
security-services message


Subject: RE: [security-services] potential errata in SSO Profile

> Lines 602-604 of Profiles describe how bearer assertion
> replay attacks must be prevented when using the POST binding.
> I contend that this is not just a POST binding-specific
> issue and that assertion replays must be prevented
> independent of the binding.

Well, only to a degree. It depends on your threat model. The usual replay
issue with POST (and artifact) is theft by a MitM who then replays them to
that intended site.

> For example, it seems feasible
> to actually replay an assertion when using an artifact
> binding by simply ensuring that different Response messages
> are used to carry the same assertion each time. Thus
> different artifacts are used, but the assertion could get
> replayed since there is no artifact binding-specific
> requirement to make the check.

But to do that you need the cooperation of the IdP or you need to completely
hack the artifact resolution step in which case replay is irrelevant,
especially when you consider that things might not be signed in that case.
So I can just forge an assertion with whatever new ID I want.

> This wasn't an issue in SAML 1.x since artifacts referred to 
> assertions, not protocol messages. Thus the artifact replay 
> check would prevent the assertion replay.

It was never really intended to do that, even in 1.x. It was something done
in place of the assertion check.

-- Scott
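The scenario raised in the quoted text (the same assertion carried in two different Response messages, hence two different artifacts) is easiest to see against a concrete SP-side check. The following is an added example, not code from the thread or from any OASIS deliverable: a minimal replay cache keyed on the assertion ID rather than on the Response ID or artifact, so the same check runs whichever binding delivered the message. It assumes the SP has already verified the signature and the other SubjectConfirmationData conditions before reaching this step, and the Response documents, endpoint names and IDs are constructed for the example.

```python
"""Binding-independent bearer-assertion replay check at a SAML 2.0 SP (illustrative)."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"


class ReplayCache:
    """Remembers accepted assertion IDs until their bearer NotOnOrAfter has passed."""

    def __init__(self):
        self._seen = {}  # assertion ID -> NotOnOrAfter (aware UTC datetime)

    def _purge(self, now):
        # Entries whose validity window has closed can never be replayed usefully,
        # because the NotOnOrAfter check below rejects them anyway.
        for aid in [a for a, exp in self._seen.items() if exp <= now]:
            del self._seen[aid]

    def check(self, assertion_id, not_on_or_after, now):
        self._purge(now)
        if not_on_or_after <= now:
            return "expired"
        if assertion_id in self._seen:
            return "replay"
        self._seen[assertion_id] = not_on_or_after
        return "accepted"


def parse_iso_utc(value):
    # SAML dateTime values are UTC with a trailing "Z"
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def consume_response(cache, response_xml, binding, now):
    """Return [(assertion ID, verdict)]. `binding` is only passed through for logging;
    the replay decision deliberately does not depend on it."""
    root = ET.fromstring(response_xml)
    results = []
    for assertion in root.findall("saml:Assertion", NS):
        aid = assertion.get("ID")
        # The cache entry lives as long as the tightest bearer NotOnOrAfter.
        bounds = [
            parse_iso_utc(scd.get("NotOnOrAfter"))
            for sc in assertion.findall("saml:Subject/saml:SubjectConfirmation", NS)
            if sc.get("Method") == BEARER
            for scd in sc.findall("saml:SubjectConfirmationData", NS)
            if scd.get("NotOnOrAfter")
        ]
        if not bounds:
            results.append((aid, "rejected: no bearer NotOnOrAfter"))
            continue
        results.append((aid, cache.check(aid, min(bounds), now)))
    return results


def make_response(response_id, assertion_id, not_on_or_after):
    # Constructed sample Response; the issuer and recipient are placeholder names.
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="{response_id}" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Assertion ID="{assertion_id}" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>https://idp.example.test</saml:Issuer>
    <saml:Subject>
      <saml:NameID>alice</saml:NameID>
      <saml:SubjectConfirmation Method="{BEARER}">
        <saml:SubjectConfirmationData NotOnOrAfter="{not_on_or_after}"
            Recipient="https://sp.example.test/acs"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


def demo():
    """Same assertion, two different Response messages (so two different artifacts)."""
    cache = ReplayCache()
    now = datetime(2024, 1, 1, 12, 1, 0, tzinfo=timezone.utc)
    first = make_response("_resp1", "_a1", "2024-01-01T12:05:00Z")
    second = make_response("_resp2", "_a1", "2024-01-01T12:05:00Z")
    return (consume_response(cache, first, "artifact", now),
            consume_response(cache, second, "post", now))


def expired_demo():
    """An assertion presented after its NotOnOrAfter is refused even on first sight."""
    cache = ReplayCache()
    late = datetime(2024, 1, 1, 12, 6, 0, tzinfo=timezone.utc)
    return consume_response(cache, make_response("_resp3", "_a2", "2024-01-01T12:05:00Z"),
                            "post", late)


if __name__ == "__main__":
    print(demo())          # ([('_a1', 'accepted')], [('_a1', 'replay')])
    print(expired_demo())  # [('_a2', 'expired')]
```

Because the key is the assertion ID and the entry expires with the assertion's own NotOnOrAfter, the second delivery is refused whether it arrived by POST or by artifact resolution, and the cache stays bounded without any binding-specific bookkeeping.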
