Liberty ID-FF Bindings and Profiles Specification - Liberty Alliance

More documents

Recommendations

Info

Liberty Alliance Project:Liberty ID-FF Bindings and Profiles SpecificationVersion: 1.2-errata-v2.0216921702171• Collusion among two or more Principals• Collusion between two or more service providers• Collusion between two or more identity providers21722173217421752176217721782179• Denial-of-Service Attacks: The prevention of authorized access to a system resource or the delaying of systemoperations and functions.• Man-in-the-Middle Attacks: A form of active wiretapping attack in which the attacker intercepts and selectivelymodifies communicated data to masquerade as one or more of the entities involved in a communication association.• Replay Attacks: An attack in which a valid data transmission is maliciously or fraudulently repeated, either by theoriginator or by an adversary who intercepts the data and retransmits it, possibly as part of a masquerade attack.• Session Hijacking: A form of active wiretapping in which the attacker seizes control of a previously establishedcommunication association.2180218121822183218421852186218721882189219021912192219321942195219621972198219922002201220222034.4. Threat Scenarios and CountermeasuresIn this section, threats that may apply to all the Liberty profiles are considered first. Threats that are specific toindividual profiles are then considered. In each discussion the threat is described as well as the countermeasures thatexist in the profile or the additional countermeasures that may be implemented to mitigate the threat.4.4.1. Common Threats for All ProfilesThreat: Request messages sent in cleartextDescription: Most profile protocol exchanges do not mandate that all exchanges commence over a secure communicationchannel. This lack of transport security potentially exposes requests and responses to both passive and activeattacks.One obvious manifestation is when the initial contact is not over a secure transport and the Liberty profile begins toexchange messages by carrying the request message back to the user agent in the location header of a redirect.Another such manifestation could be a request or response message which carries a URI that may be resolved on asubsequent exchange, for instance lib:AuthnContextClassRef. If this URI were to specify a less or insecure transport,then the exchange may be vulnerable to the types of attacks described above.Countermeasure: Ensure that points of entry to Liberty protocol exchanges utilize the https URL and thatall interactions for that profile consistently exchange messages over https.Threat: Malicious redirects into identity or service provider targetsDescription: A spurious entity could issue a redirect to a user agent so that the user agent would access a resourcethat disrupts single sign-on. For example, an attacker could redirect the user agent to a logout resource of a serviceprovider causing the Principal to be logged out of all existing authentication sessions.Countermeasure: Access to resources that produce side effects could be specified with a transient qualifier that mustcorrespond to the current authentication session. Alternatively, a confirmation dialog could be interposed that relieson a transient qualifier with similar semantics.Threat: Relay state tampering or fabricationLiberty Alliance Project64
Liberty Alliance Project:Liberty ID-FF Bindings and Profiles SpecificationVersion: 1.2-errata-v2.022042205220622072208220922102211Description: Some of the messages may carry a element, which is recommended to be integrityprotectedby the producer and optionally confidentiality-protected. If these practices are not followed, an adversarycould trigger unwanted side effects. In addition, by not confidentiality-protecting the value of this element, a legitimatesystem entity could inadvertently expose information to the identity provider or a passive attacker.Countermeasure: Follow the recommended practice of confidentiality- and integrity-protecting the data. Note: Because the value of this element is both produced and consumed by thesame system entity, symmetric cryptographic primitives could be utilized.4.4.2. Single Sign-On and Federation221222132214221522162217221822192220222122222223222422252226222722282229223022312232223322342235223622372238223922402241224222434.4.2.1. Common Interactions for All Single Sign-On and Federation ProfilesThreat: sent over insecure channelDescription: It is recommended that the initial exchange to access the intersite transfer service be conducted overa TLS-secured transport. Not following this recommendation can expose the exchange to both passive and activeattacks.Countermeasure: Deploy the intersite transfer service under an https scheme.Threat: Unsigned messageDescription: The signature element of an is optional and thus the absence of the signaturecould pose a threat to the identity provider or even the targeted service provider. For example, a spurious system entitycould generate an unsigned and redirect the user agent to the identity provider. The identityprovider must then consume resources.Countermeasure: Sign the . The IDP can also verify the identity of the Principal in theabsence of a signed request.Threat: Replay of an authentication assertionDescription: After obtaining a valid assertion from an identity provider, either legitimately or surreptitiously, theentity replays the assertion to the Service at a later time. A digital signature must cover the entire assertion, thuselements within the assertion cannot be corrupted without detection during the mandatory verification step. However,it is possible to fabricate an with the valid assertion.Countermeasure: The issuer should sign messages. Signing binds the of the response message to the assertion it contains. This binding accords the relyingparty the opportunity to temporally judge the response. Additionally, a valid signature over the responsebinds the element to the corresponding . (Specifying a shortperiod that the authentication assertion can be relied upon will minimize, but not mitigate this threat. Binding the to the request element may also be handy.)Threat: Fabricated denial of serviceDescription: An attacker captures the sent in an message by a serviceprovider to an identity provider, and sends several spurious messages to the service providerwith the same . Because the matches a that the service provider had used, the service provider goes through the process of validating the signature in themessage. Thus, it is subject to a denial of service attack.Countermeasure: A secure communication channel should be established before transferring requests and responses.Threat: Collusion between two PrincipalsLiberty Alliance Project65
Page 1 and 2:
Liberty Alliance Project:Version: 1
Page 3 and 4:
Liberty Alliance Project:Liberty ID
Page 5 and 6:
Page 7 and 8:
Page 9 and 10:
Page 11 and 12:
Page 13 and 14: Liberty Alliance Project:Liberty ID
Page 33: Liberty Alliance Project:Liberty ID
Page 70: Liberty Alliance Project:Liberty ID
show all

Liberty ID-FF Bindings and Profiles Specification - Liberty Alliance

Create successful ePaper yourself

Delete template?

Save as template?