Swedish e-leg fiasco

Since the rather public display of identity fraud via Telia’s e-leg a couple of weeks ago, it is interesting to do some more digging, and what a better place to start than with the Swedish e-leg? Apparently the architecture will be using SAML federation, i.e. they have a relationship that they trust each other. Every ticket includes an identity (a SAML assertion) it is digitally signed but the signing is not embedded in the SAML assertion.  The YouTube video below describes this specific inherent weaknesses in SAML, but clearly (and hopefully) these issues have now been fixed. However according to the speaker (questions at the end) the signature signing standard in SAML is very complex, and there are not many that really understand it fully enough to implement properly. The main problem seems to be the way the signature is separate from the SAML assertion. [youtube=http://youtu.be/RHIkb9yEV1k] If the vulnerabilities mentioned from 2012 have been fixed, there is in any case potentially integrity issues for customers with the Swedish e-leg implementation, namely: You can’t see what you are signing!

  • What you will see in the web-browser has a very weak connection to what you are signing. What this means is that your digital signature is not encapsulated with the text you are signing online, i.e. your signature and text are not married. I could leave the rest to your imagination, but I’ll give you one risk just to start with, and that is a Man-in-the-browser (MitB) trojan changes the content in the browser.

What you do maybe not be exactly what you expect!

  • This is exactly it, the customer… well that could be you, can potentially be ‘lured’ into signing something that you were not expecting to sign.  It is likely that the e-leg service works so that the identification of a user leads to a legitmate transaction. However this could be a logon to a service or digital signing of a transaction. There are other services available today that differentiate a signing transaction from a logon request. Swedish e-leg does not differentiate these two different transactions.

However, now the Myndigheten för samhällsskydd och beredskap (MSB) has published a summary report “Analys av informationssäkerheten i Svensk e-legitimation” (link broken, 2015-05-21). The detailed reports has been labelled as Secret.  However I guess that they are fixing all the potential security flaws, of just a couple I have named above. The thing that bothers me still is that even in the recommendations they are still fixated on using SAML for the infrastructure. Funny that this report came out though in the wake of the Telia e-leg identity fraud fiasco 😉 Have fun reading!