[Freeipa-devel] Web SSO and securely storing the ccache
John Dennis
jdennis at redhat.com
Fri Jul 10 00:32:51 UTC 2009
I think the dirsec folks should review this too, perhaps you might want
to cc them as well.

What purpose is the sha256 hash of the session key serving? It appears to
be only used for look-up purposes, if that's the case why not just
lookup based on the session key?

You didn't state if this scheme would be restricted to only SSL/TLS
sessions, if not then ...

The session key is visible in the HTML headers, correct? Doesn't that
mean all one would need to do is sniff the session key to masquerade as
a legitimate user and automatically be authenticated as them? (Because
you'll look up the cached credentials under that session key and present
them without validating there is an uncompromised association between
the original user, the TGT, the ccache, and the currently presented
session cookie.) In which case the scheme is essentially equivalent to
using clear text passwords with the exception that the credentials will
eventually expire.

Otherwise, if the session is SSL/TLS encrypted then the primary exposure
is reduced to brute force attacks on the session key, which is probably a
minimal risk given it's a 256-bit key which is valid only during the
window the TGT is valid. You will have to be careful that there is no
collision or reuse of the session key within a specified time interval
(greater than the ticket duration).
--
John Dennis <jdennis at redhat.com>
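A small model of the lookup scheme John is describing, added here as an illustration and not code from the FreeIPA project or from any message in the thread. It stores a constructed stand-in for a ccache under sha256(session key), generates the key from the OS CSPRNG as a 256-bit value, and serves the entry only while the TGT it holds is valid. The replay step shows the point of the message: the store has no way to tell the browser that was issued the key from anyone else presenting the same bytes, so the key's secrecy on the wire is the whole game. The 10-hour TGT lifetime and the principal names are assumptions for the demo.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class CacheEntry:
    principal: str
    ccache: bytes       # opaque credential-cache blob (constructed stand-in)
    tgt_expiry: float   # absolute time after which the cached TGT is dead


class SessionCcacheStore:
    """Server-side map from a web session key to a cached Kerberos ccache.

    Entries are keyed by sha256(session_key), as in the scheme under discussion,
    and are served only while the TGT they hold is still valid.
    """

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._entries: Dict[str, CacheEntry] = {}
        self._clock = clock

    @staticmethod
    def _digest(session_key: str) -> str:
        return hashlib.sha256(session_key.encode("ascii")).hexdigest()

    def issue(self, principal: str, ccache: bytes, tgt_expiry: float) -> str:
        """Create a fresh 256-bit session key (OS CSPRNG) for an authenticated user."""
        session_key = secrets.token_hex(32)          # 32 random bytes -> 64 hex chars
        self._entries[self._digest(session_key)] = CacheEntry(principal, ccache, tgt_expiry)
        return session_key

    def lookup(self, presented_key: str) -> Optional[CacheEntry]:
        """Resolve a presented cookie value to cached credentials.

        Possession of the key is the only proof: the store cannot distinguish
        the browser that was issued the key from a party that captured it off
        an unencrypted connection.  The one check applied is TGT validity.
        """
        digest = self._digest(presented_key)
        entry = self._entries.get(digest)
        if entry is None:
            return None
        if self._clock() >= entry.tgt_expiry:
            del self._entries[digest]                 # never serve a dead TGT
            return None
        return entry

    def purge_expired(self) -> int:
        """Drop entries whose TGT has expired; returns how many were removed."""
        now = self._clock()
        dead = [d for d, e in self._entries.items() if now >= e.tgt_expiry]
        for d in dead:
            del self._entries[d]
        return len(dead)

    def holds_raw_key(self, session_key: str) -> bool:
        """True only if the store were keyed by the raw key rather than its digest."""
        return session_key in self._entries


def demo() -> dict:
    """Walk through issue / legitimate use / replay / expiry on a controllable clock."""
    clock = [1_000_000.0]                            # constructed fake time
    store = SessionCcacheStore(clock=lambda: clock[0])
    ten_hours = 10 * 3600                            # assumed TGT lifetime

    alice_key = store.issue("alice@EXAMPLE.COM", b"constructed-ccache-alice", clock[0] + ten_hours)
    store.issue("bob@EXAMPLE.COM", b"constructed-ccache-bob", clock[0] + ten_hours)

    legit = store.lookup(alice_key)                  # the browser that got the cookie
    replayed = store.lookup(alice_key)               # same bytes, presented by a sniffer
    unknown = store.lookup("0" * 64)                 # a guessed 256-bit value

    clock[0] += ten_hours + 1                        # the TGT lifetime elapses
    after_expiry = store.lookup(alice_key)           # alice's entry is dropped here
    purged = store.purge_expired()                   # sweep removes bob's entry

    return {
        "key_bits": len(alice_key) * 4,
        "legit": legit.principal if legit else None,
        "replayed": replayed.principal if replayed else None,
        "unknown": unknown.principal if unknown else None,
        "after_expiry": after_expiry.principal if after_expiry else None,
        "purged": purged,
        "entries_left": len(store._entries),
        "raw_key_stored": store.holds_raw_key(alice_key),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Nothing in `lookup` can reject the replayed key: "legit" and "replayed" resolve to the same principal, which is why the scheme is only as strong as the confidentiality of the cookie in transit. Expiry is enforced both on access and by the periodic sweep, so a key is never honoured past the ticket lifetime, and a fresh 256-bit key per issue keeps the reuse window John mentions from arising in practice.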