Web Single Sign-On Authentication using SAML
Companies have increasingly turned to application service providers (ASPs) or Software as a Service (SaaS) vendors to offer specialized web-based services that cut costs and provide specific, focused applications to users. The complexity of designing, installing, configuring, deploying, and supporting the system with internal resources can be eliminated with this type of methodology, providing great benefit to organizations. However, these models can present an authentication problem for corporations with a large number of external service providers. This paper describes the implementation of Security Assertion Markup Language (SAML) and its capabilities to provide secure single sign-on (SSO) solutions for externally hosted applications.
Do not trust me: Using malicious IdPs for analyzing and attacking Single Sign-On
Single Sign-On (SSO) systems simplify login procedures by using an Identity Provider (IdP) to issue authentication tokens which can be consumed by Service Providers (SPs). Traditionally, IdPs are modeled as trusted third parties. This is reasonable for SSO systems like Kerberos, MS Passport and SAML, where each SP explicitly specifies which IdP it trusts. However, in open systems like OpenID and OpenID Connect, each user may set up their own IdP, and a discovery phase is added to the protocol flow. Thus it is easy for an attacker to set up their own IdP. In this paper we use a novel approach for analyzing SSO authentication schemes by introducing a malicious IdP. With this approach we evaluate one of the most popular and widely deployed SSO protocols, OpenID. We found four novel attack classes on OpenID, which were not covered by previous research, and show their applicability to real-life implementations. As a result, we were able to compromise 11 out of 16 existing OpenID implementations, including Sourceforge, Drupal and ownCloud. We automated discovery of these attacks in an open source tool, OpenID Attacker, which additionally allows fine-grained testing of all parameters in OpenID implementations. Our research helps to better understand the message flow in the OpenID protocol, the trust assumptions in the different components of the system, and implementation issues in OpenID components. It is applicable to other SSO systems like OpenID Connect and SAML. All OpenID implementations have been informed about their vulnerabilities and we supported them in fixing the issues.
Choice of suitable Identity and Access Management standards for mobile computing and communication
© 2017 IEEE. Enterprises have recognised the importance of personal mobile devices for business and official use. Employees and consumers have been freely accessing resources and services from their principal organisation and partners' businesses on their mobile devices, to improve the efficiency and productivity of their businesses. This mobile computing-based business model has one major challenge: ascertaining and linking users' identities and access rights across business partners. The parent organisation owns all the confidential information about users, but the collaborating organisation has to verify users' identities and access rights before allowing access to its services and resources. This challenge involves resolving how to communicate users' identities to collaborating organisations without sending their confidential information. Several generic Identity and Access Management (IAM) standards have been proposed, and three have become established standards: Security Assertion Markup Language (SAML), Open Authorization (OAuth), and OpenID Connect (OIDC). Mobile computing and communication have some specific requirements and limitations; therefore, this paper evaluates these IAM standards to ascertain which are suitable to protect mobile computing and communication. This evaluation is based on three types of analysis: comparative analysis, suitability analysis and security vulnerability analysis of SAML, OAuth and OIDC.
Identidade digital federada globaliD
Master's dissertation in Computer Engineering and Telematics. This text proposes a solution for digital identity management on the Web that takes into account the user's versatility, anonymity, privacy, veracity, trustworthiness and accountability, by using the Portuguese National Electronic Citizen Card and other publicly available authentication mechanisms that users use daily. The dissertation consists of a presentation of the concept of identity and its particularities, an analysis of the several problems of managing personal information online, and an analysis of the existing models, mechanisms and specifications for managing digital identity online (digital identity management). A solution for digital identity management based on the federated identity model and associated with the Portuguese National Electronic Citizen Card is introduced, described, analyzed, evaluated and compared to several other existing solutions. Finally, a prototype of a federated digital identity provider based on the proposed solution for digital identity management is presented.
On Secure Implementation of an IHE XUA-Based Protocol for Authenticating Healthcare Professionals
The importance of the Electronic Health Record (EHR) has been addressed in recent years by governments and institutions. Many large scale projects have been funded with the aim of allowing healthcare professionals to consult patient data. Properties such as confidentiality, authentication and authorization are key to the success of these projects. The Integrating the Healthcare Enterprise (IHE) initiative promotes the coordinated use of established standards for authenticated and secure EHR exchanges among clinics and hospitals. In particular, the IHE integration profile named XUA allows user identities to be attested by relying on SAML assertions, i.e. XML documents containing authentication statements. In this paper, we provide a formal model for the secure issuance of such an assertion. We first specify the scenario using the process calculus COWS and then analyse it using the model checker CMC. Our analysis reveals a potential flaw in the XUA profile when using a SAML assertion in an unprotected network. We then suggest a solution for this flaw, and model check and implement this solution to show that it is secure and feasible.
