


security-services message


Subject: RE: [security-services] FW: <fyi> HMAC flaw in XML DSig, Redux (W3C Blog)

robert.philpott@rsa.com wrote on 2009-07-16:
> I'm not aware of any implementations that generate messages using
> signatures.  However, the issue isn't so much what SAML implementations
> might send out, it's how they would respond if they received a hacked
> message that contained an HMAC-based signature.  Depending on the
> implementation's underlying DSIG package, it could conceivably accept such
> a message as having a valid signature and attempt to process its contents.

Sure, but only if it were actually using HMAC explicitly as an RP, since it
would have to validate the signing key. Obviously the attack lets you spoof
the key, but you'd have to be expecting to validate a symmetric key to begin

-- Scott
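As an added example (not from this thread or from any SAML implementation), here is the kind of policy gate an RP can run over SignedInfo before handing the message to its DSIG library: it refuses HMAC signature methods unless the RP actually holds a shared key, and, when it does, refuses a truncated HMACOutputLength (the optional truncation element XML DSig defines). The algorithm URIs are the standard XML DSig / RFC 4051 identifiers; the SignedInfo fragments are constructed for the demonstration.

```python
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
HMAC_SHA1 = "http://www.w3.org/2000/09/xmldsig#hmac-sha1"
# Full MAC length in bits per HMAC algorithm (XML DSig core and RFC 4051).
HMAC_FULL_BITS = {
    HMAC_SHA1: 160,
    "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256": 256,
}

def check_signature_method(signed_info_xml, accepts_symmetric_keys=False,
                           allowed_asymmetric=frozenset({RSA_SHA1})):
    """Policy gate run before any cryptographic verification.

    Returns (ok, reason). Rejects anything this RP is not provisioned to
    validate, so the outcome never depends on what the underlying DSIG
    package happens to tolerate.
    """
    root = ET.fromstring(signed_info_xml)
    method = root.find(f"{{{DSIG_NS}}}SignatureMethod")
    if method is None:
        return False, "no SignatureMethod"
    alg = method.get("Algorithm", "")
    if alg in HMAC_FULL_BITS:
        if not accepts_symmetric_keys:
            # An RP that only holds issuer public keys has no shared secret,
            # so an HMAC can never be legitimate here; refuse it outright.
            return False, "HMAC signature method not expected by this RP"
        out_len = method.find(f"{{{DSIG_NS}}}HMACOutputLength")
        if out_len is not None and int(out_len.text) < HMAC_FULL_BITS[alg]:
            # Any truncation weakens verification; demand the full tag.
            return False, f"truncated HMACOutputLength {out_len.text}"
        return True, "ok"
    if alg in allowed_asymmetric:
        return True, "ok"
    return False, f"signature method not allowed: {alg}"

# Constructed SignedInfo fragments standing in for what an RP might receive.
def signed_info(alg, extra=""):
    return (f'<ds:SignedInfo xmlns:ds="{DSIG_NS}">'
            '<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>'
            f'<ds:SignatureMethod Algorithm="{alg}">{extra}</ds:SignatureMethod>'
            '</ds:SignedInfo>')

TRUNCATED_HMAC = signed_info(HMAC_SHA1, "<ds:HMACOutputLength>8</ds:HMACOutputLength>")
FULL_HMAC = signed_info(HMAC_SHA1, "<ds:HMACOutputLength>160</ds:HMACOutputLength>")
RSA = signed_info(RSA_SHA1)
```

Run against the constructed fragments, `TRUNCATED_HMAC` is rejected with or without a configured shared key (for different reasons), while `FULL_HMAC` passes only when `accepts_symmetric_keys=True` and `RSA` passes under the default policy.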
