It was fun… look for yourself :-)

I think it’s going to be good! Hope to see you there on Wednesday this week. Find out more here.

Since the rather public display of identity fraud via Telia’s e-leg a couple of weeks ago, it is interesting to do some more digging, and what better place to start than with the Swedish e-leg?

Apparently the architecture will be using SAML federation, i.e. the participating parties have a trust relationship with each other. Every ticket carries an identity (a SAML assertion); the ticket is digitally signed, but the signature is not embedded in the SAML assertion itself. The YouTube video below describes these specific inherent weaknesses in SAML, but clearly (and hopefully) these issues have now been fixed. However, according to the speaker (questions at the end), the signing standard used in SAML is very complex, and there are not many who understand it fully enough to implement it properly. The main problem seems to be the way the signature is separate from the SAML assertion.

Even if the vulnerabilities mentioned in 2012 have been fixed, there are in any case potential integrity issues for customers of the Swedish e-leg implementation, namely:

You can’t see what you are signing!

  • What you see in the web browser has a very weak connection to what you are signing. This means that your digital signature is not encapsulated with the text you are signing online, i.e. your signature and the text are not married. I could leave the rest to your imagination, but I’ll give you one risk just to start with: a Man-in-the-Browser (MitB) trojan that changes the content shown in the browser.

What you do may not be exactly what you expect!

  • This is exactly it: the customer (which could be you) can potentially be ‘lured’ into signing something that they were not expecting to sign. It is likely that the e-leg service works so that the identification of a user leads to a legitimate transaction. However, that transaction could be either a logon to a service or the digital signing of a transaction. Other services available today differentiate a signing transaction from a logon request. Swedish e-leg does not differentiate these two different transactions.
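As an added illustration (not code from this post, from e-leg or from SAML), here is a simplified Python model of the two points above: a ticket whose signature covers only the identity assertion, beside one where the intent (logon vs. sign), the exact text the user was shown and a per-request nonce are all bound under the signature. An HMAC stands in for the real digital signature, and every key, name and transaction value is constructed.

```python
import hashlib
import hmac
import json

DEMO_KEY = b"constructed-demo-key"  # stand-in for the signer's private key, not a real e-leg key

def _signature(fields: dict) -> str:
    """HMAC over a canonical JSON encoding, so every field in `fields` is covered."""
    canonical = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(DEMO_KEY, canonical, hashlib.sha256).hexdigest()

def _verify(fields: dict, signature: str) -> bool:
    return hmac.compare_digest(_signature(fields), signature)

# Weak model (the concern in the text): only the identity assertion is signed;
# the text shown in the browser travels beside it, unsigned.
def weak_ticket(subject: str, shown_text: str) -> dict:
    assertion = {"subject": subject}
    return {"assertion": assertion, "shown_text": shown_text, "signature": _signature(assertion)}

def weak_accept(ticket: dict) -> bool:
    # Only the assertion is checked, so shown_text can be rewritten by a MitB trojan unnoticed.
    return _verify(ticket["assertion"], ticket["signature"])

# Hardened model: intent (logon vs. sign), the exact text the user saw and a
# per-request nonce are all inside the signed structure.
def bound_ticket(subject: str, intent: str, shown_text: str, nonce: str) -> dict:
    assertion = {"subject": subject, "intent": intent, "shown_text": shown_text, "nonce": nonce}
    return {"assertion": assertion, "signature": _signature(assertion)}

def bound_accept(ticket: dict, intent: str, shown_text: str, nonce: str) -> bool:
    a = ticket["assertion"]
    if not _verify(a, ticket["signature"]):
        return False  # any change to a signed field breaks the signature
    # The relying party compares against what it actually asked the user to approve.
    return a["intent"] == intent and a["shown_text"] == shown_text and a["nonce"] == nonce

def demo() -> dict:
    """Replay the two risks from the text against both models (all values constructed)."""
    text, subject = "Pay 100 SEK to Alice", "198001011234"
    w = weak_ticket(subject, text)
    w["shown_text"] = "Pay 10000 SEK to Mallory"  # rewritten in the browser; no signed field touched
    b = bound_ticket(subject, "sign", text, "n-1")
    tampered = {"assertion": dict(b["assertion"], shown_text="Pay 10000 SEK to Mallory"),
                "signature": b["signature"]}
    logon = bound_ticket(subject, "logon", "", "n-2")  # a plain logon assertion, replayed as a signature
    return {"weak_accepts_rewrite": weak_accept(w),  # True: the flaw the text describes
            "bound_rejects_rewrite": not bound_accept(tampered, "sign", text, "n-1"),
            "bound_rejects_logon_as_sign": not bound_accept(logon, "sign", text, "n-2")}
```

Calling `demo()` returns all three flags as `True`: the weak model accepts the rewritten text, while the bound model rejects both the rewrite and the logon assertion presented as a signature.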

However, the Myndigheten för samhällsskydd och beredskap (MSB) has now published a summary report, “Analys av informationssäkerheten i Svensk e-legitimation”. The detailed reports have been labelled as Secret. However, I guess that they are fixing all the potential security flaws, of which I have named just a couple above. The thing that still bothers me is that even in the recommendations they are still fixated on using SAML for the infrastructure.

Funny that this report came out though in the wake of the Telia e-leg identity fraud fiasco ;-)

Have fun reading!

Introduction presentation by Ulf Bergund, M.Sc., CISM, President of Cloud Security Alliance Sweden, from Nordic IT Security 2014. More information: http://www.nordicitsecurity.com/

14:00, Future Trends and Innovation, at the Nordic IT Security Conference on 5th November in Stockholm. This is what I am going to talk about…

“I dare to challenge: that what you state as your digital identity today, is not a digital identity at all! This is why information security programs do not work. Your so called ‘digital identity’ is the weakest link in the chain; in a verbose, connected and dynamic digital society. What’s more is that your digital identity can be stolen. Identity fraud is on the rise, even in Sweden. So how did we get into such a mess and what is the future for our digital identities?”

For those of you who missed this programme on SVT2, episode 9: “Big data – så kartläggs hela ditt liv” (Big data – this is how your whole life is mapped), here is the link. It aired this evening in Sweden at 20:00. The programme is mainly in English with Swedish subtitles.
