OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

ws-rx message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: RE: i029 Session hijacking addressed by STR in CSR


Thanks for providing this information. The attack you outlined is pretty
much the same as the one I outlined in

There is a simpler way of protecting against this threat. As you stated
"if anyone obtains the sequence ID" they can execute this attack. There
are only two ways that an attacker can obtain someone else's sequence
ID; they can guess it or they can observe it. To protect against the
first possibility the RMD simply needs to create sequence IDs that
contain enough random information as to making guessing impractical. To
protect against the second possibility the RMS and RMD simply need to
use some underlying security mechanism that provides end-to-end message
confidentiality. This could be a WS-SecureConversation context, an
SSL/TLS session, or some other mechanism.

If people agree that the above proposal protects against the threat that
you have outlined, than I think people would also agree that the above
proposal is superior to the currently specified mechanism for the
following reasons:

1.) Although this allows WS-RM and WSS to be composed it does not bind
them together.
2.) It does not require the run-time cost of performing an authorization
check on every message.

In reality the threat we are discussing is no different than the threat
faced by web applications that use session cookies to preserve state.
Common practice is to generate random cookie values and protect these
cookies with SSL. Nobody had to tightly bind HTTP and SSL to prevent web
session hijacking.

If there are additional threats that the current mechanism defends
against, I welcome the chance to discuss those as well.

- g

> -----Original Message-----
> From: Marc Goodner [mailto:mgoodner@microsoft.com] 
> Sent: Friday, September 16, 2005 6:00 PM
> To: Gilbert Pilz
> Cc: ws-rx@lists.oasis-open.org
> Subject: i029 Session hijacking addressed by STR in CSR
> Gil,
> You asked for more information on what threats that including 
> the STR in the CSR mitigates against. For one it prevents 
> session hijacking. 
> For example, let's say that anyone in the FOO group can 
> create an RM session, then if anyone obtains the sequence ID 
> they are likely to be authorized to use the RM session. This 
> can be mitigated by a service user establishing a security 
> context with their credentials prior to creating the RM 
> session. This security context has the claims necessary for 
> creating a sequence. This security context is only known to 
> the two parties, other users in the FOO group are not part of 
> this security context. This security context is used in the 
> RM sequence creation thus binding the two at creation time. 
> With this coupling in place, the RM sequence is effectively 
> "owned" by the security context identified in the STR of the 
> CSR that establishes the security context in this example. 
> Establishing security semantics after the resource is created 
> leaves an attack window for creation attacks that is not 
> addressed by just signing the message header and body.
> Again, I believe this issue should be closed with no action. 
> The STR should not be removed from the CSR. 
> Regards,
> Marc g
BEAWorld 2005: coming to a city near you.  Everything you need for SOA and enterprise infrastructure success.

Register now at http://www.bea.com/4beaworld

Santa Clara 27-29 Sep| London 11-12 Oct| Paris13-14 Oct| Prague18-19 Oct |Tokyo 25-26 Oct| Beijing 7-8 Dec

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]