Embed Size (px)
DESCRIPTION
Juraj Somorovsky 1 , Andreas Mayer 2 , Jörg Schwenk 1 , Marco Kampmann 1 , and Meiko Jensen 1 1 Horst-Görtz Institute for IT-Security, Ruhr-University Bochum 2 Adolf Würth GmbH & Co. KG. On Breaking SAML: Be Whoever You Want to Be. Motivation – Single Sign -On. - PowerPoint PPT Presentation
Citation preview
1On Breaking SAML: Be Whoever You Want to Be Juraj Somorovsky, 21st USENIX Security Symposium
On Breaking SAML: Be Whoever You Want to Be
Juraj Somorovsky1, Andreas Mayer2, Jörg Schwenk1, Marco Kampmann1, and Meiko Jensen1
1Horst-Görtz Institute for IT-Security, Ruhr-University Bochum2Adolf Würth GmbH & Co. KG
2On Breaking SAML: Be Whoever You Want to Be Juraj Somorovsky, 21st USENIX Security Symposium
Service Provider
Motivation – Single Sign-On
2
Identity Provider
Website Visit and redirect
User: BobRole: guest
User: BobRole: guest
User: BobRole: guest
• Too many identities / passwords• Solution: Single Sign-On
• Advantages: one password for users, no password management for Service Providers
3On Breaking SAML: Be Whoever You Want to Be Juraj Somorovsky, 21st USENIX Security Symposium
• OpenID• OAuth• Security Assertion Markup Language (SAML)
• OASIS• Web Services or browser-based Single Sign-On• Authentication Statements stored in Assertions
3
Motivation – Single Sign-On
4On Breaking SAML: Be Whoever You Want to Be Juraj Somorovsky, 21st USENIX Security Symposium
Service Provider
Motivation – Single Sign-On
• How do we secure the messages? • Does SSL / TLS help?
• Messages secured only during transport!
4
Identity Provider
Website Visit and redirect
User: BobRole: guest
User: BobRole: guest
User: BobRole: guest
5On Breaking SAML: Be Whoever You Want to Be Juraj Somorovsky, 21st USENIX Security Symposium
User: BobRole: guest
Service Provider
Motivation – Single Sign-On
• Does SSL / TLS help?
• Need for message level security!
5
Identity Provider
Website Visit and redirect
User: BobRole: guest
User: BobRole: guest
User: AdminRole: Admin
User: AdminRole: Admin
6On Breaking SAML: Be Whoever You Want to Be Juraj Somorovsky, 21st USENIX Security Symposium
• Message level security?
• Realized using XML Signatures• Are we secure?
Service Provider
Motivation – Single Sign-On
6
Identity Provider
Website Visit and redirect
User: BobRole: guest
User: BobRole: guest
User: BobRole: guestUser: Admin
Role: Admin
7On Breaking SAML: Be Whoever You Want to Be Juraj Somorovsky, 21st USENIX Security Symposium 7
Overview
1. Securing SAML with XML Signature2. XML Signature Wrapping Attacks3. Practical Evaluation4. Penetration Test Library5. Countermeasures6. Conclusion
8On Breaking SAML: Be Whoever You Want to Be Juraj Somorovsky, 21st USENIX Security Symposium 8
<saml:Assertion ID="123"> <saml:Issuer>www.SecureIdP.com</saml:Issuer> <saml:Subject> <saml:NameID>[email protected]</saml:NameID> </saml:Subject> <saml:Conditions NotBefore="2011-08-08T14:42:00Z" NotOnOrAfter="2011-08-08T14:47:00Z"> <saml:AudienceRestriction> <saml:Audience> www.SecureSP.com</saml:Audience> </saml:AudienceRestriction> </saml:Conditions></saml:Assertion>
SAML Assertion
Assertion
Subject
Issuer
NameID
Conditions
Audience
SecureIdP
Bob
SecureSP
9On Breaking SAML: Be Whoever You Want to Be Juraj Somorovsky, 21st USENIX Security Symposium 9
Securing SAML with XML Signature
Assertion
Subject
Binding
SignatureValue
SignatureSignedInfo
