Certificate Pinning - Public Key only?

3

8

I would like to pin the public key of a root CA (verisign - http://www.verisign.com/repository/roots/root-certificates/PCA-3G5.pem) into my iOS app. Is it better to pin the public key or the subjectPublicKeyInfo? Could someone please explain to me which method is better and why?

Floriated answered 30/3, 2013 at 10:10 Comment(0)
5

I would argue that it is better to pin the public key of the subject rather than the root CA's public key. Here is my understanding of the different trade-offs of pinning the root CA's pkey:

The good: As long as you keep that same CA, you will be able to update your certificate over and over again and it will always work.

The bad: I believe that you will be slightly more vulnerable to a MITM attack pinning the root CA's pkey instead of the subject's public key, since you will take as valid any certificate signed by that CA, instead of just those that really match your subject.

What about pinning the public key of the subject then? Basically you should be slightly safer than pinning the CA's public key, and your application should continue working even after the certificate expires and you renew it, as long as you maintain the same public key.

I just posted a question and solution on how to pin the public key; I hope it helps you: How to pin the Public key of a certificate on iOS

Synchroscope answered 31/3, 2013 at 10:55 Comment(0)
2

I would like to pin the public key of a root CA...

Just bike shedding, but it's probably more secure to pin the certificate or public key of the server or service, and not the root or an intermediate certificate. It's especially true if you are using a public CA like DigiCert or Verisign (as opposed to a private, corporate CA).

In the case of a public CA, the CA could incorrectly issue a second certificate and clients will not be able to differentiate the "real" certificate (the one issued to you) and the "fake" certificate (the one issued incorrectly). This has happened in real life a number of times, so you should expect it to happen again.

Is it better to pin the public key or the subjectPublicKeyInfo? Could someone please explain to me which method is better and why?

It is better to pin the public key (at least in the case of pinning a server certificate).

Some organizations, like Google, rotate their server certificates every 30 days or so. However, they re-certify the same public key. See, for example, Android 4.2 and Pinning. That means you will observe "key continuity" but not "certificate continuity".

Re-certifying the same public key is why CertPatrol fails so badly in some cases in the user experience. We really need a Public Key Patrol in cases like Google services.

Fein answered 9/6, 2014 at 23:11 Comment(0)
0

It is better to pin the SPKI (Subject Public Key Info) because it contains both the actual public key and the key's algorithm (RSA, ECDSA, etc.). This is described in more detail in this article from Google's TLS guru at https://www.imperialviolet.org/2011/05/04/pinning.html:

The SPKI includes the type of the public key and some parameters along with the public key itself. This is important because just hashing the public key leaves one open to misinterpretation attacks. Consider a Diffie-Hellman public key: if one only hashes the public key, not the full SPKI, then an attacker can use the same public key but make the client interpret it in a different group. Likewise one could force an RSA key to be interpreted as a DSA key etc.

One challenge with pinning the SPKI within an iOS App is that the Security framework on iOS does not provide APIs for parsing a certificate and extracting the SPKI bits (https://nabla-c0d3.github.io/blog/2015/08/11/security-framework-wish-list/).

The good news, though, is that an open-source library is available to do exactly that: https://github.com/datatheorem/TrustKit.

Rushing answered 7/4, 2016 at 1:54 Comment(0)
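
The difference between the two pin types discussed in the answers above, as an added example (not code from the original posts or from TrustKit): two constructed SubjectPublicKeyInfo structures carry the same key bits under different algorithm identifiers, and the code compares a pin over the bare key bits with a pin over the full SPKI. The key bytes, the helper names and the SHA-256/base64 pin format are assumptions made for illustration.

```python
import base64
import hashlib

def der(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV with a definite length (short or long form)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + body

def read_tlv(buf: bytes, off: int = 0):
    """Return (tag, body, offset_after) for the TLV starting at off."""
    tag, n, off = buf[off], buf[off + 1], off + 2
    if n & 0x80:
        k = n & 0x7F
        n, off = int.from_bytes(buf[off:off + k], "big"), off + k
    return tag, buf[off:off + n], off + n

def spki(alg_oid: bytes, params: bytes, key_bits: bytes) -> bytes:
    """SubjectPublicKeyInfo ::= SEQUENCE { AlgorithmIdentifier, BIT STRING }."""
    alg = der(0x30, der(0x06, alg_oid) + params)
    return der(0x30, alg + der(0x03, b"\x00" + key_bits))

def key_bits_of(spki_der: bytes) -> bytes:
    """Strip the AlgorithmIdentifier and return only the raw key bits."""
    _, seq, _ = read_tlv(spki_der)
    _, _, off = read_tlv(seq)            # skip AlgorithmIdentifier
    tag, bits, _ = read_tlv(seq, off)
    if tag != 0x03:
        raise ValueError("expected BIT STRING")
    return bits[1:]                      # drop the unused-bits count byte

def pin(data: bytes) -> str:
    """Base64 of SHA-256, a common pin representation (assumed here)."""
    return base64.b64encode(hashlib.sha256(data).digest()).decode()

def compare(a: bytes, b: bytes) -> dict:
    """Do two SPKIs match under a bare-key pin, and under a full-SPKI pin?"""
    return {"bare_key": pin(key_bits_of(a)) == pin(key_bits_of(b)),
            "spki": pin(a) == pin(b)}

OID_RSA = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption
OID_DSA = bytes.fromhex("2a8648ce380401")      # 1.2.840.10040.4.1 id-dsa
KEY = bytes(range(64))                         # constructed placeholder, not a real key
SPKI_RSA = spki(OID_RSA, b"\x05\x00", KEY)     # NULL parameters
SPKI_DSA = spki(OID_DSA, b"", KEY)             # parameters omitted (constructed)

if __name__ == "__main__":
    print(compare(SPKI_RSA, SPKI_DSA))
```

A client that pins only the key bits accepts both structures as the same key; a client that pins the full SPKI rejects the one whose algorithm identifier differs.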
