Subject: WS-I BSP WG comments - Part 2
Please find below an additional comment on the WS-Security specifications from the WS-I Basic Security Profile WG. Please contact me if you have any difficulty interpreting our comments.

/paulc
Chair, WS-I BSP WG

Paul Cotton, Microsoft Canada
17 Eleanor Drive, Nepean, Ontario K2E 6A3
Tel: (613) 225-5445 Fax: (425) 936-7329
mailto:pcotton@microsoft.com

WSS Username Token Profile
Comments on Working Draft 4 dated 11 Aug 2003.

In lines 126-134 of the Username Token Profile, counter measures are given to thwart replay attacks. The counter measures involve timestamps and nonces. This works as a counter measure when the attacker attempts to replay the token to the same receiver that legitimately received the token previously. However, it does not cover the case where the token is replayed to a different receiver. There are several possible approaches for this latter case:

- including the username in the hash, to thwart cases where multiple user accounts have matching passwords (e.g. passwords based on company name)
- including the domain name in the hash, to thwart cases where the same username/password is used in multiple systems
- including some indication of the intended receiver in the hash, to thwart cases where receiving systems don't share nonce caches (e.g., two separate application clusters in the same security domain).
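The cross-receiver replay the WG describes, as an added illustration that is not part of the original message or of the WSS specification: two receivers that do not share a nonce cache verify the standard PasswordDigest (Base64(SHA-1(nonce + created + password))) and a hypothetical variant that also folds the username and intended receiver into the hash; the field layout of that variant, the sample password, nonce, timestamp and receiver names are all constructed assumptions.

```python
import base64
import hashlib
import hmac

# Constructed sample values (assumptions, not taken from the original message).
PASSWORD = "s3cret"
NONCE = base64.b64encode(b"0123456789abcdef").decode()
CREATED = "2003-08-11T10:00:00Z"


def password_digest(nonce_b64: str, created: str, password: str) -> str:
    """Standard WSS PasswordDigest: Base64(SHA-1(nonce + created + password))."""
    raw = base64.b64decode(nonce_b64) + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode()


def bound_digest(nonce_b64: str, created: str, password: str,
                 username: str, receiver: str) -> str:
    """Hypothetical variant binding username and intended receiver into the
    hash, as the WG suggests; the concatenation order is an assumption."""
    raw = (base64.b64decode(nonce_b64) + created.encode() + username.encode()
           + receiver.encode() + password.encode())
    return base64.b64encode(hashlib.sha1(raw).digest()).decode()


class Receiver:
    """One receiving endpoint with its own, unshared nonce cache."""

    def __init__(self, name: str, passwords: dict):
        self.name, self.passwords, self.seen_nonces = name, passwords, set()

    def verify(self, token: dict, bound: bool) -> bool:
        if token["nonce"] in self.seen_nonces:
            return False  # same-receiver replay: caught by the nonce cache
        pw = self.passwords.get(token["username"])
        if pw is None:
            return False
        expected = (bound_digest(token["nonce"], token["created"], pw,
                                 token["username"], self.name) if bound
                    else password_digest(token["nonce"], token["created"], pw))
        if not hmac.compare_digest(expected, token["digest"]):
            return False  # digest mismatch (e.g. token bound to another receiver)
        self.seen_nonces.add(token["nonce"])
        return True


def replay_scenario(bound: bool) -> tuple:
    """A token built for receiver A is replayed to A and then to B.
    Returns (A accepts original, A accepts replay, B accepts replay)."""
    users = {"alice": PASSWORD}
    a = Receiver("https://a.example/svc", users)  # constructed receiver names
    b = Receiver("https://b.example/svc", users)
    digest = (bound_digest(NONCE, CREATED, PASSWORD, "alice", a.name) if bound
              else password_digest(NONCE, CREATED, PASSWORD))
    token = {"username": "alice", "nonce": NONCE, "created": CREATED, "digest": digest}
    return (a.verify(token, bound), a.verify(token, bound), b.verify(token, bound))
```

With the standard digest the replay to B succeeds because B's nonce cache has never seen the nonce; with the receiver-bound digest B computes a different expected value and rejects it. A production verifier would additionally reject tokens whose Created timestamp falls outside a freshness window.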