OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Subject: RE: [security-services] Suggest adding IssueInstant attribute toRequest and Response

>The more important issue is the security considerations. You have
claimed
>that there are threats to the SOAP binding, (or perhaps you had in mind
>some other binding or profile) due to replay, other than denial of
service.

I'll be as direct as I can. The current SOAP binding that is expected to
be in SAML 1.0 is *not* subject to a replay attack. What I claim is that
other, obvious, potential SAML bindings *will* be subject to replay
attacks unless they add a timestamp on their own behalf (by extending
the schema or some other means).

>The current document says this is not the case. You should publish the
>attack so we can include it in security considerations.

You have a request format that is not timestamped. The obvious
implication is that a plaintext signed request can be stolen and
replayed if the binding in use permits the act of signing to be used
alone to authenticate and insure the integrity of the request.

The SOAP binding does not permit this, because it requires that message
integrity be provided by SSL, therefore there's no such attack.

An example future binding that *would* be subject to this attack is one
in which requests are signed, with or without encryption, and sent over
HTTP or some other open protocol, such as SMTP. The request is
authenticated solely by the signature and the message integrity comes
from the same signature.

If you want to rule out such bindings, that's fine. I don't see why
you'd want to do that, but that's the sole motivation I had for saying
anything about it.

>I object to adding potentially complex bells and whistles on "general
>principles." (Based on my experience, any algorithm involving either
>caching or time comparisons is potentially complex, and this involces
>both.) How can somebody design a correct algorithm if we don't identify
>the attacks we are trying to prevent?

I'm hardly going to dispute that building a replay cache isn't more
complex than not building one. Note that there's already one in SAML
(see the Browser POST profile).

But as for the implications? If you don't want to ever support any
bindings that would require one, then there's a simple answer. Just
ignore the IssueInstant utterly, and it won't cost you a thing apart
from a line of code to create it. Voila, no replay cache.

Personally, I think having IssueInstant baked in for people that might
want to support such a binding without having to extend the schema is
worth that line of code, but YMMV.

-- Scott

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Powered by eList eXpress LLC