Microsoft Corporation
Achieving certificate pinning security in reduced trust networks
Abstract:
Achieving certificate pinning security in reduced trust networks. A client establishes a first communications channel with a server only upon verifying that a first certificate offered by the server is certified by a pinned certificate. The client receives a second certificate from the server over the first communications channel. The server and the client establish second communications channels with an untrusted computer system. The client sends a request towards the server via the second communications channels, and the request is received by the server. The server generates a response comprising a payload, a timestamp, a URI portion, and a signature that is generated using the second certificate, and sends the response via the second communications channels. The client receives the response and uses the second certificate to verify that the response is authentic and that the timestamp and URI portion are valid. The client then processes the payload.
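The client-side check the abstract describes, written out as an added example that is not part of the patent or of any Microsoft code: Ed25519 from the Python `cryptography` package stands in for the key behind the second certificate, the 300-second freshness window and the field encoding are assumptions, and the pinned-certificate handshake that delivered the second certificate is taken as already done.

```python
import struct
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey

MAX_AGE_SECONDS = 300  # freshness window; an assumption for this example

def signed_bytes(payload: bytes, timestamp: int, uri_portion: str) -> bytes:
    """Canonical encoding covered by the signature. Timestamp and URI are
    length-framed so bytes cannot be shifted between fields by a relay."""
    uri = uri_portion.encode()
    return struct.pack(">QH", timestamp, len(uri)) + uri + payload

def server_response(second_key: Ed25519PrivateKey, payload: bytes,
                    uri_portion: str, now: int) -> dict:
    """Server side: payload + timestamp + URI portion + signature made with
    the key of the second certificate, sent over the untrusted relay."""
    return {"payload": payload, "timestamp": now, "uri": uri_portion,
            "signature": second_key.sign(signed_bytes(payload, now, uri_portion))}

def client_accept(second_pub, response: dict, requested_uri: str, now: int):
    """Client side: return the payload only if the response is authentic,
    bound to the URI the client actually requested, and fresh; else None."""
    try:
        second_pub.verify(response["signature"], signed_bytes(
            response["payload"], response["timestamp"], response["uri"]))
    except InvalidSignature:
        return None  # payload, timestamp or URI changed in transit
    if response["uri"] != requested_uri:
        return None  # genuine response, but to a different request
    if not (now - MAX_AGE_SECONDS <= response["timestamp"] <= now + MAX_AGE_SECONDS):
        return None  # stale or replayed response
    return response["payload"]

def demo() -> dict:
    """Constructed scenario: one honest exchange and three relay manipulations."""
    key = Ed25519PrivateKey.generate()   # stands in for the second certificate's key
    pub = key.public_key()               # what the client got over the pinned channel
    now = 1_700_000_000
    good = server_response(key, b'{"balance": 42}', "/api/account", now)
    tampered = dict(good, payload=b'{"balance": 9999}')
    replayed = server_response(key, b'{"balance": 42}', "/api/account", now - 3600)
    misrouted = server_response(key, b'{"balance": 42}', "/api/other", now)
    return {"valid": client_accept(pub, good, "/api/account", now),
            "tampered": client_accept(pub, tampered, "/api/account", now),
            "replayed": client_accept(pub, replayed, "/api/account", now),
            "misrouted": client_accept(pub, misrouted, "/api/account", now)}

if __name__ == "__main__":
    print(demo())
```

Only the honest exchange yields a payload; the other three are rejected before the client processes anything, which is the property the untrusted relay cannot undermine.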
Utility
18 Nov 2019
19 Oct 2021