Signature should be one-time or specific to the post (to avoid replay and similar attacks) #1

Closed
npdoty opened this issue May 29, 2014 · 2 comments

npdoty commented May 29, 2014

There is a security issue in using as the credential a PGP signature of a profile URL. In particular, as the protocol is described now, Alice could store the signature POSTed by Bob and then use that to impersonate Bob on Clara's or Dave's site. Eve (who overheard the request) could impersonate Bob on Alice's site, or any other site.

I'm not an expert in secure protocol design, but in general you'd want the signature to be of a particular challenge, which would be a one-time (or at least, specific to that post) value.

Owner

mapkyca commented May 29, 2014

Very good point, thanks!

From memory, replay in PGP is mitigated by the signature containing a hashed timestamp and a signature ID. An implementation should probably check for these, although it seems that the info block that verify returns has a lot of blank spaces.

One approach could be to simply sign the current time; the server could then check to see if this login is within a couple of seconds, mitigating a replay attack to a very fast attacker, and it would be a trivial matter to log out both users if the same user appears in two sessions.

I'd like to avoid having a specific login endpoint with a challenge response, since this would add a second layer of discovery...

(I had also, I think, kinda assumed https everywhere at this point ;) )

Owner

mapkyca commented Jun 2, 2014

Ok, I've updated the spec to include a timestamp and a reference to the URL you're requesting. This lets the recipient check that we've not seen the packet before, and I've updated my reference implementation accordingly.

See: http://www.marcus-povey.co.uk/2014/06/02/improved-openpgp-signin-implementation/

@mapkyca mapkyca closed this as completed Jun 2, 2014
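
The checks discussed in this thread (timestamp freshness, binding to the requested URL, and rejecting a packet that has been seen before), as an added example that is not taken from the spec or the reference implementation. It assumes the OpenPGP signature has already been verified by a library that returns the signer's key fingerprint and the signed cleartext; the payload layout, the `ReplayGuard` name and the 30-second window are hypothetical.

```python
import hashlib
import time

MAX_SKEW = 30  # seconds a signed request stays acceptable (assumed value)


class ReplayGuard:
    """Freshness, URL-binding and one-time checks on an already verified payload."""

    def __init__(self, max_skew=MAX_SKEW):
        self.max_skew = max_skew
        self._seen = {}  # packet digest -> time after which it can be forgotten

    def check(self, fingerprint, signed_text, requested_url, now=None):
        """Return (ok, reason). `signed_text` is the cleartext the OpenPGP
        library reported as validly signed by the key `fingerprint`."""
        now = time.time() if now is None else now
        # Forget packets that would fail the freshness test anyway.
        self._seen = {d: exp for d, exp in self._seen.items() if exp > now}

        # Assumed payload layout: "<unix timestamp>\n<URL being requested>".
        try:
            ts_line, url = signed_text.strip().split("\n", 1)
            ts = int(ts_line)
        except ValueError:
            return False, "malformed"

        # URL binding: a signature made for one site is useless on another.
        if url.strip() != requested_url:
            return False, "wrong-url"
        # Freshness: a stored signature stops working after the window.
        if abs(now - ts) > self.max_skew:
            return False, "stale"
        # One-time use: an overheard packet cannot be reused inside the window.
        packet = f"{fingerprint}\n{signed_text.strip()}".encode()
        digest = hashlib.sha256(packet).hexdigest()
        if digest in self._seen:
            return False, "replayed"
        self._seen[digest] = ts + self.max_skew + 1
        return True, "ok"


if __name__ == "__main__":
    # Constructed sample values, not real keys or sites.
    guard = ReplayGuard()
    payload = "1401700000\nhttps://alice.example/post/1"
    print(guard.check("FPR_BOB", payload, "https://alice.example/post/1", now=1401700005))
    print(guard.check("FPR_BOB", payload, "https://alice.example/post/1", now=1401700006))
```

The seen-packet table here lives in one process's memory; a deployment with several workers would need a shared store for it.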