Hi,

The .NET Framework apparently has a very serious security vulnerability in its AES implementation. Details of the attack will be released on Friday at the ekoparty Security Conference. If it turns out to be true, this could easily impact the vast majority of web applications written in ASP.NET.
http://securitythroughabsurdity.com/2010/09/vulnerability-in-net-aes-implementation.html

By default, ASP.NET uses AES to encrypt and decrypt the FormsAuthentication cookies sent to the browser when a user successfully authenticates. This vulnerability makes it possible for a malicious user to generate a fake FormsAuthenticationTicket, stuff it in a FormsAuthenticationCookie, and encrypt it in such a way that the application server validates it successfully. When the ASP.NET application successfully decrypts a valid FormsAuthenticationTicket, it treats the request as authenticated and bypasses all authentication-related logic (including CAS redirects).

There are a few workarounds. The first is to switch your server from AES to 3DES. This is detailed in the link above.

The second is CAS client specific and makes use of a feature of the DotNetCasClient that effectively eliminates the attack vector. Set serviceTicketManager="CacheServiceTicketManager" in web.config's casClientConfig. This will cause the CAS client to stuff the CAS service ticket in the FormsAuthenticationTicket's UserData property and to use it as a key to information about the CAS service ticket on the server side (along with the user, the expiration, etc.). When the CAS client validates the FormsAuthenticationTicket, it checks that the CAS service ticket matches a ticket retained on the server. If it doesn't, the request is treated as anonymous and the cookie is destroyed.

The CacheServiceTicketManager implementation is not web farm or cluster friendly, so this will only work for single server instances. If you are planning on using the .NET CAS Client on a web farm or cluster configuration, you can pretty easily implement IServiceTicketManager with a distributed cache or database implementation to get around this. Please contribute back to the project if you do.
-ScottH

--
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
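The two workarounds described in the post, shown side by side in a web.config fragment. This is an added illustration, not configuration taken from the post or shipped by the DotNetCasClient project. Only the serviceTicketManager="CacheServiceTicketManager" attribute on casClientConfig is stated in the post; the section handler type, the other casClientConfig attributes and their values, the machineKey attributes, and the hostnames are assumptions and placeholders, and the HTTP module registration DotNetCasClient also needs is left out.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example web.config fragment; not from the original post. -->
<configuration>
  <configSections>
    <!-- Assumption: section name and handler type as registered for DotNetCasClient. -->
    <section name="casClientConfig"
             type="DotNetCasClient.Configuration.CasClientConfiguration, DotNetCasClient" />
  </configSections>

  <!-- Workaround 2 from the post: serviceTicketManager="CacheServiceTicketManager"
       binds each FormsAuthenticationTicket (via its UserData) to a CAS service ticket
       held in the server-side cache; a forged cookie with no matching server-side
       ticket is treated as anonymous and destroyed. Single-server only.
       Hostnames and the other attributes/values here are placeholders/assumptions. -->
  <casClientConfig casServerLoginUrl="https://cas.example.org/cas/login"
                   casServerUrlPrefix="https://cas.example.org/cas/"
                   serverName="https://app.example.org"
                   ticketValidatorName="Cas20"
                   serviceTicketManager="CacheServiceTicketManager" />

  <system.web>
    <authentication mode="Forms">
      <forms name=".CASAUTH" loginUrl="https://cas.example.org/cas/login" />
    </authentication>

    <!-- Workaround 1 from the post: move forms-cookie encryption off AES.
         Assumption: this is the machineKey change the linked article describes.
         AutoGenerate keys suit the single-server case the CacheServiceTicketManager
         requires anyway; a web farm would need explicit, shared key material. -->
    <machineKey decryption="3DES"
                validation="SHA1"
                decryptionKey="AutoGenerate,IsolateApps"
                validationKey="AutoGenerate,IsolateApps" />
  </system.web>
</configuration>
```

The two settings are independent: the casClientConfig change protects only requests that pass through the CAS client's ticket check, while the machineKey change applies to every FormsAuthentication cookie the application issues.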
