689 research outputs found
Analysing the Security of Google's implementation of OpenID Connect
Many millions of users routinely use their Google accounts to log in to
relying party (RP) websites supporting the Google OpenID Connect service.
OpenID Connect, a newly standardised single-sign-on protocol, builds an
identity layer on top of the OAuth 2.0 protocol, which has itself been widely
adopted to support identity management services. It adds identity management
functionality to the OAuth 2.0 system and allows an RP to obtain assurances
regarding the authenticity of an end user. A number of authors have analysed
the security of the OAuth 2.0 protocol, but whether OpenID Connect is secure in
practice remains an open question. We report on a large-scale practical study
of Google's implementation of OpenID Connect, involving forensic examination of
103 RP websites which support its use for sign-in. Our study reveals serious
vulnerabilities of a number of types, all of which allow an attacker to log in
to an RP website as a victim user. Further examination suggests that these
vulnerabilities are caused by a combination of Google's design of its OpenID
Connect service and RP developers making design decisions which sacrifice
security for simplicity of implementation. We also give practical
recommendations for both RPs and OPs to help improve the security of real world
OpenID Connect systems.
OAuth2.0 in Securing APIs
Today's applications are mostly designed around APIs. APIs are used for a variety of purposes, such as passing data to another web service or reading data from a database. The problem is that not all APIs are secure. Most of today's APIs are old and rely only on an authentication token or string, which is often hard-coded, and users often had to share their credentials with the application to enable such API calls on their behalf. We will focus on OAuth 2.0 as a new protocol for securing our APIs. It is a protocol based on delegation of authorization, with a dynamically changing authentication string tied to the user session or application session. We will go through its different modes of authentication and show how to use them properly. We will set this up with a Web API integrated with OAuth and a client application that will simulate requests to our APIs.
CYCLONE Unified Deployment and Management of Federated, Multi-Cloud Applications
Various Cloud layers have to work in concert in order to manage and deploy
complex multi-cloud applications, executing sophisticated workflows for Cloud
resource deployment, activation, adjustment, interaction, and monitoring. While
there are ample solutions for managing individual Cloud aspects (e.g. network
controllers, deployment tools, and application security software), there are no
well-integrated suites for managing an entire multi-cloud environment with
multiple providers and deployment models. This paper presents the CYCLONE
architecture that integrates a number of existing solutions to create an open,
unified, holistic Cloud management platform for multi-cloud applications,
tailored to the needs of research organizations and SMEs. It discusses major
challenges in providing a network and security infrastructure for the
Intercloud and concludes with a demonstration of how the architecture is
implemented in a real-life bioinformatics use case.
Single Sign-On Feature for Customer Life-Cycle Management Application
Signing into an application is the most critical part of any application, especially for an enterprise business application that needs to handle critical and highly sensitive user information. An application like "SELFCARE", which is the newest and most recent product from Tecnotree Corporation, must guarantee information security to its customers before delivering the product.
However, added security, along with the immense complexity that comes with large-scale enterprise business applications, can make signing into an application very cumbersome, especially in this case, because the project application depends on a number of other applications to get the data it needs to work. The main goal of the thesis was to find the best way to implement an architecture for signing into the application without sacrificing any security.
The SSO feature was successfully implemented as an architecture for signing in to the project application. After implementation of the feature, there was strong evidence that it highly improved the usability of the application. A number of penetration tests were conducted by the security analyst to find any vulnerability in the implemented architecture. No security flaws were reported, which proves the architecture has excellent security. The project application was delivered as a product to its customer in Iran in July 2016. Currently the application is used by millions of users, with no complaints about the security and sign-on features. An initial report from the customer shows the product is a success.