[websec] Pin activation in HPKP

Trevor Perrin <trevp@trevp.net> Tue, 16 April 2013 00:23 UTC

Return-Path: <trevp@trevp.net>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id C131421E8037 for <websec@ietfa.amsl.com>; Mon, 15 Apr 2013 17:23:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.479
X-Spam-Status: No, score=0.479 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FH_RELAY_NODNS=1.451, FM_FORGED_GMAIL=0.622, RCVD_IN_PBL=0.905, RDNS_NONE=0.1]
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id 62oy4i0FOzzs for <websec@ietfa.amsl.com>; Mon, 15 Apr 2013 17:23:35 -0700 (PDT)
Received: from mail-wi0-x233.google.com (mail-wi0-x233.google.com [IPv6:2a00:1450:400c:c05::233]) by ietfa.amsl.com (Postfix) with ESMTP id 29DCF21E8041 for <websec@ietf.org>; Mon, 15 Apr 2013 17:23:34 -0700 (PDT)
Received: by mail-wi0-f179.google.com with SMTP id hn17so2103939wib.0 for <websec@ietf.org>; Mon, 15 Apr 2013 17:23:34 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:x-received:x-originating-ip:date:message-id:subject :from:to:content-type:x-gm-message-state; bh=zEzHib+Hy0k4fb68c5eQ67SWxUc1Q1bD+lxuyGwij8w=; b=mvH80w75wzwLVY5eYAKPIGc70+0HpLSeT8xyARLXzONtLa96Mia+BtsjdsKB7PYt5q MQ0K3gbdmoPia3YSvOhkX+1EDXUfMqsKGDLvdAtqzum53KRElAQKsni7niTKeMuRcr3I 8qFD1x/O1Kb0EYP5xcB6YuLRNPcKu2riRa4ZaoiooRpcKiTNJj5M2CH3woamPOt5Ss/+ 723o2+Lc8j0VkWB7m3x8EgVnIfVPI4KOyHrKK8+91zfrhktvkJ+MTEs5Ti9WO/XqG/4V QxkWT2UIr7X67JFyEItvsPLcw1ZdOpnNMMmvOoFOTuVR/y8vP1eQsrcUf/DOD+hQ3Ho1 N8AQ==
MIME-Version: 1.0
X-Received: by with SMTP id k9mr15401076wic.6.1366071814225; Mon, 15 Apr 2013 17:23:34 -0700 (PDT)
Received: by with HTTP; Mon, 15 Apr 2013 17:23:34 -0700 (PDT)
X-Originating-IP: []
Date: Mon, 15 Apr 2013 17:23:34 -0700
Message-ID: <CAGZ8ZG2L0E-Ya0hWmZ5jMrB6rqFBsnwY6Y-2rieP8arSGYoR8Q@mail.gmail.com>
From: Trevor Perrin <trevp@trevp.net>
To: IETF WebSec WG <websec@ietf.org>
Content-Type: text/plain; charset=ISO-8859-1
X-Gm-Message-State: ALoCoQk29ygC+vAbh8rq/5/hNkBxO157vN32u6vQQ+28sJnR3jaUvtE9zVEyURqXGQCTWKAXHXP/
Subject: [websec] Pin activation in HPKP
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 16 Apr 2013 00:23:39 -0000

Hi websec,

Long email, sorry!

TLDR:  HPKP could do TACK-like "pin activation" for safer pinning.


At one point, the HPKP draft mentioned "pin activation" a la TACK [1].
 In TACK's algorithm, a client has to observe a pin assertion multiple
times before "activating" a pin.  After the first observation,
subsequent observations cause the pin to be activated for a period
equal to the span in which the client has observed the assertion, or a
max of 30 days.

The goal of this is to limit damage from malicious or mistaken "bad
pins", with a side benefit of simplifying deployment:

 * If connections to a domain are being hijacked (due to DNS
hijacking, domain name theft, an intercepted Wifi connection, etc.),
and the attacker is atttempting to set a malicious pin, the resultant
pin will not last longer than the attacker has already controlled the
connection for (e.g., if you're at a coffee-shop for 2 hours, it can't
set bad pins that last more than 2 hours; if a domain name is hijacked
for 2 days, bad pins will expire 2 days afterwards; etc.)

 * If a site advertises bad pins for itself, perhaps due to a
configuration mistake, a hacker, or a disgruntled system
administrator, damage will be limited if the mistake is noticed and
corrected quickly.