Reference URI=”#123”DigestValue
Id=”123”
Subject
Assertion
SignatureValue
SignatureSignedInfo
Reference URI=”#123”DigestValue
Id=”123”
Bob Bob
• Two typical usages
Binding
10On Breaking SAML: Be Whoever You Want to Be Juraj Somorovsky, 21st USENIX Security Symposium 10
Securing SAML with XML Signature
Assertion
Subject
Binding
SignatureValue
Signature
SignedInfo
Reference URI=”#123”
DigestValue
Id=”123”
Bob
• Naive (typical) processing:1. Signature validation: Id-based2. Assertion evaluation: /Binding/Assertion/Subject
Signature Verification
Assertion EvaluationAssertion
Subject
Binding
SignatureValue
Signature
SignedInfo
Reference URI=”#123”DigestVal
ue
Id=”123”
Bob
Bobvalid
11On Breaking SAML: Be Whoever You Want to Be Juraj Somorovsky, 21st USENIX Security Symposium 11
Overview
1. Securing SAML with XML Signature2. XML Signature Wrapping Attacks3. Practical Evaluation4. Penetration Test Library5. Countermeasures6. Conclusion
12On Breaking SAML: Be Whoever You Want to Be Juraj Somorovsky, 21st USENIX Security Symposium 12
XML Signature Wrapping Attack on SAML
1. Place the original Assertion including its Binding element into another element
2. Change the Id of the original element
3. The Reference now points to the original element: signature is valid
4. Insert a new AssertionAssertion
Subject
BindingSignature
SignedInfoReference URI=”#123”
Id=”123”
Bob
Assertion
Subject
Binding Id=”123”
Bob
Id=”evil”
Assertion
Subject
Admin
Binding
13On Breaking SAML: Be Whoever You Want to Be Juraj Somorovsky, 21st USENIX Security Symposium 13
XML Signature Wrapping Attack on SAML
Signature Verification
Assertion Evaluation
validAdmin
Assertion
Subject
BindingSignat
ureSignedInfoRefer
ence URI=”#123”
Id=”123”
Bob
Assertion
Subject
Binding Id=”123”
Bob
Id=”evil”
Assertion
Subject
Admin
Binding
Assertion
Subject
BindingSignature
SignedInfoReference URI=”#123”
Id=”123”
Bob
Assertion
Subject
Binding Id=”123”
Bob
Id=”evil”
Assertion
Subject
Admin
Binding
14On Breaking SAML: Be Whoever You Want to Be Juraj Somorovsky, 21st USENIX Security Symposium 14
XML Signature Wrapping Attack on SAML – Threat model• Change arbitrary data in the Assertion: Subject, Timestamp ...• Attacker: everybody who can gain a signed Assertion...
1. Registering by the Identity Provider2. Message eavesdropping3. Google Hacking
• Single Point of Failure!
16On Breaking SAML: Be Whoever You Want to Be Juraj Somorovsky, 21st USENIX Security Symposium
XML Signature Wrapping Attack on SAML
• How about them?Framework / Provider Binding Application
Apache Axis 2 SOAP WSO2 Web Services
Guanxi HTTP Sakai Project (www.sakaiproject.org)
Higgins 1.x HTTP Identity project
IBM Datapower XS40 SOAP Enterprise XML Security Gateway
JOSSO HTTP Motorola, NEC, Redhat
WIF HTTP Microsoft Sharepoint 2010
OIOSAML HTTP Danish eGovernment (e.g. www.virk.dk)
OpenAM HTTP Enterprise-Class Open Source SSO
OneLogin HTTP Joomla, Wordpress, SugarCRM, Drupal
OpenAthens HTTP UK Federation (www.eduserv.org.uk)
OpenSAML HTTP Shibboleth, SuisseID
Salesforce HTTP Cloud Computing and CRM
SimpleSAMLphp HTTP Danish e-ID Federation (www.wayf.dk)
WSO2 HTTP eBay, Deutsche Bank, HP
16
17On Breaking SAML: Be Whoever You Want to Be Juraj Somorovsky, 21st USENIX Security Symposium 17
Overview
1. Securing SAML with XML Signature2. XML Signature Wrapping Attacks3. Practical Evaluation4. Penetration Test Library5. Countermeasures6. Conclusion
