The Horcrux Protocol: A Method for Decentralized Biometric-based Self-sovereign Identity

Most user authentication methods and identity proving systems rely on a centralized database. Such information storage presents a single point of compromise from a security perspective. If this system is compromised it poses a direct threat to users' digital identities. This paper proposes a decentralized authentication method, called the Horcrux protocol, in which there is no such single point of compromise. The protocol relies on decentralized identifiers (DIDs) under development by the W3C Verifiable Claims Community Group and the concept of self-sovereign identity. To accomplish this, we propose specification and implementation of a decentralized biometric credential storage option via blockchains using DIDs and DID documents within the IEEE 2410-2017 Biometric Open Protocol Standard (BOPS)

Do not trust me: Using malicious IdPs for analyzing and attacking Single Sign-On

Single Sign-On (SSO) systems simplify login procedures by using an an Identity Provider (IdP) to issue authentication tokens which can be consumed by Service Providers (SPs). Traditionally, IdPs are modeled as trusted third parties. This is reasonable for SSO systems like Kerberos, MS Passport and SAML, where each SP explicitely specifies which IdP he trusts. However, in open systems like OpenID and OpenID Connect, each user may set up his own IdP, and a discovery phase is added to the protocol flow. Thus it is easy for an attacker to set up its own IdP. In this paper we use a novel approach for analyzing SSO authentication schemes by introducing a malicious IdP. With this approach we evaluate one of the most popular and widely deployed SSO protocols - OpenID. We found four novel attack classes on OpenID, which were not covered by previous research, and show their applicability to real-life implementations. As a result, we were able to compromise 11 out of 16 existing OpenID implementations like Sourceforge, Drupal and ownCloud. We automated discovery of these attacks in a open source tool OpenID Attacker, which additionally allows fine-granular testing of all parameters in OpenID implementations. Our research helps to better understand the message flow in the OpenID protocol, trust assumptions in the different components of the system, and implementation issues in OpenID components. It is applicable to other SSO systems like OpenID Connect and SAML. All OpenID implementations have been informed about their vulnerabilities and we supported them in fixing the issues

Single Sign-On Feature for Customer Life-Cycle Management Application

Signing into an application is the most critical part of any application, especially for an enterprise business application that needs to handle critical and highly sensitive user Information. An application like “SELFCARE”, which is the newest and most recent product from Tecnotree Corporation must guarantee information security to its customers before delivering the product. However added security along with the immense complexity that comes with large-scale enterprise business applications can make signing into an application very cumbersome especially in this case because the project application depends on a number of other applications to get its data to work .The main goal of the thesis was to find the best way to implement an architecture for singing into the application without sacrificing any security. The SSO feature was successfully implemented as an architecture for signing in to the project application. After implementation of the feature it showed strong evidence that it highly improved the usability of the application. A number of penetration tests were conducted by the security analyst to find any vulnerability of the implemented architecture. No security flaws were reported, which proves the architecture has excellent security. The project application was delivered as a product to its customer in Iran in July 2016. Currently the application is used by millions of users, with no complaints about the security and sign-on features. An initial report from the customer shows the product is a succes

Implementing Azure Active Directory Integration with an Existing Cloud Service

Training Simulator (TraSim) is an online, web-based platform for holding crisis management exercises. It simulates epidemics and other exceptional situations to test the functionality of an organization’s operating instructions in the hour of need. The main objective of this thesis is to further develop the service by delegating its existing authentication and user provisioning mechanisms to a centralized, cloud-based Identity and Access Management (IAM) service. Making use of a centralized access control service is widely known as a Single Sign-On (SSO) implementation which comes with multiple benefits such as increased security, reduced administrative overhead and improved user experience. The objective originates from a customer organization’s request to enable SSO for TraSim. The research mainly focuses on implementing SSO by integrating TraSim with Azure Active Directory (AD) from a wide range of IAM services since it is considered as an industry standard and already utilized by the customer. Anyhow, the complexity of the integration is kept as reduced as possible to retain compatibility with other services besides Azure AD. While the integration is a unique operation with an endless amount of software stacks that a service can build on and multiple IAM services to choose from, this thesis aims to provide a general guideline of how to approach a resembling assignment. Conducting the study required extensive search and evaluation of the available literature about terms such as IAM, client-server communication, SSO, cloud services and AD. The literature review is combined with an introduction to the basic technologies that TraSim is built with to justify the choice of OpenID Connect as the authentication protocol and why it was implemented using the mozilla-django-oidc library. The literature consists of multiple online articles, publications and the official documentation of the utilized technologies. The research uses a constructive approach as it focuses into developing and testing a new feature that is merged into the source code of an already existing piece of software

Model of NFT Implementation on Web SSO over OpenID Connect and Oauth 2.0 protocols

Single Sign-On (SSO) is a mechanism that allows users to access various services using a single set of login credentials. However, in SSO implementations, there are still challenges related to security and authentication management, particularly attacks targeting the Identity Provider (IDP). To address this, the use of Non-Fungible Tokens (NFTs) as proof of IDP ownership has been proposed as a solution to enhance security in the authentication mechanism. The utilization of NFTs in SSO with OpenID Connect and OAuth 2.0 has the potential to improve security and convenience in the authentication process due to the unique and non-duplicable nature of NFTs. The results of this research present a model and design of SSO with NFTs on OpenID Connect and OAuth 2.0. An SSO application with login, register, and password recovery features was also developed to provide convenience to users during the login process. The findings conclude that the utilization of NFTs in SSO with OpenID Connect and OAuth 2.0 has the potential to enhance security and convenience in the authentication mechanism. Further research is needed to explore aspects such as scalability, in-depth security analysis, testing in real-world scenarios, improvement of integration and interoperability, as well as comparative analysis with other SSO technologies