View Issue Details

IDProjectCategoryView StatusLast Update
0002496Compliance Test Tool (CTT) Unified ArchitectureIOP Problempublic2015-02-02 20:51
ReporterRandy Armstrong Assigned ToNathan Pocock 
PrioritynormalSeveritymajorReproducibilityalways
Status closedResolutionfixed 
Product Version1.02.334.200 
Target Version1.02.335Fixed in Version1.02.335 
Summary0002496: Security Validation Tests expect wrong error codes.
Description

Part 6 Section 6.7.6 Verifying Message Security lays out the requirements for these test cases. Specifically it says that Bad_SecurityChecksFailed is the only error that returned until security validation is complete. Security validation includes all checks on the certificate provided by the client.

It also says that applications must log the real error, however, checking the application log requires a lab test and cannot be done with the CTT.

Additional Information

After the security validation is complete the receiver shall verify the RequestId and the SequenceNumber. If these checks fail a Bad_SecurityChecksFailed error is reported. The RequestId only needs to be verified by the Client since only the Client knows if it is valid or not.
Text from spec:

At this point the SecureChannel knows it is dealing with an authenticated Message that was not tampered with or resent. This means the SecureChannel can return secured error responses if any further problems are encountered.

Stacks that implement UASC shall have a mechanism to log errors when invalid Messages are discarded. This mechanism is intended for developers, systems integrators and administrators to debug network system configuration issues and to detect attacks on the network.

TagsNo tags attached.
Files Affected

Relationships

parent of 0002504 closedRandy Armstrong 10000-006: Mappings Security Validation Tests expect wrong error codes. 

Activities

Nathan Pocock

2013-06-20 18:28

viewer   ~0004733

CMPWG Jun-20-2013:

Agreed. Test cases have been revised. Test-scripts will follow.

Hannes Mezger

2013-06-25 11:55

reporter   ~0004734

Last edited: 2013-06-25 13:08

Reading section 6.7.6 of part 6 of the spec, I cannot find any passage that says that Bad_SecurityChecksFailed would be the only error code that should be returned by OpenSecureChannel in case of certificate errors. This part is very unclear regarding to the order of the verification steps and should be clarified.

For me, the sentence 'The receiver shall report the appropriate error if Certificate validation fails.' tells me (as a server) to return the appropriate error code to the client if verification fails - not the general Bad_SecurityChecksFailed.

Also, in case the spec should be interpreted this way, table 8 of part 4 would contradict part 6, as there are specific error codes like Bad_CertificateHostNameInvalid or Bad_CertificateTimeInvalid shown as service result codes specifically for OpenSecureChannel. If these should not be used, all specific error codes have to be removed from this table.

From my point of view, the steps are as follows:

  • Verifiying that the SenderCertificate is a proper X509 certificate
    -> if not, Bad_CertificateInvalid

  • Decrypting the message
    -> if not, Bad_SecurityChecksFailed

  • Verifying the signature
    -> if not, Bad_SignatureInvalid

  • Check if the certificate is trusted at all
    -> if not, Bad_CertificateUntrusted

  • Check URI, Hostname, Expiration, Revocation etc.
    -> if not, specific error code

The argument for not returning any specific error codes is that a hacker would be helped creating a valid certificate to connect to the server which he is not supposed to do.

But if a hacker gets as far as having the server trust his certificate (either by having his certificate signed by a CA that is trusted by the server, or by putting his certificate to the server's trust list), I think he would be clever enough to get the expiration date of his certificate right, even if the server just returns a general error code.

Thus, this would just be security by obscurity, adding no additional security at all. Also, this hides helpful error messages from clients that could use these messages to help a user decide what to do in case of a problem.

Hannes Mezger

2013-06-25 12:13

reporter   ~0004735

All other applications using X509 certificates return specific errors, hence the "obscurity" pushes UA in the same direction like DCOM, where unclear error messages lead to misconfiguration and frustration, without adding any additional security at all. All information in a public certificate is public, hence reporting errors about its content is no security hole.

Randy Armstrong

2013-06-26 10:37

administrator   ~0004736

The issue that we need to protect against are errors that would allow an attacker to use trial and error to discover keys by changing the message slightly and look for a change in error codes (an HTTPS exploit based on using error codes exists).

