Cert pinning

Gary E. Miller gem at rellim.com
Thu Mar 28 20:01:41 UTC 2019


Yo Hal!

On Wed, 27 Mar 2019 22:08:14 -0700
Hal Murray via devel <devel at ntpsec.org> wrote:

> > Only if the cert is not pinned.  Pretty much everything else I do with
> > certs eventually requires pinning.  NTPsec will be no different.
> 
> Could somebody please give me a lesson on this area?

Google and Wikipedia are good places to start:

https://en.wikipedia.org/wiki/Transport_Layer_Security#Certificate_pinning

https://www.owasp.org/index.php/Certificate_and_Public_Key_Pinning

etc.

> What is pinning?  Why have I not encountered it before?

You have.  Just did not grok it happening.

All the browsers do it.  Ever noticed when a cert fails with https you
are given the option to accept the cert?  That is pinning.

Browsers also use HPKP, HTTP Public Key Pinning (RFC 7469):

https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning

Many chat clients do it.  Ever notice in Pidgin how every time Google
changes their cert you are asked to approve the new one?  That is
pinning.

Ever notice how when an email to an email list is directed to another
email list and it bounces with a DANE error?  That is pinning.

DANE uses TLSA records in DNS that contain the cert pin hashes.  There
are many online tools to generate the hash per RFC 6698:

https://ssl-tools.net/tlsa-generator

> If ntpsec supported it, what would it look like and what would you do
> to use it?

Right now ostfalia uses a private CA.  So to connect I do this:

server nts3-e.ostfalia.de:443 nts noval

I happen to know the root CA for LE has this pin hash:

    60b87575447dcba2a36b7d11ac09fb24a9db406fee12d2cc90180517616e8a18

Since I use LE certs, I have pinning records in my DNS so end users
have another way to validate the certs I use:

# dig _443._tcp.www.rellim.com ANY

; <<>> DiG 9.12.3-P4 <<>> _443._tcp.www.rellim.com ANY
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39525
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 0b91fbce1dcc17f0b1a287195c9d25e1690aeb81b3edcb63 (good)
;; QUESTION SECTION:
;_443._tcp.www.rellim.com.	IN	ANY

;; ANSWER SECTION:
_443._tcp.www.rellim.com. 86400	IN	RRSIG	TLSA 8 5 86400 20211216234627 20190322234627 6366 rellim.com. UEtz0oHRGpezsZSHox8NAj2GwZQFeW+MWnf9ioe1nSEn2OBaNnFx7WFB 93UcYdVx9i0XH/oR5FM49MsaJP/9Qb9qLfXSsZAp6KSEgwEOwAOO2uq3 svDjA3Rml3XLXugw49J7WJYNNvbleHb2msv4UakrQeWm53Pj6UVqNYvR D2E=
_443._tcp.www.rellim.com. 86400	IN	RRSIG	TLSA 8 5 86400 20211216234627 20190322234627 9234 rellim.com. lWQN0pFrXwwuyG3ksCou9LVa1WmDWF/eGN0Ypz/+HGoFe7sZYyy58yS4 xP+ruMbjHxM5IxxxeYNcMGnZqm8rNYLxho/4QUXqV9JjYYkGphULivj1 DnV/Bi5u8jmYYPtg6OJq4b0/h35fSI/hDtaAmwEOC9pZ16fhhOh8UDJC OZw=
_443._tcp.www.rellim.com. 86400	IN	RRSIG	TLSA 8 5 86400 20211216234627 20190322234627 14625 rellim.com. F8NQNAIFrv1AEr+Vy817LAAFcLbqpueBPX9VLzlWiOC0kecHcro1SQl9 zdvD6D1x0z5qbfkUBoLQ0e6nfnYrli/Vl8nTzEH9f/4LCjy/lFkcou1c HSiPfqEGq8HvDdxzcPsZF8bbwHAfxPw8AlUGzapb92VK0f43EWjwRTXo Poc=
_443._tcp.www.rellim.com. 86400	IN	RRSIG	TLSA 13 5 86400 20211216234627 20190322234627 10167 rellim.com. wc+u0lQE3nTPLkoK11J9urVamjQbGeSDkR+wvtzYYLnIjPe9Ph5ujSSw eys0uf6iSJ1ZGKi5qfR1SRQ69un5Yw==
_443._tcp.www.rellim.com. 86400	IN	TLSA	2 1 1 60B87575447DCBA2A36B7D11AC09FB24A9DB406FEE12D2CC90180517 616E8A18


So, if I was going to pin the ostfalia server, I could check to see if they
pin in DNS.  They do not.  So I would generate their pin hash, and
attach it to their server record:

server nts3-e.ostfalia.de:443 nts noval pin 60b87575447dcba2a36b7d11ac09fb24a9db406fee12d2cc90180517616e8a18

To make it easy, NTSs could always generate the hash and put it in the
logs.

On that note, I'd also like the logs to show the NTPD server and port from
the NTS-KE exchange.

RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
	gem at rellim.com  Tel:+1 541 382 8588

	    Veritas liberabit vos. -- Quid est veritas?
    "If you can’t measure it, you can’t improve it." - Lord Kelvin
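An added example, not part of the original message and not NTPsec code: checking a DER certificate against a TLSA record such as the "2 1 1" record in the dig output above, following the RFC 6698 selector (0 = full cert, 1 = SubjectPublicKeyInfo) and matching type (0 = exact, 1 = SHA-256, 2 = SHA-512). The function names and the sample certificate are constructed for illustration; the usage field is parsed but not enforced, so the caller picks which certificate of the chain to test (for usage 2, the trust anchor).

```python
import hashlib
import hmac

def read_tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, content_start, end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def spki_from_cert(cert_der):
    """Return the whole SubjectPublicKeyInfo TLV of an X.509 certificate."""
    _, pos, _ = read_tlv(cert_der, 0)    # Certificate SEQUENCE
    _, pos, _ = read_tlv(cert_der, pos)  # tbsCertificate SEQUENCE
    tag, _, end = read_tlv(cert_der, pos)
    pos = end if tag == 0xA0 else pos    # skip optional [0] version (absent in v1)
    for _field in range(5):  # serialNumber, signature, issuer, validity, subject
        _, _, pos = read_tlv(cert_der, pos)
    _, _, end = read_tlv(cert_der, pos)
    return cert_der[pos:end]

def parse_tlsa(rdata):
    """Parse 'usage selector mtype hex' as dig prints it (hex may be split)."""
    usage, selector, mtype, *hexparts = rdata.split()
    return int(usage), int(selector), int(mtype), bytes.fromhex("".join(hexparts))

def tlsa_matches(rdata, cert_der):
    """True if cert_der matches the record's selector and matching type."""
    _, selector, mtype, data = parse_tlsa(rdata)
    if selector not in (0, 1) or mtype not in (0, 1, 2):
        raise ValueError("unsupported TLSA selector or matching type")
    selected = cert_der if selector == 0 else spki_from_cert(cert_der)
    if mtype in (1, 2):
        selected = hashlib.new("sha256" if mtype == 1 else "sha512", selected).digest()
    return hmac.compare_digest(selected, data)

def der_tlv(tag, body):  # tiny encoder (bodies < 256 bytes), only for the sample
    n = len(body)
    return bytes([tag]) + (bytes([n]) if n < 128 else bytes([0x81, n])) + body

# Constructed sample: certificate-shaped DER with dummy fields, not a real cert.
SAMPLE_SPKI = der_tlv(0x30, der_tlv(0x30, b"") + der_tlv(0x03, b"\x00" + bytes(range(200))))
_TBS = der_tlv(0x30, der_tlv(0xA0, der_tlv(0x02, b"\x02")) + der_tlv(0x02, b"\x01")
               + der_tlv(0x30, b"") * 4 + SAMPLE_SPKI)
SAMPLE_CERT = der_tlv(0x30, _TBS + der_tlv(0x30, b"") + der_tlv(0x03, b"\x00"))
SAMPLE_TLSA = "2 1 1 " + hashlib.sha256(SAMPLE_SPKI).hexdigest()
```

With a real certificate, pass its DER bytes (for a PEM file, the base64-decoded body) as cert_der.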