Re: [security-services] Minutes for SSTC Telecon (18 Oct 2011)

["Cantor, Scott" <cantor.2@osu.edu>]

On 10/21/11 7:12 AM, "Massimiliano Masi"
<massimiliano.masi@tiani-spirit.com> wrote:
>
>and here the public link:

Thanks for finding that!

>opening etc. The error messages returned to the MITM are meaningful so
>that,
>the MITM, can guess with high probability to have produced a well formed
>ciphertext (w.r.t. their definition of ``well formed''ness).

Unfortunately it's not just error messages (that's easy to prevent), it's
also a timing attack.

>It is more or less related to the assumptions to sign before encrypt,
>encrypt-before-sign, sign-before-encrypt-than-sign again.

SAML unfortunately followed the advice of the industry and encouraged sign
before encrypt, and that's turned out to be a mistake. I think we will
have to rectify that in errata. A fix in many scenarios is going to be to
start signing responses instead of assertions, but that's a disruptive
change since the relying party has to enforce that.

>What I see very interesting (and I don't see any countermeasures on that)
>are the links in the ``countermeasures'' section, to kind of XML Rewrite
>Attacks[1] 
>and what they call XML Encryption wrapping,  in which the MITM can change
>the 
>structure of the soap message to have the signature validation useless.

Maybe for web services, but that's not a SAML problem.

-- Scott