a potential security problem for metadata


a potential security problem for metadata

reason-4
Hi all,
I have a question about metadata.
Metadata provides the basis for all trust between providers in Shibboleth, and Shibboleth provides two kinds of ways for loading the metadata file: local and remote.
Whichever way of loading metadata is adopted, the metadata file is finally stored locally.
Such an important file is stored locally; is there any potential problem? If it is modified hostilely, the trust will be damaged.
Does Shibboleth provide some strategies for protecting the metadata file?

Thanks

Re: a potential security problem for metadata

Chad La Joie
When fetching metadata remotely the metadata should be signed and the
signature validated.  When reading metadata locally this is not
necessary.  If someone compromises your server then all trust, in all
applications, on that server is lost.

Reason wrote:

> Hi all,
> I have a question about metadata.
> Metadata provides the basis for all trust between providers in Shibboleth,
> and Shibboleth provides two kinds of ways for loading the metadata file: local
> and remote.
> Whichever way of loading metadata is adopted, the metadata file is
> finally stored locally.
> Such an important file is stored locally; is there any potential problem?
> If it is modified hostilely, the trust will be damaged.
> Does Shibboleth provide some strategies for protecting the metadata file?
>
> Thanks
>

--
SWITCH
Serving Swiss Universities
--------------------------
Chad La Joie, Software Engineer, Net Services
Werdstrasse 2, P.O. Box, 8021 Zürich, Switzerland
phone +41 44 268 15 75, fax +41 44 268 15 68
[hidden email], http://www.switch.ch


Re: a potential security problem for metadata

reason-4
Thanks Chad,
But according to the Shibboleth configuration, when fetching metadata remotely, there will be a temporary file of the metadata stored locally.
If someone adds some additional info (including entityid and credentials) into this temp file, such as an untrusted IdP being added,
is it possible for this IdP to become trusted?


Re: a potential security problem for metadata

Rod Widdowson
> If someone add some additional info (including EntityID and credentials) into this temp file, such as an untrusted IdP was added

Indeed, but at that point your server is compromised and as Chad says that's game over.

In other words it is up to you to make sure that the file or location or whatever cannot be written to by untrusted applications, just as you ensure that your key information cannot be read by untrusted applications.  This is no different from ensuring that the critical parts of your registry are protected or that your init scripts are tamper proof.

Re: a potential security problem for metadata

reason-4
Thanks Rod,
I got it.
I think the metadata file is very important for Shibboleth.
Now it is stored locally, which may lead to some potential security problems.
Like in other systems, some important things will not be stored locally:
such as a bank, which will store a guest's private key in hardware (USB-KEY);
such as PKI, where the private key can be stored locally, but a more secure way is to put it in the CA.


RE: a potential security problem for metadata

Cantor, Scott E.
In reply to this post by Rod Widdowson
Rod Widdowson wrote on 2009-06-14:
>> If someone add some additional info (including EntityID and credentials)
>> into this temp file, such as an untrusted IdP was added
>
> Indeed, but at that point your server is compromised and as Chad says that's
> game over.

I don't know what the IdP does, but the SP doesn't allow that to happen
anyway. The filtering based on signature is run every time the metadata is
loaded, remotely or locally, so unless you compromise the address space of
shibd, you can't attack it only through metadata file changes.

Of course, if you can modify metadata, chances are you can modify
shibboleth2.xml, and then it's indeed game over.
 
-- Scott



Re: a potential security problem for metadata

Jim Fox

> I don't know what the IdP does, but the SP doesn't allow that to happen
> anyway. The filtering based on signature is run every time the metadata is
> loaded, remotely or locally, so unless you compromise the address space of
> shibd, you can't attack it only through metadata file changes.


The SP allows metadata without signatures.  All you need to do is take the signature out of the InCommon metadata.  But this is all academic.  As many have pointed out, if your system is compromised -- then you're toast.

Jim


RE: a potential security problem for metadata

Cantor, Scott E.
Jim Fox wrote on 2009-06-14:
> The SP allows metadata without signatures.  All you need to do is take the
> signature out of the InCommon metadata.  But this is all academic.  As many
> have pointed out, if your system is compromised -- then you're toast.

If you have the signature filter configured, you can't give it unsigned
metadata from that source, unless there's a bug anyway.

-- Scott
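
The two conditions this thread turns on, written as an added example (not code from any poster or from the Shibboleth project): whether every metadata source in the SP configuration carries a signature filter, and whether the metadata file or its directories can be written by anyone other than the owner. The sample configuration is constructed, and the element and attribute names (`MetadataProvider`, `MetadataFilter`, `uri`, `file`, `backingFilePath`, `certificate`) are assumed from SP 2.x-style configuration.

```python
import os
import stat
import xml.etree.ElementTree as ET

# Constructed sample in the style of an SP 2.x shibboleth2.xml (not a real deployment).
SAMPLE_CONFIG = """
<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config">
 <ApplicationDefaults>
  <MetadataProvider type="Chaining">
    <MetadataProvider type="XML" uri="https://federation.example.org/metadata.xml"
                      backingFilePath="federation-metadata.xml">
      <MetadataFilter type="Signature" certificate="fedsigner.pem"/>
    </MetadataProvider>
    <MetadataProvider type="XML" file="partner-metadata.xml"/>
  </MetadataProvider>
 </ApplicationDefaults>
</SPConfig>
"""

def local(tag):
    """Drop the XML namespace so the check does not depend on the config version."""
    return tag.rsplit("}", 1)[-1]

def providers_without_signature_filter(config_xml):
    """List the source of every non-chaining MetadataProvider with no Signature filter."""
    missing = []
    for el in ET.fromstring(config_xml).iter():
        if local(el.tag) != "MetadataProvider" or el.get("type") == "Chaining":
            continue
        filters = {c.get("type") for c in el if local(c.tag) == "MetadataFilter"}
        if "Signature" not in filters:
            missing.append(el.get("uri") or el.get("file") or "(unnamed source)")
    return missing

def writable_by_others(path, stop_at):
    """Return path and each ancestor up to stop_at that group or world may write to."""
    findings = []
    current, stop_at = os.path.abspath(path), os.path.abspath(stop_at)
    while True:
        if os.stat(current).st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append(current)
        parent = os.path.dirname(current)
        if current == stop_at or parent == current:
            return findings
        current = parent

if __name__ == "__main__":
    print("no signature filter:", providers_without_signature_filter(SAMPLE_CONFIG))
```

Run `writable_by_others` against both the metadata backing file and `shibboleth2.xml`, since the thread notes that write access to the configuration removes the filter's protection.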