Getting a grasp on Heartbleed and IDPs

Wessel, Keith kwessel at illinois.edu
Thu Apr 10 12:29:38 EDT 2014


Thanks for the further info, Ian. What's the lifetime of the transient session key?

Keith


From: users-bounces at shibboleth.net [mailto:users-bounces at shibboleth.net] On Behalf Of Ian Young
Sent: Thursday, April 10, 2014 11:05 AM
To: Shib Users
Subject: Re: Getting a grasp on Heartbleed and IDPs


On 10 Apr 2014, at 16:53, Wessel, Keith <kwessel at illinois.edu> wrote:


If the IDP's private key was exposed (through connections to Apache connections to 8443), what could a hacker do with it? Could they intercept assertions from our IDP and decrypt them?

If they can run some kind of DNS poisoning attack, then they can impersonate your IdP to an SP making an attribute query, up until the point where that key material has been removed from metadata.

They can also directly issue signed assertions to SPs using that key. Again, this will stop working once the SP sees metadata that doesn't include that key.

Assertions going from the IdP to the SP are encrypted with a transient session key which is then encrypted using the *SP*'s public key, so they can't be decrypted by any party other than the intended SP, including the IdP itself.

               -- Ian
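The hybrid scheme Ian describes, as an added example that is not part of this thread or of Shibboleth's own code: each assertion gets a fresh transient key, and only that key is wrapped to the SP's public key, so no private key other than the SP's (the IdP's included) can open the result. It assumes Go's standard-library AES-256-GCM and RSA-OAEP as stand-ins for the XML Encryption algorithms SAML actually uses, and `EncryptedAssertion` is an illustrative type, not a real SAML structure.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// EncryptedAssertion is an illustrative stand-in for a SAML EncryptedAssertion
// (not a real SAML type): the body under a fresh AES-256-GCM key, plus that
// key RSA-OAEP-wrapped for exactly one recipient, the SP.
type EncryptedAssertion struct{ WrappedKey, Nonce, Ciphertext []byte }

// Encrypt is the IdP side: a one-off session key encrypts the assertion, then
// only that key is wrapped to the SP's public key. Nothing the IdP holds,
// its own private key included, can recover the session key afterwards.
func Encrypt(assertion []byte, spPub *rsa.PublicKey) (*EncryptedAssertion, error) {
	buf := make([]byte, 32+12) // 256-bit transient key followed by a 96-bit GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	sessionKey, nonce := buf[:32], buf[32:]
	block, _ := aes.NewCipher(sessionKey) // cannot fail: the key is exactly 32 bytes
	gcm, _ := cipher.NewGCM(block)        // cannot fail for an AES block cipher
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, spPub, sessionKey, nil)
	if err != nil {
		return nil, err
	}
	return &EncryptedAssertion{wrapped, nonce, gcm.Seal(nil, nonce, assertion, nil)}, nil
}

// Decrypt is the SP side. With any other private key, the IdP's own included,
// OAEP unwrapping fails and the assertion body is never reached.
func Decrypt(ea *EncryptedAssertion, priv *rsa.PrivateKey) ([]byte, error) {
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ea.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, ea.Nonce, ea.Ciphertext, nil)
}
```

Removing the compromised key from metadata, as Ian notes, is what stops forged signatures; it changes nothing here, because the IdP's signing key never enters the encryption path at all.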


