Lin Yao,Lei Wang,Xiangwei Kong,Guowei Wu,Feng Xia

DOI: https://doi.org/10.1016/j.camwa.2010.01.010

IF: 3.218

2010-01-01

Computers & Mathematics with Applications

Abstract:In a pervasive computing environment, mobile users often roam into foreign domains. Consequently, mutual authentication between the user and the service provider in different domains becomes a critical issue. In this paper, a fast and secure inter-domain authentication and key establishment scheme, namely IDAS, is proposed. IDAS adopts Biometrics to guarantee the uniqueness and privacy of users and adopts signcryption to generate a secure session key. IDAS can not only reduce the burden of certificates management, but also protect the users and authentication servers against fraud. Compared with some other authentication methods, our approach is superior with faster key exchange and authentication, as well as more privacy. The correctness is verified with the Syverson and Van Oorschot (SVO) logic. Crown Copyright (C) 2010 Published by Elsevier Ltd. All rights reserved.

San-Tsai Sun

Abstract:Social login is currently used by millions of Facebook users to sign in more than one million supporting websites. The protocol behinds this web-based single sign-on (SSO) scheme is OAuth 2.0, which is also adopted by major service providers such as Google and Microsoft. Several formal methods have been used to analyze the security of the OAuth protocol, but no novel threat is found. To understand and improve the security of OAuth 2.0 SSO systems in the real-world settings, this work investigates potential security threats by examining the implementations of three major identity providers (i.e., Facebook, Microsoft and Google) and about one hundred popular supporting websites listed on Google Top 1,000 Websites. Our analysis and evaluation found several systematic weaknesses that allow an attacker to gain unauthorized access to the victim user’s profile and social graph on the identity providers, as well as impersonating the victim on the supporting website. A further investigation found that those weaknesses are rooted from a set of simplicity features o↵ered by the design of the protocol and IdP implementations. Based on the insights from this analysis, we recommend practical countermeasures to mitigate the uncovered threats.

Computer Science

Muhammad Bilal,Can Wang,Zhi Yu,Abid Bashir

DOI: https://doi.org/10.1109/icsess49938.2020.9237635

2020-01-01

Abstract:Identity management (IdM) plays a significant role in managing user identities (IDs). However, IdM is challenging to handle the rapidly rising numerous kinds of Web-based applications nowadays. The OpenID 2.0 communication protocol is an improved solution for managing a user's IDs based on the OpenID URL identity. OpenID URL identity is not very much secure in specific Web-based attacks; for instance, session hijacking and phishing attacks often occur. The earlier OpenID-based methods secure OpenID URL identity with single, double, and triple authentication schemes. But Identity Provider (IdP) side is still not secure in Web attacks: if an attacker steals the IdP-side legal user information, then existing OpenID-based security techniques are unreliable. The anticipated OpenID Reverse Authentication Authorizing and Accounting (RAAA) user authentication-based protocol secured OpenID URL identity by providing two beneficial fields Secret Alphanumeric String (SAS) and Special Innovative PIN (SIP) that utilize in testing website both sides in reverse and cost-effective way. In this experiment, IdP and Relying Party (RP), both sides are being used secretly. Therefore, experimental websites also test to check the proposed triple authentication protocol. In this paper, we have compared our RAAA user authentication protocol with already available SSO protocol methods. The tested websites and comparative results represent that the anticipated design protocol is very much secure and reliable solution. The advanced cryptographic Single-Sign-On (SSO) secure protocol reduces the higher-level session hijacking and phishing attacks risk in an OpenID-based environment. We suggest future SSO protocol methods will be needed more in terms of the authorized user's identity authentication in Web-based applications.

高俊娜,于继万,朱华飞,潘雪增

2004-01-01

Abstract:In current SIP protocol,to interact with other domain services,a node need multi-authentication processes. This paper integrates SAML into SIP protocol which well extends SIP authentication mechanism between multi-domains. It makes full use of SAML capability based on XML to bring an easy method to implement single sign-on(SSO).

