Hi,
 
I also think that the information that can be gained in this way
is of limited use, but if you were very strict, you could still
demand that no such information could be obtainable.
 
I still wonder what's the purpose of the sequence numbers -
probably to absolutely ensure uniqueness?
(which would be extremely unlikely with the appended
35 random characters, and could possibly also be checked against
the ticket registry on creation)
 
Best regards,
   Guido
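As an added example (not from the thread and not CAS's own code), assuming a 62-character alphabet for the random part and the 35-character suffix mentioned above: a hypothetical ticket-id generator with the registry check suggested here, plus the birthday-bound estimate behind "extremely unlikely".

```python
import secrets
import string

# Assumption: the random part is drawn from letters and digits (62 symbols).
ALPHABET = string.ascii_letters + string.digits
RANDOM_LEN = 35  # the "appended 35 random characters" from the thread


def collision_probability(num_tickets, alphabet_size=len(ALPHABET), length=RANDOM_LEN):
    """Birthday-bound estimate that any two of num_tickets independently drawn
    random suffixes coincide: roughly n*(n-1) / (2 * size of the id space)."""
    space = alphabet_size ** length
    return num_tickets * (num_tickets - 1) / (2 * space)


class TicketIdGenerator:
    """Hypothetical generator producing PREFIX-<sequence>-<random suffix>.

    The registry check on creation is the alternative uniqueness guarantee
    raised in the thread; with a 35-character suffix it practically never
    triggers, but it makes the guarantee explicit instead of probabilistic."""

    def __init__(self, prefix="TGT", registry=None):
        self.prefix = prefix
        self.sequence = 0
        self.registry = registry if registry is not None else set()

    def new_id(self):
        while True:
            self.sequence += 1
            suffix = "".join(secrets.choice(ALPHABET) for _ in range(RANDOM_LEN))
            ticket_id = f"{self.prefix}-{self.sequence}-{suffix}"
            if ticket_id not in self.registry:  # registry check on creation
                self.registry.add(ticket_id)
                return ticket_id


def sequence_from_id(ticket_id):
    """The plain sequence number is readable by anyone holding an id, which is
    the issuance-count disclosure the thread is discussing."""
    return int(ticket_id.split("-")[1])
```

Even a million tickets give a collision probability far below 1e-40, so the sequence number adds nothing to uniqueness that the random suffix does not already provide.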
 
Sent: Thursday, 14 November 2013 at 15:35
From: "Marvin Addison" <marvin.addi...@gmail.com>
To: cas-user@lists.jasig.org
Subject: Re: [cas-user] Sequence number in ticket granting ticket id
> With the help of the sequence numbers, one could perform traffic analyses
> (e.g. determining
> how many logins there are in a given timespan), which might be undesired.

You would need credentials in order to perform such an analysis. I
suppose a curious user could perform this analysis on his or her SSO
domain using his or her own credentials, but I would hope vigilant IDM
sysadmins would note high rates of authentication for a single user
and investigate.

You suggested that the rates of authentication could be disclosed,
which at first glance appears the only meaningful information to be
gained from traffic analysis. I don't see how that information would
be useful to an attacker. You could probably estimate fairly
accurately the number of authentications per day by basing on
organizational size. It's perfectly reasonable to expect an SSO
session to last one day, so rough estimate on authentications per day
is simply the number of users. For public universities in the US that
information is publicly available; I would imagine it's not hard to
determine for an organization generally.

M

--
You are currently subscribed to cas-user@lists.jasig.org as: guido.wim...@gmx.net
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user