What is public key pinning and how does it boost Web security?


Public key pinning aims to reduce the lack of trust associated with digital certificates and certificate authorities. Expert Michael Cobb explains how it works and its benefits.

Secure communication over the Internet relies on the SSL/TLS protocol, which uses digital certificates to provide authentication and encryption. The public key in a Web server’s certificate is used to encrypt traffic to the site, while the certificate identifies who owns the site. A website’s certificate is typically validated by checking the signature hierarchy; MyWebServerCert is signed by AnIntermediateCert which is signed by ARootCert, a certificate authority (CA) root certificate that is trusted implicitly by the majority of operating systems and browsers.

However, this chain or hierarchy of trust can be compromised, making protocols that rely on certificate chain verification like SSL/TLS vulnerable to various attacks — including man-in-the-middle (MITM) attacks.

To fool a user’s browser into trusting a site an attacker controls, the attacker can present a stolen or forged certificate for the site. This has happened a disturbing number of times in the last few years. For example, hackers broke into the Dutch CA DigiNotar and issued fraudulent but valid certificates for several major sites, including Google, Twitter and Yahoo. CAs have also accidentally issued certificates to the wrong people, and some have failed to follow their own policies, leading to hackers obtaining certificates for domains they don’t own. These shortcomings in the CA infrastructure are undermining confidence in the CA hierarchy of trust.

Certificate pinning overcomes this lack of trust by associating a host with its expected certificate or public key. It’s similar to SSH’s StrictHostKeyChecking option as it directly identifies a host or service by its public key, only trusting certificates signed by a specific certificate. This method of checking a site’s digital certificate avoids the risks present in the CA infrastructure and prevents man-in-the-middle attacks. The public key pinning in Chrome helped detect the fraudulent SSL certificate issued by DigiNotar used in a MITM attack against Google users in Iran.
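The pin check described above, sketched in Python as an added example that is not code from the original article: it extracts the SubjectPublicKeyInfo from each DER certificate in a chain, hashes it with SHA-256, and accepts the chain only if one of the hashes is in the pin set. Assumptions: the certificates are constructed, cert-shaped DER built by the hypothetical `toy_cert` helper (not real signed certificates), the pin is placed on the intermediate CA's key, and the check runs after ordinary chain validation has already succeeded.

```python
import base64, hashlib

def tlv(tag, body=b""):  # DER encoder, used only to build the constructed sample certs
    n = len(body)
    if n < 128:
        return bytes([tag, n]) + body
    k = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | k]) + n.to_bytes(k, "big") + body

def read(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:  # long-form length: low 7 bits give the number of length bytes
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    if pos + n > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + n

def spki_of(cert_der):
    """Raw SubjectPublicKeyInfo TLV of a DER-encoded X.509 certificate."""
    _, pos, _ = read(cert_der, 0)        # Certificate SEQUENCE
    _, pos, end = read(cert_der, pos)    # tbsCertificate SEQUENCE
    fields = []
    while pos < end:
        tag, _, nxt = read(cert_der, pos)
        fields.append((tag, pos, nxt))
        pos = nxt
    # version [0] is optional; SPKI follows serial, sigAlg, issuer, validity, subject
    _, start, stop = fields[6 if fields[0][0] == 0xA0 else 5]
    return cert_der[start:stop]

def pin(spki):
    """Base64 of SHA-256 over the SPKI: the value a pin set stores."""
    return base64.b64encode(hashlib.sha256(spki).digest()).decode()

def chain_matches_pins(chain_der, pins):
    """Run after normal chain validation: some key in the chain must be pinned."""
    return any(pin(spki_of(cert)) in pins for cert in chain_der)

def toy_cert(key):  # constructed cert-shaped DER: empty names, dummy signature
    spki = tlv(0x30, tlv(0x30) + tlv(0x03, b"\x00" + key))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + tlv(0x30) * 4 + spki)
    return tlv(0x30, tbs + tlv(0x30) + tlv(0x03, b"\x00sig"))

# Constructed chains: MyWebServerCert, AnIntermediateCert, ARootCert from the article,
# and a forged leaf issued by a different CA that ordinary validation would also accept.
GOOD_CHAIN = [toy_cert(k * 40) for k in (b"srv-", b"int-", b"root")]
FORGED_CHAIN = [toy_cert(k * 40) for k in (b"evil", b"rogue")]
PINS = {pin(spki_of(GOOD_CHAIN[1]))}   # pin the issuing intermediate's public key
```
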