Furkan Alaca,Paul C. Van Oorschot

DOI: https://doi.org/10.1145/3409452

IF: 16.6

2020-10-15

ACM Computing Surveys

Abstract:We perform a comprehensive analysis and comparison of 14 web single sign-on (SSO) systems proposed and/or deployed over the past decade, including federated identity and credential/password management schemes. We identify common design properties and use them to develop a taxonomy for SSO schemes, highlighting the associated tradeoffs in benefits (positive attributes) offered. We develop a framework to evaluate the schemes, in which we identify 14 security, usability, deployability, and privacy benefits. We also discuss how differences in priorities between users, service providers, and identity providers impact the design and deployment of SSO schemes.

computer science, theory & methods

Yinzhi Cao,Yan Shoshitaishvili,Kevin Borgolte,Christopher Krügel,Giovanni Vigna,Yan Chen

DOI: https://doi.org/10.1007/978-3-319-11379-1_14

2014-01-01

Abstract:Web-based single sign-on describes a class of protocols where a user signs into a web site with the authentication provided as a service by a third party. In exchange for the increased complexity of the authentication procedure, SSO makes it convenient for users to authenticate themselves to many different web sites (relying parties), using just a single account at an identity provider such as Facebook or Google.

Di Wu,Yabo Dong,Jian Lin,Miaoliang Zhu

DOI: https://doi.org/10.1007/11563952_52

2005-01-01

Abstract:The fast development of E-Commerce and information technology brings much higher requirements for enterprise informationization. Because of the differences in platforms, development languages and standards etc, enterprise application integration (EAI) has become the important form of enterprise informationization to support complex business processes. Web services have emerged as the next generation of integration technology which provides the power to support interoperability. However EAI doesn’t just present new interoperability challenges; it also presents serious privacy and security challenges. This paper presents security architecture of Web Services based EAI which uses distributed Single Sign On authentication and distributed Role-based Access Control authorization. The basic concept and prototype system of the security architecture are described in detail.

Yinzhi Cao,Yan Shoshitaishvili,Kevin Borgolte,Christopher Kruegel,Giovanni Vigna,Yan Chen

2014-01-01

Abstract:Author(s): Cao, Yinzhi; Shoshitaishvili, Yan; Borgolte, Kevin; Kruegel, Christopher; Vigna, Giovanni; Chen, Yan | Abstract: Web-based single sign-on describes a class of protocols where a user signs into a web site with the authentication provided as a service by a third party. In exchange for the increased complexity of the authentication procedure, SSO makes it convenient for users to authenticate themselves to many different web sites (relying parties), using just a single account at an identity provider such as Facebook or Google.Single sign-on (SSO) protocols, however, are not immune to vulnerabilities. Recent research introduced several attacks against existing SSO protocols, and further work showed that these problems are prevalent: 6.5% of the investigated relying parties were vulnerable to impersonation attacks, which can lead to account compromises and privacy breaches. Prior work used formal verification methods to identify vulnerabilities in SSO protocols or leveraged invariances of SSO interaction traces to identify logic flaws. No prior work, however, systematically studied the actual root cause of impersonation attacks against the relying party.In this paper, we systematically examine existing SSO protocols and determine the root cause of the aforementioned vulnerabilities: the design of the communication channel between the relying party and the identity provider, which, depending on the protocol and implementation, suffers from being a one-way communication protocol, or from a lack of authentication. We (a) systematically study the weakness responsible for the vulnerabilities in existing protocols that allow impersonation attacks against the relying party, (b) introduce a dedicated, authenticated, bi-directional, secure channel that does not suffer from those shortcomings, (c) formally verify the authentication property of this channel using a well-known cryptographic protocol verifier (ProVerif), and (d) evaluate the practicality of a prototype implementation of our protocol.Ultimately, to support a smooth and painless transition from existing SSO protocols, we introduce a proxy setup in which our channel can be used to secure existing SSO protocols from impersonation attacks. Furthermore, to demonstrate the flexibility of our approach, we design two different SSO protocols: an OAuth-like and an OpenID-like protocol.

