IdentityPython/SATOSA

SAML2 frontend uses weak encryption

melanger opened this issue · 2 comments

SAML2 frontend relies on the pysaml library, which defaults to RSA with PKCS#1 v1.5 padding (http://www.w3.org/2001/04/xmlenc#rsa-1_5) for assertion encryption. This algorithm should not be used because it is known to be vulnerable. For example, SimpleSAMLphp blocks it by default since version 1.13 released in 2014, so effectively it is not possible to use assertion encryption in SATOSA.
It also uses 3DES (http://www.w3.org/2001/04/xmlenc#tripledes-cbc) which probably should be replaced with AES (http://www.w3.org/2001/04/xmlenc#aes128-cbc or similar).

https://github.com/IdentityPython/pysaml2/blob/d62a10c473f64e389d2d26958c83c83daafe38fd/src/saml2/entity.py#L565
https://github.com/IdentityPython/pysaml2/blob/d62a10c473f64e389d2d26958c83c83daafe38fd/src/saml2/sigver.py#L1834

It is not possible to configure this in SATOSA nor in pysaml, because the encrypt_assertion method does not take the algorithm(s) as arguments. There is a related issue IdentityPython/pysaml2#421 started in 2017 which is still unsolved. There is also a PR for disabling specific algorithms, not yet merged: https://github.com/IdentityPython/pysaml2/pull/628/files

Code Version

7.0.1

Expected Behavior

SATOSA should use reasonably strong encryption by default and it should be possible to configure encryption algorithms.

Current Behavior

SATOSA SAML2 frontend uses vulnerable encryption by default and cannot be configured.

Possible Solution

Change defaults in pysaml and/or make the encrypt_assertion method configurable.

Steps to Reproduce

  1. Configure SATOSA with SAML2 frontend (IdP).
  2. Turn on assertion encryption (encrypt_assertion: true)
  3. Try to use it for example with a SimpleSAMLphp SP.
  4. SimpleSAMLphp fails to decrypt because of the algorithm:
Decryption failed: Algorithm disabled: 'http://www.w3.org/2001/04/xmlenc#rsa-1_5'
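A quick way to confirm what an IdP actually emits, before pointing an SP at it, is to inspect the xenc:EncryptionMethod URIs in a captured Response. The script below is an added example written for this page, not SATOSA or pysaml2 code: it parses the EncryptedAssertion with the standard library, reports the key-transport and data-encryption algorithms, and flags the two defaults named in the issue (rsa-1_5 and tripledes-cbc). The allow-list of acceptable replacements is an assumption modelled on the SimpleSAMLphp behaviour described above (check your own SP's configuration), and the sample Response is constructed with placeholder CipherValue contents, not real ciphertext.

```python
"""Audit the XML Encryption algorithms used in a SAML 2.0 Response.

Added example, not SATOSA or pysaml2 code. It reads the EncryptionMethod
elements of each EncryptedAssertion and reports anything a hardened SP
(SimpleSAMLphp-style) would reject. The sample Response is constructed;
CipherValue contents are placeholders, not real ciphertext.
"""
import xml.etree.ElementTree as ET

XENC = "http://www.w3.org/2001/04/xmlenc#"
XENC11 = "http://www.w3.org/2009/xmlenc11#"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# The two pysaml2 defaults reported in the issue.
RSA_1_5 = XENC + "rsa-1_5"
TRIPLEDES_CBC = XENC + "tripledes-cbc"
WEAK = {
    RSA_1_5: "RSA PKCS#1 v1.5 key transport, disabled by SimpleSAMLphp",
    TRIPLEDES_CBC: "3DES-CBC data encryption, 64-bit block cipher",
}
# Assumption: allow-lists modelled on what a hardened SP accepts; adjust to
# your SP's configuration.
ALLOWED_KEY_TRANSPORT = {XENC + "rsa-oaep-mgf1p", XENC11 + "rsa-oaep"}
ALLOWED_DATA = {XENC + "aes128-cbc", XENC + "aes256-cbc",
                XENC11 + "aes128-gcm", XENC11 + "aes256-gcm"}


def _alg(elem):
    """Algorithm URI of an element's direct xenc:EncryptionMethod child, or None."""
    method = elem.find(f"{{{XENC}}}EncryptionMethod")
    return method.get("Algorithm") if method is not None else None


def encryption_algorithms(response_xml):
    """One dict per EncryptedAssertion: its data and key-transport algorithms.

    EncryptedKey may sit inside ds:KeyInfo or next to EncryptedData depending
    on the encrypting library, so the whole EncryptedAssertion subtree is
    searched.
    """
    root = ET.fromstring(response_xml)
    result = []
    for ea in root.iter(f"{{{SAML}}}EncryptedAssertion"):
        data = [_alg(ed) for ed in ea.iter(f"{{{XENC}}}EncryptedData")]
        keys = [_alg(ek) for ek in ea.iter(f"{{{XENC}}}EncryptedKey")]
        result.append({"data": data, "key_transport": keys})
    return result


def audit_response(response_xml):
    """Findings as strings; an empty list means every algorithm is on the allow-list."""
    findings = []
    for i, entry in enumerate(encryption_algorithms(response_xml)):
        for alg in entry["data"]:
            if alg not in ALLOWED_DATA:
                reason = WEAK.get(alg, "not on the data-encryption allow-list")
                findings.append(f"EncryptedAssertion[{i}] data algorithm {alg}: {reason}")
        for alg in entry["key_transport"]:
            if alg not in ALLOWED_KEY_TRANSPORT:
                reason = WEAK.get(alg, "not on the key-transport allow-list")
                findings.append(f"EncryptedAssertion[{i}] key transport {alg}: {reason}")
    return findings


def sample_response(data_alg, key_alg):
    """Constructed SAML Response skeleton carrying the given algorithm URIs."""
    return f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="{SAML}" xmlns:xenc="{XENC}" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_constructed" Version="2.0" IssueInstant="2021-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.org/idp</saml:Issuer>
  <saml:EncryptedAssertion>
    <xenc:EncryptedData Type="{XENC}Element">
      <xenc:EncryptionMethod Algorithm="{data_alg}"/>
      <ds:KeyInfo>
        <xenc:EncryptedKey>
          <xenc:EncryptionMethod Algorithm="{key_alg}"/>
          <xenc:CipherData><xenc:CipherValue>PLACEHOLDER</xenc:CipherValue></xenc:CipherData>
        </xenc:EncryptedKey>
      </ds:KeyInfo>
      <xenc:CipherData><xenc:CipherValue>PLACEHOLDER</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedData>
  </saml:EncryptedAssertion>
</samlp:Response>"""


# What the issue reports pysaml2 emitting, and a hardened equivalent.
PYSAML2_DEFAULTS = sample_response(TRIPLEDES_CBC, RSA_1_5)
HARDENED = sample_response(XENC + "aes128-cbc", XENC + "rsa-oaep-mgf1p")

if __name__ == "__main__":
    for name, xml in (("pysaml2 defaults", PYSAML2_DEFAULTS), ("hardened", HARDENED)):
        print(name, "->", audit_response(xml) or "OK")
```

Run it against a Response captured from a real SATOSA deployment (for example, the base64-decoded SAMLResponse form field) to see the same two findings that cause the SimpleSAMLphp "Algorithm disabled" error above; the allow-list is deliberately strict, so extend it only with algorithms your SP is configured to accept.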

Yes, this is one of the high-priority issues for pysaml2 and should be resolved soon. Ideally, we should bump the algos to be stronger, and at the same time offer a configuration option to allow the users to set what they need. The frontend will support this automatically by using a newer pysaml2 version.

I am closing this to move the discussion over to pysaml2.

Hi @c00kiemon5ter - I was looking for the issue in pysaml2 - is it this? IdentityPython/pysaml2#821
It still seems to be open in pysaml2 so I guess it will be a while before it becomes available in Satosa. This is blocking us (and presumably lots of people) from using Satosa as an IdP since it can't send encrypted assertions to SimpleSAMLPhp or Shibboleth SPs (from what I remember testing). Do you have an estimated timeline?