[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: [NEW ISSUE] Signature replacement threat
Title: Signature replacement threat Description: Signature confirmation for an RM session is important so that signature
replacement can be quickly detected. This is important to protect against the
unintended processing of user data. If an attacker replaces the signature on
the CS message, then the signature confirmation will indicate the replacement
and the initiator knows not to use the sequence. Assume there is an RM session
initiated without having its signature compromised, the associated signature
has specifically chosen privileges required for the service. In this case the
signature could be replaced with a new signature that has different privileges
associated with it to execute functions at the service other than what the
provider intends. In this case the initiator would be able to detect this on
confirmation (if they receive it) but the service would have already processed
the compromised message. However, if the token (keys) were bound to the sequence during the RM
sequence creation the service would detect that the message was altered before
processing it. This is because a different token will not be allowed for the
entire RM session which would prevent an attacker from being able to replace a
signature and have the message processed before the signature was confirmed by
the initiator (if at all). On a related note there is also the threat of associating the wrong or
superset credentials in scenarios where messages require multiple signatures
because of other headers and message aspects. Binding a token to the RM
sequence at creation also disambiguates which token is intended for the RM
CreateSequence message if there is more than one primary token. The binding of a token to
the RM sequence creation can be done by including a STR to the token in the CS
message. Target: core Type: design Proposal: Add the threat as described in the issue description to
the security considerations as “Signature replacement” in the list
of enumerated threats after line 817. Marc Goodner Technical Diplomat Microsoft Corporation Tel: (425) 703-1903 Blog: http://spaces.msn.com/mrgoodner/
|
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]