Christian Mainka,Vladislav Mladenov,Jörg Schwenk

DOI: https://doi.org/10.48550/arXiv.1412.1623

2014-12-04

Abstract:Single Sign-On (SSO) systems simplify login procedures by using an an Identity Provider (IdP) to issue authentication tokens which can be consumed by Service Providers (SPs). Traditionally, IdPs are modeled as trusted third parties. This is reasonable for SSO systems like Kerberos, MS Passport and SAML, where each SP explicitely specifies which IdP he trusts. However, in open systems like OpenID and OpenID Connect, each user may set up his own IdP, and a discovery phase is added to the protocol flow. Thus it is easy for an attacker to set up its own IdP. In this paper we use a novel approach for analyzing SSO authentication schemes by introducing a malicious IdP. With this approach we evaluate one of the most popular and widely deployed SSO protocols - OpenID. We found four novel attack classes on OpenID, which were not covered by previous research, and show their applicability to real-life implementations. As a result, we were able to compromise 11 out of 16 existing OpenID implementations like Sourceforge, Drupal and ownCloud. We automated discovery of these attacks in a open source tool OpenID Attacker, which additionally allows fine-granular testing of all parameters in OpenID implementations. Our research helps to better understand the message flow in the OpenID protocol, trust assumptions in the different components of the system, and implementation issues in OpenID components. It is applicable to other SSO systems like OpenID Connect and SAML. All OpenID implementations have been informed about their vulnerabilities and we supported them in fixing the issues.

Cryptography and Security

Nassoro M. R. Lwamo,Liehuang Zhu,Chang Xu,Kashif Sharif,Ximeng Liu,Chuan Zhang

DOI: https://doi.org/10.1016/j.ins.2018.10.037

IF: 8.1

2018-01-01

Information Sciences

Abstract:The rapid increase in user base and technological penetration has enabled the use of a wide range of devices and applications. The services are rendered to these devices from single-server or highly distributed server environments, irrespective of their location. As the information exchanged between servers and clients is private, numerous forms of attacks can be launched to compromise it. To ensure the security, privacy, and availability of the services, different authentication schemes have been proposed for both single-server and multi-server environments. The primary performance objective of such schemes is to prevent most (if not all) attacks, with minimal computational costs at the server and user ends. To address this challenge, this paper presents a secure user authentication scheme with anonymity (SUAA) for single-server and multi-server environments. It works on 3-factor authentication, involving passwords, smart cards, and biometric data. We use symmetric and asymmetric encryption for single-server and multi-server architectures respectively, to reduce the computational costs. Through a comprehensive security analysis, we show that the proposed scheme is reliable through mutual authentication, and is resilient to attacks addressed by state of the art solutions. Time cost analysis also shows less time required to complete the authentication process.

Daniel Fett,Ralf Kuesters,Guido Schmitz

DOI: https://doi.org/10.48550/arXiv.1704.08539

2017-04-27

Abstract:Web-based single sign-on (SSO) services such as Google Sign-In and Log In with Paypal are based on the OpenID Connect protocol. This protocol enables so-called relying parties to delegate user authentication to so-called identity providers. OpenID Connect is one of the newest and most widely deployed single sign-on protocols on the web. Despite its importance, it has not received much attention from security researchers so far, and in particular, has not undergone any rigorous security analysis. In this paper, we carry out the first in-depth security analysis of OpenID Connect. To this end, we use a comprehensive generic model of the web to develop a detailed formal model of OpenID Connect. Based on this model, we then precisely formalize and prove central security properties for OpenID Connect, including authentication, authorization, and session integrity properties. In our modeling of OpenID Connect, we employ security measures in order to avoid attacks on OpenID Connect that have been discovered previously and new attack variants that we document for the first time in this paper. Based on these security measures, we propose security guidelines for implementors of OpenID Connect. Our formal analysis demonstrates that these guidelines are in fact effective and sufficient.

