{"id":61170,"date":"2024-04-10T10:12:40","date_gmt":"2024-04-10T04:42:40","guid":{"rendered":"https:\/\/www.tothenew.com\/blog\/?p=61170"},"modified":"2024-04-12T10:25:08","modified_gmt":"2024-04-12T04:55:08","slug":"prevent-mitm-attack-by-ssl-public-key-pinning-part-2","status":"publish","type":"post","link":"https:\/\/www.tothenew.com\/blog\/prevent-mitm-attack-by-ssl-public-key-pinning-part-2\/","title":{"rendered":"Prevent MITM Attack by SSL Public Key Pinning : Part – 2"},"content":{"rendered":"

In this blog, we are going to learn about public key pinning and how we can achieve it with URLSession.\u00a0<\/span>Before that, let’s briefly discuss<\/span>\u00a0SSL certificate pinning.<\/span><\/p>\n

SSL pinning is a security technique used in mobile and web applications to ensure that the client only communicates with servers via a specific SSL certificate or public key, which prevents man-in-the-middle attacks where an attacker intercepts communication between the client and the server.<\/span><\/p>\n

How does MITM work?<\/b><\/h2>\n

Hackers use MITM attacks to access confidential personal information by pretending to be known users or webpages. They spy on users’ private meetings or confidential data and extract useful information.<\/span><\/p>\n

\"\"<\/p>\n

Real-life Instances of MITM Attack\u00a0<\/b><\/h2>\n

In previous blog, we performed certificate pinning (Check out this link for more.<\/span><\/a>)<\/span>, here are the differences and benefits:<\/b><\/p>\n

Benefits:<\/b><\/h2>\n
    \n
  1. Certificate Pinning : Add an SSL certificate to your app bundle and bind this certificate to your application.\u00a0<\/span><\/li>\n<\/ol>\n
      \n
    1. Public Key Pinning: In this pinning method, we are going to generate a public key, which we are going to use in our application. In this method, we don\u2019t have to change the certificate if it expires.<\/span><\/li>\n<\/ol>\n

      Certificate pinning is easy to implement but has some limitations:<\/b><\/h2>\n
        \n
      1. When the certificate expires, we need to update it, and then we can release the app with the newer one, which results in less flexibility when we are using it.<\/span><\/li>\n
      2. The app will not work when the backend or server changes the certificate on their end, unless we replace the certificate with a new one.<\/span><\/li>\n<\/ol>\n

        Let’s start:<\/b><\/h2>\n

        Now, we are going to download the certificate using OpenSSL command:<\/b><\/p>\n

          \n
        1. We need a copy of the certificate from the server, <\/span>isro.vercel.app.<\/b> Now we are going to use the terminal using OpenSSL commands.<\/span><\/li>\n
        2. It is safer to use public key pinning because it will not affect the application’s working if there is any change from the server side until the server maintains the same public key.<\/span><\/li>\n<\/ol>\n

          Let’s check out these steps:<\/p>\n

          \u25d9 We can fetch the local certificate\u2019s public key, which has been downloaded and will be included in your code as a string. The app is going to compare the remote public key, which will be received during a network request at run time, with the local one, which is stored somewhere in the project as a string.<\/span><\/p>\n