18On Breaking SAML: Be Whoever You Want to Be Juraj Somorovsky, 21st USENIX Security Symposium
XML Signature Wrapping Attack on SAML – Results
Assertion
Subject
Binding
SignatureSignedInfo
Reference URI=”#123”
Id=”123”
Bob
Assertion
Subject
Binding Id=”123”
Bob
Id=”evil”
Assertion
Subject
Admin
Binding
Guanxi, JOSSO WSO2
Assertion
Subject
Binding
SignatureSignedInfo
Reference URI=”#123”
Id=”123”
Bob
Assertion
Subject
Binding Id=”123”
Bob
Id=”evil”
Assertion
Subject
Admin
Binding
18
19On Breaking SAML: Be Whoever You Want to Be Juraj Somorovsky, 21st USENIX Security Symposium
XML Signature Wrapping Attack on SAML – Results
Binding
SignatureSignedInfo
Reference URI=”#123”
Assertion
Subject
Id=”123”
Bob
Id=”evil”Assertion
Subject
Admin
Binding
Higgins, Apache Axis2, IBM XS 40 OpenAM, Salesforce
Binding
SignatureSignedInfo
Reference URI=”#123”
Assertion
Subject
Id=”123”
Bob
Id=”evil”Assertion
Subject
Admin
19
20On Breaking SAML: Be Whoever You Want to Be Juraj Somorovsky, 21st USENIX Security Symposium
Attack on OpenSAML
20
• Is Signature Wrapping always that easy?
• OpenSAML implemented a few countermeasures:1. Checked if the signed assertion has the same ID value as
the processed one2. Validated XML Schema
• Not possible to insert two elements with the same ID values
21On Breaking SAML: Be Whoever You Want to Be Juraj Somorovsky, 21st USENIX Security Symposium
Attack on OpenSAML
21
1. ID values checking: Basic idea – using two identical ID values
2. XML Schema validation:1. Put the Assertion into an
extensible element (e.g. <Extensions>)
2. Two identical ID attributes (XML Xerces Parser bug)
• Which element is verified? C++ takes the first found
element
Assertion
Subject
Binding
SignatureSignedInfo
Reference URI=”#123”
Bob
Assertion
Subject
Extensions
Id=”123”
Bob
Assertion
Subject
Admin
Id=”123”
OpenSAML C++
22On Breaking SAML: Be Whoever You Want to Be Juraj Somorovsky, 21st USENIX Security Symposium
Attack on OpenSAML
22
Assertion
Subject
Binding
SignatureSignedInfo
Reference URI=”#123”
Bob
Assertion
Subject
Extensions
Id=”123”
Bob
Assertion
Subject
Admin
Id=”123”
OpenSAML C++ referencesthe first found element
OpenSAML Java referencesthe last found element
Assertion
Subject
Binding
SignatureSignedInfo
Reference URI=”#123”
Bob
Assertion
Subject
Object
Id=”123”
Bob
Assertion
Subject
Admin
Id=”123”
23On Breaking SAML: Be Whoever You Want to Be Juraj Somorovsky, 21st USENIX Security Symposium
Beyond Signature Wrapping: Signature Exclusion
23
• Lame but …
• …Worked against:– Apache Axis2– JOSSO– OpenAthens
Assertion
Subject
Binding
SignatureSignedInfo
Reference URI=”#123”
Bob
Assertion
Subject
Id=”123”
Bob
Assertion
Subject
Admin
24On Breaking SAML: Be Whoever You Want to Be Juraj Somorovsky, 21st USENIX Security Symposium
SAML Signature Wrapping – Summary
24
Framework / Provider Signature Exclusion Signature Wrapping
Apache Axis 2 X X
Guanxi X
Higgins 1.x X
IBM Datapower XS40 X
JOSSO X X
WIF
OIOSAML X
OpenAM X
OneLogin X
OpenAthens X
OpenSAML X
Salesforce X
SimpleSAMLphp
WSO2 X
Danish eGovernment
Shibboleth, SwissID …
Enterprise Applications
Joomla, Wordpress, SugarCRM, Drupal
25On Breaking SAML: Be Whoever You Want to Be Juraj Somorovsky, 21st USENIX Security Symposium 25
Overview
1. Securing SAML with XML Signature2. XML Signature Wrapping Attacks3. Practical Evaluation4. Penetration Test Library5. Countermeasures6. Conclusion