It is hypothetically possible for an attacker to create specially formed certificates to find holes. For that reason I not comfortable returning different errors that could occur when an hacker is probing the server with different constructed certificates.

The one exception I would make is once the Server knows the certificate is trusted (i.e. it cannot be constructed by a hacker) then error codes can be returned as normal. If we could require that trust be checked before the other certificate checks then the other errors can be returned but that not the way the stacks work now.

Nathan Pocock

2013-06-27 19:54

viewer   ~0004738

I would agree with Hannes comments from 6/25/2013.

Should we punish the end-user with an error that's the equivalent to "an error has occurred". The end-user will be using the system 99.9999999% (or more) of time? My vote would be "no".

However, Part 6 does state the behavior that Randy describes and that's the reason why we (CMPWG) have reluctantly revised the test-cases.

We definitely should be mindful of security, but this behavior (in part 6) will very likely turn out to create a LOT of headache as end-users complain to their vendors when products don't talk and the user can't figure out why because of an overly generic error code.

Randy Armstrong

2013-06-28 04:14

administrator   ~0004739

This issue should be moved to Part 6 where the UA WG can talk about changing the spec to specifically require certificate related errors.

Hannes Mezger

2013-07-08 14:47

reporter   ~0004744

There already are servers on the market (using the AnsiC stack) that have the behaviour described:

  1. Check for structurally valid certificate
  2. Check if certificate is trusted
  3. Check expiration, URI, hostname etc.

This is why the CTT tests should at least allow a server to return the more specific error codes instead of Bad_SecurityChecksFailed, as security is given by the order of processing the certificate validation.

Randy Armstrong

2013-07-16 13:20

administrator   ~0004813

Recommended change:

1) No change for symmetric keys
2) For asymmetric keys require that trust be checked first
3) Develop a CTT test that verifies that trust is checked first.
4) Return BadSecurityChecksFailed for trust error, a error that prevents trust from being checked or any other problem decrypting or verifying the message.
5) Return other certificate error codes when appropriate (expired).

BadCertificateRevoked is returned if the certificate would otherwise be trusted.
BadCertificateInvalid is not returned because it prevents trust from being checked.

Nathan Pocock

2014-09-22 15:48

viewer   ~0005491

Fixed, awaiting release. Will close issue once officially released.

Issue History

Date Modified Username Field Change
2013-06-19 18:29 Randy Armstrong New Issue
2013-06-19 18:29 Randy Armstrong Status new => assigned
2013-06-19 18:29 Randy Armstrong Assigned To => Nathan Pocock
2013-06-20 18:28 Nathan Pocock Note Added: 0004733
2013-06-20 18:28 Nathan Pocock Status assigned => confirmed
2013-06-25 11:55 Hannes Mezger Note Added: 0004734
2013-06-25 12:13 Hannes Mezger Note Added: 0004735
2013-06-25 13:08 Hannes Mezger Note Edited: 0004734
2013-06-26 10:37 Randy Armstrong Note Added: 0004736
2013-06-27 19:54 Nathan Pocock Note Added: 0004738
2013-06-28 04:14 Randy Armstrong Note Added: 0004739
2013-06-28 04:15 Randy Armstrong Issue cloned: 0002504
2013-06-28 04:15 Randy Armstrong Relationship added parent of 0002504
2013-07-08 14:47 Hannes Mezger Note Added: 0004744
2013-07-16 13:20 Randy Armstrong Note Added: 0004813
2014-08-20 20:49 Nathan Pocock Target Version => 1.02.335
2014-08-20 20:49 Nathan Pocock Additional Information Updated
2014-08-22 13:37 Nathan Pocock Category Api Change => Script Change
2014-08-28 14:03 Nathan Pocock Category Script Change => (No Category)
2014-08-28 14:16 Nathan Pocock Category (No Category) => IOP Problem
2014-08-28 14:16 Nathan Pocock Product Version => 1.02.334.200
2014-09-22 15:48 Nathan Pocock Note Added: 0005491
2014-09-22 15:48 Nathan Pocock Status confirmed => resolved
2014-09-22 15:48 Nathan Pocock Fixed in Version => 1.02.335
2014-09-22 15:48 Nathan Pocock Resolution open => fixed
2015-02-02 20:51 Nathan Pocock Status resolved => closed