A standard-driven communication protocol for disconnected clinics in rural areas
The importance of the Electronic Health Record (EHR), which stores all healthcare-related data belonging to a patient, has been recognized in recent years by governments, institutions, and industry. Initiatives like Integrating the Healthcare Enterprise (IHE) have been developed for the definition of standard methodologies for secure and interoperable EHR exchanges among clinics and hospitals. Using the requisites specified by these initiatives, many large-scale projects have been set up to enable healthcare professionals to handle patients' EHRs. Applications deployed in these settings are often considered safety-critical, thus ensuring such security properties as confidentiality, authentication, and authorization is crucial for their success. In this paper, we propose a communication protocol, based on the IHE specifications, for authenticating healthcare professionals and assuring patients' safety in settings where no network connection is available, such as in rural areas of some developing countries. We define a specific threat model, driven by the experience of use cases covered by international projects, and prove that an intruder cannot cause damage to the safety of patients and their data by performing any of the attacks falling within this threat model. To demonstrate the feasibility and effectiveness of our protocol, we have fully implemented it.
Shibboleth and the challenge of authentication in multiple servers on an e-learning environment
The objective of this work is the study, implementation and testing of a shared authentication system for multiple servers. Although it was known from the outset that the work would be done with Shibboleth, other possible solutions have also been taken into account. Shibboleth is a project developed by the members of the universities that form the Internet2 consortium, with the aim of developing new middleware to perform shared authentication across multiple servers, designed specifically to facilitate collaboration between institutions and access to digital content.
Shibboleth is a complete solution since it covers everything from authentication, authorization and accounting to the login system and the attributes to be used. This makes it a very secure working environment, with the added advantage of providing privacy to users.
The first objective was to identify the peculiarities and requirements of distributed e-learning environments; to this end, specific security concepts were studied, as well as how to adapt them to the required environment. Then a comparison was made of the solutions available on the market with functionality similar to Shibboleth, in order to present the advantages and disadvantages of Shibboleth relative to them.
Subsequently, the work consisted of understanding the structure and operating principles of Shibboleth, what kind of requirements it had, the operation and objectives of each part, studying the requirements of the specific environment for which it was designed (e-learning), and giving a general idea of how the implementation should be carried out. All the technologies and requirements needed to deploy Shibboleth were also studied.
Once Shibboleth and the specific environment into which it should be integrated had been studied, a scenario was set up for its deployment and testing, specifically testing each part and understanding its operation through real tests. With the scenario running, the idea was to integrate Shibboleth with Sakai and Blackboard, the CMS (Course Management Systems) used at on-campus, the virtual campus of the Fachhochschule Lübeck.
Finally, by way of conclusions, a brief explanation of the results obtained is given, together with an assessment of how Shibboleth would meet the stated needs and some proposals for improvement.
Flexible Single Sign-On for SIP: Bridging the Identity Chasm
Identity federation is a key requirement for today's distributed services. This technology allows managed sharing of users' identity information between identity providers (IDP), and subsequently, the use of federated identities to access service providers (SP). Single Sign-On (SSO) is a core feature provided by these systems. The Session Initiation Protocol (SIP) is a signaling framework for session call control. It is becoming a widely accepted layer for applications and services, especially in the telecommunications and multimedia domain. In this paper, we explore solutions to incorporate the SSO process into the SIP framework in order to simplify access to services and resources. Our design leverages the Liberty Alliance specifications and extends the existing SIP standards to support SSO functionality. We also present a prototype implementation at the end of this paper.
Federated Identity Management Systems: A Privacy-based Characterization
Identity management systems store attributes associated with users and facilitate authorization on the basis of these attributes. A privacy-driven characterization of the principal design choices for identity management systems is given, and existing systems are fit into this framework. The taxonomy of design choices can also guide public policy relating to identity management, which is illustrated using the United States NSTIC initiative.