security-services message



Subject: Re: Defective sign & encrypt vis-a-vis SAML?



> I'm sure many of you have heard about Don Davis' moderately
> controversial paper on defective sign & encrypt in S/MIME, XML
> Signature, and other standards (see
> http://www.usenix.org/publications/library/proceedings/usenix01/davis.html
> for the paper).  It's not that the crypto algorithms are broken, it's
> that they're being used in broken ways that allow surreptitious
> forwarding, among other things.
>
> Has anyone given any thought to the way SAML specifies signing &
> encrypting of assertions and other stuff?  This has been discussed
> briefly on the XML Encryption list...

There was a long thread about this on the cryptography list; I append one
thoughtful message below that I think sums up the situation pretty well.

There may be material here for our security considerations doc, particularly
if we're going to try to cover SAML assertions embedded in other
protocols.  But the concerns Davis raises about PGP, S/MIME, etc don't
seem to me to apply to the base SAML assertions, as we know them at this
point.  Davis's point (OK, I'll admit I only glanced at the paper and only
read the commentaries about it, so sue me) is that secure email protocols
only protect message bodies, and message bodies don't necessarily include
relevant context needed to understand the intent of the signer, or
constrain later use of the signed info.  Whereas SAML assertions contain
validity period values, and other constraining conditions, and presumably
will be generated by authorities that are clever enough to say exactly
what they mean.

Though, one might say that SAML assertions with the "bearer" subject raise
some of these same issues ...  And one might further wonder whether SAML
assertions in general will want to explicitly identify the intended
receiver of the assertion.

 - RL "Bob"

---

Date: Fri, 22 Jun 2001 12:58:10 -0700
From: Jon Callas <jon@callas.org>
To: Don Davis <dtd@world.std.com>, cryptography@wasabisystems.com
Subject: Re: crypto flaw in secure mail standards

This is a really good issue you've brought up, brilliant and creative.
However, like Derek said, this isn't a crypto problem. I'm going to go
further and say that it isn't even an engineering problem.

You demonstrate some interesting problems with secure messaging, but *none*
of them have anything to do with cryptography. They all have to do with
semantics, expectation, and human behavior.

Both of the scenarios you give are perfectly plausible. They could happen.
However, they don't *have* to happen that way and presume certain
conditions that are at best specialized.

Let's take the first one. This one presupposes that Alice's signed message
says, "The Deal is off." Note that if Alice had said a number of other
things, there would be no problem.

Suppose Alice's message to Bob is: "Dear, Bob, I'm sorry to send you some
bad news, but my company has had a reorganization, and we cannot pursue our
deal with XYZcorp at this time. I enjoy working with you, and hope that we
will be able to re-activate this deal at a future date."

Now there's no attack. If Bob sends *this* message to Charlie, then
Charlie's going to scratch his head and call Alice by phone. Then they'll
check the email headers, and see that it came from a hijacked IIS server in
Elbonia.

The real problem here is that there are some terse messages that it's a
very bad idea to sign. For example, "The deal's off." Also, "Your mother
wears army boots," "So's your old man," and "Take a long walk off a short
pier."

Cryptography cannot solve the problem of appropriate use of the technology.
Let me give a related "attack." Suppose before she cancels the deal Alice
sends Bob a message that says, "I'm really glad I'm working with you and
not Charlie. He's a real twit, and I have to grit my teeth every time I
deal with him." After canceling the deal, Bob then sends *that* message
with Alice's signature to Charlie. Cryptography can't solve *that* problem,
either. My dear, late friend, Martin Minow had a maxim, and that maxim is,
"Don't send anything by email that you don't want to see attached to your
resume." That can be extended to really, really, not sending a signed
document that you don't want to see attached to your resume.

I will also point out here, that the attack you give needs no encryption.
This is why I say it isn't even an engineering problem. It works equally
well with a clearsigned message. Adding in encryption weakens your case.
It's a more powerful attack on signing alone because anyone who finds that
message can retarget it.

My response, simply put, is don't sign a vague message like this:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The deal's off

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.2

iQA/AwUBOzOb9HwuAgBhK7KNEQLRSwCeMNxIiaf04ZejMbkmcxjhTX7R/10AoJKs
LbL3yWM4BrjmfvOYCGIdl0YG
=h7ZQ
-----END PGP SIGNATURE-----

because you'll be subject to retargeting. There is nothing a cryptographer
or engineer can do to protect such an easily misunderstood message.

The next problem you give is more interesting. It's again, misuse rather than a
crypto problem, but it strikes at the heart of two unsolved issues with
digital signatures:

	(1) What does a signature mean?
	(2) Can a signature be misused?

The answers to those questions are in my opinion, "Whatever you want them
to" and "Yes." Again, your demonstrations are brilliant examples of how you
can misuse a signature into some sort of semantic attack.

The first question is a swamp, so I'll only dance around it. I know people
who regularly sign all their email. I know people who refuse to sign email
(or rarely do). Each of them has a good explanation for why they do what
they do. For full disclosure, I rarely sign messages. Since I rarely sign
messages, it's relatively easy for someone to forge one coming from me. On
the other hand, since I don't sign messages out of habit, I'm not going to
accidentally create a retargetable message. But what this shows is that if
you find a signed document in the wrong hands, the assumption that the
signer sent it is flat silly.

The second question strikes at the very heart of one of the biggest
fantasies there is with digital signatures: non-repudiation. I don't
believe that non-repudiation exists. This second example is not an attack
on cryptography, but a brilliant attack on the notion of non-repudiation.
Stan Kelly-Bootle has a marvelous definition in "The Devil's DP
Dictionary" for "GIGO" that is, "Garbage In, Gospel Out." Sheer brain-dead
fantasies having been run through a computer become holy and divinely
inspired. Similarly, people think that a digital signature makes real-world
considerations go away, and alas, the people who believe this most are
lawyers (who should know better).

Let's analyze that second problem. Someone goes to Alice and says, "Hey,
Charlie has a catalog signed by you." Alice says, "Who's Charlie? I've
never heard of Charlie. I've never sent sensitive company material outside
the company." We all know that it's true. Alice didn't. Bob did. But we
also know that it's plausible for the corporate investigator to think Alice
did because of this Garbage In, Gospel Out fantasy as applied to signatures.

When I go on my "there's no such thing as non-repudiation" rant, I usually
focus on the difficulty of securing a private key. I really like this
scenario, because it shows another attack on non-repudiation -- taking
things out of context. Thank you! This is the true attack, that it's a
semantic attack on what the message *means*, not how it's constructed. A
signed message (because again, it works just as well if it's signed without
being encrypted) out of context means nothing. Signatures do not grant
meaning, and in fact can easily misdirect or obscure it.

The real problem is not one of cryptography, it's one of belief. It is
believing that a message containing a signed object came from the person
who signed it. It is believing that cryptography protects meaning, not
merely bits. It is believing that real-world problems with the interactions
of people can be solved with a bit of fancy math. These are all ludicrous,
and thank you for coming up with another attack on them.

	Jon
-- 
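
Added example, not part of either message above: a relying-party acceptance check in Python showing why a signature over a context-free statement verifies wherever it turns up, while one that signs an intended receiver and validity period does not survive forwarding. The field names (audience, not_before, not_after) and the sample values are assumptions loosely modelled on SAML conditions, and HMAC stands in for the issuer's public-key signature so the code needs only the standard library.

```python
import hashlib
import hmac
import json

# Constructed demo key. HMAC is a stand-in for the issuer's public-key
# signature; a real verifier would hold only the issuer's public key.
ISSUER_KEY = b"constructed-demo-key"

def _mac(statement):
    body = json.dumps(statement, sort_keys=True).encode()
    return hmac.new(ISSUER_KEY, body, hashlib.sha256).hexdigest()

def sign(statement):
    """Return the statement together with a MAC over its canonical form."""
    return {"statement": statement, "sig": _mac(statement)}

def signature_valid(signed):
    """Cryptographic check only: says nothing about who this was meant for."""
    return hmac.compare_digest(_mac(signed["statement"]), signed["sig"])

def accept(signed, me, now):
    """Relying-party check: signature first, then the signed context."""
    if not signature_valid(signed):
        return False, "bad signature"
    st = signed["statement"]
    # Without a signed receiver and validity period the statement cannot be
    # tied to this delivery, so a valid signature alone is not enough.
    if not all(k in st for k in ("audience", "not_before", "not_after")):
        return False, "no signed context"
    if st["audience"] != me:
        return False, "wrong audience"
    if not (st["not_before"] <= now < st["not_after"]):
        return False, "outside validity period"
    return True, "ok"

# Constructed samples: the terse message from the thread, bare and bound.
BARE = sign({"issuer": "alice", "text": "The deal's off"})
BOUND = sign({"issuer": "alice", "audience": "bob",
              "not_before": 1000, "not_after": 2000,
              "text": "The deal's off"})

if __name__ == "__main__":
    print(signature_valid(BARE))          # signature holds for any holder
    print(accept(BARE, "charlie", 1500))  # rejected: nothing binds it
    print(accept(BOUND, "bob", 1500))     # accepted by the named receiver
    print(accept(BOUND, "charlie", 1500)) # forwarded copy is rejected
```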



