review of draft-wierenga-ietf-sasl-saml-00
Sam Hartman <hartmans-ietf@mit.edu> Tue, 25 May 2010 20:37 UTC
Return-Path: <hartmans@mit.edu>
X-Original-To: kitten@core3.amsl.com
Delivered-To: kitten@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id E69353A6819 for <kitten@core3.amsl.com>; Tue, 25 May 2010 13:37:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.335
X-Spam-Level:
X-Spam-Status: No, score=0.335 tagged_above=-999 required=5 tests=[BAYES_50=0.001, IP_NOT_FRIENDLY=0.334]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Qgt4o1o8G32r for <kitten@core3.amsl.com>; Tue, 25 May 2010 13:37:12 -0700 (PDT)
Received: from mail.suchdamage.org (permutation-city.suchdamage.org [69.25.196.28]) by core3.amsl.com (Postfix) with ESMTP id CBC433A680A for <kitten@ietf.org>; Tue, 25 May 2010 13:37:08 -0700 (PDT)
Received: from carter-zimmerman.suchdamage.org (carter-zimmerman.suchdamage.org [69.25.196.178]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "laptop", Issuer "laptop" (not verified)) by mail.suchdamage.org (Postfix) with ESMTPS id F059C20239; Tue, 25 May 2010 16:36:55 -0400 (EDT)
Received: by carter-zimmerman.suchdamage.org (Postfix, from userid 8042) id 4B31243EF; Tue, 25 May 2010 16:36:30 -0400 (EDT)
From: Sam Hartman <hartmans-ietf@mit.edu>
To: kitten@ietf.org, tim.polk@nist.gov
Subject: review of draft-wierenga-ietf-sasl-saml-00
Date: Tue, 25 May 2010 16:36:30 -0400
Message-ID: <tslzkzn67n5.fsf@mit.edu>
User-Agent: Gnus/5.110009 (No Gnus v0.9) Emacs/22.3 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Cc: moonshot-community@jiscmail.ac.uk, draft-wierenga-ietf-sasl-saml@tools.ietf.org
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/kitten>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 25 May 2010 20:37:13 -0000
[Tim copied because this document came up on a recent call] Hi. I've been promising the authors of the SASL SAML mechanism a review for a while and I realized that the only way it would happen is if I sit down and write it up. For those who haven't read the document, the idea is to permit the use of an existing SAML IDP for SASL authentication. The flow is as follows: 1) The server sends a URI to redirect to to the client. 2) The client pops up a browser and sends it to that URI 3) The client sends an empty response to the server 4) At some later point the server says authentication succeeded or failed. What's presumably happening behind the covers is that the client is interacting with a browser and an identity provider. Eventually if authentication is successful the client will be directed back to a URI on the server. Once the authentication is received over this URI then the server will respond that SASL has succeeded. I think this mechanism may be the best approach possible given the technical constraints, especially in the case where the IDP URI is provided by the server or where an IDP discovery mechanism is used. However the security properties of this mechanism are a lot closer to SASL plain or anonymous than more modern SASL mechanisms such as SCRAM. It's not as bad as plain: long-term secrets are not sent over the wire in the clear. However it seems vulnerable to the following attacks: 1) The client has no assurance provided by this mechanism that it is talking to the intended server. So, this mechanism provides no protection against man-in-the-middle attacks. 2) There is no channel binding or security layer provided. If this mechanism is used with TLS, there is no assurance that the endpoints of TLS are related to the endpoints of SASL. 3) The client has no to weak assurance that authentication actually happened. The server could return successful authentication at any point after the client sends the empty response. We've learned from discussion of phishing attacks that often it's valuable to force someone to believe they have authenticated to a site when they have not done so. They will be willing to enter confidential information--after all, they did manage to log in. 4) The fact that the server provides the IDP or IDP discovery URI opens the system to fairly classic phishing attacks. Some of these attacks are addressed by using TLS between the client and server. That's only true if certificates are validated and if the user does not accept invalid certificates. It's also important that the name in the certificate be properly checked. A mechanism similar to this could provide significantly better security guarantees if the client knew its own IDP URI. 1) Channel binding could be provided. In some portion of the authentication request covered by the signature, the SASL server includes the channel binding data for the channel. The client can verify that the correct channel binding data is included. The client cannot yet tell that there is no man in the middle. 2) The return URI should provide some space for the client to include some token. The client includes this token in the return URI as it passes the authentication request to the browser. The server echoes this returned token back to the client in the success message. Because the server has never seen this token before it provides some assurance that the server interacted with the IDP. Naturally this only provides value if the IDP is selected by the client rather than the server. I think that if these two additions can be fleshed out and if there are significant use cases where clients could know their IDP, then the mechanism should be modified to support these use cases. However, as I mentioned, I don't know how to do better than the current mechanism given the common requirement that the server provide an IDP discovery URI. I do understand that requirement is important. Any mechanism we publish in this space should have a clear applicability statement and a good explanation of these attacks in the security considerations section.
- review of draft-wierenga-ietf-sasl-saml-00 Sam Hartman
- RE: review of draft-wierenga-ietf-sasl-saml-00 Scott Cantor
- Re: review of draft-wierenga-ietf-sasl-saml-00 Klaas Wierenga
- Re: review of draft-wierenga-ietf-sasl-saml-00 Klaas Wierenga
- RE: review of draft-wierenga-ietf-sasl-saml-00 Scott Cantor
- Re: review of draft-wierenga-ietf-sasl-saml-00 Klaas Wierenga
- RE: review of draft-wierenga-ietf-sasl-saml-00 Scott Cantor
- Re: review of draft-wierenga-ietf-sasl-saml-00 Sam Hartman
- Re: review of draft-wierenga-ietf-sasl-saml-00 Sam Hartman
- RE: review of draft-wierenga-ietf-sasl-saml-00 Scott Cantor
- RE: review of draft-wierenga-ietf-sasl-saml-00 Scott Cantor
- Re: review of draft-wierenga-ietf-sasl-saml-00 Simon Josefsson
- RE: review of draft-wierenga-ietf-sasl-saml-00 Scott Cantor
- Re: review of draft-wierenga-ietf-sasl-saml-00 Klaas Wierenga
- Re: review of draft-wierenga-ietf-sasl-saml-00 Klaas Wierenga
- Re: review of draft-wierenga-ietf-sasl-saml-00 Klaas Wierenga
- Re: review of draft-wierenga-ietf-sasl-saml-00 Martin Rex
- Re: review of draft-wierenga-ietf-sasl-saml-00 Sam Hartman
- Re: review of draft-wierenga-ietf-sasl-saml-00 Simon Josefsson
- Re: review of draft-wierenga-ietf-sasl-saml-00 Sam Hartman
- Re: review of draft-wierenga-ietf-sasl-saml-00 Simon Josefsson