Wednesday, December 30, 2009

Security Gotcha: Nonrepudiation


An important web services security requirement is nonrepudiation. This requirement prevents a party from denying it sent or received a message. The way to implement this is using Xml Digital Signatures. For example, if I sent a message which is signed with my private key, I cannot later deny that I sent it.

A common mistake is to think that every web service that require an X.509 certificate ensures nonrepudiation. This goes without say for web services that only require server certificate - in these services clients are either anonymous or username/password identified, which is considered weak cryptographically material.

However, also when a client X.509 is involved, nonrepudiation is not always guaranteed.
For example, let's examine a Wcf service which uses WsHttpBinding with TransportWithMessageCredential and clientCredentialType="Certificate":

   <binding name="WSHttpBinding_IService" >
     <security mode="TransportWithMessageCredential">
       <transport clientCredentialType="None" proxyCredentialType="None"
        realm="" />
       <message clientCredentialType="Certificate" negotiateServiceCredential="true"
        algorithmSuite="Default" establishSecurityContext="false" />

This is how the client request looks like:

<soap:Envelope xmlns:soap="" xmlns:xsi="" xmlns:xsd="" xmlns:wsa="">
   <To soap:mustUnderstand="1" u:Id="_1" xmlns="" xmlns:u=""></To>
   <o:Security soap:mustUnderstand="1" xmlns:o="">
    <u:Timestamp u:Id="_0" xmlns:u="">
    <o:BinarySecurityToken u:Id="uuid-b29856c4-1be8-4cf6-94ef-b3e2818b9924-1" ValueType="" xmlns:u="">...</o:BinarySecurityToken>
    <Signature xmlns="">
      <CanonicalizationMethod Algorithm="" />
      <SignatureMethod Algorithm="" />
      <Reference URI="#_0">
        <Transform Algorithm="" />
       <DigestMethod Algorithm="" />
      <Reference URI="#_1">
        <Transform Algorithm="" />
       <DigestMethod Algorithm="" />
       <o:Reference URI="#uuid-b29856c4-1be8-4cf6-94ef-b3e2818b9924-1" />
   <EchoString xmlns="">

The message body is not signed!
This practically means anyone who has this message (for example the server) can extract the signed parts and resend them with a bogus body.


What's next? get this blog rss updates or register for mail updates!