Construction and Study of a Model of a Secure Authorization Method Based on the OAuth 2.0 Protocol for Web Applications That Use an API
The presented thesis consists of three sections, the total volume of work is 84 pages. It contains 13 literature references, 11 illustrations and 2 tables.
The main purpose of the work is to increase the security of the authorization method for web applications that use authorization protocols. In order to achieve this goal, it is necessary to conduct research and analysis of existing authorization protocols, to select the safest one to implement, to identify and investigate existing attacks on the selected authorization protocol, OAuth 2.0, and, based on the compiled list of attacks, to build a model of a secure authorization method based on this protocol.
The object of this study is authorization protocols for web applications that use an API.
The subject of the study is attacks on the OAuth 2.0 authorization protocol and possible methods of mitigating them.
During the writing of this work, analysis, research and generalization of the technical and scientific literature were conducted, and an implementation of the secure authorization method model based on OAuth 2.0 for web applications was proposed.
The value of this work lies in the use of the proposed model by software developers to implement a secure end-user authorization method and to build secure web applications that use the OAuth 2.0 authorization protocol.
Your Code Is My Code: Exploiting a Common Weakness in OAuth 2.0 Implementations
Many millions of users routinely use their Google, Facebook and Microsoft accounts to log in to websites supporting OAuth 2.0-based single sign-on. The security of OAuth 2.0 is therefore of critical importance, and it has been widely examined both in theory and in practice. In this paper we disclose a new class of practical attacks on OAuth 2.0 implementations, which we call Partial Redirection URI Manipulation Attacks. An attack of this type can be used by an attacker to gain a victim user's OAuth 2.0 code (a token representing a right to access user data) without the user's knowledge; this code can then be used to impersonate the user to the relevant relying party website. We examined 27 leading OAuth 2.0 identity providers, and found that 19 of them are vulnerable to these attacks.
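The attack class named above turns on how the identity provider compares the redirect_uri in an authorization request with the value the relying party registered. The following is an added illustration, not code from the paper or from any of the providers it examined: it models an authorization endpoint with two interchangeable validators, a partial one that compares only scheme and host, and an exact one as RFC 6749 section 3.1.2.2 and the OAuth 2.0 Security Best Current Practice require. The client identifier, the registered callback and the attacker-chosen URI are all constructed for the example; that the relying party's host has some path an attacker can steer a browser through (such as an open redirector) is an assumption the example makes rather than a fact about any particular site.

```python
"""Added illustration (not from the paper): why an identity provider must compare
redirect_uri against the registered value exactly rather than partially."""
import secrets
from typing import Callable, Optional
from urllib.parse import urlsplit

# Constructed registration data: one relying party known to the IdP (hypothetical names).
REGISTERED_REDIRECT_URIS = {
    "rp-client": ["https://rp.example/oauth/callback"],
}


def is_allowed_partial(client_id: str, redirect_uri: str) -> bool:
    """Weak check: accepts any redirect_uri whose scheme and host match a registered one.
    Path, query and fragment are ignored, so anything the attacker can reach on that
    host (an open redirector, uploaded content) becomes a valid destination for the code."""
    target = urlsplit(redirect_uri)
    for registered in REGISTERED_REDIRECT_URIS.get(client_id, []):
        reg = urlsplit(registered)
        if target.scheme == reg.scheme and target.netloc == reg.netloc:
            return True
    return False


def is_allowed_exact(client_id: str, redirect_uri: str) -> bool:
    """Exact string comparison of the whole URI against the registered list, as
    RFC 6749 section 3.1.2.2 and the OAuth 2.0 Security BCP require."""
    return redirect_uri in REGISTERED_REDIRECT_URIS.get(client_id, [])


def authorize(client_id: str, redirect_uri: str, state: str,
              validator: Callable[[str, str], bool]) -> Optional[str]:
    """Minimal model of the authorization endpoint after the user has consented:
    returns the Location the IdP would redirect the browser to, or None if rejected."""
    if not validator(client_id, redirect_uri):
        return None
    code = "c-" + secrets.token_urlsafe(16)  # the authorization code being protected
    sep = "&" if "?" in redirect_uri else "?"
    return f"{redirect_uri}{sep}code={code}&state={state}"


# Constructed attacker-chosen redirect_uri: same scheme and host as the RP's registered
# callback, but a path the RP does not use for OAuth. Its existence is an assumption.
ATTACKER_URI = "https://rp.example/open-redirect?to=https://attacker.example/"

if __name__ == "__main__":
    for name, validator in (("partial", is_allowed_partial), ("exact", is_allowed_exact)):
        print(f"{name:7s} -> {authorize('rp-client', ATTACKER_URI, 'xyz', validator)}")
```

With the partial validator the code is appended to a URI the attacker chose, so whatever that path does with its query string decides where the code ends up; with the exact validator the request is refused before any code is minted. A provider that needs several callbacks registers each one and still compares exactly.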
Analysing the Security of Google's implementation of OpenID Connect
Many millions of users routinely use their Google accounts to log in to relying party (RP) websites supporting the Google OpenID Connect service. OpenID Connect, a newly standardised single-sign-on protocol, builds an identity layer on top of the OAuth 2.0 protocol, which has itself been widely adopted to support identity management services. It adds identity management functionality to the OAuth 2.0 system and allows an RP to obtain assurances regarding the authenticity of an end user. A number of authors have analysed the security of the OAuth 2.0 protocol, but whether OpenID Connect is secure in practice remains an open question. We report on a large-scale practical study of Google's implementation of OpenID Connect, involving forensic examination of 103 RP websites which support its use for sign-in. Our study reveals serious vulnerabilities of a number of types, all of which allow an attacker to log in to an RP website as a victim user. Further examination suggests that these vulnerabilities are caused by a combination of Google's design of its OpenID Connect service and RP developers making design decisions which sacrifice security for simplicity of implementation. We also give practical recommendations for both RPs and OPs to help improve the security of real world OpenID Connect systems.
The Web SSO Standard OpenID Connect: In-Depth Formal Security Analysis and Security Guidelines
Web-based single sign-on (SSO) services such as Google Sign-In and Log In with Paypal are based on the OpenID Connect protocol. This protocol enables so-called relying parties to delegate user authentication to so-called identity providers. OpenID Connect is one of the newest and most widely deployed single sign-on protocols on the web. Despite its importance, it has not received much attention from security researchers so far, and in particular, has not undergone any rigorous security analysis.
In this paper, we carry out the first in-depth security analysis of OpenID Connect. To this end, we use a comprehensive generic model of the web to develop a detailed formal model of OpenID Connect. Based on this model, we then precisely formalize and prove central security properties for OpenID Connect, including authentication, authorization, and session integrity properties.
In our modeling of OpenID Connect, we employ security measures in order to avoid attacks on OpenID Connect that have been discovered previously and new attack variants that we document for the first time in this paper. Based on these security measures, we propose security guidelines for implementors of OpenID Connect. Our formal analysis demonstrates that these guidelines are in fact effective and sufficient.
Comment: An abridged version appears in CSF 2017. Parts of this work extend the web model presented in arXiv:1411.7210, arXiv:1403.1866, arXiv:1508.01719, and arXiv:1601.0122
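The session integrity property named in the abstract above is, on the relying party side, a matter of binding the OpenID Connect response to the browser session that started the login: a fresh state value tied to the session and checked on the callback, and a fresh nonce carried through the authorization request and echoed in the ID token. The following is an added example, not code from the paper or from any SSO provider; the issuer, client identifier and redirect URI are hypothetical, and the ID token is passed in as a claims dictionary that is assumed to have already had its signature verified against the provider's keys, since signature verification is not what this example is about.

```python
"""Added illustration (not from the paper): relying-party checks that bind an
OpenID Connect authorization response to the browser session that started the login."""
import hmac
import secrets
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

# Hypothetical deployment values (assumptions of this example).
ISSUER = "https://op.example"
CLIENT_ID = "rp-client"
REDIRECT_URI = "https://rp.example/cb"


def start_login(session: dict) -> str:
    """Creates fresh state and nonce, stores them in the user's server-side session
    (modelled here as a dict) and returns the authorization request URL."""
    session["oidc_state"] = secrets.token_urlsafe(32)
    session["oidc_nonce"] = secrets.token_urlsafe(32)
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid",
        "state": session["oidc_state"],
        "nonce": session["oidc_nonce"],
    }
    return f"{ISSUER}/authorize?{urlencode(params)}"


def handle_callback(session: dict, callback_url: str, id_token_claims: dict,
                    now: Optional[float] = None) -> Optional[str]:
    """Returns the authenticated subject, or None if any binding check fails.
    `id_token_claims` is assumed to be the payload of an ID token whose signature has
    already been verified (obtaining and verifying the token is out of scope here)."""
    now = time.time() if now is None else now
    query = parse_qs(urlsplit(callback_url).query)
    # state and nonce are single-use: remove them so a replayed callback cannot succeed.
    expected_state = session.pop("oidc_state", None)
    expected_nonce = session.pop("oidc_nonce", None)
    received_state = query.get("state", [""])[0]
    # Session integrity: the response must belong to a login this browser started.
    if expected_state is None or not hmac.compare_digest(
            received_state.encode(), expected_state.encode()):
        return None
    # Authentication: the token must come from the expected OP and be meant for us.
    if id_token_claims.get("iss") != ISSUER:
        return None
    aud = id_token_claims.get("aud", [])
    if CLIENT_ID not in ([aud] if isinstance(aud, str) else aud):
        return None
    # The nonce ties this token to the request issued in start_login for this session.
    if expected_nonce is None or id_token_claims.get("nonce") != expected_nonce:
        return None
    if float(id_token_claims.get("exp", 0)) <= now:
        return None
    return id_token_claims.get("sub")


if __name__ == "__main__":
    session = {}
    print(start_login(session))
    # Constructed callback and claims, as if the OP had answered this exact request.
    cb = f"{REDIRECT_URI}?code=abc&state={session['oidc_state']}"
    claims = {"iss": ISSUER, "aud": CLIENT_ID, "sub": "user-1",
              "nonce": session["oidc_nonce"], "exp": time.time() + 300}
    print("subject:", handle_callback(session, cb, claims))
```

The state comparison is constant-time and the stored values are consumed on first use, so a callback arriving with a forged, missing or previously used state is rejected before the ID token is even looked at; a token with the wrong issuer, audience or nonce is rejected even when its signature is valid.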