No subject
Mon Feb 1 04:45:21 CET 2010
I may need to retake crypto 101, as I cannot verify the signature.
Any chance of producing some test cases?
Just make 10 runs, and publish the event logs…
Need: the bytes to be signed by RSA, the digest value in bytes, and the
signature.
From those, I can figure out what UTF is being assumed (with or without
header), whether one is digesting the concrete or transfer syntax of
querystring values, etc etc.
From: foaf-protocols-bounces at lists.foaf-project.org
[mailto:foaf-protocols-bounces at lists.foaf-project.org] On Behalf Of Akbar
Hossain
Sent: Thursday, February 04, 2010 1:48 PM
To: Story Henry
Cc: foaf-protocols at lists.foaf-project.org
Subject: Re: [foaf-protocols] security problem with libAuthenticate
Hi,
Correct, libAuthentication.php doesn't verify the ts (date) in the redirect
from testssl.org.
I will add some code to narrow the replay time window (but there will still
be a window).
I think some people are paranoid about logging/usage of IP addresses so
maybe not a good thing to add - not sure.
I guess most people are behind a NAT so maybe we are just narrowing.
Hardening the calls and responses is probably a good idea by trying to
introduce some one time usage ideas.
Perhaps via a nonce of some description. I guess if we optionally allowed
the client to send a nonce.
I don't think we need to over specify it. The delegated authentication server
(foafssl.org) could return and sign it.
The client can then come up with its own scheme if it wants to prevent
multiple use.
(It might be interesting if foafssl.org signs anything it is sent ...)
We might want to have a think about some cross site redirection too.
(phishing).
Thanks
On Thu, Feb 4, 2010 at 5:51 PM, Story Henry <henry.story at bblfish.net> wrote:
On 4 Feb 2010, at 18:28, Pierre-Antoine Champin wrote:
> On 04/02/2010 18:13, Story Henry wrote:
>>
>> On 4 Feb 2010, at 17:59, Pierre-Antoine Champin wrote:
>>
>>> Hi,
>>>
>>> I supervise some students working on a FOAF+SSL project.
>>>
>>> They played a little with foaf.me, and discovered what seems like a
>>> bug in foaf.me, probably in libAuthenticate:
>>>
>>> the URI produced by foafssl.org (with the webid, the date and the
>>> signature), seems to be accepted forever, as if foaf.me didn't take
>>> the date into account.
>>
>> Do you mean that it does not take the time limit of the certificate
>> into account? (That's quite possible, and we have recently argued
>> that we should take those into account, so that one can produce
>> certificate that are only valid for an hour or less even)
>
> No, that is not what I meant.
>
> When you log in with foafssl.org, it redirects you to a URI of the type
> (I add spaces for readability)
>
> http://original.site/? webid=xxxx & date=yyyy & signature=zzzz
>
> Now, if yyyy is actually 2010-02-04T18:21:43, then on the next day (or
> even the next hour), this URI should not be working anymore. Or else,
> anybody intercepting the URI would be able to log in as xxxx at any
> time, without even connecting to foafssl.org, just pretending to have
> done so, since the signature zzzz would still be valid.
>
> And that is actually what my students did. One of them put the URI in a
> PDF document, as an example. Then, the week after, when reading the PDF,
> I clicked on the URI, and was logged in to foaf.me as my student!
Ah yes :-)
That is what we put the time stamp in there for. And also the signature=""
signs the redirected-to URL (i.e. all minus the signature) with the private
key of foafssl.org, so that one cannot fake that.
So yes, foaf.me should not allow that URL to be used for more than a certain
amount of time (5 minutes?). I think because foaf.me currently does not have
much in the way of security, that this functionality may not have been
implemented. (Meaning that I don't know if the code on foafssl.org is really
correct).
> So I think limiting the validity of those URIs is a must. And in
> addition, putting the IP address of the client in the URI would make it
> even less "reusable" -- though I know that IP spoofing is possible, of
> course...
I understand you now. Yes, that could be added.... (I wonder if it could
also lead to some weird behaviours too)
In the end of course it is better for foaf.me and similar sites to implement
all in https. (Foaf.me can do that, they were just helping us test the
concept of an IdP)
Thanks for the feedback! Well spotted by your student. He deserves extra
points for that. :-)
Henry
> pa
_______________________________________________
foaf-protocols mailing list
foaf-protocols at lists.foaf-project.org
http://lists.foaf-project.org/mailman/listinfo/foaf-protocols
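As an added example, not code from libAuthentication.php, foaf.me or foafssl.org, here is a relying-party check for a login redirect of the form discussed in the thread (webid, timestamp, nonce, signature), with a hypothetical IdP side that produces such URLs so the replay reported above and the time-window and one-time-nonce fixes proposed in reply can be exercised offline. Everything the page leaves unspecified is an assumption here: the signed bytes are the UTF-8 transfer syntax of the redirect URL with the signature parameter cut out (one answer to the "concrete or transfer syntax" question at the top of the message); ts is ISO 8601 UTC with no zone suffix, as in the 2010-02-04T18:21:43 example; the signature is the hex of textbook RSA (no padding) over a SHA-256 digest; the nonce is issued by the relying party and signed back by the IdP, as suggested in the thread; the RSA key pair is a toy generated in-code; and the function names, the site URL and the WebID are hypothetical.

```python
# Added example, not code from libAuthentication.php, foaf.me or foafssl.org.
# Relying-party check for http://original.site/?webid=..&ts=..&nonce=..&signature=..
# Assumed (not specified on the page): signed bytes = UTF-8 transfer syntax of the
# URL minus the signature parameter; ts = ISO 8601 UTC without zone suffix;
# signature = hex of textbook RSA over SHA-256; toy in-code key; hypothetical names.
import calendar, hashlib, math, random, time
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

TS_FORMAT = "%Y-%m-%dT%H:%M:%S"  # matches 2010-02-04T18:21:43 from the thread

def _is_probable_prime(n, rng, rounds=16):
    """Miller-Rabin; adequate for a toy key, not for real key generation."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(rng, bits):
    while True:
        c = rng.getrandbits(bits) | (1 << (bits - 1)) | 1  # full length, odd
        if _is_probable_prime(c, rng):
            return c

def toy_rsa_keypair(bits=512, seed=2010):
    """Deterministic toy RSA key pair standing in for the IdP's real key."""
    rng, e = random.Random(seed), 65537
    while True:
        p, q = _random_prime(rng, bits // 2), _random_prime(rng, bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return (p * q, e), (p * q, pow(e, -1, phi))  # (public, private)

def _digest_int(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def rsa_sign(data, priv):
    n, d = priv
    return format(pow(_digest_int(data), d, n), "x")  # textbook RSA, toy only

def rsa_verify(data, sig_hex, pub):
    n, e = pub
    try:
        s = int(sig_hex, 16)
    except ValueError:
        return False
    return 0 < s < n and pow(s, e, n) == _digest_int(data)

def split_redirect(url):
    """(bytes the IdP signed, params): the URL as received minus the signature parameter."""
    parts = urlsplit(url)
    kept = [p for p in parts.query.split("&") if p and not p.startswith("signature=")]
    to_be_signed = urlunsplit(parts._replace(query="&".join(kept))).encode("utf-8")
    return to_be_signed, dict(parse_qsl(parts.query, keep_blank_values=True))

def idp_login_redirect(site, webid, ts, nonce, priv):
    """IdP side: after the client-cert login, send the browser back with the site's nonce signed in."""
    unsigned = site + "?" + urlencode([("webid", webid), ("ts", ts), ("nonce", nonce)])
    return unsigned + "&signature=" + rsa_sign(unsigned.encode("utf-8"), priv)

def verify_login_redirect(url, idp_pub, pending_nonces, now, max_age=300, max_skew=60):
    """RP side. Returns (accepted, reason, webid); pending_nonces = issued, unconsumed nonces."""
    to_be_signed, params = split_redirect(url)
    if any(k not in params for k in ("webid", "ts", "nonce", "signature")):
        return False, "missing parameter", None
    if not rsa_verify(to_be_signed, params["signature"], idp_pub):
        return False, "bad signature", None  # forged or edited URL; checked before any state change
    try:
        issued = calendar.timegm(time.strptime(params["ts"], TS_FORMAT))
    except ValueError:
        return False, "bad ts", None
    if not -max_skew <= now - issued <= max_age:
        return False, "outside time window", None  # the week-old link in the PDF
    if params["nonce"] not in pending_nonces:
        return False, "unknown or consumed nonce", None
    pending_nonces.discard(params["nonce"])  # single use: the same URL never logs in twice
    return True, "ok", params["webid"]

def demo():
    """Constructed scenario: fresh login, immediate replay, same URL a week later, edited webid."""
    pub, priv = toy_rsa_keypair()
    ts = "2010-02-04T18:21:43"  # the thread's example value
    t0 = calendar.timegm(time.strptime(ts, TS_FORMAT))
    nonce, webid = "n-7f3a", "http://example.org/me#me"  # constructed; draw nonces from os.urandom
    url = idp_login_redirect("http://original.site/", webid, ts, nonce, priv)
    pending = {nonce}
    first = verify_login_redirect(url, pub, pending, now=t0 + 5)
    replay = verify_login_redirect(url, pub, pending, now=t0 + 10)
    week_later = verify_login_redirect(url, pub, {nonce}, now=t0 + 7 * 86400)
    forged = verify_login_redirect(url.replace("me%23me", "victim%23me"), pub, {nonce}, now=t0 + 5)
    return first, replay, week_later, forged
```

split_redirect returns exactly the to-be-signed bytes that the request for test cases above asks for; printing them next to the digest and the signature gives another implementation a vector to check its canonicalisation against. Because the time window is checked before the nonce, the relying party only needs to remember pending nonces for max_age seconds. Textbook RSA without padding is used here only to keep the example dependency-free; a real verifier must use PKCS#1 v1.5 or PSS padding.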