Cryptography and Security

Maximilian Westers,Tobias Wich,Louis Jannett,Vladislav Mladenov,Christian Mainka,Andreas Mayer

DOI: https://doi.org/10.48550/arXiv.2302.01024

2023-02-02

Abstract:Single Sign-On (SSO) shifts the crucial authentication process on a website to to the underlying SSO protocols and their correct implementation. To strengthen SSO security, organizations, such as IETF and W3C, maintain advisories to address known threats. One could assume that these security best practices are widely deployed on websites. We show that this assumption is a fallacy. We present SSO-MONITOR, an open-source fully-automatic large-scale SSO landscape, security, and privacy analysis tool. In contrast to all previous work, SSO-MONITOR uses a highly extensible, fully automated workflow with novel visual-based SSO detection techniques, enhanced security and privacy analyses, and continuously updated monitoring results. It receives a list of domains as input to discover the login pages, recognize the supported Identity Providers (IdPs), and execute the SSO. It further reveals the current security level of SSO in the wild compared to the security best practices on paper. With SSO-MONITOR, we automatically identified 1,632 websites with 3,020 Apple, Facebook, or Google logins within the Tranco 10k. Our continuous monitoring also revealed how quickly these numbers change over time. SSO-MONITOR can automatically login to each SSO website. It records the logins by tracing HTTP and in-browser communication to detect widespread security and privacy issues automatically. We introduce a novel deep-level inspection of HTTP parameters that we call SMARTPARMS. Using SMARTPARMS for security analyses, we uncovered URL parameters in 5 Client Application (Client) secret leakages and 337 cases with weak CSRF protection. We additionally identified 447 cases with no CSRF protection, 342 insecure SSO flows and 9 cases with nested URL parameters, leading to an open redirect in one case. SSO-MONITOR reveals privacy leakages that deanonymize users in 200 cases.

Cryptography and Security

Srivathsan G. Morkonda,Paul C. van Oorschot,Sonia Chiasson

DOI: https://doi.org/10.48550/arXiv.2103.02579

2021-03-04

Abstract:Single sign-on authentication systems such as OAuth 2.0 are widely used in web services. They allow users to use accounts registered with major identity providers such as Google and Facebook to login on multiple services (relying parties). These services can both identify users and access a subset of the user's data stored with the provider. We empirically investigate the end-user privacy implications of OAuth 2.0 implementations in relying parties most visited around the world. We collect data on the use of OAuth-based logins in the Alexa Top 500 sites per country for five countries. We categorize user data made available by four identity providers (Google, Facebook, Apple and LinkedIn) and evaluate popular services accessing user data from the SSO platforms of these providers. Many services allow users to choose from multiple login options (with different identity providers). Our results reveal that services request different categories and amounts of personal data from different providers, with at least one choice undeniably more privacy-intrusive. These privacy choices (and their privacy implications) are highly invisible to users. Based on our analysis, we also identify areas which could improve user privacy and help users make informed decisions.

Cryptography and Security

Ahmad R. Pratama,Firman M. Firmansyah,Fayruz Rahma

DOI: https://doi.org/10.7717/peerj-cs.918

2022-03-11

PeerJ Computer Science

Abstract:Single sign-on (SSO) enables users to authenticate across multiple related but independent systems using a single username and password. While the number of higher education institutions adopting SSO continues to grow, little is known about the academic community’s security awareness regarding SSO. This paper aims to examine the security awareness of SSO across various demographic groups within a single higher education institution based on their age, gender, and academic roles. Additionally, we investigate some psychological factors (i.e., privacy concerns and personality traits) that may influence users’ level of SSO security awareness. Using survey data collected from 283 participants (faculty, staff, and students) and analyzed using a hierarchical linear regression model, we discovered a generational gap, but no gender gap, in security awareness of SSO. Additionally, our findings confirm that students have a significantly lower level of security awareness than faculty and staff. Finally, we discovered that privacy concerns have no effect on SSO security awareness on their own. Rather, they interact with the user’s personality traits, most notably agreeableness and conscientiousness. The findings of this study lay the groundwork for future research and interventions aimed at increasing cybersecurity awareness among users of various demographic groups as well as closing any existing gaps between them.

computer science, information systems, artificial intelligence, theory & methods

Srivathsan G. Morkonda,Sonia Chiasson,Paul C. van Oorschot

2023-08-17

Abstract:The number of login options on web sites has increased since the introduction of web single sign-on (SSO) protocols. Web SSO services allow users to grant web sites or relying parties (RPs) access to their personal profile information from identity provider (IdP) accounts. Many RP sites do not provide sufficient privacy information that could help users make informed login decisions. Moreover, privacy differences in permission requests across login options are largely hidden from users and are time-consuming to manually extract and compare. In this paper, we present an empirical analysis of popular RP implementations supporting three major IdP login options (Facebook, Google, and Apple) and categorize RPs in the top 500 sites into four client-side code patterns. Informed by these RP patterns, we design and implement SSOPrivateEye (SPEye), a browser extension prototype that extracts and displays to users permission request information from SSO login options in RPs covering the three IdPs.

