Shulou(Shulou.com)05/31 Report--

This article mainly introduces the certificate locking Certificate Pinning technology example analysis, has a certain reference value, interested friends can refer to, I hope you can learn a lot after reading this article, the following let Xiaobian take you to understand.

Certificate locking Certificate Pinning Technology

In man-in-the-middle attacks, the attacking host usually truncates the encrypted communication between the client and the server. The attack plane replaces the certificate issued by the server to the client with its own certificate. Typically, the client does not verify the certificate and accepts it directly, thus establishing a secure connection with the attack plane. In this way, the data sent by the client will be obtained and decrypted by the attack machine.

Certificate locking Certificate Pinning is an additional guarantee of SSL/TLS encryption. It saves the certificate public key of the server in advance in the client. During the process of establishing a secure connection, the client compares the preset public key with the accepted certificate. If consistent, a connection is established, otherwise the connection is rejected.

Certificate Pinning is widely used in mobile phone software. Because the server to which these applications are connected is relatively fixed, the server's X509 certificate or public key can be saved in advance in App. Apple's App Store Apple App Store, for example, has this feature pre-built. When a man-in-the-middle tool or a tool such as Fiddler is used to intercept data, the app store is unable to connect to the Internet.

In penetration testing, there are three solutions to this type of technology. The first is to disable certificate lock verification at the system level. The second is decompiler software, which replaces its saved public key with the certificate of the attack machine. Third, if the target is not the object of analysis, you can set the proxy to ignore the server to which it is connected without intercepting and modifying it.

PS: if you use the first or second method on your phone, you will need your phone to root or jailbreak.

Thank you for reading this article carefully. I hope the article "sample Analysis of Certificate locking Certificate Pinning Technology" shared by the editor will be helpful to everyone. At the same time, I also hope that you will support and pay attention to the industry information channel. More related knowledge is waiting for you to learn!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.