Certificate Pinning – Brief up!

Hey! There is a concept called Certificate Pinning in mobile apps (Android and iOS). I wanted to take a look at it conceptually and understand why it is needed. So here I go.

I found this great post #1 https://blog.approov.io/securing-https-with-certificate-pinning-on-android that gives a detailed, practical intro to certificate pinning. What I could understand is as follows:

  1. You have an app interacting with a server.
  2. Now you want that, during the HTTPS handshake, your app only communicates with this server and no other.
  3. So you pin the certificate of that server into your app (possibly hard coded, maybe).
  4. So that all your requests would only go to that server.

It is better to frame it as follows:

  1. You have a browser that wants to connect to google.com.
  2. Now a handshake would take place between your browser and google.com, such that your browser would get a certificate from google.com which can then be used to establish a secure connection.
  3. But suppose another person tricks a DNS service into also resolving the domain google.com to his/her own server.
  4. How can your browser tell which domain is legitimate?
  5. Here comes the role of certificate pinning. Your app (the browser) can pin the certificate of the real google.com (the server your app wants to communicate with), so that even if the fraudulent domain tries to establish a connection with you, your app can reject its request.

That's the story in short. It is elaborated in #1.

The paragraph that tricked me in #1 is as follows:

> The easiest way to pin is to use the server’s public key or the hash of that public key. The hashed public key is the most flexible and maintainable approach since it allows certificates to be rotated in the server, by signing the new one with the same public key. Thus the mobile app does not have to be updated with a new pin because the hash for the public key of the new certificate will continue to match the pin provided in the network security config file. We will see an example of this later when we talk about how to setup certificate pinning.

https://blog.approov.io/securing-https-with-certificate-pinning-on-android

I couldn't understand the difference between public key, certificate, pin and digest. All these things appear to be related and similar. But what is the difference?

The answer by Ian Boyd in #2 https://stackoverflow.com/questions/40404963/how-do-i-get-public-key-hash-for-ssl-pinning clears all of my doubts. 🙂

  1. Public Key: Any openssl public key is nothing but a number of XXXX bits (can be 1024, 2048, 4096, etc.). These binary bits are converted to base64 so that we can read them as alphanumeric text.
  2. Certificate: It contains the public key and other information like the certificate issuer, expiration date, etc.
  3. Digest, also known as the pin (the noun) == the SHA-256 hash of the public key.
  4. So you actually pin (the verb) this digest in your app for certificate pinning.
  5. This pin (the noun) is nothing but the hash of the public key of the server.
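To make the public key / certificate / pin distinction concrete, here is an added example (not from #1 or #2) that computes the pin exactly as described: base64(SHA-256(DER-encoded SubjectPublicKeyInfo)). It assumes openssl is installed; the key, the two "rotated" certificates and the unrelated certificate are all constructed on the fly, so it runs offline.

```shell
#!/bin/sh
# Pin of a certificate: hash the DER SubjectPublicKeyInfo, not the whole cert.
# This is the value that goes into <pin digest="SHA-256"> in an Android
# network security config (or an HPKP pin-sha256 header).
spki_pin() {
  openssl x509 -in "$1" -pubkey -noout \
    | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 -binary \
    | openssl enc -base64
}

# Pin derived from the private key alone: every certificate issued for this
# key, now or after rotation, will carry this same pin.
key_pin() {
  openssl pkey -in "$1" -pubout -outform DER \
    | openssl dgst -sha256 -binary \
    | openssl enc -base64
}

# Check a certificate against a space-separated list of trusted pins
# (a primary pin plus a backup pin, as a pin set would contain).
# Returns 0 if the cert's pin is in the set, 1 otherwise.
pin_matches() {
  cert_pin=$(spki_pin "$1")
  for trusted in $2; do
    [ "$cert_pin" = "$trusted" ] && return 0
  done
  return 1
}

# Constructed demo material (hypothetical host name api.example.test):
# one server key with two self-signed certs (simulated certificate
# rotation, same key) and a second cert on a different key.
make_demo() {
  dir=$(mktemp -d)
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$dir/server.key" 2>/dev/null
  openssl req -new -x509 -key "$dir/server.key" -subj "/CN=api.example.test" -days 30 -out "$dir/cert_v1.pem" 2>/dev/null
  openssl req -new -x509 -key "$dir/server.key" -subj "/CN=api.example.test" -days 365 -out "$dir/cert_v2.pem" 2>/dev/null
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$dir/other.key" 2>/dev/null
  openssl req -new -x509 -key "$dir/other.key" -subj "/CN=api.example.test" -days 30 -out "$dir/cert_other.pem" 2>/dev/null
  echo "$dir"
}
```

Both rotated certificates yield the same 44-character pin as the key itself, while the certificate on the other key does not, even though its subject name is identical.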

That’s it. Thank you!
