IETF Logo Mail Archive

[websec] wrt "breaking pins" aka "un-pinning" (breakv, breakc directives; draft-evans-palmer-hsts-pinning-00)

=JeffH <Jeff.Hodges@KingsMountain.com> Fri, 14 October 2011 22:05 UTC

Return-Path: <Jeff.Hodges@KingsMountain.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C1C2E21F8D0C for <websec@ietfa.amsl.com>; Fri, 14 Oct 2011 15:05:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -99.151
X-Spam-Level:
X-Spam-Status: No, score=-99.151 tagged_above=-999 required=5 tests=[AWL=0.744, BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_MISMATCH_COM=0.553, J_CHICKENPOX_53=0.6, RDNS_NONE=0.1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id T8Wonfk+pYxA for <websec@ietfa.amsl.com>; Fri, 14 Oct 2011 15:05:10 -0700 (PDT)
Received: from oproxy6-pub.bluehost.com (oproxy6.bluehost.com [IPv6:2605:dc00:100:2::a6]) by ietfa.amsl.com (Postfix) with SMTP id 17DCB21F8CE1 for <websec@ietf.org>; Fri, 14 Oct 2011 15:05:09 -0700 (PDT)
Received: (qmail 5877 invoked by uid 0); 14 Oct 2011 22:05:09 -0000
Received: from unknown (HELO box514.bluehost.com) (74.220.219.114) by cpoproxy3.bluehost.com with SMTP; 14 Oct 2011 22:05:09 -0000
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=kingsmountain.com; s=default; h=Content-Transfer-Encoding:Content-Type:Subject:To:MIME-Version:From:Date:Message-ID; bh=Re4Uzs/7MhHVFAmQroEVgy5Jq+8mxoXCxNujZHKGqhY=; b=M7gToga5IzmtizkWd3yM1gJn+Q9B198jzjjuKanhT+PilsJOKUPextZF0U2sHZCQGbmGVlEjlhXHQy3ehueuX2AU69zREtIfZ4yBqQWKwBfcA70I9hxqV2kJEs7zm6iQ;
Received: from outbound4.ebay.com ([216.113.168.128] helo=[10.244.136.89]) by box514.bluehost.com with esmtpsa (TLSv1:AES256-SHA:256) (Exim 4.76) (envelope-from <Jeff.Hodges@KingsMountain.com>) id 1REpsL-0002vb-5n for websec@ietf.org; Fri, 14 Oct 2011 16:05:09 -0600
Message-ID: <4E98B215.6040700@KingsMountain.com>
Date: Fri, 14 Oct 2011 15:05:09 -0700
From: =JeffH <Jeff.Hodges@KingsMountain.com>
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.23) Gecko/20110921 Thunderbird/3.1.15
MIME-Version: 1.0
To: IETF WebSec WG <websec@ietf.org>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Identified-User: {11025:box514.bluehost.com:kingsmou:kingsmountain.com} {sentby:smtp auth 216.113.168.128 authed with jeff.hodges+kingsmountain.com}
Subject: [websec] wrt "breaking pins" aka "un-pinning" (breakv, breakc directives; draft-evans-palmer-hsts-pinning-00)
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 14 Oct 2011 22:05:10 -0000

below is the text on "un-pinning" and the breakv & breakc directives from 
https://tools.ietf.org/html/draft-evans-palmer-hsts-pinning-00

discussion below this excerpt...

