GitHub - Fluepke/ssi-poc
source link: https://github.com/Fluepke/ssi-poc
SSI PoC
This is a PoC implementation of the DIDComm v1 messaging protocol. It establishes a direct connection to an SSI wallet (agent) and asks for personal data.
This PoC demonstrates a conceptual flaw:
- Only one end of the communication is properly identified: the user, not the entity asking for the digital identity proof.
- The user cannot distinguish between a malicious and a valid QR code.
Since the official documentation is terrible to read IMHO, here's a quick summary of what happens:
Preconditions:
- Alice wants to prove to Bob that she is, in fact, Alice.
- Alice holds a document (Base-ID) in her wallet that was issued to her and proves her identity.
To prove her identity, Alice and Bob perform the following steps:
- Bob provides Alice a QR code, transporting:
  - A public key (Bob generates and holds the corresponding private key)
  - A list of attributes he wants to know from Alice
  - A reference to the type of document containing those attributes (`CRED_DEF`)
  - A label for his identity, which is displayed (and not verified) in the ID Wallet app. In the Lissi wallet only 'Direct connection' is shown.
  - A callback URL (`serviceEndpoint`)
- Alice scans the QR code and accepts the connection request
- Alice cannot verify that she is establishing a connection with Bob, because his identity is not validated
- The wallet app prompts Alice whether she wants to share her personal data, and she accepts
- Alice encrypts her personal data using Bob's public key and sends it to the given callback URL
- Bob decrypts Alice's personal data
- Bob performs steps to validate that data (this was out of scope of our analysis)
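As an added illustration (not code from this PoC), the following shows the shape of the connection invitation a DIDComm v1 QR code carries and what a wallet can actually check about it. It assumes the Aries RFC 0160 layout (JSON with `label`, `recipientKeys` and `serviceEndpoint`, base64url-encoded into a `c_i` query parameter); the allowlist, hostnames, keys and invitation id are constructed. Two invitations with the same label but different keys and endpoints are indistinguishable by the label alone, which is the flaw described above; the endpoint host is the only thing a wallet could pin.

```python
import base64
import json
from urllib.parse import parse_qs, urlparse

# Constructed allowlist: hosts a wallet operator has vetted as verifiers.
# Neither wallet discussed above performs such a check; it is shown here
# as one possible mitigation, not as existing wallet behaviour.
KNOWN_VERIFIER_HOSTS = {"verifier.example.org"}

def build_invitation_url(label, recipient_key, endpoint,
                         base="https://wallet.example/"):
    """Build a connection invitation URL as a verifier (Bob) would.

    Assumes the Aries RFC 0160 layout: JSON, base64url-encoded into `c_i`.
    """
    invitation = {
        "@type": "https://didcomm.org/connections/1.0/invitation",
        "@id": "00000000-0000-4000-8000-000000000001",  # constructed id
        "label": label,                # free-form text, shown but never verified
        "recipientKeys": [recipient_key],
        "serviceEndpoint": endpoint,   # where Alice's encrypted data is sent
        "routingKeys": [],
    }
    encoded = base64.urlsafe_b64encode(
        json.dumps(invitation).encode()).decode().rstrip("=")
    return f"{base}?c_i={encoded}"

def decode_invitation(url):
    """Decode the `c_i` query parameter back into the invitation JSON."""
    raw = parse_qs(urlparse(url).query)["c_i"][0]
    raw += "=" * (-len(raw) % 4)  # restore the stripped base64 padding
    return json.loads(base64.urlsafe_b64decode(raw))

def assess_invitation(invitation):
    """What a wallet can and cannot establish about the party behind a QR code."""
    endpoint = urlparse(invitation.get("serviceEndpoint", ""))
    host = endpoint.hostname or ""
    return {
        "label": invitation.get("label", ""),
        "label_verifiable": False,  # nothing binds the label to a key or host
        "endpoint_host": host,
        "endpoint_https": endpoint.scheme == "https",
        "endpoint_known": host in KNOWN_VERIFIER_HOSTS,
        "recipient_keys": invitation.get("recipientKeys", []),
    }
```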
The problem
Since the identity of Bob is not established and only 'Direct connection' is shown (or some attacker-controlled data in the ID Wallet app), Alice cannot verify with whom she is sharing her data. An attacker, Mallory, could replace the QR code by performing a machine-in-the-middle attack or by replacing a QR code in the real world in order to steal personal data. Please note that we do not demonstrate a MITM attack here.
The problem (and its implications) is known and has been the topic of multiple GitHub issues and public discussions, but apparently has not been solved.
Impact: As a user, one cannot make sure who receives one's data. The original recipient might have been replaced by a malicious one. A malicious recipient might sell the leaked sensitive private data or use it to attempt identity theft. Future use cases might for example include credit card data (see the Lissi demo).
Demo Time
Video (German): Link
We are using the Lissi wallet because it is the same (standardized) technology as the ID Wallet and it seemed more stable to us. For our demo, we are using the document `XmfRzF36ViQg8W8pHot1FQ:3:CL:5614:Base-ID`, some example digital identity issued at https://lissi.id/demo.
Steps to reproduce:
- Download the Lissi wallet app
- On some other device, navigate to the Lissi demo site and use the `Citizen Office` demo to receive a Base-ID
- Install the Python dependencies: `pip install -r requirements.txt`
- Run the Python software: `./poc.py <local ip addr>`
- Open `http://<local ip addr>:9000/qr` and scan it
- You'll be prompted with a 'Direct connection' request; notice how there's no way for you to validate it
- Accept the request and your data will appear on the terminal
Licenses
This PoC utilizes code (`crypto.py`) taken from https://github.com/hyperledger/aries-staticagent-python/ that is licensed under the Apache License, version 2.0.
This code is licensed under the same license.
Authors