The Web SSO Standard OpenID Connect: In-Depth Formal Security Analysis and Security Guidelines
Web-based single sign-on (SSO) services such as Google Sign-In and Log In
with Paypal are based on the OpenID Connect protocol. This protocol enables
so-called relying parties to delegate user authentication to so-called identity
providers. OpenID Connect is one of the newest and most widely deployed single
sign-on protocols on the web. Despite its importance, it has not received much
attention from security researchers so far, and in particular, has not
undergone any rigorous security analysis.
In this paper, we carry out the first in-depth security analysis of OpenID
Connect. To this end, we use a comprehensive generic model of the web to
develop a detailed formal model of OpenID Connect. Based on this model, we then
precisely formalize and prove central security properties for OpenID Connect,
including authentication, authorization, and session integrity properties.
In our modeling of OpenID Connect, we employ security measures in order to
avoid attacks on OpenID Connect that have been discovered previously and new
attack variants that we document for the first time in this paper. Based on
these security measures, we propose security guidelines for implementors of
OpenID Connect. Our formal analysis demonstrates that these guidelines are in
fact effective and sufficient.
Comment: An abridged version appears in CSF 2017. Parts of this work extend
the web model presented in arXiv:1411.7210, arXiv:1403.1866,
arXiv:1508.01719, and arXiv:1601.0122
Unified Singular Protocol Flow for OAuth (USPFO) Ecosystem
OAuth 2.0 is a popular authorization framework that allows third-party
clients such as websites and mobile apps to request limited access to a user's
account on another application. The specification classifies clients into
different types based on their ability to keep client credentials confidential.
It also describes different grant types for obtaining access to the protected
resources, with the authorization code and implicit grants being the most
commonly used. Each client type and associated grant type have their unique
security and usability considerations. In this paper, we propose a new approach
for OAuth ecosystem that combines different client and grant types into a
unified singular protocol flow for OAuth (USPFO), which can be used by both
confidential and public clients. This approach aims to reduce the
vulnerabilities associated with implementing and configuring different client
types and grant types. Additionally, it provides built-in protections against
known OAuth 2.0 vulnerabilities such as client impersonation, token (or code)
thefts and replay attacks through integrity, authenticity, and audience
binding. The proposed USPFO is largely compatible with existing Internet
Engineering Task Force (IETF) Proposed Standard Request for Comments (RFCs),
OAuth 2.0 extensions and active internet drafts
Access Management in Lightweight IoT: A Comprehensive review of ACE-OAuth framework
With the expansion of the Internet of Things (IoT), the need for secure and scalable authentication and
authorization mechanisms for resource-constrained devices is becoming increasingly important. This
thesis reviews the authentication and authorization mechanisms in resource-constrained Internet of
Things (IoT) environments. The thesis focuses on the ACE-OAuth framework, which is a lightweight
and scalable solution for access management in IoT. Traditional access management protocols are not
well-suited for the resource-constrained environment of IoT devices. This makes the lightweight
devices vulnerable to cyber-attacks and unauthorized access. This thesis explores the security
mechanisms and standards, the protocol flow, and a comparison of ACE-OAuth profiles. It underlines
the potential risks involved in their implementation. The thesis delves into the existing and
emerging trends and technologies of resource-constrained IoT and identifies limitations and potential
threats in existing authentication and authorization methods.
Furthermore, a comparative analysis of ACE profiles demonstrated that the DTLS profile enables
constrained servers to effectively handle client authentication and authorization. The OSCORE profile
provides enhanced security and non-repudiation due to the Proof-of-Possession (PoP) mechanism,
which requires the client to prove possession of a cryptographic key in order to obtain the access token.
The key findings in this thesis, including security implications, strengths, and weaknesses of the ACE-OAuth
profiles, are covered in depth. It shows that the ACE-OAuth framework's strengths lie in its
customization capabilities and scalability. This thesis demonstrates the practical applications and
benefits of ACE-OAuth framework in diverse IoT deployments through implementation in smart
home and factory use cases. Through these discussions, the research advances the application of
authentication and authorization mechanisms and provides practical insights into overcoming the
challenges in constrained IoT settings
OpenID Connect Provider Certification
The thesis looks into authentication and authorization theory and reviews some protocols used for identity management. The most important protocols in the thesis are OAuth 2.0 and OpenID Connect.
The method of research used in the thesis is literature review, where a set of selected items are examined. Many of the items are technical documentation, which were then used to build an overview of the OpenID Connect authorization framework, as well as a set of requirements for the OpenID Connect Provider certification.
The thesis also provides a practical view of the OpenID Connect Provider certification process and an analysis of the OpenID Connect Provider implementation in the Trivore Identity Service platform in terms of the certification requirements. After analysing the implementation, recommendations on improvements to meet the certification requirements are given.
The implementation already conforms to the Config profile. However, the implementation has to be improved to properly conform to the Basic, Implicit, Hybrid, and Dynamic conformance profiles. For the Basic and Implicit profiles, user session management should be improved. Additionally, support for the hybrid authorization flow and dynamic client creation should be added as well as
A Wizard-based Approach for Secure Code Generation of Single Sign-On and Access Delegation Solutions for Mobile Native Apps
Many available mobile applications (apps) have poorly implemented Single Sign-On and Access Delegation solutions, leading to serious security issues. This could be caused by inexperienced developers who prioritize the implementation of core functionalities and/or misunderstand security-critical parts. The situation is even worse in complex API scenarios where the app interacts with several providers. To address these problems, we propose a novel wizard-based approach that guides developers to integrate multiple third-party Identity Management (IdM) providers in their apps, by (i) "enforcing" the usage of best practices for native apps, (ii) avoiding the need to download several SDKs and understand their online documentation (a list of known IdM providers with their configuration information is embedded within our approach), and (iii) automatically generating the code to enable communication with the different IdM providers. The effectiveness of the proposed approach has been assessed by implementing an Android Studio plugin and using it to integrate several IdM providers, such as OKTA, Auth0, Microsoft, and Google
Token Based Authentication and Authorization with Zero-Knowledge Proofs for Enhancing Web API Security and Privacy
This design science study showcases an innovative artifact that utilizes Zero-Knowledge Proofs for API Authentication and Authorization. A comprehensive examination of existing literature and technology is conducted to evaluate the effectiveness of this alternative approach. The study reveals that existing APIs are using slower techniques that don't scale, can't take advantage of newer hardware, and have been unable to adequately address current security issues. In contrast, the novel technique presented in this study performs better, is more resilient in privacy-sensitive and security settings, and is easy to implement and deploy. Additionally, this study identifies potential avenues for further research that could help advance the field of Web API development in terms of security, privacy, and simplicity