Single Sign-On Feature for Customer Life-Cycle Management Application

Signing into an application is the most critical part of any application, especially for an enterprise business application that needs to handle critical and highly sensitive user Information. An application like “SELFCARE”, which is the newest and most recent product from Tecnotree Corporation must guarantee information security to its customers before delivering the product. However added security along with the immense complexity that comes with large-scale enterprise business applications can make signing into an application very cumbersome especially in this case because the project application depends on a number of other applications to get its data to work .The main goal of the thesis was to find the best way to implement an architecture for singing into the application without sacrificing any security. The SSO feature was successfully implemented as an architecture for signing in to the project application. After implementation of the feature it showed strong evidence that it highly improved the usability of the application. A number of penetration tests were conducted by the security analyst to find any vulnerability of the implemented architecture. No security flaws were reported, which proves the architecture has excellent security. The project application was delivered as a product to its customer in Iran in July 2016. Currently the application is used by millions of users, with no complaints about the security and sign-on features. An initial report from the customer shows the product is a succes

Unified Singular Protocol Flow for OAuth (USPFO) Ecosystem

OAuth 2.0 is a popular authorization framework that allows third-party clients such as websites and mobile apps to request limited access to a user's account on another application. The specification classifies clients into different types based on their ability to keep client credentials confidential. It also describes different grant types for obtaining access to the protected resources, with the authorization code and implicit grants being the most commonly used. Each client type and associated grant type have their unique security and usability considerations. In this paper, we propose a new approach for OAuth ecosystem that combines different client and grant types into a unified singular protocol flow for OAuth (USPFO), which can be used by both confidential and public clients. This approach aims to reduce the vulnerabilities associated with implementing and configuring different client types and grant types. Additionally, it provides built-in protections against known OAuth 2.0 vulnerabilities such as client impersonation, token (or code) thefts and replay attacks through integrity, authenticity, and audience binding. The proposed USPFO is largely compatible with existing Internet Engineering Task Force (IETF) Proposed Standard Request for Comments (RFCs), OAuth 2.0 extensions and active internet drafts

Securing digital identities in the cloud by selecting an apposite federated identity management from SAML, OAuth and OpenID Connect

Access to computer systems and the information held on them, be it commercially or personally sensitive, is naturally, strictly controlled by both legal and technical security measures. One such method is digital identity, which is used to authenticate and authorize users to provide access to IT infrastructure to perform official, financial or sensitive operations within organisations. However, transmitting and sharing this sensitive information with other organisations over insecure channels always poses a significant security and privacy risk. An example of an effective solution to this problem is the Federated Identity Management (FIdM) standard adopted in the cloud environment. The FIdM standard is used to authenticate and authorize users across multiple organisations to obtain access to their networks and resources without transmitting sensitive information to other organisations. Using the same authentication and authorization details among multiple organisations in one federated group, it protects the identities and credentials of users in the group. This protection is a balance, mitigating security risk whilst maintaining a positive experience for users. Three of the most popular FIdM standards are Security Assertion Markup Language (SAML), Open Authentication (OAuth), and OpenID Connect (OIDC). This paper presents an assessment of these standards considering their architectural design, working, security strength and security vulnerability, to cognise and ascertain effective usages to protect digital identities and credentials. Firstly, it explains the architectural design and working of these standards. Secondly, it proposes several assessment criteria and compares functionalities of these standards based on the proposed criteria. Finally, it presents a comprehensive analysis of their security vulnerabilities to aid in selecting an apposite FIdM. This analysis of security vulnerabilities is of great significance because their improper or erroneous deployment may be exploited for attacks

