Two Identifiers - no caching advantage
Dick Hardt
dick at sxip.com
Sun Oct 22 01:10:56 UTC 2006
On 19-Oct-06, at 11:12 AM, Josh Hoyt wrote:
> On 10/19/06, Dick Hardt <dick at sxip.com> wrote:
>> > Your attack fails.
>>
>> <sigh> reread the attack. The portable identifier and the IdP do
>> match.
>
> No, the identifiers do not.
They do. The attacker goes to the RP and enters my blog URL. The
attacker changes the request from the RP so that the IdP-specific
identifier is what the attacker used in the past. The IdP has an
incorrect mapping between the attacker's IdP-specific identifier and
the public identifier. The response then has the portable identifier
(my blog URL) and the attacker's IdP-specific identifier. The RP
verifies (per the spec) that the portable identifier is bound to the
IdP, and the attacker has successfully logged in as me.
There are two issues here:
1) the IdP did not verify the binding between the portable
identifier and the IdP-specific identifier
2) the RP does not verify the binding between the portable
identifier and the IdP-specific identifier in the response.
to the one the attacker controls and the IdP has mapped
The logic presented previously was that the RP is doing discovery and
that it can save the IdP work. Unfortunately, the discovery the RP
does of the binding between the portable identifier and the IdP
specific identifier is useless to the IdP since the message can be
modified.
-- Dick
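The exchange described in the message above, as an added simulation that is not part of the original post or of any OpenID implementation. It models the RP's discovery, the request that passes through the user's browser, the IdP's signed response and the RP's check, then runs the attack with no binding check, with the IdP checking the binding (issue 1), and with the RP checking it (issue 2). All endpoints, identifiers and the association secret are constructed values, and the HMAC stands in for the IdP's signature.

```python
import hashlib
import hmac

# Constructed data for the simulation (not real endpoints).
IDP_ENDPOINT = "https://idp.example/"
VICTIM_PORTABLE = "https://blog.example/"          # "my blog URL"
VICTIM_LOCAL = "https://idp.example/u/victim"       # victim's IdP-specific identifier
ATTACKER_LOCAL = "https://idp.example/u/attacker"   # attacker's IdP-specific identifier
ATTACKER_PORTABLE = "https://attacker.example/"

# What discovery on a portable identifier yields: (IdP endpoint, IdP-specific identifier).
DISCOVERY = {
    VICTIM_PORTABLE: (IDP_ENDPOINT, VICTIM_LOCAL),
    ATTACKER_PORTABLE: (IDP_ENDPOINT, ATTACKER_LOCAL),
}

# Association secret shared by RP and IdP; a fixed constructed value here.
ASSOC_SECRET = b"constructed-association-secret"


def discover(portable_id):
    """Return (idp_endpoint, idp_specific_id) for a portable identifier."""
    return DISCOVERY[portable_id]


def sign(fields):
    """HMAC over the response fields, standing in for the IdP's signature."""
    msg = "&".join(f"{k}={v}" for k, v in sorted(fields.items())).encode()
    return hmac.new(ASSOC_SECRET, msg, hashlib.sha256).hexdigest()


def rp_build_request(portable_id):
    """RP does discovery and sends both identifiers to the IdP via the user's browser."""
    idp, local_id = discover(portable_id)
    return {"idp": idp, "claimed_id": portable_id, "identity": local_id}


def idp_handle(request, logged_in_local_id, idp_verifies_binding):
    """IdP signs a response for the logged-in user.

    With idp_verifies_binding=False it trusts the (claimed_id, identity) pair
    in the request, which the browser could have altered.
    """
    if request["identity"] != logged_in_local_id:
        return None  # the IdP only asserts the local identity it authenticated
    if idp_verifies_binding:
        _, expected_local = discover(request["claimed_id"])
        if expected_local != request["identity"]:
            return None  # portable identifier is not bound to this local identifier
    fields = {"claimed_id": request["claimed_id"], "identity": request["identity"]}
    fields["sig"] = sign(fields)
    return fields


def rp_verify(response, rp_verifies_binding):
    """RP checks the signature and that the portable identifier is bound to the IdP.

    rp_verifies_binding adds the check that the IdP-specific identifier in the
    response is the one discovery returned for the portable identifier.
    """
    unsigned = {k: v for k, v in response.items() if k != "sig"}
    if not hmac.compare_digest(sign(unsigned), response["sig"]):
        return False
    idp, expected_local = discover(response["claimed_id"])
    if idp != IDP_ENDPOINT:
        return False  # the check the spec requires: portable identifier is bound to this IdP
    if rp_verifies_binding and expected_local != response["identity"]:
        return False
    return True


def attacker_logs_in_as_victim(idp_verifies_binding, rp_verifies_binding):
    """Replay the attack: True when the RP accepts the attacker as the victim."""
    request = rp_build_request(VICTIM_PORTABLE)
    # The request passes through the attacker's browser, who swaps in their own local id.
    request["identity"] = ATTACKER_LOCAL
    response = idp_handle(request, ATTACKER_LOCAL, idp_verifies_binding)
    if response is None:
        return False
    return rp_verify(response, rp_verifies_binding)


def victim_logs_in(idp_verifies_binding, rp_verifies_binding):
    """Control: the legitimate user must still succeed with both checks enabled."""
    request = rp_build_request(VICTIM_PORTABLE)
    response = idp_handle(request, VICTIM_LOCAL, idp_verifies_binding)
    return response is not None and rp_verify(response, rp_verifies_binding)


if __name__ == "__main__":
    print("attack, no binding checks:", attacker_logs_in_as_victim(False, False))
    print("attack, IdP checks binding:", attacker_logs_in_as_victim(True, False))
    print("attack, RP checks binding:", attacker_logs_in_as_victim(False, True))
    print("victim, both check:", victim_logs_in(True, True))
```

With neither check the attacker is accepted as the victim; either check alone stops it, and the legitimate login still succeeds. The simulation also shows why the RP's discovery cannot save the IdP work: the IdP only ever sees the request after the browser has had a chance to alter it, so the IdP must resolve the binding itself.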
More information about the specs mailing list