Getting a grasp on Heartbleed and IDPs

Ian Young ian at
Thu Apr 10 12:05:14 EDT 2014

On 10 Apr 2014, at 16:53, Wessel, Keith <kwessel at> wrote:

> If the IDP’s private key was exposed (through connections to Apache connections to 8443), what could a hacker do with it? Could they intercept assertions from our IDP and decrypt them?

If they can run some kind of DNS poisoning attack, then they can impersonate your IdP to an SP making an attribute query, up until the point where that key material has been removed from metadata.

They can also directly issue signed assertions to SPs using that key. Again, this will stop working once the SP sees metadata that doesn't include that key.

Assertions going from the IdP to the SP are encrypted with a transient session key which is then encrypted using the *SP*'s public key, so they can't be decrypted by any party other than the intended SP, including the IdP itself.

	-- Ian
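The two points above (signed assertions accepted only while the key is in metadata; encrypted assertions readable only by the SP), as an added Go illustration that is not from Ian's message or from the Shibboleth code base. It stands in for SAML's XML Signature and XML Encryption with plain RSA PKCS#1 v1.5 signatures, RSA-OAEP key wrapping and AES-GCM; the assertion strings, the Metadata type, the Outcome type and the key names (leaked, replacement, sp) are constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Constructed stand-ins for SAML assertions; a real one is signed XML.
const (
	genuineAssertion = `<saml:Assertion ID="_genuine">uid=alice</saml:Assertion>`
	forgedAssertion  = `<saml:Assertion ID="_forged">uid=admin</saml:Assertion>`
)

// must keeps the example short: setup failures (key generation, randomness) are fatal here.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// Metadata stands in for the IdP signing keys an SP currently trusts from federation metadata.
type Metadata struct{ IdPSigningKeys []*rsa.PublicKey }

// SignAssertion is what the IdP, or anyone holding its private key, does.
func SignAssertion(priv *rsa.PrivateKey, assertion []byte) []byte {
	h := sha256.Sum256(assertion)
	return must(rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:]))
}

// VerifyAgainstMetadata accepts the assertion only if a key still published in metadata verifies it.
func VerifyAgainstMetadata(md Metadata, assertion, sig []byte) bool {
	h := sha256.Sum256(assertion)
	for _, k := range md.IdPSigningKeys {
		if rsa.VerifyPKCS1v15(k, crypto.SHA256, h[:], sig) == nil {
			return true
		}
	}
	return false
}

// EncryptedAssertion mirrors SAML's EncryptedData plus EncryptedKey: AES-GCM under a fresh
// session key, with that session key wrapped by RSA-OAEP to the SP's public key.
type EncryptedAssertion struct{ WrappedKey, Nonce, Ciphertext []byte }

func EncryptForSP(spPub *rsa.PublicKey, assertion []byte) *EncryptedAssertion {
	sessionKey := make([]byte, 32) // transient: generated per assertion, never reused
	nonce := make([]byte, 12)
	must(rand.Read(sessionKey))
	must(rand.Read(nonce))
	gcm := must(cipher.NewGCM(must(aes.NewCipher(sessionKey))))
	wrapped := must(rsa.EncryptOAEP(sha256.New(), rand.Reader, spPub, sessionKey, nil))
	return &EncryptedAssertion{wrapped, nonce, gcm.Seal(nil, nonce, assertion, nil)}
}

// DecryptAssertion tries to open the assertion with whatever private key the caller holds;
// only the SP key matching the wrapping public key recovers the session key.
func DecryptAssertion(priv *rsa.PrivateKey, ea *EncryptedAssertion) ([]byte, error) {
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ea.WrappedKey, nil)
	if err != nil {
		return nil, err // wrong private key: the wrapped session key does not unwrap
	}
	gcm := must(cipher.NewGCM(must(aes.NewCipher(sessionKey))))
	return gcm.Open(nil, ea.Nonce, ea.Ciphertext, nil)
}

// Outcome records what an attacker holding the leaked IdP key can and cannot do.
type Outcome struct {
	ForgedAcceptedBeforeRotation, ForgedAcceptedAfterRotation, GenuineAcceptedAfterRotation bool
	LeakedIdPKeyDecrypts, SPKeyDecrypts                                                   bool
}

func RunScenario() Outcome {
	leaked := must(rsa.GenerateKey(rand.Reader, 2048))      // IdP signing key, assumed exposed via Heartbleed
	replacement := must(rsa.GenerateKey(rand.Reader, 2048)) // the IdP's new key after rotation
	sp := must(rsa.GenerateKey(rand.Reader, 2048))          // the SP's own encryption key, never exposed
	forged, genuine := []byte(forgedAssertion), []byte(genuineAssertion)
	// 1. Attacker signs a forged assertion with the stolen key; SPs accept it until the key
	//    disappears from the metadata they consume.
	forgedSig := SignAssertion(leaked, forged)
	before := Metadata{[]*rsa.PublicKey{&leaked.PublicKey}}
	after := Metadata{[]*rsa.PublicKey{&replacement.PublicKey}} // leaked key withdrawn
	genuineSig := SignAssertion(replacement, genuine)
	// 2. Encrypted assertions are addressed to the SP's key, so the leaked IdP key cannot open them.
	ea := EncryptForSP(&sp.PublicKey, genuine)
	_, leakedErr := DecryptAssertion(leaked, ea)
	pt, spErr := DecryptAssertion(sp, ea)
	return Outcome{
		ForgedAcceptedBeforeRotation: VerifyAgainstMetadata(before, forged, forgedSig),
		ForgedAcceptedAfterRotation:  VerifyAgainstMetadata(after, forged, forgedSig),
		GenuineAcceptedAfterRotation: VerifyAgainstMetadata(after, genuine, genuineSig),
		LeakedIdPKeyDecrypts:         leakedErr == nil,
		SPKeyDecrypts:                spErr == nil && string(pt) == genuineAssertion,
	}
}

func main() { fmt.Printf("%+v\n", RunScenario()) }
```

Running it prints the Outcome fields: the forged assertion verifies before rotation and not after, the replacement key's assertion verifies after rotation, and only the SP key opens the encrypted assertion. In a real federation the "after" state is reached when SPs refresh metadata that no longer carries the exposed key, which is why the window Ian describes ends at that point and not at the moment the IdP itself stops using the key.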
