7 Deadly Sins of Distributed Authentication
Issue/Topic: 7 Deadly Sins of Distributed Authentication
Session: Day – Number - Space Location: Day 3 – Session 4 – Location A
Convener: Brad Hill
Notes-taker(s): Brad Hill
A. Tags for the session - technology discussed/ideas considered:
Security, Security Flaws, Cryptography, Protocols, Implementation
B. Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:
This session was based on the idea that the many common problems, protocols and implementations of distributed authentication and identity systems also lead to a common set of flaws, pitfalls and shortcomings. The goal was to propose a set of “most common mistakes”, in the spirit of the OWASP Top 10 Most Common Web Application Flaws, (http://www.owasp.org) to inform designers, implementers and deployers of these technologies on the informal security history and academic literature of similar technologies.
The discussion started with the following outline, supplied by Brad Hill:
7 Deadly Sins of Distributed Authentication:
1. Unconstrained Delegation • Passwords – Give them to somebody, they can use them to authenticate as you to anyone else. • Bearer Tokens – Message level security needs to have a target scope: Who was this artifact intended for? • Kerberos Delegation v1 – Constrained sources, unconstrained targets for those sources. Abuse of “trusted subsystem” model.
2. Forwardable Credentials • NTLM – Not delegatable, definitely forwardable. – Protocols that don’t provide server authentication or scope and verify artifacts are vulnerable.
3. No Channel Binding • More sophisticated subset of credential forwarding. • Auth the transport channel one-way – Server to client (TLS) – Auth inside the client the other way – Client to server (NTLM, Kerberos bearer tokens, SAML) – No binding between the two creates confused deputy possibility, forwarding. • Possible even with client certs – recent renegotiation bug.
4. Bearer Tokens • Yes, it matters • Kerberos is a great example – Mutual auth, strong crypto, key exchange – Use it as a bearer token, it becomes vulnerable
5. Unscoped Authority • Example: Boeing & Air Force federate – Air Force wants to accept Boeing’s identity assertions – Boeing should be able to assert firstname.lastname@example.org – NOT: email@example.com or firstname.lastname@example.org – This is especially a big problem for systems that provide mutual authentication in a federated manner. – Server names must be scoped! • Kerberos SID Filtering
6. PKI, PKIX and SSL/TLS • Problems of unscoped authority. – Any public authority can assert any name. – Can any PKIX roots assert enterprise or other non-public identities? • Acceptance policies. – Key usage, EKU, etc. • Is this a server cert? A client cert? – Algorithms, key strengths • Trusting useless assertions – NO ASSURANCE for client certs or server certs for non-public TLDs as of 2005-9. • Wear a Belt & Suspenders for very high value services. – e.g. Windows Update
7. No Upgrade Path • Yes, adoption is important. • Build a strong and a weak system • Price them differently
Good Practices • Scoped, self-describing artifacts • Mutual authentication • Forwarding-resistant credentials • Channel binding • Key agreement • Proof-of-possession • Incentives to use high assurance protocols
Implementation Gaffes • Not verifying signatures. – Trusting encryption when integrity is needed – e.g., in SAML messages. <saml> <encrypted> … </encrypted><yourPublicKey/> <signed> … </signed><myPublicKey/> </saml>
• Weak Crypto / Incorrect Crypto – Stream ciphers. Don’t. – Using RSA to Encrypt and Sign arbitrary data. – ECB mode. – Encryption without Integrity • GUIDS, UUIDS and Randomness – Just make it random unless you have a good reason why it shouldn’t be. • Only need to seed and occasionally update PRNG with good randomness. – Minute possibility of a collision in a 128 bit random space is exactly the guarantee you’re hanging your hat on. – Old IETF draft of GUIDS not really that random – don’t use it. • HMAC Verification Timing – Don’t use a standard string or array comparison function to verify HMACs. – They all short-circuit as soon as they find a mismatched character. – Timing difference between good validation and bad validation. • Brute force correct HMAC one character at a time.
C and machine language comparisons that look like constant time may be OK, but test. Java and .Net are subject to optimizations that make code that looks like it should produce constant time results not. Adding a randomized delay was suggested. Suggestions from the group for better algorithms included double-hashing the HMAC before comparing, or starting the comparison at a random location in the HMAC string.
Other proposed additions to the list of common sins included:
Key Distribution • Administration • Rollover • Key Lifetime • “Heavy” Keys
Failure to Manage the Ecosystem and Dependencies • Verifying the implementation and policy of relying parties / consumers
Failure to Explicitly Distinguish Implementation vs. Policy • Acceptance policy • Issuance policy
“Writing Your Own” • Developers have learned in the last 10 years they shouldn’t write their own crypto algorithms. Need to learn now that they shouldn’t write their own distributed authentication and identity protocols. • IdPs and protocol implementers should provide and consumers should use standard libraries. • Usability should focus on providing good APIs and libraries. Making a protocol that anyone can implement in Perl overnight should be a non-goal, or at least subordinate to making a protocol that gives participants strong security guarantees.
Significant interest was expressed, at least among the attendees at the session, in formalizing the discussion into a paper, including a good bibliography.
Google Group created to facilitate discussion around creation of such a paper, at:
Suggested sources immediately relevant to the discussion included:
Ross Anderson - Robustness Principles for Public Key Protocols http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.44.3669
Martin Abadi and Roger Needham – Prudent Engineering Practice for Cryptographic Protocols http://portal.acm.org/citation.cfm?id=229714
Carl Ellision and Bruce Schneier – Ten Risks of PKI http://openweb.or.kr/10_risks_of_pki.pdf