Identity Pinning: A New Approach to Certificate Validation

Just Published: RFC 8672 on Server Identity Pinning – a modern, lightweight alternative to certificate pinning #

The RFC Editor just published RFC 8672, a specification that can potentially make TLS deployments much more secure by virtually eliminating the risk of forged public-key certificates.

For many years we have been seeing attacks on certificate authorities (CAs). All CAs are essentially created equal, and if a rogue CA issues a certificate for example.com and hands it to a malicious server, there’s nothing to stop clients from connecting to the server and trusting its identity. The same is true for servers located behind enterprise firewalls. A rogue CA could just as well issue a fake certificate for finance-dept.example.com, regardless of whether it can access the server or not.

An often used approach within enterprise networks is certificate pinning. Normally we trust a server certificate because it is the last component of a certificate chain: a chain that starts with CAs that are widely known, and are configured into the TLS client (the browser, typically), contains one or two lesser “intermediate” CAs, and ends with the server certificate. Each of these chained certificates is digitally signed by the one above it.

pins-1358849_800.jpg
Photo: Brett Hondow, Pixabay

Certificate pinning, the solution that we are replacing, forgoes the certificate chain in favor of direct trust in the server’s certificate, which is stored in the client’s certificate store. Unfortunately, certificate pinning is a management nightmare: every time the server’s certificate is reissued – typically once a year – all clients need to be updated with the new certificate. A variant of this approach is to pin the CA, instead of the server certificate, by having all clients remember that the certificate for example.com must only be issued by my-favorite-ca.com. This works quite well… until the company decides to migrate to cheaper-ca.com. Then, all clients need to be updated with the new CA, a major pain. For this reason and others, internet standards for certificate pinning have not seen wide deployment.

In an attempt to simplify this solution, we came up with the identity pinning notion, based on the Trust-on-First-Use (TOFU) principle:

The first time a client connects to a server, they both compute a secret value based on the TLS handshake. The server sends back to the client an opaque (encrypted) ticket that contains this secret. The client that already computed the secret independently, stores the ticket along with the secret for future use. Note the trust-on-first-use element here: the server authenticates itself the good old fashioned way, using only its certificate.

Pinning_ Initial Connection.pngInitial Connection

On any subsequent connection, the client sends the ticket to the server. Only the genuine server is able to decrypt the ticket, obtain the secret and send back a proof that indeed, it knows the secret. The client now verifies the proof. If the proof is correct, the TLS handshake completes successfully and the connection is established. Otherwise, poof  –  the TLS handshake is aborted.
Pinning_ Subsequent Connection.pngSubsequent Connection (Simplified)

What we have gained is second-factor authentication for the server. The TLS server not only needs to present a valid certificate, as usual, it also needs to prove that it possesses the secret that’s needed to decrypt the ticket, proving its legitimacy.

This all happens automatically with no need to configure anything, either on the client or the server side. It is also independent of the server’s certificate (hence identity pinning), which eliminates the complexity inherent in certificate pinning solutions. 

You may want to read the RFC for the lowdown on this protocol. We learned from other people’s experience, and the protocol has quite a few features that make it attractive for real-life use:

tls13.png

We have implemented the Identity Pinning protocol but due to the slow pace of standardization, the implementation is somewhat outdated by now. If you plan to implement the protocol, feel free to reach out to the authors (Daniel Migault and myself) with any questions.

 
10
Kudos
 
10
Kudos

Now read this

HTTP Message Signatures in Go, by the Book

There are many good reasons to sign HTTP messages, to ensure authenticity and integrity of HTTP service calls (a.k.a. REST APIs). Now that RFC 9421 is finally published, we can expect many people to migrate from provisional and... Continue →