Subject: Re: Defective sign & encrypt vis-a-vis SAML?
> I'm sure many of you have heard about Don Davis' moderately
> controversial paper on defective sign & encrypt in S/MIME, XML
> Signature, and other standards (see
> http://www.usenix.org/publications/library/proceedings/usenix01/davis.html
> for the paper). It's not that the crypto algorithms are broken, it's
> that they're being used in broken ways that allow surreptitious
> forwarding, among other things.
>
> Has anyone given any thought to the way SAML specifies signing &
> encrypting of assertions and other stuff? This has been discussed
> briefly on the XML Encryption list...

There was a long thread about this on the cryptography list; I append one thoughtful message below that I think sums up the situation pretty well.

There may be material here for our security considerations doc, particularly if we're going to try to cover SAML assertions embedded in other protocols. But the concerns Davis raises about PGP, S/MIME, etc. don't seem to me to apply to the base SAML assertions, as we know them at this point.

Davis's point (OK, I'll admit I only glanced at the paper and only read the commentaries about it, so sue me) is that secure email protocols only protect message bodies, and message bodies don't necessarily include relevant context needed to understand the intent of the signer, or constrain later use of the signed info. Whereas SAML assertions contain validity period values, and other constraining conditions, and presumably will be generated by authorities that are clever enough to say exactly what they mean.

Though, one might say that SAML assertions with the "bearer" subject raise some of these same issues ... And one might further wonder whether SAML assertions in general will want to explicitly identify the intended receiver of the assertion.
- RL "Bob"

---

Date: Fri, 22 Jun 2001 12:58:10 -0700
From: Jon Callas <jon@callas.org>
To: Don Davis <dtd@world.std.com>, cryptography@wasabisystems.com
Subject: Re: crypto flaw in secure mail standards

This is a really good issue you've brought up, brilliant and creative. However, like Derek said, this isn't a crypto problem. I'm going to go further and say that it isn't even an engineering problem.

You demonstrate some interesting problems with secure messaging, but *none* of them have anything to do with cryptography. They all have to do with semantics, expectation, and human behavior.

Both of the scenarios you give are perfectly plausible. They could happen. However, they don't *have* to happen that way and presume certain conditions that are at best specialized.

Let's take the first one. This one presupposes that Alice's signed message says, "The Deal is off." Note that if Alice had said a number of other things, there would be no problem. Suppose Alice's message to Bob is:

"Dear, Bob, I'm sorry to send you some bad news, but my company has had a reorganization, and we cannot pursue our deal with XYZcorp at this time. I enjoy working with you, and hope that we will be able to re-activate this deal at a future date."

Now there's no attack. If Bob sends *this* message to Charlie, then Charlie's going to scratch his head and call Alice by phone. Then they'll check the email headers, and see that it came from a hijacked IIS server in Elbonia.

The real problem here is that there are some terse messages that it's a very bad idea to sign. For example, "The deal's off." Also, "Your mother wears army boots," "So's your old man," and "Take a long walk off a short pier." Cryptography cannot solve the problem of appropriate use of the technology.

Let me give a related "attack." Suppose before she cancels the deal Alice sends Bob a message that says, "I'm really glad I'm working with you and not Charlie. He's a real twit, and I have to grit my teeth every time I deal with him." After canceling the deal, Bob then sends *that* message with Alice's signature to Charlie. Cryptography can't solve *that* problem, either.

My dear, late friend, Martin Minow had a maxim, and that maxim is, "Don't send anything by email that you don't want to see attached to your resume." That can be extended to really, really, not sending a signed document that you don't want to see attached to your resume.

I will also point out here, that the attack you give needs no encryption. This is why I say it isn't even an engineering problem. It works equally well with a clearsigned message. Adding in encryption weakens your case. It's a more powerful attack on signing alone because anyone who finds that message can retarget it.

My response, simply put, is don't sign a vague message like this:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The deal's off

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.2

iQA/AwUBOzOb9HwuAgBhK7KNEQLRSwCeMNxIiaf04ZejMbkmcxjhTX7R/10AoJKs
LbL3yWM4BrjmfvOYCGIdl0YG
=h7ZQ
-----END PGP SIGNATURE-----

because you'll be subject to retargeting. There is nothing a cryptographer or engineer can do to protect such an easily misunderstood message.

The next problem you give is more interesting. It's again, misuse rather than a crypto problem, but it strikes at the heart of two unsolved issues with digital signatures:

(1) What does a signature mean?
(2) Can a signature be misused?

The answers to those questions are in my opinion, "Whatever you want them to" and "Yes." Again, your demonstrations are brilliant examples of how you can misuse a signature into some sort of semantic attack.

The first question is a swamp, so I'll only dance around it. I know people who regularly sign all their email. I know people who refuse to sign email (or rarely do). Each of them has a good explanation for why they do what they do. For full disclosure, I rarely sign messages. Since I rarely sign messages, it's relatively easy for someone to forge one coming from me. On the other hand, since I don't sign messages out of habit, I'm not going to accidentally create a retargetable message. But what this shows is that if you find a signed document in the wrong hands, the assumption that the signer sent it is flat silly.

The second question strikes at the very heart of one of the biggest fantasies there is with digital signatures: non-repudiation. I don't believe that non-repudiation exists. This second example is not an attack on cryptography, but a brilliant attack on the notion of non-repudiation.

Stan Kelly-Bootle has a marvelous definition in "The Devil's DP Dictionary" for "GIGO" that is, "Garbage In, Gospel Out." Sheer brain-dead fantasies having been run through a computer become holy and divinely inspired. Similarly, people think that a digital signature makes real-world considerations go away, and alas, the people who believe this most are lawyers (who should know better).

Let's analyze that second problem. Someone goes to Alice and says, "Hey, Charlie has a catalog signed by you." Alice says, "Who's Charlie? I've never heard of Charlie. I've never sent sensitive company material outside the company."

We all know that it's true. Alice didn't. Bob did. But we also know that it's plausible for the corporate investigator to think Alice did because of this Garbage In, Gospel Out fantasy as applied to signatures.

When I go on my "there's no such thing as non-repudiation" rant, I usually focus on the difficulty of securing a private key. I really like this scenario, because it shows another attack on non-repudiation -- taking things out of context. Thank you!

This is the true attack, that it's a semantic attack on what the message *means*, not how it's constructed. A signed message (because again, it works just as well if it's signed without being encrypted) out of context means nothing. Signatures do not grant meaning, and in fact can easily misdirect or obscure it.

The real problem is not one of cryptography, it's one of belief. It is believing that a message containing a signed object came from the person who signed it. It is believing that cryptography protects meaning, not merely bits. It is believing that real-world problems with the interactions of people can be solved with a bit of fancy math. These are all ludicrous, and thank you for coming up with another attack on them.

Jon
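
The following is an added example, not part of the original posts: a receiver-side check of the context signed into an assertion (validity period and intended receiver), which is what distinguishes it from a bare signed "The deal's off". It assumes the SAML 2.0 element names Conditions, AudienceRestriction and Audience, which postdate this thread, that the signature has already been verified, and a local policy of refusing assertions with no expiry or no named audience; the entity IDs and timestamps are constructed.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def make_assertion(audiences):
    """Build a constructed sample assertion; audiences=[] models one with no named receiver."""
    aud = "".join(f"<saml:Audience>{a}</saml:Audience>" for a in audiences)
    restriction = f"<saml:AudienceRestriction>{aud}</saml:AudienceRestriction>" if audiences else ""
    return (f'<saml:Assertion xmlns:saml="{NS["saml"]}">'
            '<saml:Conditions NotBefore="2001-06-22T19:00:00Z" '
            f'NotOnOrAfter="2001-06-22T19:05:00Z">{restriction}</saml:Conditions>'
            '</saml:Assertion>')

def _ts(value):
    # SAML timestamps are UTC, e.g. 2001-06-22T19:00:00Z
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def rejection_reasons(assertion_xml, my_entity_id, now):
    """Return why this receiver should refuse the assertion ([] means acceptable).

    Assumes the XML has already passed signature verification, so every value
    read here is something the issuing authority actually signed.
    """
    cond = ET.fromstring(assertion_xml).find("saml:Conditions", NS)
    if cond is None:
        return ["no Conditions: the signature carries no usage context"]
    reasons = []
    not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not_before and now < _ts(not_before):
        reasons.append("not yet valid")
    if not_on_or_after is None:
        reasons.append("no expiry: replayable indefinitely")  # local policy
    elif now >= _ts(not_on_or_after):
        reasons.append("expired")
    restrictions = cond.findall("saml:AudienceRestriction", NS)
    if not restrictions:
        reasons.append("no audience: any holder can forward it")  # local policy
    for r in restrictions:  # every restriction must name this receiver
        named = [a.text.strip() for a in r.findall("saml:Audience", NS) if a.text]
        if my_entity_id not in named:
            reasons.append("issued for another receiver")
    return reasons
```
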