Cryptography and Security

CHEN Dong,YIN Jian-wei

DOI: https://doi.org/10.3969/j.issn.1001-3695.2007.04.084

2007-01-01

Abstract:This paper analyzed the principles and drawbacks of traditional SSO products.It separated the two types of information which is needed through login procedure of applications,and realized auto-login with sharing information of login procedure based on XML and USB authentication.Furthermore,it made research on the structure and message transmission of Windows and Web applications,and developd a distributed SSO System which supports multi-mode applications.The system was proved to be effect.

Haojiang Gao,Xiao Tian-yuan

2011-01-01

Abstract:To overcome the shortcomings of SAML(security assertion markup language),the following improvements are done.Web sites group-based session life cycle is defined.Reverse query on-line user(RQOU) protocol,and logout of fixed logon(SOFL) protocol is designed.Avoiding duplication login method is given.Domain-crossed SSO problem is resolved.A data synchronization strategy is stated,which simplifies legacy system integration.A SSO system based on these designs is used in a state-owned bank in China,which has reduced system management costs and improved productivity,and then satisfies the enterprise requirements.

Zhiyi Zhang,Michał Król,Alberto Sonnino,Lixia Zhang,Etienne Rivière

DOI: https://doi.org/10.48550/arXiv.2002.10289

2020-02-24

Cryptography and Security

Abstract:We introduce EL PASSO, a privacy-preserving, asynchronous Single Sign-On (SSO) system. It enables personal authentication while protecting users' privacy against both identity providers and relying parties, and allows selective attribute disclosure. EL PASSO is based on anonymous credentials, yet it supports users' accountability. Selected authorities may recover the identity of allegedly misbehaving users, and users can prove properties about their identity without revealing it in the clear. EL PASSO does not require specific secure hardware or a third party (other than existing participants in SSO). The generation and use of authentication credentials are asynchronous, allowing users to sign on when identity providers are temporarily unavailable. We evaluate EL PASSO in a distributed environment and prove its low computational cost, yielding faster sign-on operations than OIDC from a regular laptop, one-second user-perceived latency from a low-power device, and scaling to more than 50 sign-on operations per second at a relying party using a single 4-core server in the cloud.

ZHANG Jing-yu,LI Zhi-shu,CHEN Liang-yin,XING Jian-chuan,LI Bao-lin,LI Qing

DOI: https://doi.org/10.3969/j.issn.1009-3087.2007.05.027

2007-01-01

Abstract:Single Sign On(SSO) provides uniform authentication entrance for multi-application integration system,but has a security issue on which it normally does not focus— authentication management in Single Sign Out.A Message System-based and Customizable Single Sign Out Service —MSC-SSOS integrating Yale ITS CAS into a multi-application online service system,was designed and implemented.Many services such as security management,business customization,message persistency and balance loading are provided through a message bus.MSC-SSOS demonstrates characteristics of security,stability and efficiency in the online system which is visited by more than 400000 pages a day.

Peng Qi-rui,Wang Cheng,Wu Jing,Li Jun

DOI: https://doi.org/10.1109/icsess.2010.5552305

2010-01-01

Abstract:To integrate distributed information systems in group companies, people favor the Service-Oriented-Architecture (SOA) for its features such as loose-coupling and standardization. But SOA brings security problems. Consequently, an authentication and authorization solution is proposed in this paper. By designing security architecture based on Service-Access-Agent, this solution can simplify the security program, and bring good to the system flexibility and loose coupling, thereby meet the integrated system's requirements for dynamics and agility. This solution has been applied to a project of “national 863 plan”, and shown its validity in engineering practices.