
Jeroen Willemsen - To pin or not to pin

This was presented at the Swift Usergroup Netherlands. Would you like to speak/present? Visit https://swift.amsterdam for more information.

Should you pin? And if so, on what: the certificate or the public key? Should you use HTTP Public Key Pinning? And to which certificate: leaf, intermediate or root? And how can you do this easily on iOS? In this talk we briefly go through the highlights of pinning on mobile and, if you do pin, how best to apply it.

Jeroen Willemsen (https://www.twitter.com/commjoenie) is a security architect at Xebia with a passion for mobile and risk management. He is dedicated to helping developers, product owners and architects take security seriously in their daily development life (but not too seriously, of course ;-)).

Swift Usergroup Netherlands

November 28, 2017

Transcript

  1. To pin or not to pin. Swift User Group, version 0x3: Security. Jeroen Willemsen

  2. Agenda
    - MASVS & MSTG
    - Should you pin?
    - Where to pin to?
    - Hardcode vs HTTP Public Key Pinning
    - Pinning in iOS
    - Basic verification
    - Anti-anti pinning techniques
    - Recap

  3. OWASP MASVS & MSTG
    - Mobile Application Security Verification Standard (MASVS): https://github.com/OWASP/owasp-masvs
    - Mobile Security Testing Guide (MSTG): https://github.com/OWASP/owasp-mstg

  5. Should you pin? Is your organisation mature enough?
    - Pinning requires proper certificate lifecycle management: you must know which key or certificate is live, when it rotates, and ship the next pin before that happens.
    - The in-app implementation is only the next step after that.
    - And how about protecting the private key? A pin is only as strong as the key it points at.

  6. Should you pin?
    Pin when you have something valuable to protect and when you do not trust PKIX (the set of CAs the device trusts by default).

  7. Should you pin?
    Pinning does NOT protect against local attacks (an attacker who controls the device or the app process can patch the check out). That is where other controls come into play.

  9. Where to pin to?
    An X.509 certificate consists of the following fields:
      - Version
      - Certificate Serial Number
      - Certificate Algorithm Identifier for the Certificate Issuer's Signature
      - Issuer
      - Validity Period
      - Subject
      - Subject Public-Key Information (SPKI): Algorithm Identifier and Public-key Value
      - Issuer Unique Identifier
      - Subject Unique Identifier
      - Extensions
      - Certification Authority's Digital Signature
    Certificate pinning pins the whole certificate; public key pinning pins only the Subject Public-Key Information (the SPKI fingerprint).

  10. Where to pin to?

      What                  | Certificate pinning                | SPKI / public key pinning
      ----------------------|------------------------------------|--------------------------------------------------
      Ease of installation  | Just use the cert: easiest         | Getting easier recently
      Expiry                | When the cert expires              | When you stop using the public key
      Challenges            | - CAs might have multiple certs    | - How long can you keep using the same public key?
                            | - Has to be updated more often     | - Using a self-signed CA? Still needs a trust store...

  11-14. Where to pin to? Leaf vs root certificates
    (Diagram over four slides: a Root CA issues intermediate certs, each intermediate issues many leaf certs, one of which is yours. The following slides add a compromised intermediate and additional root CAs to the same picture.)

  16. Hardcode it or use HTTP Public Key Pinning: hardcoding
    Hardcode: programmatically define in the app which cert/key you pin to. The TLS connection to the leaf cert stops working if that key/cert is no longer there. Add the future public key? Yes: the pin set ships with the app, so the next key has to be in the app (as a backup pin) before the server switches to it, or every user is locked out until they update.

  17. Hardcode it or use HTTP Public Key Pinning: HPKP
    - HTTP Public Key Pinning, RFC 7469
    - Trust On First Use, which also means Vulnerable On First Use: the first connection is not pinned yet
    - Requires a backup pin
    Example header (report-only mode, pins from the RFC):
      Public-Key-Pins-Report-Only: max-age=2592000;
        pin-sha256="E9CZ9INDbd+2eRQozYqqbQ2yXLVKB9+xcprMF+44U1g=";
        pin-sha256="LPJNul+wow4m6DsqxbninhsWHlwfp0JecwQzYpOLmCQ=";
        report-uri="https://other.example.net/pkp-report"
    Note: the major browsers have since deprecated and removed HPKP support, and a native app does not process this header anyway, so for an app you control the hardcoded pin set is the practical route.

  19. Get the materials to pin
    - Certificate: download & save it
        openssl s_client -showcerts -servername your.sub.domain -connect your.sub.domain:443 </dev/null
      (-servername sends SNI so a multi-host server returns the right certificate; </dev/null closes the session so the command terminates.)
    - Public key:
        - Use your app program code to extract it programmatically from your cert, or
        - extract the SubjectPublicKeyInfo in DER form with openssl. `openssl pkey -pubin` handles RSA and EC keys, where `openssl rsa -pubin` only handles RSA. The `-outform der` output is already binary, so it is written to the file directly:
        openssl s_client -servername www.google.com -connect www.google.com:443 -CAfile rootcert.pem </dev/null | openssl x509 -pubkey -noout | openssl pkey -pubin -outform der > publickey.der

  20. Get the materials to pin
    - Hash over the SPKI (this base64 SHA-256 value is the pin-sha256 pin):
        openssl s_client -servername www.github.com -connect www.github.com:443 -CAfile rootcert.pem </dev/null | openssl x509 -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64
    - To pin an intermediate or the root instead of the leaf, feed that certificate's PEM (from the -showcerts output) into the same `openssl x509 -pubkey -noout | ...` tail.

  21. Pinning in iOS: using NSURLConnection
    - canAuthenticateAgainstProtectionSpace: and didReceiveAuthenticationChallenge: are DEPRECATED
    - Use instead: optional func connection(_ connection: NSURLConnection, willSendRequestFor challenge: URLAuthenticationChallenge)
    - NSURLConnection itself has been deprecated since iOS 9; with URLSession the same logic goes into the delegate method urlSession(_:didReceive:completionHandler:).

  22. Pinning in iOS: using NSURLConnection, inside connection(_ connection: NSURLConnection, willSendRequestFor challenge: URLAuthenticationChallenge)
    1. Load the certificate you ship with the app, in .DER format
    2. Get the remote certificate you want to pin to using SecTrustGetCertificateAtIndex (index 0 is the leaf)
    3. Evaluate the server trust (normal chain and hostname validation; pinning is added on top of it, not instead of it)
    4. Verify that the loaded certificate (or its public key) is the same as the selected remote certificate

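The four steps above, carried out against URLSession (the non-deprecated API) with SPKI hashes rather than whole certificates, as an added Swift example that is not from the talk. It assumes iOS 12 or later (SecTrustEvaluateWithError, SecCertificateCopyKey), the host name your.sub.domain from the earlier slides, placeholder pin values, and only handles RSA-2048/4096 and EC P-256 keys (any other key type is treated as a non-match). The hash it computes matches the `openssl ... | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64` pipeline, so pins produced there can be pasted in directly.

```swift
import Foundation
import Security
import CommonCrypto

// Added example (not from the talk): SPKI pinning for URLSession, following the
// four steps on the slide. Assumes iOS 12+ (SecTrustEvaluateWithError,
// SecCertificateCopyKey). The host name and pin values used below are placeholders.
final class SPKIPinningDelegate: NSObject, URLSessionDelegate {
    private let pinnedHost: String
    private let pinnedHashes: Set<String>   // base64(SHA-256(SubjectPublicKeyInfo DER))

    init(host: String, pins: Set<String>) {
        pinnedHost = host
        pinnedHashes = pins
    }

    // SecKeyCopyExternalRepresentation returns the bare key (PKCS#1 for RSA, the
    // X9.63 point for EC), not a SubjectPublicKeyInfo. Prepending the fixed ASN.1
    // header for the key type turns it into the SPKI that openssl hashes.
    private static let rsa2048Header: [UInt8] = [
        0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86,
        0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00]
    private static let rsa4096Header: [UInt8] = [
        0x30, 0x82, 0x02, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86,
        0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x02, 0x0f, 0x00]
    private static let ecP256Header: [UInt8] = [
        0x30, 0x59, 0x30, 0x13, 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02,
        0x01, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07, 0x03,
        0x42, 0x00]

    /// Base64 SHA-256 over the SPKI of `key`, or nil for key types without a header above.
    static func spkiHash(of key: SecKey) -> String? {
        guard let attrs = SecKeyCopyAttributes(key) as? [String: Any],
              let type = attrs[kSecAttrKeyType as String] as? String,
              let bits = attrs[kSecAttrKeySizeInBits as String] as? Int,
              let raw = SecKeyCopyExternalRepresentation(key, nil) as Data? else {
            return nil
        }
        let header: [UInt8]
        if type == (kSecAttrKeyTypeRSA as String) && bits == 2048 {
            header = rsa2048Header
        } else if type == (kSecAttrKeyTypeRSA as String) && bits == 4096 {
            header = rsa4096Header
        } else if type == (kSecAttrKeyTypeECSECPrimeRandom as String) && bits == 256 {
            header = ecP256Header
        } else {
            return nil   // unsupported key type/size: the caller treats this as "no match"
        }
        var spki = Data(header)
        spki.append(raw)
        var digest = [UInt8](repeating: 0, count: Int(CC_SHA256_DIGEST_LENGTH))
        spki.withUnsafeBytes { buf in
            _ = CC_SHA256(buf.baseAddress, CC_LONG(spki.count), &digest)
        }
        return Data(digest).base64EncodedString()
    }

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        // Only act on server-trust challenges for the pinned host; everything else
        // (client-certificate challenges, other hosts) keeps the system default.
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              challenge.protectionSpace.host == pinnedHost,
              let trust = challenge.protectionSpace.serverTrust else {
            completionHandler(.performDefaultHandling, nil)
            return
        }
        // Step 3: ordinary PKIX chain and hostname evaluation first. Pinning is an
        // extra check on top of this, never a replacement for it.
        var evalError: CFError?
        guard SecTrustEvaluateWithError(trust, &evalError) else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }
        // Steps 2 and 4: walk the verified chain (index 0 is the leaf) and accept as
        // soon as one certificate's SPKI hash is in the pin set. Pinning an
        // intermediate's key therefore works exactly like pinning the leaf's.
        for index in 0..<SecTrustGetCertificateCount(trust) {
            guard let cert = SecTrustGetCertificateAtIndex(trust, index),
                  let key = SecCertificateCopyKey(cert),
                  let hash = SPKIPinningDelegate.spkiHash(of: key) else { continue }
            if pinnedHashes.contains(hash) {
                completionHandler(.useCredential, URLCredential(trust: trust))
                return
            }
        }
        completionHandler(.cancelAuthenticationChallenge, nil)   // no pin matched: fail closed
    }
}

// Usage. Placeholder pins: paste the base64 output of the openssl pipeline, and
// keep a backup pin for the next key so a rotation cannot lock users out.
let pinning = SPKIPinningDelegate(host: "your.sub.domain",
                                  pins: ["<current SPKI hash>", "<backup SPKI hash>"])
let session = URLSession(configuration: .default, delegate: pinning, delegateQueue: nil)
```

Two design points: the delegate fails closed (any path that does not end in a matched pin cancels the challenge), and it accepts a match anywhere in the evaluated chain, so the same code serves whichever of leaf, intermediate or root you decide to pin to. Step 1 on the slide (loading a shipped .DER file) is replaced by shipping the hashes; if you would rather compare certificates, compare `SecCertificateCopyData` of the shipped and remote certificates instead of the SPKI hashes.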
  23. Pinning in iOS: using Alamofire (Alamofire 4 naming)
    1. Set up a ServerTrustPolicy with the certificates (or public keys) from your bundle, keyed by host:

       let serverTrustPolicies: [String: ServerTrustPolicy] = [
           "your.sub.domain": .pinCertificates(
               certificates: ServerTrustPolicy.certificates(),   // all .cer/.der files in the main bundle
               validateCertificateChain: true,                   // keep normal PKIX validation on
               validateHost: true
           )
           // or pin keys instead:
           // .pinPublicKeys(publicKeys: ServerTrustPolicy.publicKeys(),
           //                validateCertificateChain: true, validateHost: true)
       ]

    2. Initialize the SessionManager with a ServerTrustPolicyManager holding those policies:

       let sessionManager = SessionManager(
           serverTrustPolicyManager: ServerTrustPolicyManager(policies: serverTrustPolicies)
       )

  24. Pinning in iOS: alternative, TrustKit
    1. Get the pins (base64 SPKI hashes) you want to pin to.
    2. Enter them in your Info.plist (TSKConfiguration > TSKPinnedDomains > TSKPublicKeyHashes) or initialize TrustKit programmatically with a configuration that specifies the pins.
    3. In your URLSession delegate's challenge method, hand the challenge to TrustKit and evaluate its result:

       TSKPinningValidator *pinningValidator = [[TrustKit sharedInstance] pinningValidator];
       if (![pinningValidator handleChallenge:challenge completionHandler:completionHandler]) {
           // Not a server-trust challenge for a pinned domain: fall back to default handling
           completionHandler(NSURLSessionAuthChallengePerformDefaultHandling, NULL);
       }

  26. Basic verification
    1. Set up Burp.
    2. Generate a certificate for the given domain and install it on your device (install Burp's CA certificate so the device trusts the certificates Burp generates).
    3. Proxy your device through Burp.
    4. Try to connect with your app to the designated domain.
      - You can? Then you pinned wrongly: the app accepted a certificate that is not yours.
      - Repeat the same process, now with a wrong hostname in step 2, to check that hostname validation is still in place.
      - You cannot connect in either case? BASIC verification completed.

  28. Anti-anti pinning techniques
    - Payload encryption (so an attacker who strips the pin still cannot read the traffic):
      - Using asymmetric crypto
      - Using the Secure Remote Password (SRP) protocol
      - Using other password-authenticated key exchange (PAKE) protocols
    - Slow down the attacker:
      - Anti-reverse engineering controls (obfuscation)
      - Tamper detection

  30. Recap
    - Pin only if you have to
    - Choose your pinning strategy wisely
    - Make sure you only pin when your organization is ready
    - Validate your pinning implementation