Jump to content

HTTP Public Key Pinning

From Wikipedia, the free encyclopedia

This is an old revision of this page, as edited by DavisNT (talk | contribs) at 21:02, 9 August 2015. The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.

HTTP Public Key Pinning (HPKP) is a trust on first use security mechanism which protects HTTPS websites from impersonation using fraudulent certificates issued by compromised certificate authorities.[1] The security context or pinset data is supplied by the site or origin.[citation needed]

The HPKP policy is communicated by the server to the user agent via a HTTP response header field named Public-Key-Pins (or Public-Key-Pins-Report-Only for reporting-only purposes). The HPKP policy specifies hashes of the subject public key info of one of the certificates in the website's authentic X.509 public key certificate chain (and at least one backup key) in pin-sha256 directives, and a period of time during which the user agent shall enforce public key pinning in max-age directive, optional includeSubDomains directive to include all subdomains (of the domain that has send the header) in pinning policy and optional report-uri directive with URL where to send pinning violation reports. At least one of the public key of the certificates in the certificate chain needs to match a pinned public key in order for the chain to be considered valid by the user agent. At the time of publishing RFC 7469 only allowed hash algorithm is SHA-256. Hashes for HPKP policy can be generated by POSIX shell commands mentioned in Appendix A. of RFC 7469 or third party tools.

A website operator can choose to either pin the root certificate public key of a particular root certificate authority, allowing only that certificate authority (and all intermediate authorities signed by it's key) to issue valid certificates for the website's domain, and/or to pin the key(s) of one or more intermediate issuing certificates, or to pin the end-entity public key. At least one backup key must be pinned, in case the current pinned key needs to be replaced. The HPKP is not valid without this backup key (a backup key is defined as a public key not present in the current certificate chain)[2]

HPKP is standardized in RFC 7469.[1] It expands on static certificate pinning, which hardcodes public key hashes of well-known websites or services within web browsers and applications.[3]

Chromium browser disables pinning for certificate chains with private root certificates to enable various corporate content inspection scanners [4] and web debugging tools (such as Fiddler). The RFC 7469 standard also recommends disabling pinning violation reports for such certificate chains.[5]

See also

References

  1. ^ a b "RFC 7469 - Public Key Pinning Extension for HTTP". tools.ietf.org. Retrieved 2015-05-07.
  2. ^ "About Public Key Pinning". noncombatant.org. Retrieved 2015-05-07.
  3. ^ "Certificate and Public Key Pinning - OWASP". www.owasp.org. Retrieved 2015-05-07.
  4. ^ "Security FAQ - The Chromium Projects". www.chromium.org. Retrieved 2015-07-07.
  5. ^ "RFC 7469 - Public Key Pinning Extension for HTTP". tools.ietf.org. Retrieved 2015-07-07.
Retrieved from "https://en.wikipedia.org/w/index.php?title=HTTP_Public_Key_Pinning&oldid=675319730"