oss-sec mailing list archives

Re: Fixing the XML signature HMAC truncation authentication bypass

From: Robert Buchholz <rbu () gentoo org>
Date: Wed, 15 Jul 2009 02:41:16 +0200

On Tuesday 14 July 2009, Florian Weimer wrote:

Quoting from <http://www.kb.cert.org/vuls/id/466161>:
| XML Signature Syntax and Processing (XMLDsig) is a W3C
| recommendation for providing integrity, message authentication,
| and/or signer authentication services for data. XMLDsig is commonly
| used by web services such as SOAP. The XMLDsig recommendation
| includes support for HMAC truncation, as specified in RFC2014. When
| HMAC truncation is under the control of an attacker, however, this
| can result in an effective authentication bypass. For example, by
| specifying an HMACOutputLength of 1, only one bit of the signature
| is verified. This can allow an attacker to forge an XML signature
| that will be accepted as valid.

What shall we do about this?  Shall we just cap the value at 80 or 96
bits in our implementations?


I believe this to be the best approach. RFC 2104 specifically states 80 
or half of the digest length as the lower boundary for truncation, and 
it would be compatible API-wise.

As far as Gentoo is concerned, the following upstreams have confirmed 
the issue (to CERT):
1) Apache XML Security
2) aleksey.com xmlsec library
3) Mono
4) Sun JDK/JRE 1.6

1) Apache
Bug:
https://issues.apache.org/bugzilla/show_bug.cgi?id=47526
Patch:
http://svn.apache.org/viewvc?view=rev&revision=794013

It seems they disallow HMAC truncation completely.
* In my personal opinion the best move (since we're dealing with XML,
  who cares about an additional <16 bytes?)


2) xmlsec:

These are the patches that went into 1.2.12:
http://git.gnome.org/cgit/xmlsec/commit/?id=34b349675af9f72eb822837a8772cc1ead7115c7
http://git.gnome.org/cgit/xmlsec/commit/?id=d4ac1a621f88a923b17394530e333a3086ebe206

The value of 40 seems like a really bad default.


3) Mono

Patches:
http://anonsvn.mono-project.com/viewvc/?view=rev&revision=137886 (trunk)
http://anonsvn.mono-project.com/viewvc/?view=rev&revision=137887 (2.4)
http://anonsvn.mono-project.com/viewvc/?view=rev&revision=137888 (2.0)
http://anonsvn.mono-project.com/viewvc/?view=rev&revision=137889 (1.9)
http://anonsvn.mono-project.com/viewvc/?view=rev&revision=137890 (1.2.5)
http://anonsvn.mono-project.com/viewvc/?view=rev&revision=137891 (1.2.2)
http://anonsvn.mono-project.com/viewvc/?view=rev&revision=137892 (1.1.7)

They impelement min = max(80, full length/2). Good!



Florian Streibelt's analysis of the GnuTLS code indicated that is also 
vulnerable. On our list of unreviewed suspects is still:
* gSOAP (SOAP C++ Web Services)
* zsi (Zolera Soap Infrastructure)
* OpenSAML


Robert

Attachment: signature.asc
Description: This is a digitally signed message part.

Current thread:

Fixing the XML signature HMAC truncation authentication bypass Florian Weimer (Jul 14)
- Re: Fixing the XML signature HMAC truncation authentication bypass Robert Buchholz (Jul 14)
  - Re: Fixing the XML signature HMAC truncation authentication bypass Robert Buchholz (Jul 14)
  - Re: Fixing the XML signature HMAC truncation authentication bypass Robert Buchholz (Jul 14)