RE: [Users] Forging X.509 Access

From: John Sullivan (John.Sullivan_at_nexusmgmt.com)
Date: Sat Dec 07 2002 - 09:14:16 CET


Is there any userland utility that would let us grab the cert at some point?
We're actually more interested in grabbing the information and then creating
iptables rules from it. Thanks - John

John A. Sullivan III
Group Technology Director
Nexus Management
+1 207-985-7880

-----Original Message-----
From: Andreas Steffen [mailto:andreas.steffen_at_strongsec.net]
Sent: Saturday, December 07, 2002 2:43 AM
To: John Sullivan
Cc: Users
Subject: Re: [Users] Forging X.509 Access

Hi John,

your hypothetical attack is currently possible since all CA certificates
go into a pool and are applied to all connections. I have planned for
some time to introduce a restriction in the form

conn companyA
        rightid="C=US,O=CompanyA,OU=Financial,CN=joe.bloggs"
        rightca="C=US,O=CompanyA,OU=CA,CN=CompanyA CA"

conn companyB
        rightid="C=GB,O=CompanyB,OU=CompanyAPartner,CN=jane.doe"
        rightca="C=GB,O=CompanyB,OU=CA,CN=CompanyB CA"

which would solve your problem. I want to implement this sometime
next year.

Regards

Andreas

John A. Sullivan III wrote:
> A hypothetical question. Let's say we configure our VPN gateways to
> trust external CA's CompanyA-CA and CompanyB-CA. We have a connection
> definition that allows a CompanyA user with a cert where
> C=US,O=CompanyA,OU=Financial,CN=joe.bloggs and another that allows in a
> CompanyB user with a cert where
> C=GB,O=CompanyB,OU=CompanyAPartner,CN=jane.doe. If CompanyB-CA issues a
> CompanyB user a certificate where
> C=US,O=CompanyA,OU=Financial,CN=joe.bloggs, i.e., they have "forged" a
> CompanyA certificate, will we allow that user access as a CompanyA user
> since we are only checking the X.509 fields and not the issuer?
> Is there a way to check the issuer with the X.509 patch without
> dissecting the certificate? If I trust multiple CA's how do I know which
> one sent which certificate?
> This is a real world problem for us since we are using the ID
> information to make further dynamic security changes to iptables
> granting different accesses to CompanyA and CompanyB. Thanks - John

======================================================================
Andreas Steffen e-mail: andreas.steffen_at_strongsec.com
strongSec GmbH phone: +41 76 340 25 56
Alter Zürichweg 20 home: http://www.strongsec.com
CH-8952 Schlieren (Switzerland)
==========================================[strong internet security]==

_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
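The two policies Andreas contrasts, as an added example that is not FreeS/WAN or strongSec code: matching a peer against a shared pool of trusted CAs versus the proposed per-conn `rightca` binding, applied to John's forged-certificate case. `Conn`, `PeerCert`, `select_conn` and the simplified DN parser are constructed for illustration; the DNs follow the thread.

```python
"""Issuer-bound peer matching: added example, not FreeS/WAN or strongSec code."""
from dataclasses import dataclass
from typing import Optional

def parse_dn(dn: str) -> tuple:
    """Split 'C=US,O=CompanyA,CN=joe' into ((C,US),(O,CompanyA),(CN,joe)).
    Attribute types are upper-cased and whitespace around each RDN is stripped.
    Simplified: escaped commas and multi-valued RDNs are not handled."""
    rdns = []
    for part in dn.split(","):
        typ, _, val = part.partition("=")
        rdns.append((typ.strip().upper(), val.strip()))
    return tuple(rdns)

@dataclass(frozen=True)
class Conn:  # hypothetical stand-in for an ipsec.conf conn section
    name: str
    rightid: str                   # subject DN the peer cert must carry
    rightca: Optional[str] = None  # proposed: DN of the CA that must have issued it

@dataclass(frozen=True)
class PeerCert:  # only the two DNs matter for this decision
    subject: str
    issuer: str

def select_conn(cert, conns, trusted_cas, enforce_rightca):
    """Return the name of the first conn the peer cert satisfies, or None.
    With enforce_rightca=False the issuer only has to be some CA in the
    shared pool; with True it must also be the conn's own rightca."""
    pool = {parse_dn(ca) for ca in trusted_cas}
    issuer = parse_dn(cert.issuer)
    if issuer not in pool:
        return None  # not signed by any trusted CA at all
    for conn in conns:
        if parse_dn(cert.subject) != parse_dn(conn.rightid):
            continue
        if enforce_rightca and conn.rightca and issuer != parse_dn(conn.rightca):
            continue  # right subject, wrong issuer: John's forged-cert case
        return conn.name
    return None

# Constructed data following the DNs in the thread.
COMPANY_A_CA = "C=US,O=CompanyA,OU=CA,CN=CompanyA CA"
COMPANY_B_CA = "C=GB,O=CompanyB,OU=CA,CN=CompanyB CA"
TRUSTED_CAS = [COMPANY_A_CA, COMPANY_B_CA]
CONNS = [Conn("companyA", "C=US,O=CompanyA,OU=Financial,CN=joe.bloggs", COMPANY_A_CA),
         Conn("companyB", "C=GB,O=CompanyB,OU=CompanyAPartner,CN=jane.doe", COMPANY_B_CA)]
JOE = PeerCert("C=US,O=CompanyA,OU=Financial,CN=joe.bloggs", COMPANY_A_CA)
FORGED_JOE = PeerCert("C=US,O=CompanyA,OU=Financial,CN=joe.bloggs", COMPANY_B_CA)
```

Under the pooled policy `FORGED_JOE` is accepted as companyA because every trusted CA vouches for every conn; with `enforce_rightca=True` the same certificate matches no conn, while the genuine `JOE` still does.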



This archive was generated by hypermail 2.1.5 : Sun Dec 08 2002 - 05:20:51 CET