RenewSubscription operation Sensor Alert Service

Copyright © 2009 Open Geospatial Consortium, Inc.

Requirement: Confidentiality
Table 103: Record Subscribe response

Cause: Man-In-The-Middle
Effect: User client will receive fraudulent response that does not reflect the result of the user processing done by the SAS.
Result:
  i. XMPPURI might be fraudulent with the effect that the user client would either not receive any or fraudulent alerts.
  ii. The processing status might be fraudulent, e.g. "OK", which would hide processing errors.
Scope: Application specific knowledge is required.
Example:
Likelihood: Medium
Impact on Asset: None
Impact on User: Impact on user of the active client as he will not receive the MUC information associated to the request.
Potential: NA
Reason: Sabotage
Requirement: Integrity
Table 104: Modify Subscribe response

9.7.6 RenewSubscription operation

Asset: Alert Subscriptions

Cause: ARP spoofing
Effect: User client will send RenewSubscription request to adversary's SAS.
Result: Actual SAS will delete existing subscription at its regular expiration time as no renewal was received. Subscribed clients will not receive alerts via the XMPP channel after the subscription is expired. In case the used MUC was created by the client, it will exist but the client will not receive any more alerts on that MUC. In case the SAS created the MUC, the client might receive an XMPP error when the MUC is closed by the SAS. The response will come from the adversary's SAS and therefore contain a faked processing status, e.g. "OK".
Scope: Application specific knowledge required.
Example:
Likelihood: Medium
Impact on Asset: None
Impact on User: Impact on all subscribed users.
Potential: NA
Reason: Sabotage
Requirement: Access Control to prevent unauthorized renewal of subscriptions.
Table 105: Redirect RenewSubscription request

Cause: Man-In-The-Middle
Effect: SAS will receive a modified RenewSubscription request message sent by the client. Basically two modifications can occur:
  i. The renewal time is changed to be before or after the actual time in the request.
  ii. The new date until the client is expecting alerts can be pushed into the infinite future.
Result: If the modified renewal time is changed to be earlier than the actual renewal time, the SAS would close the MUC earlier than expected by the client. If the modified renewal time is changed to be after the actual renewal time, the SAS would keep the MUC but the client will no longer listen to it.
Scope: Application specific knowledge is required.
Example:
Likelihood: Medium
Impact on Asset: None, as SAS terminates abandoned MUCs.
Impact on User: Impact on all subscribed users.
Potential: NA
Reason: Sabotage
Requirement: Integrity
Table 106: Modify RenewSubscription request

Cause: Adversary's client is able to execute SAS
Effect: SAS will receive fictitious RenewSubscription request messages.
Result: If the SubscriptionID of a fictitious RenewSubscription message matches an existing offering, the SAS would change it accordingly. The adversary can theoretically push all existing subscriptions into the infinite future by either knowing or guessing all valid SubscriptionIDs.
Scope: Application specific knowledge required. In particular, this attack only makes sense if the attacker knows valid subscription IDs.
Example:
Likelihood: Low
Impact on Asset: Direct effect on asset effective to all subscribed clients.
Impact on User: Impact on all subscribed users.
Potential: NA
Reason: Sabotage
Requirement: Access Control to prevent unauthorized renewal.
Table 107: Create RenewSubscription request

Cause: Eavesdropping and adversary's client is able to execute SAS
Effect: SAS will receive outdated renewal requests for existing subscriptions.
Result: RenewSubscription messages that have been processed in the meantime become ineffective.
Scope: No application specific knowledge required.
Example: Adversary records a RenewSubscription message that instructs the SAS to change the date on subscription 4711 until February 1, 2009. By the end of January, the client will renew 4711 until April 1, 2009. If the adversary re-sends the recorded message, the SAS will change the end of the subscription back to February 1, 2009 and stop sending alerts.
Likelihood: High
Impact on Asset: Effect on asset effective to subscriptions that have not been cancelled in the meantime.
Impact on User: Impact on all subscribed users.
Potential: NA
Reason: Sabotage
Requirement: Unique request ID and timestamp to detect replay.
Table 108: Replay RenewSubscription request

Cause: Man-In-The-Middle
Effect: User client will receive fraudulent response that does not reflect the result of the processing done by the SAS.
Result: Subscriptions that resulted in a processing error will not be available for sending alerts. Therefore, the status change to "OK" is critical as it hides any errors that might have occurred when the SAS processed the RenewSubscription message. And because it is hidden from the client, the user cannot undertake relevant actions to correct the error.
Scope: Application specific knowledge required.
Example:
Likelihood: Medium
Impact on Asset: None
Impact on User: Effect on asset effective to the active client only.
Potential: NA
Reason: Sabotage
Requirement: Integrity
Table 109: Modify RenewSubscription response

Cause: Eavesdropping
Effect: NA
Result: The adversary receives SubscriptionId.
Scope: Application specific knowledge required.
Example:
Likelihood: Medium
Impact on Asset: None
Impact on User: None
Potential: SubscriptionID can be used to cancel the associated subscription.
Reason: Espionage and preparation for future Sabotage.
Requirement: Confidentiality
Table 110: Record RenewSubscription request/response
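
Table 108 names a unique request ID and timestamp as the requirement for detecting a replayed RenewSubscription request. The following is an added example, not part of the OGC document, of a server-side check along those lines, run against the subscription 4711 scenario from that table. The field names, the per-subscription HMAC key (which also binds a renewal to the subscriber) and the five-minute freshness window are assumptions made for the illustration.

```python
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

MAX_SKEW = timedelta(minutes=5)                        # assumed freshness window
FIELDS = ("sub_id", "until", "request_id", "sent_at")  # hypothetical field names

def sign(key, req):
    """HMAC over all fields, so renewal date, ID and timestamp cannot be altered."""
    msg = json.dumps([req[f] for f in FIELDS]).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

class RenewalGuard:
    def __init__(self, keys):
        self.keys = keys   # SubscriptionID -> key shared with the subscribing client
        self.seen = {}     # request ID -> sent_at, kept while still inside MAX_SKEW

    def check(self, req, now):
        key = self.keys.get(req["sub_id"])
        if key is None:
            return "unknown-subscription"
        if not hmac.compare_digest(sign(key, req).encode(), req["mac"].encode()):
            return "bad-mac"
        sent_at = datetime.fromisoformat(req["sent_at"])
        if abs(now - sent_at) > MAX_SKEW:
            return "stale"     # recorded message re-sent after the window
        # Older IDs can be dropped: their messages now fail the freshness test.
        self.seen = {r: t for r, t in self.seen.items() if now - t <= MAX_SKEW}
        if req["request_id"] in self.seen:
            return "replay"    # same message re-sent inside the window
        self.seen[req["request_id"]] = sent_at
        return "ok"

def demo():
    # Constructed sample data following the Table 108 example (subscription 4711).
    key = b"constructed-demo-key"
    guard = RenewalGuard({"4711": key})
    t0 = datetime(2009, 1, 10, 12, 0, tzinfo=timezone.utc)
    recorded = {"sub_id": "4711", "until": "2009-02-01",
                "request_id": "req-0001", "sent_at": t0.isoformat()}
    recorded["mac"] = sign(key, recorded)
    tampered = dict(recorded, until="2099-01-01", request_id="req-0002")
    return [
        guard.check(recorded, t0 + timedelta(seconds=2)),   # genuine renewal
        guard.check(recorded, t0 + timedelta(seconds=30)),  # immediate re-send
        guard.check(recorded, t0 + timedelta(days=25)),     # re-sent end of January
        guard.check(tampered, t0 + timedelta(seconds=40)),  # fields changed, old MAC
    ]
```

The timestamp bounds how long request IDs must be remembered, and the MAC is what stops an adversary from simply rewriting the ID or timestamp on a recorded message.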

9.7.7 CancelSubscription operation