Certificate Faking
Attack description
The cryptographic verification of the digital signature guarantees the integrity of the token. Additionally, it is essential to verify the token’s authenticity, too. In other words, the Software-as-a-Service Cloud Provider (SaaS-CP) should check whether the token was signed by a trusted Identity Provider (IdP). The Certificate Faking (CF) attack utilizes possible flaws in the selection logic of the key used for the verification of tokens, by providing an attacker generated token signed by an attacker generated key.
The attack targets the Single Sign-On (SSO) Verificator, which should verify that the authentication token is signed by a trusted third party instead of accepting any key provided with the token (although the XML Signature standard allows to include certificates, it is essential to verify whether it is a trusted certificate).
Attack subtypes
There are no attack subtypes for this attack.
Prerequisites for attack
In order to run the attack, the attacker must be able to create Security Assertion Markup Language (SAML) tokens and sign them with his own self-created key.
Graphical representation of attack
The SAML token is signed with an untrusted key. If the key stored in the token is used for the verification without validating the trust relationship to it, CF is applicable.
Attack example
The attacker creates a token t = (I, N, D), where I - Identity, N - Freshness and D - Destination. Then, he creates a secret key evilKey and a corresponding public key. The secret key is used to compute the digital signature s = SIG_evilKey(t). The attacker then uses his key pair to create a certificate evilCert containing the corresponding public key to verify s. SAML uses the XML Signature standard that allows to store evilCert directly within the XML Signature. If the target SaaS-CP uses evilCert to verify the signature s (without prior check of the trust relationship for the corresponding key), the token will be accepted as valid.
Attack mitigation / countermeasures
This attack can be mitigated by manually deploying the trusted certificates to the corresponding SaaS-CP and not using any certificates provided with the token.
Attack categorisation
Categorisation by attacker model
- Category:Attack_Categorisation_By_Attacker_Model:_Message_generation_attacks
- Category:Attack_Categorisation_By_Attacker_Model
Categorisation by violated security objective
The attacker gains access to arbitrary accounts, since he can generate and sign valid tokens containing the identities of other users, for example,
t =(I_admin=I_Bob,N,D) with
s =SIG_evilKey(t). Hence, it violates the security objective of access control.
- Category:Attack_Categorisation_By_Violated_Security_Objective_Access_Control
- Category:Attack_Categorisation_By_Violated_Security_Objective
Categorisation by attack on IdP/SP
Categorisation by attacked component in web service architecture
- Category:Attack_Categorisation_By_Attacked_Web_Service_Component:_Signature_Verification
- Category:Attack_Categorisation_By_Attacked_Web_Service_Component
Categorisation by attack spreading
- Category:Attack_Categorisation_By_Attack_Spreading
- Category:Attack_Categorisation_By_Attack_Spreading:Conceptual_Flaws
References
C. Mainka, V. Mladenov, F. Feldmann, J. Krautwald, J. Schwenk (2014): Your Software at my Service: Security Analysis of SaaS Single Sign-On Solutions in the Cloud. In The ACM Cloud Computing Security Workshop (CCSW).
- Attack Categorisation By Attacker Model: Message generation attacks
- Attack Categorisation By Attacker Model
- Attack Categorisation By Violated Security Objective Access Control
- Attack Categorisation By Violated Security Objective
- Attack Categorisation By Attack on IdP/ SP
- Attack Categorisation By Attacked Web Service Component: Signature Verification
- Attack Categorisation By Attacked Web Service Component
- Attack Categorisation By Attack Spreading
- Attack Categorisation By Attack Spreading:Conceptual Flaws