and Google Security's immediate response at ''[https://googleonlinesecurity.blogspot.com/2011/08/update-on-attempted-man-in-middle.html An update on attempted man-in-the-middle attacks]''.

Others who actively engage in pinning include Google and its browser Chrome. Chrome was successful in detecting the DigiNotar compromise which uncovered suspected interception by the Iranian government on its citizens. The initial report of the compromise can be found at ''[https://productforums.google.com/d/topic/gmail/3J3r2JqFNTw/discussion Is This MITM Attack to Gmail's SSL?]''; and Google Security's immediate response at ''[https://googleonlinesecurity.blogspot.com/2011/08/update-on-attempted-man-in-middle.html An update on attempted man-in-the-middle attacks]''.
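Review bot: the revised second paragraph drops the clause that said what replaces the conferred trust (identifying the host by its certificate or public key), so "Pinning effectively removes the "conference of trust"." now stands alone without saying what the application relies on instead; consider keeping a short clause such as "and identifies the host or service by its certificate or public key". In the same paragraph, on both sides, "public key pinning nearly identical" is missing "is", and in the first paragraph "secure coding principals" should be "principles".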

Line 19:

Line 19:

In essence, pinning is the act of verifying a host's identity based on their ''expected'' X509 certificate or public key. Once a certificate or public key is known or seen for a host, the certificate or public key is 'pinned' to the host. Put another way, its a whitelist of known certificate or public key for a host, server, or service. If more than one certificate or public key is acceptable, then the program holds a ''pinset'' for a host, server, or service. In this case, the peer's advertised identity must match one of the elements in the pinset.

In essence, pinning is the act of verifying a host's identity based on their ''expected'' X509 certificate or public key. Once a certificate or public key is known or seen for a host, the certificate or public key is 'pinned' to the host. Put another way, its a whitelist of known certificate or public key for a host, server, or service. If more than one certificate or public key is acceptable, then the program holds a ''pinset'' for a host, server, or service. In this case, the peer's advertised identity must match one of the elements in the pinset.



Pinning leverages knowledge of the pre-existing relationship between the user and an organization or service to help make better security related decisions. Because you already have information on the server or service, you don't need to rely on generalized mechanisms meant to solve the ''key distribution'' problem. That is, you don't need to turn to DNS for
names
/
addresses
or CAs for
binding
and
identity
status (though it does not hurt).

+

Pinning leverages knowledge of the pre-existing relationship between the user and an organization or service to help make better security related decisions. Because you already have information on the server or service, you don't need to rely on generalized mechanisms meant to solve the ''key distribution'' problem. That is, you don't need to turn to DNS for
name
/
address mappings
or CAs for
bindings
and status (though it does not hurt).
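Review bot: in the revised last sentence, "CAs for bindings and status" leaves unclear what is bound and which status is meant; the old wording at least named identity. Suggest "CAs for name-to-key bindings and revocation status". In the unchanged first paragraph, "its a whitelist of known certificate or public key" should read "it's a whitelist of known certificates or public keys".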

== How Do You Pin? ==

== How Do You Pin? ==

Line 33:

Line 33:

A perfect case in point: during the two weeks or so of preparation for the presentation and cheat sheet, we've observed three relevant and related failures. First was [http://gaurangkp.wordpress.com/2013/01/09/nokia-https-mitm/ Nokia/Opera willfully breaking the secure channel]; second was [http://blog.malwarebytes.org/intelligence/2013/02/digital-certificates-and-malware-a-dangerous-mix/ DigiCert issuing a code signing certificate for malware]; and third was [http://krebsonsecurity.com/2013/02/security-firm-bit9-hacked-used-to-spread-malware/ Bit9's loss of its root signing key]. The environment is not only hostile, its toxic.

A perfect case in point: during the two weeks or so of preparation for the presentation and cheat sheet, we've observed three relevant and related failures. First was [http://gaurangkp.wordpress.com/2013/01/09/nokia-https-mitm/ Nokia/Opera willfully breaking the secure channel]; second was [http://blog.malwarebytes.org/intelligence/2013/02/digital-certificates-and-malware-a-dangerous-mix/ DigiCert issuing a code signing certificate for malware]; and third was [http://krebsonsecurity.com/2013/02/security-firm-bit9-hacked-used-to-spread-malware/ Bit9's loss of its root signing key]. The environment is not only hostile, its toxic.



If you are working for an organization which practices "egress filtering" as part of a Data Loss Prevention (DLP) strategy, you will likely encounter ''Interception Proxies''. I like to refer to these things as '''"good" bad guys''' (as opposed to '''"bad" bad guys''') since both break end-to-end security and we can't tell them apart. In this case, add the interception proxy's public key to your pinset '''after''' being requested to do so by the folks in Risk Acceptance. Don't offer to whitelist the interception proxy since it defeats your security goals.

+

== When Do You Whitelist? ==



For more reading on interception proxies, the additional risk they bestow, and how they fail, see Dr. Matthew Green's [http://blog.cryptographyengineering.com/2012/03/how-do-interception-proxies-fail.html How do Interception Proxies fail?] and Jeff Jarmoc's BlackHat talk [https://www.blackhat.com/html/bh-eu-12/bh-eu-12-archives.html#jarmoc SSL/TLS Interception Proxies and Transitive Trust].

+

If you are working for an organization which practices "egress filtering" as part of a Data Loss Prevention (DLP) strategy, you will likely encounter ''Interception Proxies''. I like to refer to these things as '''"good" bad guys''' (as opposed to '''"bad" bad guys''') since both break end-to-end security and we can't tell them apart. In this case, '''don not''' offer to whitelist the interception proxy since it defeats your security goals. Add the interception proxy's public key to your pinset '''after''' being requested to do so by the folks in Risk Acceptance.

+

+

For more reading on interception proxies, the additional risk they bestow, and how they fail, see Dr. Matthew Green's
''
[http://blog.cryptographyengineering.com/2012/03/how-do-interception-proxies-fail.html How do Interception Proxies fail?]
''
and Jeff Jarmoc's BlackHat talk
''
[https://www.blackhat.com/html/bh-eu-12/bh-eu-12-archives.html#jarmoc SSL/TLS Interception Proxies and Transitive Trust]
''
.
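Review bot: the moved interception-proxy paragraph introduces a typo: "'''don not''' offer to whitelist" should be "'''do not''' offer to whitelist". The reordering itself (refuse to whitelist first, add the proxy's key to the pinset only after Risk Acceptance asks) is an improvement over the old paragraph. In the unchanged first paragraph, "its toxic" should be "it's toxic".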

== What Should Be Pinned? ==

== What Should Be Pinned? ==

Line 41:

Line 43:

The first thing to decide is what should be pinned. For this choice, you have two options: you can pin (1) the certificate; or (2) the public key. If you choose public keys, you have two additional choices: (a) pin the subjectPublicKeyInfo; or (b) pin one of the concrete types such as RSAPublicKey or DSAPublicKey.

The first thing to decide is what should be pinned. For this choice, you have two options: you can pin (1) the certificate; or (2) the public key. If you choose public keys, you have two additional choices: (a) pin the subjectPublicKeyInfo; or (b) pin one of the concrete types such as RSAPublicKey or DSAPublicKey.



The three choices are explained below in more detail. I would encourage you to pin the subjectPublicKeyInfo because it has the public parameters (such as {e,n}) '''and''' contextual information such as an algorithm and OID. The context will help you keep your bearings at times.

+

The three choices are explained below in more detail. I would encourage you to pin the subjectPublicKeyInfo because it has the public parameters (such as {e,n}
for an RSA public key
) '''and''' contextual information such as an algorithm and OID. The context will help you keep your bearings at times.
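Review bot: "contextual information such as an algorithm and OID" in the revised sentence reads as two things, but in subjectPublicKeyInfo they are one: the AlgorithmIdentifier is an OID plus optional parameters. Suggest "contextual information, namely the AlgorithmIdentifier (an OID plus optional parameters)". The added "for an RSA public key" after {e,n} is a good clarification.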

=== Encodings/Formats ===

=== Encodings/Formats ===

Line 49:

Line 51:

A certificate is an object which binds an entity (such as a person or organization) to a public key via a signature. The certificate is DER encoded, and has associated data or attributes such as ''Subject'' (who is identified or bound), ''Issuer'' (who signed it), ''Validity'' (''NotBefore'' and ''NotAfter''), and a ''Public Key''.

A certificate is an object which binds an entity (such as a person or organization) to a public key via a signature. The certificate is DER encoded, and has associated data or attributes such as ''Subject'' (who is identified or bound), ''Issuer'' (who signed it), ''Validity'' (''NotBefore'' and ''NotAfter''), and a ''Public Key''.



A certificate has a ''subjectPublicKeyInfo''. The subjectPublicKeyInfo is a key with additional information. The ASN.1 type includes an ''Algorithm ID'', a ''Version'', and an extensible format to hold a concrete public key. Figures 1 and 2 below show different views of the same of a RSA key, which is the subjectPublicKeyInfo. The key is for the site [https://www.random.org random.org], and
its
used in the sample programs.

+

A certificate has a ''subjectPublicKeyInfo''. The subjectPublicKeyInfo is a key with additional information. The ASN.1 type includes an ''Algorithm ID'', a ''Version'', and an extensible format to hold a concrete public key. Figures 1 and 2 below show different views of the same of a RSA key, which is the subjectPublicKeyInfo. The key is for the site [https://www.random.org random.org], and
it is
used in the sample programs
and listings below
.
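Review bot: the description of the subjectPublicKeyInfo type in the revised paragraph is inaccurate: RFC 5280 defines it as SEQUENCE { algorithm AlgorithmIdentifier, subjectPublicKey BIT STRING }, and there is no ''Version'' field (a version appears in the certificate's TBSCertificate and in PKCS#8 PrivateKeyInfo, not here). Suggest "The ASN.1 type includes an ''AlgorithmIdentifier'' and a BIT STRING that holds the concrete public key". Also, on both sides, "different views of the same of a RSA key" should read "different views of the same RSA key".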

{| align="center"

{| align="center"

Line 137:

Line 139:

=== iOS ===

=== iOS ===



iOS pinning is performed through a NSURLConnectionDelegate. The delegate must implement connection:canAuthenticateAgainstProtectionSpace: and connection:didReceiveAuthenticationChallenge:. The relevant code to pin a certificate is shown below

+

iOS pinning is performed through a NSURLConnectionDelegate. The delegate must implement connection:canAuthenticateAgainstProtectionSpace: and connection:didReceiveAuthenticationChallenge:. The relevant code to pin a certificate is shown below
.

Download: [[Media:pubkey-pin-ios.zip|iOS sample program]].

Download: [[Media:pubkey-pin-ios.zip|iOS sample program]].
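Review bot: "a NSURLConnectionDelegate" should be "an NSURLConnectionDelegate" on both sides. The sentence says the delegate "must implement" connection:canAuthenticateAgainstProtectionSpace: and connection:didReceiveAuthenticationChallenge:; on iOS 5 and later the single connection:willSendRequestForAuthenticationChallenge: method covers the same job, so consider mentioning it if the sample supports those versions. The surrounding sections pin public keys while this sentence says "to pin a certificate"; say which the sample actually does.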

Line 232:

Line 234:

The code below is from pkp_pin_peer_key. The function receives control '''after''' OpenSSL performs the customary SSL/TLS negotiation with internal tests (signature checks, chaining to a trusted root, validity, and hostname). A second function - pkp_verify_cb - is not shown. It's the callback invoked during certificate chain verification. pkp_verify_cb is useful for developing an understanding of OpenSSL's processing of the connection.

The code below is from pkp_pin_peer_key. The function receives control '''after''' OpenSSL performs the customary SSL/TLS negotiation with internal tests (signature checks, chaining to a trusted root, validity, and hostname). A second function - pkp_verify_cb - is not shown. It's the callback invoked during certificate chain verification. pkp_verify_cb is useful for developing an understanding of OpenSSL's processing of the connection.



Rather than use an unconditional jump (goto), the code uses a do/while to achieve the same effect. I've been scolded for both and a do/while seems to
offend the
least. And I refuse to use deeply nested if statements.

+

Rather than use an unconditional jump (goto), the code uses a do/while to achieve the same effect. I've been scolded for both
(goto and do/while)
and a do/while seems to
be
least
offensive
. And I refuse to use deeply nested if statements.

Download: [[Media:pubkey-pin-openssl.zip|OpenSSL sample program]].

Download: [[Media:pubkey-pin-openssl.zip|OpenSSL sample program]].
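Review bot: the unchanged first paragraph lists "hostname" among the checks OpenSSL performs before pkp_pin_peer_key is called, but OpenSSL's built-in verification (signature, chain to a trusted root, validity period) does not match the peer name against the certificate's Subject Alternative Name or CN in the releases current at this writing; the sample has to do that itself, or the text should say the pin is what stands in for it. Either adjust the list or point to where the sample checks the hostname. In the revised second paragraph, "seems to be least offensive" wants the article: "seems to be the least offensive".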

Line 360:

Line 362:

== Pinning Alternatives ==

== Pinning Alternatives ==



Not all applications use split key cryptography. Fortunately, there are protocols which allow you to set up a secure channel based on knowledge of passwords and pre-shared secrets (rather than putting the secret on the wire in a basic authentication scheme). Two are listed below - SRP and PSK. SRP and PSK have [http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-3 88 cipher suites assigned to them by IANA for TLS]
. There
's no shortage of choices.

+

Not all applications use split key cryptography. Fortunately, there are protocols which allow you to set up a secure channel based on knowledge of passwords and pre-shared secrets (rather than putting the secret on the wire in a basic authentication scheme). Two are listed below - SRP and PSK. SRP and PSK have [http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-3 88 cipher suites assigned to them by IANA for TLS]
, so there
's no shortage of choices.
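Review bot: "split key cryptography" in the first sentence is not a standard term; "public key (asymmetric) cryptography" says what is meant. The point about not "putting the secret on the wire" could also note that with SRP and PSK suites the pre-shared secret or password verifier takes the place of the certificate as the peer's identity, so it needs the same care in provisioning and storage that a pinset gets.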

{| align="center"

{| align="center"

Line 389:

Line 391:

Second, bad certificates are being spotted quicker in the field due to projects like [http://www.chromium.org Chromium] and [https://addons.mozilla.org/en-us/firefox/addon/certificate-patrol/ Certificate Patrol], and initiatives like the EFF's [https://www.eff.org/observatory SSL Observatory].

Second, bad certificates are being spotted quicker in the field due to projects like [http://www.chromium.org Chromium] and [https://addons.mozilla.org/en-us/firefox/addon/certificate-patrol/ Certificate Patrol], and initiatives like the EFF's [https://www.eff.org/observatory SSL Observatory].



Third, help is on its way, and there are three futures that will assist with the
issues. They are
:

+

Third, help is on its way, and there are three futures that will assist with the
endeavors
:

* Public Key Pinning (http://www.ietf.org/id/draft-ietf-websec-key-pinning-04.txt) – an extension to the HTTP protocol allowing web host operators to instruct user agents (UAs) to remember ("pin") the hosts' cryptographic identities for a given period of time.

* Public Key Pinning (http://www.ietf.org/id/draft-ietf-websec-key-pinning-04.txt) – an extension to the HTTP protocol allowing web host operators to instruct user agents (UAs) to remember ("pin") the hosts' cryptographic identities for a given period of time.
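Review bot: "three futures that will assist with the endeavors" reads oddly in the revised sentence; "three initiatives that will help" (matching "initiatives" in the preceding paragraph) would be clearer. In the unchanged preceding paragraph, "spotted quicker" should be "spotted more quickly".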

Line 395:

Line 397:

* Convergence (http://convergence.io) – different [geographical] views of a site and its associated data (certificates and public keys). Web of Trust is used. Semi-centralized.

* Convergence (http://convergence.io) – different [geographical] views of a site and its associated data (certificates and public keys). Web of Trust is used. Semi-centralized.



While Sovereign Keys and Convergence still require us to confer trust to outside parties, the parties involved do not serve share
holder
or
protect
revenue streams. Their interests are industry transparency and user security.

+

While Sovereign Keys and Convergence still require us to confer trust to outside parties, the parties involved do not serve share
holders
or
covet
revenue streams. Their interests are industry transparency and user security.
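Review bot: in the revised sentence "share holders" should be one word, "shareholders", and "do not serve shareholders or covet revenue streams" is clearer as "are not answerable to shareholders and do not depend on revenue streams". The bracketed "[geographical]" in the unchanged Convergence bullet can drop the brackets.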

== More Information? ==

== More Information? ==



Pinning is an ''old new thing'' that has been shaken, stirred, and repackaged. While "pinning" and "pinsets" are relatively new terms for old things, Jon Larimer and Kenny Root spent time on the subject at Google I/O 2012 with their ''[https://developers.google.com/events/io/sessions/gooio2012/107/ Security and Privacy in Android Apps]''.

+

Pinning is an ''old new thing'' that has been shaken, stirred, and repackaged. While "pinning" and "pinsets" are relatively new terms for old things, Jon Larimer and Kenny Root spent time on the subject at Google I/O 2012 with their
talk
''[https://developers.google.com/events/io/sessions/gooio2012/107/ Security and Privacy in Android Apps]''.
