Tags: ssl, public-key-encryption, certificate-pinning, public-key-pinning

SSL - Public key pinning confusion


How does SSL key pinning prevent MITM attacks when some CA is compromised?

What I understand from compromising a CA is that private keys are compromised and an attacker can easily get the symmetric key used to encrypt data. Am I right?

Another thing: if the public key remains the same when certificates are rotated, and in key pinning we match the public keys, how can we know that the key (we are getting) is from the original certificate?

I don't really get the concept. Can anyone elaborate it step by step?

I have gone through this question but couldn't really get the answer.


Solution

  • When a CA is compromised, the attacker has the CA's private key. Then the attacker has the same power as a trusted CA, meaning that he can issue certificates for any domains. If this happens, without public key pinning (HPKP), all sites are immediately vulnerable to MITM attacks by this attacker, until clients distrust the compromised CA.

    HPKP tries to mitigate this issue by allowing site operators to designate which root CA's or which leaf certificate's public keys you want browsers to trust. For instance, if you pin Let's Encrypt's and GlobalSign's root certificates, then a compromise of any other CA won't affect you at all.

    To answer your questions:

    1) No, not symmetric keys. It is the private key of the CA, used for signing, not encrypting, that gets compromised.

    2) It doesn't matter, because the site is not compromised; only the CA is compromised. In other words, the attacker doesn't have the private keys of your site. If he wants to attack, he will have to present a different public key that he generates himself.

    I hope this answer helps to clarify.
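The two points in the answer above can be checked end to end in code. The following Go program is an added example, not code from the original thread or from any browser: it builds two toy root CAs that a client trusts, has the honest one issue a certificate for a hypothetical host `example.test`, pins the site's SubjectPublicKeyInfo (plus the honest root as a backup pin, as HPKP recommended), then renews the certificate with the same key pair and, separately, lets the "compromised" root issue a certificate for the same host with an attacker-generated key. Ordinary PKI validation accepts the rogue certificate, because the attacker's CA is trusted; the pin check rejects it, because the attacker does not hold the site's private key and so cannot present the pinned public key. The renewed certificate passes the pin precisely because a pin is a hash of the key, not of the certificate. Note that browsers have since dropped the HPKP header, but the pin computation and check shown here are the same ones mobile and desktop apps use for certificate pinning today. The host name, CA names and serial numbers are made up for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

const host = "example.test" // hypothetical site name, not from the original thread

// spkiPin is the HPKP pin: base64(SHA-256(DER SubjectPublicKeyInfo)). It covers
// only the public key, so it survives certificate renewals that keep the key pair.
func spkiPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// pinMatches applies the HPKP rule: some certificate in the validated chain must carry a pinned key.
func pinMatches(chain []*x509.Certificate, pins map[string]bool) bool {
	for _, c := range chain {
		if pins[spkiPin(c)] {
			return true
		}
	}
	return false
}

func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// sign creates and parses a certificate; parent == tmpl yields a self-signed root.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

func newCA(name string, serial int64) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := mustKey()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageCertSign, BasicConstraintsValid: true, IsCA: true,
	}
	return sign(tmpl, tmpl, &key.PublicKey, key), key
}

// issue makes the CA vouch for host with whatever public key it is handed: this is
// exactly the power a stolen CA signing key gives an attacker.
func issue(ca *x509.Certificate, caKey *ecdsa.PrivateKey, pub *ecdsa.PublicKey, serial int64) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return sign(tmpl, ca, pub, caKey)
}

// verify runs ordinary PKI validation (trusted roots + hostname) and returns the chain, or nil on failure.
func verify(leaf *x509.Certificate, roots *x509.CertPool) []*x509.Certificate {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	if err != nil {
		return nil
	}
	return chains[0]
}

type Outcome struct {
	RotatedPinOK bool // renewed cert, same site key, honest CA: pin still matches
	RogueChainOK bool // cert from the compromised CA passes ordinary PKI validation
	RoguePinOK   bool // ...but fails the pin, because the attacker had to use his own key
}

func Simulate() Outcome {
	goodCA, goodKey := newCA("Honest Root", 1)
	rogueCA, rogueKey := newCA("Compromised Root", 2)
	roots := x509.NewCertPool() // the client trusts both roots, as a browser would
	roots.AddCert(goodCA)
	roots.AddCert(rogueCA)

	siteKey := mustKey()
	cert1 := issue(goodCA, goodKey, &siteKey.PublicKey, 100)
	pins := map[string]bool{spkiPin(cert1): true, spkiPin(goodCA): true} // leaf pin + root as backup

	cert2 := issue(goodCA, goodKey, &siteKey.PublicKey, 101) // rotation keeps the key pair
	attackerKey := mustKey()                                   // the attacker does not have siteKey
	evil := issue(rogueCA, rogueKey, &attackerKey.PublicKey, 999)

	rotChain, evilChain := verify(cert2, roots), verify(evil, roots)
	return Outcome{
		RotatedPinOK: rotChain != nil && pinMatches(rotChain, pins),
		RogueChainOK: evilChain != nil,
		RoguePinOK:   evilChain != nil && pinMatches(evilChain, pins),
	}
}

func main() {
	o := Simulate()
	fmt.Printf("renewed cert passes pin: %v\nrogue cert passes PKI: %v\nrogue cert passes pin: %v\n",
		o.RotatedPinOK, o.RogueChainOK, o.RoguePinOK)
}
```

The rogue certificate is indistinguishable from a legitimate one to a client that only checks the chain against its trust store, which is the whole point of the answer: the compromised CA can sign anything, but it cannot sign the site's key because it does not have it. Pinning the honest root as well as the leaf is what lets the operator rotate the site key later without locking clients out, as long as the new certificate still chains to that root.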