OASIS Mailing List Archives

ws-rx message



Subject: [NEW ISSUE] Signature replacement threat


Title: Signature replacement threat

 

Description:

Signature confirmation for an RM session is important so that signature replacement can be quickly detected. This is important to protect against the unintended processing of user data. If an attacker replaces the signature on the CS message, then the signature confirmation will indicate the replacement and the initiator knows not to use the sequence. Assume there is an RM session initiated without having its signature compromised, and the associated signature has specifically chosen privileges required for the service. In this case the signature could be replaced with a new signature that has different privileges associated with it to execute functions at the service other than what the provider intends. In this case the initiator would be able to detect this on confirmation (if they receive it), but the service would have already processed the compromised message.

 

However, if the token (keys) were bound to the sequence during the RM sequence creation, the service would detect that the message was altered before processing it. This is because a different token will not be allowed for the entire RM session, which would prevent an attacker from being able to replace a signature and have the message processed before the signature was confirmed by the initiator (if at all).

 

On a related note, there is also the threat of associating the wrong or superset credentials in scenarios where messages require multiple signatures because of other headers and message aspects. Binding a token to the RM sequence at creation also disambiguates which token is intended for the RM CreateSequence message if there is more than one primary token.

 

The binding of a token to the RM sequence creation can be done by including an STR to the token in the CS message.

 

Target: core

 

Type: design

 

Proposal:

 

Add the threat as described in the issue description to the security considerations as “Signature replacement” in the list of enumerated threats after line 817.

 

Marc Goodner

Technical Diplomat

Microsoft Corporation

Tel: (425) 703-1903

Blog: http://spaces.msn.com/mrgoodner/
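
The destination-side check this message proposes, as an added sketch that is not part of the original message or of the WS-RM specification: the token named by the STR in CreateSequence is bound to the sequence, and a later message whose signature verifies under any other token is refused before processing. The class and method names, the position of the STR inside CreateSequence, and the `token-A`/`token-B` identifiers are assumptions; signature verification is assumed to be done by the WS-Security layer, which passes in the identifiers of the tokens that validated.

```python
import uuid
import xml.etree.ElementTree as ET

WSRM = "http://docs.oasis-open.org/ws-rx/wsrm/200702"
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")
# Where this sketch expects the STR: directly inside CreateSequence.
STR_PATH = (f".//{{{WSRM}}}CreateSequence/{{{WSSE}}}SecurityTokenReference"
            f"/{{{WSSE}}}KeyIdentifier")


class SequenceTokenBindings:
    """Destination-side table: sequence id -> token bound at creation."""

    def __init__(self):
        self._bound = {}

    def create_sequence(self, envelope_xml, verified_tokens):
        """Bind the token named by the STR; return the new sequence id.

        verified_tokens: ids of tokens whose signatures over this message
        the WS-Security layer has already validated (assumption).
        """
        # Use a hardened XML parser for untrusted input in real services.
        key_id = ET.fromstring(envelope_xml).find(STR_PATH)
        token = (key_id.text or "").strip() if key_id is not None else ""
        if not token:
            raise ValueError("CreateSequence carries no token reference")
        # The STR picks one of several signing tokens, but it must name
        # a token that actually signed this message.
        if token not in verified_tokens:
            raise PermissionError("STR names a token that did not sign")
        seq_id = f"urn:uuid:{uuid.uuid4()}"
        self._bound[seq_id] = token
        return seq_id

    def accept(self, seq_id, verified_tokens):
        """True only if the bound token signed this sequence message."""
        bound = self._bound.get(seq_id)
        return bound is not None and bound in verified_tokens


# Constructed CreateSequence, trimmed to what the check reads.
CREATE_SEQUENCE = f"""<s:Envelope
  xmlns:s="http://www.w3.org/2003/05/soap-envelope"
  xmlns:wsrm="{WSRM}" xmlns:wsse="{WSSE}"><s:Body><wsrm:CreateSequence>
  <wsse:SecurityTokenReference>
    <wsse:KeyIdentifier>token-A</wsse:KeyIdentifier>
  </wsse:SecurityTokenReference>
</wsrm:CreateSequence></s:Body></s:Envelope>"""
```

With this table in place, a sequence message that carries a valid signature from `token-B` is rejected by `accept` at the destination, without waiting for the initiator to notice the replacement on confirmation.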

 


