OASIS Mailing List Archives

security-consider message

Subject: RE: Some initial security consideration thoughts

Enclosed is the full set of questions that I "fat-fingered" previously.

This mail is an attempt to define the SAML security problem in general, abstract terms.  At this level of discussion I am using the term document to mean either an artifact as defined in previous mails or a SAML assertion.

I'll use the traditional Alice, Bob, Carol, Trent and Mallory in my discussions.  Alice wants to talk securely with Bob and Carol. Trent is the authentication service and Mallory is the bad guy.

- Conditions to be satisfied by the protocol

(single sign-on) Alice will proactively authenticate once, i.e. Alice, the person or entity, will be physically involved only once by supplying some authentication evidence.

Assume that Mallory can get the document.

- Steps in the protocol

* Alice authenticates to Trent. (Outside the SAML specification. This is the one and only proactive authentication. It is a mutual authentication.)

* Alice requests and receives a document from Trent.
* Alice uses this document to authenticate to Bob later.  Use of this same document can be repeated a number of times.
* Alice wants to use the same document to authenticate to Carol.

- Questions that the protocol has to answer. (The questions start with an asterisk. The indented sentences following some questions are conditions that may help in resolving the preceding question.)

* What needs to be in the document to assure Bob that it comes from Alice?
        Some secret that only Alice knows or has, and of which only she can prove possession.

* How can the document be used to talk to Bob multiple times?

* Can the same document be used to talk to both Bob and Carol?

* What needs to be in the document to assure Carol that it comes from Alice?
        Some secret that only Alice knows or has, and of which only she can prove possession.

* How is Mallory prevented from using the document to impersonate Alice? 
        Mallory can't prove he has Alice's secret.

* How do we prevent replay?
        We can prevent replay if we have a nonce that can't be changed in the artifact.

* What is Alice's secret?
        The $64 question -:)

* Is Mutual Authentication between Alice and Bob or Carol necessary?

* What are the limits on replay by Alice?

* Can Bob or Carol impersonate Alice and if so what are the consequences?

* What happens if Trent is not available when Bob or Carol needs him?

* Does Bob or Carol have to talk to Trent? (Push vs. Pull)

* What, if anything, does Trent have to know about any of the parties in advance of the conversations?

* Does this conversation need to be available for later decisions? (Non-repudiation or audit)

* What does Alice or Bob or Carol have to know in advance?

* What if the parties are not unique, e.g. there is more than one Alice or Bob or Carol?

* Can Trent not be involved?



Don
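[Added illustration, not part of Don's message or of the SAML specification: the Python below sketches one "holder-of-key" answer to several of the questions above. Trent issues a single signed document that binds the subject name to Alice's public key; Alice's secret is the matching private key; Bob and Carol each hold only Trent's public key and never call back to Trent (the push model); a relying party issues a fresh nonce per exchange and Alice signs the nonce together with the relying party's name, so one answer cannot be replayed to Bob or forwarded by Bob to Carol; a lifetime in the document bounds how long Alice herself may reuse it. The field names, the JSON layout, the party names as key pairs, and the toy Schnorr signature scheme generated at import are all assumptions of the example; the group is far too small for real use and exists only so the protocol logic runs with the standard library.]

```python
import hashlib
import json
import secrets
import time

# Toy Schnorr signatures over a safe-prime group generated at import (stdlib only;
# the group is far too small for real use, it only makes the protocol logic runnable).
SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_probable_prime(n, rounds=20):
    if n < 2 or any(n % sp == 0 for sp in SMALL_PRIMES):
        return n in SMALL_PRIMES
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):  # Miller-Rabin with random witnesses
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1): continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1: break
        else:
            return False
    return True

def gen_group(bits=96):
    while True:  # safe prime p = 2q + 1; h^2 generates the order-q subgroup
        q = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            p = 2 * q + 1
            return p, q, pow(secrets.randbelow(p - 3) + 2, 2, p)

P, Q, G = gen_group()

def keygen():
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)
def _h(msg, r):
    return int.from_bytes(hashlib.sha256(msg + b"|" + str(r).encode()).digest(), "big") % Q
def sign(x, msg):
    k = secrets.randbelow(Q - 1) + 1
    e = _h(msg, pow(G, k, P))
    return e, (k - x * e) % Q
def verify(y, msg, sig):
    e, s = sig
    return e == _h(msg, (pow(G, s, P) * pow(y, e, P)) % P)
def canon(d):
    return json.dumps(d, sort_keys=True).encode()

# Trent issues one signed document binding the subject to Alice's public key.
# Alice's "secret" is the matching private key; Trent never learns it.
def trent_issue(trent_x, subject, holder_pub, ttl=300):
    body = {"subject": subject, "holder_key": holder_pub,
            "id": secrets.token_hex(8), "not_after": int(time.time()) + ttl}
    return {"body": body, "sig": sign(trent_x, canon(body))}

# Alice answers a challenge by signing the relying party's name, its nonce and the
# document id, so one answer cannot be replayed or redirected to another party.
def prove(holder_x, doc, rp_name, nonce):
    return sign(holder_x, canon({"aud": rp_name, "nonce": nonce, "id": doc["body"]["id"]}))

class RelyingParty:  # Bob or Carol: knows Trent's public key in advance, never contacts Trent
    def __init__(self, name, trent_pub):
        self.name, self.trent_pub, self.open_nonces = name, trent_pub, set()

    def challenge(self):
        n = secrets.token_hex(16)
        self.open_nonces.add(n)
        return n

    def accept(self, doc, nonce, proof):
        body = doc["body"]
        if nonce not in self.open_nonces:
            return False, "stale or unknown nonce"   # replay of an old exchange
        if not verify(self.trent_pub, canon(body), doc["sig"]):
            return False, "bad issuer signature"
        if body["not_after"] < time.time():
            return False, "expired"                   # bounds how long Alice may reuse it
        msg = canon({"aud": self.name, "nonce": nonce, "id": body["id"]})
        if not verify(body["holder_key"], msg, proof):
            return False, "holder proof failed"       # holding the document is not holding the key
        self.open_nonces.discard(nonce)               # each challenge is answered once
        return True, "ok"

def run_scenario():
    (trent_x, trent_y), (alice_x, alice_y), (mallory_x, _) = keygen(), keygen(), keygen()
    bob, carol = RelyingParty("bob", trent_y), RelyingParty("carol", trent_y)
    doc = trent_issue(trent_x, "alice", alice_y)          # the one proactive authentication
    out = {}
    n1 = bob.challenge()
    proof1 = prove(alice_x, doc, "bob", n1)
    out["alice_bob"] = bob.accept(doc, n1, proof1)
    n2 = bob.challenge()                                   # same document, Bob again
    out["alice_bob_again"] = bob.accept(doc, n2, prove(alice_x, doc, "bob", n2))
    n3 = carol.challenge()                                 # same document, Carol
    out["alice_carol"] = carol.accept(doc, n3, prove(alice_x, doc, "carol", n3))
    out["mallory_replay"] = bob.accept(doc, n1, proof1)    # Mallory replays what he captured
    n4 = bob.challenge()                                   # Mallory has doc but not alice_x
    out["mallory_forge"] = bob.accept(doc, n4, prove(mallory_x, doc, "bob", n4))
    n5 = carol.challenge()                                 # Bob forwards Alice's proof to Carol
    out["bob_impersonates"] = carol.accept(doc, n5, proof1)
    return out
```

Running run_scenario() returns a dictionary in which the three Alice exchanges are accepted and the three attacks (Mallory's replay, Mallory's forgery with his own key, Bob passing Alice's proof on to Carol) are rejected with the reason Bob or Carol recorded. What the design leaves open is exactly the questions the mail does not answer for itself: how Bob or Carol get Trent's public key in advance, what happens when Trent is unreachable (nothing here, since the relying parties never pull from Trent), and whether the per-exchange nonces are kept for later audit.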