OpenID Connect Provider Certification

The thesis looks into authentication and authorization theory and reviews some protocols used for identity management. The most important protocols in the thesis are OAuth 2.0 and OpenID Connect. The method of research used in the thesis is literature review, where a set of selected items are examined. Many of the items are technical documentation, which were then used to build an overview of the OpenID Connect authorization framework, as well as a set of requirements for the OpenID Connect Provider certification. The thesis also provides a practical view of the OpenID Connect Provider certification process and an analysis of the OpenID Connect Provider implementation in the Trivore Identity Service platform in terms of the certification requirements. After analysing the implementation, recommendations on improvements to meet the certification requirements are given. The implementation already conforms to the Config profile. However, the implementation has to be improved to properly conform to the Basic, Implicit, Hybrid, and Dynamic conformation profiles. For basic and implicit profiles, the session user session management should be improved. Additionally, support for the hybrid authorization flow and dynamic client creation should be added as well as

Protection of Information and Communications in Distributed Systems and Microservices

Distributed systems have been a topic of discussion since the 1980s, but the adoption of microservices has raised number of system components considerably. With more decentralised distributed systems, new ways to handle authentication, authorisation and accounting (AAA) are needed, as well as ways to allow components to communicate between themselves securely. New standards and technologies have been created to deal with these new requirements and many of them have already found their way to most used systems and services globally. After covering AAA and separate access control models, we continue with ways to secure communications between two connecting parties, using Transport Layer Security (TLS) and other more specialised methods such as the Google-originated Secure Production Identity Framework for Everyone (SPIFFE). We also discuss X.509 certificates for ensuring identities. Next, both older time- tested and newer distributed AAA technologies are presented. After this, we are looking into communication between distributed components with both synchronous and asynchronous communication mechanisms, as well as into the publish/subscribe communication model popular with the rise of the streaming platform. This thesis also explores possibilities in securing communications between distributed endpoints and ways to handle AAA in a distributed context. This is showcased in a new software component that handles authentication through a separate identity endpoint using the OpenID Connect authentication protocol and stores identity in a Javascript object-notation formatted and cryptographically signed JSON Web Token, allowing stateless session handling as the token can be validated by checking its signature. This enables fast and scalable session management and identity handling for any distributed system

Authentication and Authorization for the front-end web developer

Traditional web pages are hosted and served through a web server that are executed in a web browser in the user’s devices. Advancement in technologies used to create web pages has led to a paradigm shift in web development, leading to concepts such as front-end and back-end. Browser-based technologies, particularly JavaScript, has seen enormous advancements in functionalities and capabilities. This led to a possibility of creating standalone web applications capable of running in the browser and relying on the back-end server only for data. This is corroborated by the rise and popularity of various JavaScript frameworks that are used by default when creating web applications in modern times. As code running on a web browser can be inspected by anyone, this led to a challenge in incorporating authentication and authorization. Particularly because storing user credentials and secrets on the web browser code is not secure in any way. This thesis explores and documents authentication and authorization methods that can be securely implemented in a front-end web application. Token-based authentication and authorization has become widely accepted as the solution. OpenID Connect and OAuth 2.0 protocols were explored, which are the most commonly used token-based solution for authentication and authorization. Furthermore, three use-cases were described that used token-based solutions in real world client projects

Security Framework for the Web of IoT Platforms

Connected devices of IoT platforms are known to produce, process and exchange vast amounts of data, most of it sensitive or personal, that need to be protected. However, achieving minimal data protection requirements such as confidentiality, integrity, availability and non-repudiation in IoT platforms is a non-trivial issue. For one reason, the trillions of interacting devices provide larger attack surfaces. Secondly, high levels of personal and private data sharing in this ubiquitous and heterogeneous environment require more stringent protection. Additionally, whilst interoperability fuels innovation through cross-platform data flow, data ownership is a concern. This calls for categorizing data and providing different levels of access control to users known as global and local scopes. These issues present new and unique security considerations in IoT products and services that need to be addressed to enable wide adoption of the IoT paradigm. This thesis presents a security and privacy framework for the Web of IoT platforms that addresses end-to-end security and privacy needs of the platforms. It categorizes platforms’ resources into different levels of security requirements and provides appropriate access control mechanisms