Liberty and the Compartmentalization Attack

We've all seen the generic submarine movie in which the engine room takes a direct torpedo hit. In order to save the rest of the ship, all the compartment bulkhead doors are closed, committing the isolated sailors to their watery deaths.
Compartmentalization--limiting the scope of damage--plays an important role in security planning. I believe the Liberty Alliance 1.0 spec may weaken consumer protection by leaving open bulkhead doors between federated providers, therefore creating opportunities for "compartmentalization attacks."
Under Liberty 1.0, when a user opts in to the sharing of his identity between two parties, he must explicitly log in to both web sites. The parties don't learn the usernames and passwords used on the other sites (i.e., no identifying data are exchanged), but an anonymous relationship is created. The next time that same user visits one of the sites, he can click through using a link to the other site without authentication.
If a Bad Guy manages to obtain the consumer's username and password to the first site, he can impersonate the consumer on that site. That risk has always existed. But due to the association created by Liberty 1.0, the Bad Guy now can also click through to the other federated sites--continuing to impersonate the consumer--without being authenticated via usernames and passwords. Once the Circle of Trust between providers has been created under Liberty 1.0, compartmentalization of the identity has been compromised. The bulkhead doors have been opened. A password-theft attack that would have been contained to a single site prior to Liberty 1.0 now has a broadened scope. If my bank and brokerage account identities are federated, anyone able to log into one can automatically access the other.
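The argument above can be put into a small model for sizing the exposure. This is an added example, not part of the original post and not taken from the Liberty specification: it follows the post's description of click-through between federated sites, and the site names other than bank and brokerage, the `reauth` set (sites that still ask for their own password) and the `transitive` switch are assumptions for illustration.

```python
from collections import deque

# Constructed sample data: "bank" and "brokerage" come from the post,
# "airline" and "email" are made up. Each pair is one federation the
# user opted in to; click-through is assumed to work in both directions.
SITES = ["bank", "brokerage", "airline", "email"]
LINKS = [("bank", "brokerage"), ("brokerage", "airline")]


def blast_radius(stolen, links, reauth=frozenset(), transitive=True):
    """Return the set of sites exposed when the password for `stolen` leaks.

    reauth     -- assumed mitigation: sites that demand their own password
                  even when the user arrives by click-through
    transitive -- assumption: can a click-through session click onward?
    """
    neighbours = {}
    for a, b in links:
        neighbours.setdefault(a, set()).add(b)
        neighbours.setdefault(b, set()).add(a)

    reached = {stolen}
    queue = deque([(stolen, 0)])
    while queue:
        site, hops = queue.popleft()
        if hops >= 1 and not transitive:
            continue  # only the directly federated sites are exposed
        for nxt in neighbours.get(site, ()):
            if nxt in reached or nxt in reauth:
                continue  # already counted, or the bulkhead door is shut
            reached.add(nxt)
            queue.append((nxt, hops + 1))
    return reached


def exposure_report(sites, links, **kwargs):
    """Map every site to the sorted list of sites its password unlocks."""
    return {s: sorted(blast_radius(s, links, **kwargs)) for s in sites}


if __name__ == "__main__":
    print("no federation:  ", exposure_report(SITES, []))
    print("federated:      ", exposure_report(SITES, LINKS))
    print("brokerage reauth:", exposure_report(SITES, LINKS, reauth={"brokerage"}))
```

With no links every password unlocks exactly one site; each federation the user adds widens the set, and a site that re-prompts for its own password closes the door again.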
Some important caveats here. First, I'm putting this out for comment as speculation based on my understanding of Liberty 1.0. Many people, far smarter than I, have spent months developing the Liberty Alliance specifications, and there's a significant chance that my understanding is flat-out wrong. Second, I'm not a security guru, and I imagine my concept of a "Containment Attack" has another name of which I'm not aware. Please let me know if I'm in error on either account.
Posted Sunday, September 15, 2002 6:18:54 AM