 > 2.  Server and Client Behavior
                 .
                 .
 >    The breakv directive communicates to UAs a pin break verifier, and
 >    the breakc directive communicates the pin break code.  Hosts SHOULD
 >    generate pin break codes and verifiers.  When present, UAs MUST note
 >    pin break verifiers and honor pin break codes.  See Section 2.3 for a
 >    discussion of verifiers and codes.
                 .
                 .
2.1.  Noting and Validating Pins
                 .
                 .
 >    UAs MUST cache pins and pin break verifiers for Known Pinned HSTS
 >    Hosts, and MIGHT AS WELL do so in the same manner as other HSTS
 >    metadata.
                 .
                 .
 > 2.3.  Un-pinning
 >
 >    Hosts can enable pin revocation for their previously-pinned key
 >    fingerprints by setting pin break verifiers using the breakv
 >    directive.  Then, when hosts want to break pins, they set the pin
 >    break code in their HSTS headers using the breakc directive.  (This
 >    idea is due to Perrin in [pin-break-codes].)
 >
 >    Pin break codes are short random strings, kept secret until the host
 >    operator wants to break the pins.  Pin break verifiers are simply
 >    hashes of the codes.
                 .
                 .
 >    Hosts can request that UAs forget pinned fingerprints by issuing a
 >    valid HSTS header containing the pin break code.  UAs MUST forget all
 >    pinned fingerprints associated with the matching pin break verifier,
 >    and MUST NOT forget any pinned fingerprints not associated with that
 >    verifier.
 >
 >    In the event that a host sends an HSTS header containing a breakc
 >    that does not match a breakv the UA has previously noted, the UA MUST
 >    ignore that breakc and MUST process any pins or breakv directives as
 >    normal.  This is so that hosts can break old pins but still
 >    successfully set new pins and verifiers in UAs that have not
 >    previously (or recently) noted the host.
 >
 >    Host operators SHOULD keep the pin break code secret, and SHOULD
 >    generate codes that are computationally infeasible to guess (such as
 >    by using their system's cryptographic random number generator; note
 >    that a 128-bit security level suffices).


In order for this "un-pinning" pin-break-verifier-and-code mechanism to 
generally work, the UA still connects and and makes an HTTP request and reads 
response headers. See this paragraph from S 2.1...

    Note that to validate pins, UAs must necessarily read the headers of
    a response.  In case of mismatch, UAs SHOULD NOT read the response
    body as part of failing hard.

This appears to be necessary in order to receive a break code (breakc) 
invalidating the pin(s) of a Known Pinned Host that doesn't already have its 
present cert/key, i.e. that it's showing in the TLS handshake (for whatever 
reason), cached in UAs. This situation would render the Host unavailable to 
those UAs.

So if a purported Known Pinned Host presents a cert chain in the TLS handshake 
lacking any keys on the UA's pinned key list, then it could be a bogus host (eg 
attacker), and if the UA does a HTTP GET and sends cookies (as well as receives 
a response and examines headers (e.g. the UA could be redirected further 
afield)) in any case, then this is a (non-trivial) vulnerability.

In such a situation, the way the UA can tell it is connected to the intended 
host is if the host presents a break code that properly matches a previously 
noted verifier for that host. This property holds because the break code is a 
secret held by the host until needed. This prevents any host from being able to 
unpin other hosts, which is necessary when the pin check is located up in the 
HTTP layer.


So we have a fundamental question here:

   Must the pinning mechanism provide the capability for a pinned host to
   dynamically recover from situations that otherwise render it unavailable
   (to those UAs that have noted the host as a Known Pinned Host)?


In examining the various such situations (aka "disasters") outlined in Sec 3, 
it appears that essentially all of them are mitigated if the host operators 
allocated a backup server key/cert as advised, and have properly issued a pin 
to it, along with their pin to their present operational key/cert. In this 
situation, it appears that having the pin-break-verifier-and-code mechanism 
isn't strictly necessary.

Rather, the pin-break-verifier-and-code mechanism is arguably useful only in 
the case where one doesn't have properly pinned backup server key/cert that 
chains to a different trust root than one's other key/cert(s). But it has the 
security issues noted above given its present design.


It appears that we need to decide whether this pin-break-verifier-and-code 
mechanism is worth the complexity and its vulnerability. One argument is that 
if some web app provider is willing to take the risk of pinning itself without 
proper, carefully considered recovery means and plans, then that's their 
decision. Additionally, if UAs provide users the means to clear(and set) pins, 
then worst-case, they can contact their users with instructions for how to do 
so, and perhaps along with a new pin to enter.

Providers wishing to avoid such situation will need to craft and implement 
proper, carefully considered recovery means and plans.


If we took this approach, then we could eliminate the breakc and breakv 
directives and manage pins in the a fashion similar to how HSTS works -- the UA 
notes the freshest info from a Known HSTS Host if it is different than what is 
presently cached for that host, and a "max-age = 0" will clear the cached 
metadata for that host.

( this dovetails with a discussion of using a separate header for pinning, 
"separate pinning header" )

=JeffH

ps: of course this discussion begs the question of conveying pinning 
information in the TLS channel, perhaps as data in an X.509 cert extension, as 
Adam L is doing for "DNSSEC authenticated HTTPS", or in some other fashion.

v2.23.0 | Report a Bug | By Email