26On Breaking SAML: Be Whoever You Want to Be Juraj Somorovsky, 21st USENIX Security Symposium 26
• Considered all the attack vectors:1. Different permutations of signed / processed Assertions2. Id processing3. Signature exclusion attacks4. XML Schema extensions
• Further attacks on Salesforce interface• Will be included in our WS-Attacker framework
• http://ws-attacker.sourceforge.net/
Penetration Test Library
27On Breaking SAML: Be Whoever You Want to Be Juraj Somorovsky, 21st USENIX Security Symposium 27
Overview
1. Securing SAML with XML Signature2. XML Signature Wrapping Attacks3. Practical Evaluation4. Penetration Test Library5. Countermeasures6. Conclusion
28On Breaking SAML: Be Whoever You Want to Be Juraj Somorovsky, 21st USENIX Security Symposium 28
• General problem: different processing modules have different views on documents
Countermeasures
Signature Verification
Assertion Evaluation
Valid /Invalid
Id-based
/Binding/Assertion/Subject
Assertion
Subject
Binding
SignatureValue
Signature
SignedInfo
Reference URI=”#123”DigestVal
ue
Id=”123”
Bob
User
29On Breaking SAML: Be Whoever You Want to Be Juraj Somorovsky, 21st USENIX Security Symposium 29
• Forward only signed elements• Also called see-only-what-is-signed
Countermeasure 1: Strict Filtering
Binding
Assertion
AssertionSignature
Verification
Signature
Binding
Assertion
Assertion Evaluation
30On Breaking SAML: Be Whoever You Want to Be Juraj Somorovsky, 21st USENIX Security Symposium 30
• Signature verification generates a random number r• The verified data is tainted with r• r is forwarded to the Assertion evaluation logic
Countermeasure 2: Data Tainting
Binding
Assertion
Assertion Signature Verification
Signature
Assertion Evaluation
Binding
Assertion
Assertion
Signature r = xyzr = xyz
r=”xyz”
31On Breaking SAML: Be Whoever You Want to Be Juraj Somorovsky, 21st USENIX Security Symposium 31
Overview
1. SAML Assertion2. Securing SAML with XML Signature3. XML Signature Wrapping Attacks4. Practical Evaluation5. Countermeasures6. Conclusion
32On Breaking SAML: Be Whoever You Want to Be Juraj Somorovsky, 21st USENIX Security Symposium 32
• We showed critical Signature Wrappings in SAML, 12 out of 14 frameworks affected!
• All providers informed• Signature Wrapping known since 2005, but:
• Not in focus of research community• Nearly all implementations are vulnerable• Not easy to fix: many permutations, vulnerable libraries
• Be aware of Signature Wrapping when applying:• In Web Services• SAML
•Beyond XML: Could be applied in all the scenarios where different processing modules have different views on documents
Conclusion
33On Breaking SAML: Be Whoever You Want to Be Juraj Somorovsky, 21st USENIX Security Symposium
Thank you for your attention
Juraj Somorovsky1, Andreas Mayer2, Jörg Schwenk1, Marco Kampmann1, and Meiko Jensen1
1Horst-Görtz Institute for IT-Security, Ruhr-University Bochum2Adolf Würth GmbH & Co. KG
34On Breaking SAML: Be Whoever You Want to Be Juraj Somorovsky, 21st USENIX Security Symposium 34
Responsible Disclosure
• Apache Axis 2 05.04.2011 ???• Guanxi 25.07.2011 ???• Higgins 1.x 24.04.2011 Open• IBM XS40 Oct 2011 ??• JOSSO 18.02.2011 March 2011• OIOSAML 25.07.2011 03.08.2011• OpenAM 03.12.2011 07.12.2011• OneLogin 03.06.2011 ???• OpenAthens 29.07.2011 05.08.2011• OpenSAML 18.07.2011 25.07.2011• Salesforce 03.06.2011 13.06.2011• WSO2 16.02.2011 18.07.2011
