Subject: RE: [security-services] FW: <fyi> HMAC flaw in XML DSig, Redux (W3C Blog)
robert.philpott@rsa.com wrote on 2009-07-16:

> I'm not aware of any implementations that generate messages using HMAC-based
> signatures. However, the issue isn't so much what SAML implementations
> might send out, it's how they would respond if they received a hacked
> message that contained an HMAC-based signature. Depending on the
> implementation's underlying DSIG package, it could conceivably accept such a
> message as having a valid signature and attempt to process its contents.

Sure, but only if it were actually using HMAC explicitly as an RP, since it would have to validate the signing key. Obviously the attack lets you spoof the key, but you'd have to be expecting to validate a symmetric key to begin with.

-- Scott
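The point the exchange above turns on is whether a relying party is prepared to validate a symmetric key at all. The following added example (not code from the thread or from any SAML implementation) shows the check an RP's DSIG front end can apply before verification: refuse any HMAC SignatureMethod unless the RP is explicitly configured with a shared key, and even then refuse a truncated HMACOutputLength, which is the truncation issue the W3C post named in the subject describes. The allow-list, the `MIN_HMAC_OUTPUT_BITS` floor and the two SignedInfo samples are assumptions constructed for the example.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
RSA_SHA1 = DS + "rsa-sha1"
# Assumed policy floor for a truncated HMAC tag; tune to your deployment.
MIN_HMAC_OUTPUT_BITS = 80


def check_signature_method(xml_text, expects_shared_key=False, allowed=(RSA_SHA1,)):
    """Return (accepted, reason) for the ds:SignatureMethod in a Signature/SignedInfo.

    An RP that only ever validates asymmetric signatures refuses HMAC outright;
    an RP that really holds a shared key may accept it, but never with a
    truncated HMACOutputLength.
    """
    root = ET.fromstring(xml_text)
    methods = list(root.iter(f"{{{DS}}}SignatureMethod"))
    if len(methods) != 1:
        return False, "expected exactly one ds:SignatureMethod"
    alg = methods[0].get("Algorithm", "")
    if "#hmac-" in alg:
        if not expects_shared_key:
            return False, f"HMAC method {alg} but this RP validates no shared key"
        length = methods[0].find(f"{{{DS}}}HMACOutputLength")
        if length is not None:
            try:
                bits = int(length.text.strip())
            except (TypeError, ValueError, AttributeError):
                return False, "unparseable HMACOutputLength"
            if bits < MIN_HMAC_OUTPUT_BITS:
                return False, f"HMACOutputLength {bits} below policy floor"
        return True, "HMAC accepted under shared-key configuration"
    if alg not in allowed:
        return False, f"signature method {alg} not in allow-list"
    return True, "asymmetric method accepted"


# Constructed samples (not from the thread): the HMAC case the message worries
# about, carrying a truncated output length, and an ordinary RSA SignedInfo.
HMAC_SIGNED_INFO = f"""<ds:SignedInfo xmlns:ds="{DS}">
  <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
  <ds:SignatureMethod Algorithm="{DS}hmac-sha1">
    <ds:HMACOutputLength>8</ds:HMACOutputLength>
  </ds:SignatureMethod>
</ds:SignedInfo>"""

RSA_SIGNED_INFO = f"""<ds:SignedInfo xmlns:ds="{DS}">
  <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
  <ds:SignatureMethod Algorithm="{RSA_SHA1}"/>
</ds:SignedInfo>"""

if __name__ == "__main__":
    print(check_signature_method(HMAC_SIGNED_INFO))
    print(check_signature_method(RSA_SIGNED_INFO))
```

The check only gates which SignatureMethod the RP is willing to consider; the actual key lookup and signature verification still follow in the underlying DSIG package.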