View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0002496 | Compliance Test Tool (CTT) Unified Architecture | IOP Problem | public | 2013-06-19 18:29 | 2015-02-02 20:51 |
Reporter | Randy Armstrong | Assigned To | |||
Priority | normal | Severity | major | Reproducibility | always |
Status | closed | Resolution | fixed | ||
Product Version | 1.02.334.200 | ||||
Target Version | 1.02.335 | Fixed in Version | 1.02.335 | ||
Summary | 0002496: Security Validation Tests expect wrong error codes. | ||||
Description | Part 6 Section 6.7.6 Verifying Message Security lays out the requirements for these test cases. Specifically it says that Bad_SecurityChecksFailed is the only error that returned until security validation is complete. Security validation includes all checks on the certificate provided by the client. It also says that applications must log the real error, however, checking the application log requires a lab test and cannot be done with the CTT. | ||||
Additional Information | After the security validation is complete the receiver shall verify the RequestId and the SequenceNumber. If these checks fail a Bad_SecurityChecksFailed error is reported. The RequestId only needs to be verified by the Client since only the Client knows if it is valid or not. At this point the SecureChannel knows it is dealing with an authenticated Message that was not tampered with or resent. This means the SecureChannel can return secured error responses if any further problems are encountered. Stacks that implement UASC shall have a mechanism to log errors when invalid Messages are discarded. This mechanism is intended for developers, systems integrators and administrators to debug network system configuration issues and to detect attacks on the network. | ||||
Tags | No tags attached. | ||||
Files Affected | |||||
parent of | 0002504 | closed | Randy Armstrong | 10000-006: Mappings | Security Validation Tests expect wrong error codes. |
|
CMPWG Jun-20-2013: Agreed. Test cases have been revised. Test-scripts will follow. |
|
Reading section 6.7.6 of part 6 of the spec, I cannot find any passage that says that Bad_SecurityChecksFailed would be the only error code that should be returned by OpenSecureChannel in case of certificate errors. This part is very unclear regarding to the order of the verification steps and should be clarified. For me, the sentence 'The receiver shall report the appropriate error if Certificate validation fails.' tells me (as a server) to return the appropriate error code to the client if verification fails - not the general Bad_SecurityChecksFailed. Also, in case the spec should be interpreted this way, table 8 of part 4 would contradict part 6, as there are specific error codes like Bad_CertificateHostNameInvalid or Bad_CertificateTimeInvalid shown as service result codes specifically for OpenSecureChannel. If these should not be used, all specific error codes have to be removed from this table. From my point of view, the steps are as follows:
The argument for not returning any specific error codes is that a hacker would be helped creating a valid certificate to connect to the server which he is not supposed to do. But if a hacker gets as far as having the server trust his certificate (either by having his certificate signed by a CA that is trusted by the server, or by putting his certificate to the server's trust list), I think he would be clever enough to get the expiration date of his certificate right, even if the server just returns a general error code. Thus, this would just be security by obscurity, adding no additional security at all. Also, this hides helpful error messages from clients that could use these messages to help a user decide what to do in case of a problem. |
|
All other applications using X509 certificates return specific errors, hence the "obscurity" pushes UA in the same direction like DCOM, where unclear error messages lead to misconfiguration and frustration, without adding any additional security at all. All information in a public certificate is public, hence reporting errors about its content is no security hole. |
|
The issue that we need to protect against are errors that would allow an attacker to use trial and error to discover keys by changing the message slightly and look for a change in error codes (an HTTPS exploit based on using error codes exists). It is hypothetically possible for an attacker to create specially formed certificates to find holes. For that reason I not comfortable returning different errors that could occur when an hacker is probing the server with different constructed certificates. The one exception I would make is once the Server knows the certificate is trusted (i.e. it cannot be constructed by a hacker) then error codes can be returned as normal. If we could require that trust be checked before the other certificate checks then the other errors can be returned but that not the way the stacks work now. |
|
I would agree with Hannes comments from 6/25/2013. Should we punish the end-user with an error that's the equivalent to "an error has occurred". The end-user will be using the system 99.9999999% (or more) of time? My vote would be "no". However, Part 6 does state the behavior that Randy describes and that's the reason why we (CMPWG) have reluctantly revised the test-cases. We definitely should be mindful of security, but this behavior (in part 6) will very likely turn out to create a LOT of headache as end-users complain to their vendors when products don't talk and the user can't figure out why because of an overly generic error code. |
|
This issue should be moved to Part 6 where the UA WG can talk about changing the spec to specifically require certificate related errors. |
|
There already are servers on the market (using the AnsiC stack) that have the behaviour described:
This is why the CTT tests should at least allow a server to return the more specific error codes instead of Bad_SecurityChecksFailed, as security is given by the order of processing the certificate validation. |
|
Recommended change: 1) No change for symmetric keys BadCertificateRevoked is returned if the certificate would otherwise be trusted. |
|
Fixed, awaiting release. Will close issue once officially released. |
Date Modified | Username | Field | Change |
---|---|---|---|
2013-06-19 18:29 | Randy Armstrong | New Issue | |
2013-06-19 18:29 | Randy Armstrong | Status | new => assigned |
2013-06-19 18:29 | Randy Armstrong | Assigned To | => Nathan Pocock |
2013-06-20 18:28 |
|
Note Added: 0004733 | |
2013-06-20 18:28 |
|
Status | assigned => confirmed |
2013-06-25 11:55 | Hannes Mezger | Note Added: 0004734 | |
2013-06-25 12:13 | Hannes Mezger | Note Added: 0004735 | |
2013-06-25 13:08 | Hannes Mezger | Note Edited: 0004734 | |
2013-06-26 10:37 | Randy Armstrong | Note Added: 0004736 | |
2013-06-27 19:54 |
|
Note Added: 0004738 | |
2013-06-28 04:14 | Randy Armstrong | Note Added: 0004739 | |
2013-06-28 04:15 | Randy Armstrong | Issue cloned: 0002504 | |
2013-06-28 04:15 | Randy Armstrong | Relationship added | parent of 0002504 |
2013-07-08 14:47 | Hannes Mezger | Note Added: 0004744 | |
2013-07-16 13:20 | Randy Armstrong | Note Added: 0004813 | |
2014-08-20 20:49 |
|
Target Version | => 1.02.335 |
2014-08-20 20:49 |
|
Additional Information Updated | |
2014-08-22 13:37 |
|
Category | Api Change => Script Change |
2014-08-28 14:03 |
|
Category | Script Change => (No Category) |
2014-08-28 14:16 |
|
Category | (No Category) => IOP Problem |
2014-08-28 14:16 |
|
Product Version | => 1.02.334.200 |
2014-09-22 15:48 |
|
Note Added: 0005491 | |
2014-09-22 15:48 |
|
Status | confirmed => resolved |
2014-09-22 15:48 |
|
Fixed in Version | => 1.02.335 |
2014-09-22 15:48 |
|
Resolution | open => fixed |
2015-02-02 20:51 |
|
Status | resolved => closed |