
[Assurance] CIC + Friends InC Silver doc group call today`

  • From: "Jim Green" <>
  • To: <>, "CIC IT IDMGMT Incsilver" <>, <>, <>, "Coggins, Deborah" <>, "Steven Carmody" <>
  • Subject: [Assurance] CIC + Friends InC Silver doc group call today`
  • Date: Fri, 17 May 2013 10:35:14 -0400
  • Authentication-results: sfpop-ironport04.merit.edu; dkim=pass (signature verified)

The CIC + Friends InCommon Silver documentation workgroup will have our
monthly conference call this afternoon from 3:00 - 4:00 Eastern time (2:00 -
3:00 Central). Jeff Capehart of U. of Florida sent me an agenda item for a
discussion on whether anyone has reviewed/used the OASIS "Security and
Privacy Considerations for the OASIS Security Assertion Markup Language
(SAML) V2.0" in conjunction with the InCommon Assurance IAP for InCommon
Silver. Here is a link to the document:

http://docs.oasis-open.org/security/saml/v2.0/saml-sec-consider-2.0-os.pdf

I've also attached Jeff's email where he poses some questions about it.

Otherwise I have some news from my institution to report and look forward to
hearing the news from other institutions.

Here's the call-in information:

Phone number: (605) 475-4000
Access code: 265768#


--- Begin Message ---
  • From: "Capehart,Jeffrey D" <>
  • To: "Jim Green" <>
  • Subject: RE: [Assurance] CIC + Friends InC Silver doc workgroup
  • Date: Wed, 15 May 2013 16:36:10 -0400
Jim,

I would be interested to hear if anyone has used the "Security and Privacy
Considerations for the OASIS Security Assertion Markup Language (SAML) V2.0"
as published on the OASIS web site 14 March 2005 for implementing,
reviewing, or auditing InCommon Silver. In particular, a checklist might be
a good tool for these. If most institutions are using Shibboleth and SAML
2.0 with InCommon for Silver, then these security considerations should
probably be documented and addressed.

Per the Silver profile, v1.2, the following requirements are listed as:

4.2.5 Authentication Process

.1 Resist Replay Attack
.2 Resist Eavesdropper Attack
.3 Secure Communication
.4 Proof of Possession
.5 Resist Session Hijacking Threat
.6 Mitigate Risk of Credential Compromise

From http://docs.oasis-open.org/security/saml/v2.0/

3.3 SAML Threat Model

The general Internet threat model described in the IETF guidelines for
security considerations is the basis for the SAML threat model. We assume
here that the two or more endpoints of a SAML transaction are uncompromised,
but that the attacker has complete control over the communications channel.

Additionally, due to the nature of SAML as a multi-party authentication and
authorization statement protocol, cases must be considered where one or more
of the parties in a legitimate SAML transaction - who operate legitimately
within their role for that transaction - attempt to use information gained
from a previous transaction maliciously in a subsequent transaction.

The following scenarios describe possible attacks:

* Denial-of-Service Attacks: The prevention of authorized access to a system
resource or the delaying of system operations and functions.
* Man-in-the-Middle Attacks: A form of active wiretapping attack in which
the attacker intercepts and selectively modifies communicated data to
masquerade as one or more of the entities involved in a communication
association.
* Replay Attacks: An attack in which a valid data transmission is
maliciously or fraudulently repeated, either by the originator or by an
adversary who intercepts the data and retransmits it, possibly as part of a
masquerade attack.
* Session Hijacking: A form of active wiretapping in which the attacker
seizes control of a previously established communication association.

In all cases, the local mechanisms that systems will use to decide whether
or not to generate assertions are out of scope. Thus, threats arising from
the details of the original login at an authentication authority, for
example, are out of scope as well. If an authority issues a false assertion,
then the threats arising from the consumption of that assertion by
downstream systems are explicitly out of scope.


-----Original Message-----
From: [mailto:] On Behalf Of Jim Green
Sent: Wednesday, May 15, 2013 2:17 PM
To: ; CIC IT IDMGMT Incsilver; ; ; Steven Carmody; Coggins, Deborah
Subject: [Assurance] CIC + Friends InC Silver doc workgroup

Based on the Doodle poll I sent out last week, 3:00 - 4:00pm Eastern time on
the third Friday of the month will be the meeting time for the CIC + Friends
InCommon Silver documentation workgroup. That will be this coming Friday,
May 17. Please send me any agenda items. Here's the call-in information:

Phone number: (605) 475-4000
Access code: 265768#

Thanks to all who took the time to fill in the poll. I look forward to
talking to you this Friday.


--- End Message ---
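As an added illustration of how a relying party addresses the Silver items .1 (replay) and the SAML Replay Attack scenario quoted in Jeff's message, here is example code written for this archive page; it is not Shibboleth's, InCommon's, or anyone's code from the thread. It assumes the XML signature has already been verified over a TLS-protected exchange, uses constructed example.edu entity IDs, and picks a three-minute clock-skew allowance as an assumption.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"


def _ts(value):
    # SAML uses xsd:dateTime in UTC; normalise the trailing "Z" for fromisoformat.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


class ReplayCache:
    """Remembers assertion IDs until their NotOnOrAfter (plus skew) has passed."""

    def __init__(self):
        self._seen = {}  # assertion ID -> time after which it may be forgotten

    def first_use(self, assertion_id, expires, now):
        for key in [k for k, exp in self._seen.items() if exp <= now]:
            del self._seen[key]  # purge stale entries so the cache stays bounded
        if assertion_id in self._seen:
            return False
        self._seen[assertion_id] = expires
        return True


def validate_assertion(xml_text, expected_audience, cache, now, skew=timedelta(minutes=3)):
    """Return (accepted, reason) after Conditions and replay checks (assumed skew: 3 min)."""
    root = ET.fromstring(xml_text)
    if root.tag != SAML + "Assertion" or root.get("Version") != "2.0":
        return False, "not a SAML 2.0 assertion"
    cond = root.find(SAML + "Conditions")
    if cond is None or cond.get("NotOnOrAfter") is None:
        return False, "missing Conditions/NotOnOrAfter"
    not_on_or_after = _ts(cond.get("NotOnOrAfter"))
    if cond.get("NotBefore") and now < _ts(cond.get("NotBefore")) - skew:
        return False, "assertion not yet valid"
    if now >= not_on_or_after + skew:
        return False, "assertion expired"
    if expected_audience not in [a.text for a in cond.iter(SAML + "Audience")]:
        return False, "audience mismatch"
    # Replay defence: an assertion ID is accepted once within its validity window.
    if not cache.first_use(root.get("ID"), not_on_or_after + skew, now):
        return False, "replayed assertion ID"
    return True, "ok"


# Constructed sample assertion (not any real IdP's output); Signature element omitted.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed1" Version="2.0" IssueInstant="2013-05-17T19:00:00Z">
  <saml:Issuer>https://idp.example.edu/idp/shibboleth</saml:Issuer>
  <saml:Conditions NotBefore="2013-05-17T19:00:00Z" NotOnOrAfter="2013-05-17T19:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.edu/shibboleth</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""
```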
