SAML V2.0 Holder-of-Key Web Browser SSO Profile not immune againstman-in

saml-dev message

Subject: SAML V2.0 Holder-of-Key Web Browser SSO Profile not immune againstman-in-the-middle attack

From: Marc Stern <marc.stern@approach.be>

To: saml-dev@lists.oasis-open.org

Date: Thu, 16 Apr 2009 15:52:06 +0200

Hello,

I'd like to point out that man-in-the-middle attack is still possible with this profile (I suppose some are aware about this, as it is stated in the document "virtually eliminates man-in-the-middle attacks"). If an attacker can sit in the middle of both connections (to IdP & SP), it could act as a proxy, and use its own key in both cases, which will be consistent with the SAML request.
The only solution is to use a known key to connect to the IdP (with an official certificate), which poses a privacy problem, as you will be obliged to connect to the SP with your "official" credentials.

Any envisioned work on this (double key authentication or equivalent)?

Thanks,

Marc Stern
Senior Consultant - Security Group Head
Approach Belgium - http://www.approach.be
Avenue Einstein, 2A - B-1348 Louvain-la-Neuve - Belgium
LinkedIn

Disclaimer_____________________________________________________________________________
1. This message is intended for the use of the addressee only and may contain information that is privileged and confidential.
2. If you are not the intended recipient, you are notified that any dissemination of this Communication is strictly prohibited.
3. If you have received this communication in error, please notify us immediately by return of this e-mail.
4. E-mail quotations and proposals are for information only, and are subject to confirmation by the Signature of the appropriate contractual documentation by the authorized persons or both