Jeroen Willemsen - To pin or not to pin

Transcript

1. 
 To pin or not to pin SWIFT USER GROUP

   VERSION 0X3: SECURITY JEROEN WILLEMSEN

2. About me Jeroen Willemsen @commjoenie [email protected] “Security architect” “Full-stack developer”

   "Mobile security”

3. Agenda ! MASVS & MSTG ! Should you pin? !

   Where to pin to? ! Hardcode VS HTTP Public Key Pinning ! Pinning in iOS ! Basic verification ! Anti-anti pinning techniques ! Recap

4. OWASP MASVS & MSTG ! Mobile Application Security Verification Standard

   (MASVS) ! https://github.com/OWASP/ owasp-masvs ! Mobile Security Testing Guide (MSTG) ! https://github.com/OWASP/ owasp-mstg

5. Agenda ! MASVS & MSTG ! Should you pin? !

   Where to pin to? ! Hardcode VS HTTP Public Key Pinning ! Pinning in iOS ! Basic verification ! Anti-anti pinning techniques ! Recap

6. Basics first: TLS TLS

7. TLS is based on PKIX Root CA Intermediate Leaf cert

   TLS

8. Should you pin? Is your organisation mature enough? It takes

   proper certificate lifecycle management to pin! The in app implementation is just the next step! How about protecting the private key?

9. Should you pin? X Pin when you have something valuable

   to protect and when you don’t trust PKIX

10. Should you pin? Pinning does NOT protect against local attacks

    That’s where other controls come into play

11. Agenda ! MASVS & MSTG ! Should you pin? !

    Where to pin to? ! Hardcode VS HTTP Public Key Pinning ! Pinning in iOS ! Basic verification ! Anti-anti pinning techniques ! Recap

12. SPKI fingerprint Where to pin to? Version Certificate Serial Number

    Cerificate Algorightm Identifier for Certificae Issuer’s Signature Issuer Validity Period Subject Subject Public-Key Information Issuer Unique Identifier Subject Unique Identifier Extensions Algorithm Identifier Public-key Value Certification Authority’s Digital Signature Certificate pinning Public key

13. Where to pin to? What Certificate pinning SPKI/public key Ease

    of Installation Just use cert: easiest Getting easier recently Expiry When cert expires When you stop using the public key Challenges - CA’s might have multiple certs - Has to be updated more often - How long can you use that same public key? - Using a self-signed CA? … Still needs a trust-store..

14. Root CA Where to pin to? Leaf VS Root certificates

    Root CA Intermediate cert Intermediate cert Leaf cert Leaf cert Leaf cert Leaf cert Leaf cert Leaf cert Leaf cert Leaf cert Leaf cert Leaf cert Leaf cert Leaf cert Intermediate cert Yours

15. Root CA Root CA Root CA Root CA Intermediate cert

    Intermediate cert Leaf cert Leaf cert Leaf cert Leaf cert Leaf cert Leaf cert Leaf cert Leaf cert Leaf cert Leaf cert Leaf cert Leaf cert Intermediate cert Yours Com prom ised Interm ediate Where to pin to? Leaf VS Root certificates

16. Root CA Intermediate cert Intermediate cert Leaf cert Leaf cert

    Leaf cert Leaf cert Leaf cert Leaf cert Leaf cert Leaf cert Leaf cert Leaf cert Leaf cert Leaf cert Intermediate cert Yours Com prom ised Interm ediate Root CA Root CA Where to pin to? Leaf VS Root certificates

17. Root CA Intermediate cert Intermediate cert Leaf cert Leaf cert

    Leaf cert Leaf cert Leaf cert Leaf cert Leaf cert Leaf cert Leaf cert Leaf cert Leaf cert Leaf cert Intermediate cert Yours Com prom ised Interm ediate Root CA Root CA Where to pin to? Leaf VS Root certificates

18. Agenda ! MASVS & MSTG ! Should you pin? !

    Where to pin to? ! Hardcode VS HTTP Public Key Pinning ! Pinning in iOS ! Basic verification ! Anti-anti pinning techniques ! Recap

19. Hardcode it or use HTTP Public Key Pinning Leaf cert

    Hardcode: Programmatically define to which cert/key you pin. Stops if key/cert is no longer there. Add future public key? X TLS X

