OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Subject: Solving a potential SAML MITM-problem

"Reprinted" from the PKIX-list

Hi All,

I wonder if you security experts could take some of your precious time to look 
on a problem that affect systems based on domain security in conjunction
with user's with web-browsers.  To this category belong: Purple, Shibboleth, 
MSFT's Passport(!), VISA's 3D Secure, and the coming OAISIS security services
standard (some use-cases).

ENTITIES:

Client: browser-user associated with an Attribute Authority (AA). 
Relying Party (RP).  The RP has a trust relationship with the AA.
The client's relation to the RP is indirect (typically an AA representative).

SCENARIO: 

The client wants to logon on a RP-controlled web-server with the use of an on-the-fly
created "ticket" that an AA web-server issues to the client on demand.  The ticket
contains a redirect to an RP URL.

PROBLEM DESCRIPTION:

The client (user) will (hopefully) to his/her "own" organization (AA), long-term authenticate using
client-certificates which eliminates MITM-attacks using SSL.  At least the AA is protected from fake clients.

A potential problem with MITM SSL-attacks remains with the redirected client-to-RP server connection 
as it is not terminated by client-certificates as they are replaced by "tickets" that has no
key/cert-binding to the client.  I.e. a MITM-attacker could during the redirected SSL-connect to
the RP (ticket consumer) "snatch" the ticket and get access to the client's resources at the RP.
This attack on SSL has been described by others so it exists although it normally requires user
to accept a rogue cert.

So what to do? 

"Tweaking" SSL seems highly unlikely and I haven't come up with any nice tweaks that 
would work anyway. 

But I have found one *possible* way that could be implemented if schemes like Purple,
Shibboleth and OASIS security services become mainstream: 

The AA (Attribute authority making redirected tickets) could in the redirect indicate 
that it expects the RP server-cert to be signed by a CA known/accepted by the AA through the
use of an OCSP lookup URL + certID for the OCSP signer cert which is specified by the AA and
that there must be one-to-one redirect host-name correlation or  the redirect will not be carried out.
I.e. this would be a [technically] rather simple "fix" in a browser.  Could be migrated into
browsers any day without giving unwanted side-effects or incompatibilities.

What do U think? 

Regards 
Anders Rundgren

SAML "lurker"

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Powered by eList eXpress LLC