          \u25d9 Use this command to download this to the project bundle.<\/p>\n

          openssl s_client -connect isro.vercel.app:443 -showcerts < \/dev\/null | openssl x509 -outform der > vercel.der<\/strong><\/em><\/span><\/span><\/pre>\n
          Use the above command on the terminal.<\/p>\n
          \"\"<\/p>\n
          \u25d9 Then, we need to create .pem\u00a0from the downloaded <\/span>vercel.der<\/b> and convert it to the<\/span> vercel_public_key.pem<\/b> format by extracting and saving its public key. Use the below commands to get it done.\u00a0<\/span><\/span><\/p>\n
          \u00a0 openssl x509 -inform der -in vercel.der -pubkey -noout >\u00a0 vercel_public_key.pem<\/strong><\/em><\/pre>\n
          \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0Or,<\/b><\/p>\n
          \u00a0openssl x509 -inform der -in vercel.cer -pubkey -noout > vercel_public_key.pem<\/strong><\/em><\/pre>\n
          \u25d9 After saving the .pem file, generate a hash and encode it using base64 encoding. Here, we can use this command, which is much easier to save and more readable. For hashing, I\u2019m going to use SHA256. Use the command below to generate the hash<\/span><\/p>\n
          cat vercel_public_key.pem | openssl rsa -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64<\/strong><\/em><\/pre>\n
          Use the above command on the terminal.\u00a0<\/span><\/strong><\/em><\/p>\n
          \"\"  <\/strong><\/em><\/p>\n
          Your public key will be something like this<\/span><\/p>\n
          u\/joKCLcfT2khmv\/jPpWcsbUx1mBQ1PY0QXYg5cHonE=<\/strong><\/p>\n
          Or,<\/b><\/p>\n
          We can use the below command to do all these processes in one command (I have used <\/span>isro.vercel.app<\/b> for this sample project). It will generate the hash code from the certificate, which we will use in our demo project.<\/span><\/p>\n
          openssl s_client -servername isro.vercel.app -connect\u00a0 isro.vercel.app:443 | openssl x509 -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64<\/strong><\/em><\/pre>\n
          Use the above command on the terminal. <\/span><\/strong><\/em><\/p>\n
          \"\" <\/span><\/strong><\/em><\/p>\n
          Now we are ready with a hash key. It\u2019s time to write some code now. Put the code below in our <\/span>NetworkManagerWithPublicKey.swift<\/b> class.<\/span><\/p>\n
          \"\"<\/p>\n
          Here,<\/span> localPublicKey<\/b> is the hash key that we get from our certificate.<\/span><\/p>\n
            \n
          1. An array of unsigned integers, which indicates the algorithm and any algorithm parameters with which the public key is to be used, is represented by <\/span>rsa2048Asn1Header<\/b>.<\/span><\/li>\n
          2. Let’s check this method; we used the OpenSSL-sdgst function with <\/span>sha256<\/b> hashing to create our hashes. To recreate the same hashes in our code, the <\/span>rsa2048Asn1Header<\/b> bytes are needed.<\/span><\/li>\n
          3. This function will create a hash from the received Data using the <\/span>sha256<\/b> algorithm and return the base64 encoded representation of the hash.<\/span><\/li>\n<\/ol>\n
            And now, we have to implement the URLSessionDelegate function. Please see the code below. Please check out the screenshots attached.<\/span><\/p>\n
            \"\" \"\"<\/p>\n
            Summary:<\/b><\/p>\n
            Nowadays, it is mandatory to implement SSL\/TLS while communicating with the server. We rely on a chain of trust to verify the identity of the client or server, which is not enough; MITM (Man in the Middle) attacks may still be a possibility. So what we do is add layer of protection by adding a certificate or public key, which is needed on the other side as well. We’ve learned how to extract a server key and implement pinning on iOS.<\/span><\/p>\n
            I have written the code in <\/span>Swift<\/b> language. Feel free to comment below with any queries. You can access the complete code at <\/span>GitHub<\/b><\/a><\/span>.<\/span> You can check this URL:\u00a0<\/span><\/p>\n
            Part-1 Certificate Pinning: <\/span>https:\/\/github.com\/Vibhashkumar2022\/SSLPinningUsingURLSession.<\/b><\/a>\u00a0<\/b><\/span><\/p>\n
            Part-2 Public Key Pinning:<\/span>\u00a0 <\/span>https:\/\/github.com\/Vibhashkumar2022\/MITM-Project-Part-2<\/b><\/a><\/span><\/p>\n
            Note: The certificate added in my repository can expire, so if you are not able to get a response from API, then check for the certificate and get a new one by following the above steps<\/b>
            \n<\/strong><\/em><\/span><\/p>\n
            <\/div>","protected":false},"excerpt":{"rendered":"
            In this blog, we are going to learn about public key pinning and how we can achieve it with URLSession.\u00a0Before that, let’s briefly discuss\u00a0SSL certificate pinning. SSL pinning is a security technique used in mobile and web applications to ensure that the client only communicates with servers via a specific SSL certificate or public key, […]<\/p>\n","protected":false},"author":1630,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"iawp_total_views":115},"categories":[2026,1400,1772],"tags":[5797,5796,2574,5794,5795],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/posts\/61170"}],"collection":[{"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/users\/1630"}],"replies":[{"embeddable":true,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/comments?post=61170"}],"version-history":[{"count":2,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/posts\/61170\/revisions"}],"predecessor-version":[{"id":61264,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/posts\/61170\/revisions\/61264"}],"wp:attachment":[{"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/media?parent=61170"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/categories?post=61170"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/tags?post=61170"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}