20. Hardcode it or use HTTP Public Key Pinning HTTP Public

    Key Pinning RFC 7469 Trust On First Use ! " Vulnerable On First Use Requires backup pin Public-Key-Pins-Report-Only: max-age=2592000; pin-sha256="E9CZ9INDbd+2eRQozYqqbQ2yXLVKB9+xcprMF+44U1g="; pin-sha256="LPJNul+wow4m6DsqxbninhsWHlwfp0JecwQzYpOLmCQ="; report-uri="https://other.example.net/pkp-report"

21. Agenda ! MASVS & MSTG ! Should you pin? !

    Where to pin to? ! Hardcode VS HTTP Public Key Pinning ! Pinning in iOS ! Basic verification ! Anti-anti pinning techniques ! Recap

22. Get the materials to pin ! Certificate: download & save

    ! openssl s_client -showcerts -connect your.sub.domain:443 ! Public key: ! Use your app program-code to extract it programmatically from your cert. ! openssl s_client -connect www.google.com:443 -CAfile rootcert.pem | openssl x509 -pubkey -noout | openssl rsa -pubin -outform der | openssl enc -base64 -d > publickey.der

23. Get the materials to pin ! Hash over SPKI !

    openssl s_client -connect www.github.com:443 -CAfile rootcert.pem | openssl x509 -pubkey -noout | openssl rsa -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64

24. Pinning in iOS ! Using NSURLConnection ! canAuthenticateAgainstProtectionSpace: & didReceiveAuthenticationChallenge:

    " DEPRECATED ! optional func connection(_ connection: NSURLConnection, willSendRequestFor challenge: URLAuthenticationChallenge)

25. Pinning in iOS !Using NSURLConnection: connection(_ connection: NSURLConnection, willSendRequestFor challenge:

    URLAuthenticationChallenge) 1. Load the certificate in .DER format 2. Get the remote certificate you want to pin to using SecTrustGetCertificateAtIndex 3. Evaluate the server trust 4. Verify that the loaded certificate (its public key) is the same as the selected remote certificate

26. Pinning in iOS !Using Alamofire: 1. Setup ServerTrustPolicy with the

    certificates (or keys) let serverTrustPolicy = ServerTrustPolicy.PinCertificates( certificates: ServerTrustPolicy.certificatesInBundle(), validateCertificateChain: true, validateHost: true ) //or keys: pinPublicKeys 2. Initialze the serverTrustPolicyManager with the policy let sessionManager = SessionManager( serverTrustPolicyManager: ServerTrustPolicyManager(policies: serverTrustPolicies) )

27. Pinning in iOS ! Alternative: Trustkit 1. Get the pins

    you want to pin to 2. Enter them in your Info.plist file or programmatically initiate the TrustKit with a configuration that specify the pins 3. In your URLSession completionhandler use TSKPinningValidator *pinValididator= [[TrustKit sharedInstance] pinningValidator]; and evaluate [pinningValidator handleChallenge:challenge completionHandler:completionHandler]

28. Agenda ! MASVS & MSTG ! Should you pin? !

    Where to pin to? ! Hardcode VS HTTP Public Key Pinning ! Pinning in iOS ! Basic verification ! Anti-anti pinning techniques ! Recap

29. Basic verification 1. Setup Burp 2. Generate a certificate for

    the given domain and install it on your device 3. Proxy your device through Burp 4. Try to connect with your app to the designated domain. ! You can? Then you pinned wrongly ! Repeat same process, now with wrong hostname in step 2. ! You cannot? BASIC verification completed

30. Your secure connection Demo time!

31. Basic verification with ZAP and DVIA OS DVIA app Network

    + SSL killswitch

32. Your secure connection

33. Agenda ! MASVS & MSTG ! Should you pin? !

    Where to pin to? ! Hardcode VS HTTP Public Key Pinning ! Pinning in iOS ! Basic verification ! Anti-anti pinning techniques ! recap

34. Anti anti pinning techniques ! Payload encryption: ! Using asymmetric

    crypto ! Using Secure Remote Password protocol ! Using other Password Agreement Key Exchange (PAKE) protocols ! Slow down the attacker: ! Anti-reverse engineering controls (obfuscation) ! Tamper detection

35. Agenda ! MASVS & MSTG ! Should you pin? !

    Where to pin to? ! Hardcode VS HTTP Public Key Pinning ! Pinning in iOS ! Basic verification ! Anti-anti pinning techniques ! recap

36. Recap ! Pin only if you have to ! Choose

    your pinning strategy wisely ! Make sure you only pin when your organization is ready ! Validate your pinning implementation

37. Questions?

38. Thank you!