Getting a grasp on Heartbleed and IDPs

Wessel, Keith kwessel at
Thu Apr 10 12:29:38 EDT 2014

Thanks for the further info, Ian. What's the lifetime of the transient session key?


From: users-bounces at [mailto:users-bounces at] On Behalf Of Ian Young
Sent: Thursday, April 10, 2014 11:05 AM
To: Shib Users
Subject: Re: Getting a grasp on Heartbleed and IDPs

On 10 Apr 2014, at 16:53, Wessel, Keith <kwessel at<mailto:kwessel at>> wrote:

If the IDP's private key was exposed (through connections to Apache connections to 8443), what could a hacker do with it? Could they intercept assertions from our IDP and decrypt them?

If they can run some kind of DNS poisoning attack, then they can impersonate your IdP to an SP making an attribute query, up until the point where that key material has been removed from metadata.

They can also directly issue signed assertions to SPs using that key. Again, this will stop working once the SP sees metadata that doesn't include that key.

Assertions going from the IdP to the SP are encrypted with a transient session key which is then encrypted using the *SP*'s public key, so they can't be decrypted by any party other than the intended SP, including the IdP itself.

               -- Ian

-------------- next part --------------
An HTML attachment was scrubbed...

More information about the users mailing list