Replay attacks vs man in the middle
rubys at intertwingly.net
Fri May 20 10:39:36 PDT 2005
Brad Fitzpatrick wrote:
> Regarding nonce vs. timestamp and why it doesn't matter:
> The man-in-the-middle this is preventing is an identity server in the
> middle, posing as a browser to the real identity server. When I first got
> into this and went through several schemes, it quickly became apparent
> that almost anything a browser could do, an identity-server-in-the-middle
> could appear to do too. The only differences were that:
> -- a real browser knew the identity server's cookies
> -- a real browser would follow redirects faithfully
> Hence the TypeKey-like redirect. If somebody can sniff your traffic and
> get the DSA signature in the redirect from identity site to consumer, wow!
> They know you're you! They already knew that from sniffing the rest of
> your cookies and LJ traffic.
> If a pair of sites cares about that, they both use SSL.
> The DSA signature with timestamp is there so consumers who DO care about
> freshness can use the timestamp to make sure a signature was issued only
> in the past $n minutes. And because the signature as a whole was signed
> using a random number, the entire signature itself is a nonce, so the
> consumer site can prevent replay attacks by just not accepting that digest
> ever again.
> That said, am I still missing something?
This conversation would go faster if there was a prototype server I
could review. But just looking at the traffic flows from the
perspective of your server, it looks to me that there is a problem.
Here's how I see it. You send down an initial form. That form contains
information that indicates that you would *like* it to actually respond
to a request to go to the ID server. If such a request is received, you
will serve up a page which indicates that you would *like* this to
redirect to the return_to_URL. At which point, you *hope* that the
server at the return_to_URL has some say, and ultimately produces a
signature that is sent back to you.
Now, realize that I have GreaseMonkey, and all those likes and hopes I
am free to treat as mere hints.
In fact, the easiest thing I could do is to let the system go through
the motions. I initiate a post to your website saying that I am Fred.
Fred's server serves up a page which asks me to authenticate. I, of
course, fail, but instead of the IFrame passing back up this little bit
of information, I pass up a different response instead. Remember, I
have Greasemonkey. This browser does what *I* want it to do.
From your perspective, you served up a comment form. You initiated a
redirect to Fred's machine. You get back a response that says "Fred
says it was OK". What's not to like?
At this point, let me stop here. If I am wrong, I don't need to go any
further. But if I am right, I can sketch out a simple solution that
solves this problem.
- Sam Ruby
More information about the yadis