116,229 research outputs found

    First-Order Logic for Flow-Limited Authorization

    We present the Flow-Limited Authorization First-Order Logic (FLAFOL), a logic for reasoning about authorization decisions in the presence of information-flow policies. We formalize the FLAFOL proof system, characterize its proof-theoretic properties, and develop its security guarantees. In particular, FLAFOL is the first logic to provide a non-interference guarantee while supporting all connectives of first-order logic. Furthermore, this guarantee is the first to combine the notions of non-interference from both authorization logic and information-flow systems. All theorems in this paper are proven in Coq. Comment: Coq code can be found at https://github.com/FLAFOL/flafol-co

    The Web SSO Standard OpenID Connect: In-Depth Formal Security Analysis and Security Guidelines

    Web-based single sign-on (SSO) services such as Google Sign-In and Log In with Paypal are based on the OpenID Connect protocol. This protocol enables so-called relying parties to delegate user authentication to so-called identity providers. OpenID Connect is one of the newest and most widely deployed single sign-on protocols on the web. Despite its importance, it has not received much attention from security researchers so far, and in particular, has not undergone any rigorous security analysis. In this paper, we carry out the first in-depth security analysis of OpenID Connect. To this end, we use a comprehensive generic model of the web to develop a detailed formal model of OpenID Connect. Based on this model, we then precisely formalize and prove central security properties for OpenID Connect, including authentication, authorization, and session integrity properties. In our modeling of OpenID Connect, we employ security measures in order to avoid attacks on OpenID Connect that have been discovered previously and new attack variants that we document for the first time in this paper. Based on these security measures, we propose security guidelines for implementors of OpenID Connect. Our formal analysis demonstrates that these guidelines are in fact effective and sufficient. Comment: An abridged version appears in CSF 2017. Parts of this work extend the web model presented in arXiv:1411.7210, arXiv:1403.1866, arXiv:1508.01719, and arXiv:1601.0122

    Analysing the Security of Google's implementation of OpenID Connect

    Many millions of users routinely use their Google accounts to log in to relying party (RP) websites supporting the Google OpenID Connect service. OpenID Connect, a newly standardised single-sign-on protocol, builds an identity layer on top of the OAuth 2.0 protocol, which has itself been widely adopted to support identity management services. It adds identity management functionality to the OAuth 2.0 system and allows an RP to obtain assurances regarding the authenticity of an end user. A number of authors have analysed the security of the OAuth 2.0 protocol, but whether OpenID Connect is secure in practice remains an open question. We report on a large-scale practical study of Google's implementation of OpenID Connect, involving forensic examination of 103 RP websites which support its use for sign-in. Our study reveals serious vulnerabilities of a number of types, all of which allow an attacker to log in to an RP website as a victim user. Further examination suggests that these vulnerabilities are caused by a combination of Google's design of its OpenID Connect service and RP developers making design decisions which sacrifice security for simplicity of implementation. We also give practical recommendations for both RPs and OPs to help improve the security of real world OpenID Connect systems.

    Substance Use Disorder Treatment Confidentiality Boot Camp

    [Excerpt]: INTRODUCTION: The Health Law and Policy Programs at UNH School of Law, Institute for Health Policy and Practice, and the NH Citizens Health Initiative have contracted with several of the New Hampshire Building Capacity for Transformation Delivery System Reform Incentive Payment (DSRIP) Integrated Delivery Networks (IDN) to provide technical assistance to the IDNs as they develop confidentiality tools related to substance use disorder services projects. A UNH Team assisted the IDNs by providing an educational summary of federal and state confidentiality requirements, focusing on 42 CFR Part 2, and hosting IDN interdisciplinary teams in three Substance Use Disorder (SUD) Treatment Confidentiality Boot Camp sessions providing technical assistance to assist each IDN partner with their SUD confidentiality project goals. The “boot camp” consisted of several guided meetings with assigned homework to follow, leading to the ultimate development of processes, plans, and draft forms and policies to implement Part 2 confidentiality. The process incorporated learning from the Citizens Health Initiative’s existing New Hampshire Behavioral Health Integration Learning Collaborative. The Project was implemented during half-day working sessions between May 15 – July 30, based upon the availability of IDN interdisciplinary teams and as arranged in collaboration with the IDNs. The IDNs committed to including project leaders with knowledge about and authority to investigate issues regarding projects, patient flow, and privacy. The project teams were multi-disciplinary. IDN participants were encouraged to review issues, forms, and ideas with their individual legal counsel at any point. The technical assistance provided as part of this project is not and does not take the place of legal advice.

    Substance Use Disorder Privacy Workbook: 42 CFR Part 2

    • …