 * Since pin lifetimes are automatically scaled in a way which allows
safe rollout (with quick removal an option if things go wrong), we can
potentially do without an explicit max-age, making deployment simpler
(one less knob the deployer has to turn).


I had discussed this with Chris and Ryan, and applying this algorithm
to HPKP seemed difficult.  The algorithm requires clients make
observations which either "confirm" or "contradict" an existing pin.
This has three complications in HPKP:

First, an HPKP header may assert a list of pinned keys which overlaps
but doesn't exactly match a previous header.  It's not instantly
obvious how to handle this.

Second, a TACK pin requires a matching tack to be present in every
(non-resumed) TLS handshake, or the pin is contradicted.  Thus, a bad
pin set by an attacker can be contradicted when the client visits the
legitimate site, whether the legitimate site is aware of TACK or not.
In HPKP, on the other hand, HPKP headers are *not* required to be
present in HTTP responses from pinned sites, so there wouldn't be as
much benefit from regular sites "contradicting" bad pins.

Third, "include_subdomains" (which TACK does not have) adds a wrinkle
(if a pin is set at A.com, can B.A.com activate it?, etc.)


On further thought, I think the first problem can be solved by
adapting TACK's "overlapping pins" notion, where a client can have 2
pins active at once: this allows the new pin to be activated *prior
to* removing the old one.

The second problem may or may not be solvable, depending on whether
HPKP is willing to require HPKP headers be present in responses from a
pinned site.  However, I think the algorithm has value even without

The third problem (include_subdomains) needs more analysis.  There are
ways pin activation could work with include_subdomains, but it adds
more complexity.  I'm not quite sure the value of
"include_subdomains".  According to HSTS [2] section 14.4, it protects
cookies.  But there are other ways to protect cookies (see the TACK
draft section 8.1) which are usable by all sites, not just those
willing to pin their subdomains.  And cookies should be replaced
anyways, which I believe this WG is looking into.


Anyways, here's a sketch of a "pin activation" algorithm for HPKP.
This algorithm is basically the same as TACK (section 4.3.4), so it
creates opportunites for sharing code / analysis / deployment advice
etc.  I'm omitting "max-age" and "includeSubdomains", but if the group
is interested, we can discuss how to do them.

Definition of "HPKP pin":
 - a set of public-key hashes
 - "initial time" when pin was created
 - "end time" when pin ceases to be active (or 0)

Definition of "HPKP pin assertion":
 - A set of public key hashes presented in an HPKP header

A client may store 0, 1, or 2 HPKP pins for a single domain name.  A
server may present 0, 1, or 2 HPKP pin assertions in a single HTTP
response header (syntax TBD).

Client connections to domains with an active pin or pins MUST match
these pins or the connection is considered "contradicted" by the pin
(e.g. if a client has 2 active pins for "example.com", the connection
must have a certificate path that overlaps at least one key from each

If the connection is not contradicted, then the following steps are performed:
 1. Any inactive pins are deleted if they don't overlap the
certificate chain, or if there is an HPKP header that doesn't reassert
the inactive pin.
 2. If there are pins that are re-asserted by the HPKP header (i.e. a
pin assertion lists the exact same keys as the pin), their active
period is set by:

  end_time = current + MIN(30 days, current - initial_time)

 3. Any new pin assertions create new inactive pins with initial_time
= current and end_time = 0.


So on deploying an initial pin assertion, clients will begin creating
and activating pins.  If problems are detected in the first (minutes /
hours / days) of rollout, the assertion can be taken down, and
problems will subside fairly quickly, as no client will have yet
activated a long-lived pin.

To change pins, the server simply deploys the new assertion alongside
the old one.  After 60 days, the old assertion may be removed.  This
guarantees that a client who is contacting the server at intervals of
30 days or less will never receive less than a full 30-day active
period, to either the new or old pin, during the transition.

If the server needs to switch more quickly from the old to new
assertion it can do so, but this may create a window where clients
have deleted the old pin but the new one is not yet receiving full
30-day active periods.  By allowing "overlapping" pins and pin
assertions, we avoid this in the case where servers are making
carefully-planned transitions from one pin to another.

Anyways, yes, this is complicated to analyze but it's fairly simple to
implement.  I'm sure I explained some of this badly, so please ask
questions!  I hope we can discuss this more...