This header is a security feature that tells a web client to associate a specific cryptographic public key with a particular web server, reducing the risk of man-in-the-middle (MITM) attacks that rely on forged certificates.
HTTP Public Key Pinning (HPKP) is an Internet security mechanism delivered through an HTTP header that lets HTTPS websites resist impersonation by attackers who use mis-issued or otherwise fraudulent certificates. It works by delivering to the client (that is, the browser) a set of public keys that are the only ones to be trusted for connections to this domain.
For example, attackers may compromise a certificate authority and then mis-issue certificates for a particular web origin. To counter this risk, the HTTPS web server provides a list of "pinned" public key hashes that are valid for a specified time; for subsequent connections within that validity period, the client expects the server to use one or more of those public keys in its certificate chain. If it does not, an error message is displayed that the user cannot easily bypass.
The technique pins public keys, not certificates. This means that, as long as one holds the private key, the same key pair can be used to obtain a certificate from any certificate authority.
This header gives domain operators a way to reduce the risk of MITM attacks and other false-authentication problems. This matters in particular for websites that handle a lot of sensitive information, such as financial or healthcare records.
Enablement in Apache:
The following directive is added to the web server's configuration file. It requires mod_headers to be enabled.
Header always set Public-Key-Pins "pin-sha256=\"base64+primary==\"; pin-sha256=\"base64+backup==\"; max-age=5184000; includeSubDomains"
Enablement in Nginx:
Adding the following directive enables HPKP on nginx. It requires ngx_http_headers_module.
add_header Public-Key-Pins 'pin-sha256="base64+primary=="; pin-sha256="base64+backup=="; max-age=5184000; includeSubDomains' always;
Enablement in IIS:
The following element is added to the "web.config" file (the inner quotes around each pin must be written as &quot; inside the XML attribute).
<add name="Public-Key-Pins" value="pin-sha256=&quot;base64+primary==&quot;; pin-sha256=&quot;base64+backup==&quot;; max-age=5184000; includeSubDomains" />
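As an added example (not code from the article), the script below computes pin-sha256 values and checks a Public-Key-Pins header the way RFC 7469 requires: max-age present, every pin a valid SHA-256 digest, at least one pin present in the served chain and at least one backup pin outside it. It uses only the Python standard library; the SPKI byte strings are constructed placeholders standing in for the DER SubjectPublicKeyInfo of real chain certificates.

```python
import base64
import hashlib

# Added example, not from the original article. The SPKI byte strings used at the
# bottom are constructed placeholders; in practice spki_der is the DER-encoded
# SubjectPublicKeyInfo of a certificate in the served chain (leaf, intermediate or root).

def spki_pin(spki_der: bytes) -> str:
    """pin-sha256 value: base64 of the SHA-256 digest over the DER SubjectPublicKeyInfo."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")

def parse_hpkp(header: str) -> dict:
    """Split a Public-Key-Pins value into its directives, stripping the quoting."""
    parsed = {"pins": [], "max_age": None, "include_subdomains": False}
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")  # first "=" only: pins end in "=" padding
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "pin-sha256":
            parsed["pins"].append(value)
        elif name == "max-age":
            parsed["max_age"] = int(value)
        elif name == "includesubdomains":
            parsed["include_subdomains"] = True
    return parsed

def check_hpkp(header: str, chain_spkis: list) -> list:
    """Return the reasons a client would reject this header; an empty list means it is valid."""
    parsed, problems = parse_hpkp(header), []
    if parsed["max_age"] is None:          # RFC 7469: max-age is mandatory
        problems.append("max-age directive is required")
    for pin in parsed["pins"]:
        try:
            digest_len = len(base64.b64decode(pin, validate=True))
        except ValueError:                 # bad alphabet or padding
            digest_len = -1
        if digest_len != 32:
            problems.append(f"pin {pin!r} is not base64 of a 32-byte SHA-256 digest")
    chain_pins = {spki_pin(spki) for spki in chain_spkis}
    matched = [pin for pin in parsed["pins"] if pin in chain_pins]
    if not matched:                        # pins matching nothing in the chain lock every client out
        problems.append("no pin matches any SubjectPublicKeyInfo in the served chain")
    if len(parsed["pins"]) == len(matched):  # RFC 7469: one backup pin must not yet be in the chain
        problems.append("no backup pin: every pin is already in the served chain")
    return problems

if __name__ == "__main__":
    leaf, backup = b"constructed SPKI: current key", b"constructed SPKI: backup key"  # not real keys
    header = f'pin-sha256="{spki_pin(leaf)}"; pin-sha256="{spki_pin(backup)}"; max-age=5184000; includeSubDomains'
    print(check_hpkp(header, [leaf]))  # [] -> valid: one pin in the chain, one held back as backup
```

Running this check against the actually served chain before deploying matters because a wrong pin set locks clients out for the full max-age (60 days in the configurations above), and major browsers have since removed HPKP support.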