
    Analysing the Security of Google's implementation of OpenID Connect

    Many millions of users routinely use their Google accounts to log in to relying party (RP) websites supporting the Google OpenID Connect service. OpenID Connect, a newly standardised single-sign-on protocol, builds an identity layer on top of the OAuth 2.0 protocol, which has itself been widely adopted to support identity management services. It adds identity management functionality to the OAuth 2.0 system and allows an RP to obtain assurances regarding the authenticity of an end user. A number of authors have analysed the security of the OAuth 2.0 protocol, but whether OpenID Connect is secure in practice remains an open question. We report on a large-scale practical study of Google's implementation of OpenID Connect, involving forensic examination of 103 RP websites which support its use for sign-in. Our study reveals serious vulnerabilities of a number of types, all of which allow an attacker to log in to an RP website as a victim user. Further examination suggests that these vulnerabilities are caused by a combination of Google's design of its OpenID Connect service and RP developers making design decisions which sacrifice security for simplicity of implementation. We also give practical recommendations for both RPs and OPs (OpenID Providers) to help improve the security of real-world OpenID Connect systems.

    OAuth2.0 in Securing APIs

    Today’s modern applications are mostly designed around APIs. APIs are used for a variety of things, such as passing data to another web service or reading data from a database. The problem is that not all of these APIs are secure. Most of today’s APIs are old and rely only on an authentication token, where users often had to share their credentials with the application to enable such an API call on their behalf, or on an authentication string, which is often hardcoded. We will focus on OAuth 2.0 as a new protocol for securing our APIs. It is based on delegation of authorization, with a dynamically changing authentication string tied to the user session or application session. We will go through the different modes of authentication and show how to use them properly. We will set this up with a Web API integrated with OAuth and a client application that simulates the requests to our APIs.

    CYCLONE Unified Deployment and Management of Federated, Multi-Cloud Applications

    Various Cloud layers have to work in concert in order to manage and deploy complex multi-cloud applications, executing sophisticated workflows for Cloud resource deployment, activation, adjustment, interaction, and monitoring. While there are ample solutions for managing individual Cloud aspects (e.g. network controllers, deployment tools, and application security software), there are no well-integrated suites for managing an entire multi-cloud environment with multiple providers and deployment models. This paper presents the CYCLONE architecture, which integrates a number of existing solutions to create an open, unified, holistic Cloud management platform for multi-cloud applications, tailored to the needs of research organizations and SMEs. It discusses major challenges in providing a network and security infrastructure for the Intercloud and concludes with a demonstration of how the architecture is implemented in a real-life bioinformatics use case.

    Single Sign-On Feature for Customer Life-Cycle Management Application

    Signing into an application is the most critical part of any application, especially for an enterprise business application that needs to handle critical and highly sensitive user information. An application like “SELFCARE”, which is the newest and most recent product from Tecnotree Corporation, must guarantee information security to its customers before the product is delivered. However, added security, along with the immense complexity that comes with large-scale enterprise business applications, can make signing into an application very cumbersome, especially in this case, because the project application depends on a number of other applications to obtain the data it needs to work. The main goal of the thesis was to find the best way to implement an architecture for signing into the application without sacrificing any security. The SSO feature was successfully implemented as an architecture for signing in to the project application. After implementation, there was strong evidence that the feature greatly improved the usability of the application. A number of penetration tests were conducted by the security analyst to find any vulnerability in the implemented architecture. No security flaws were reported, which proves the architecture has excellent security. The project application was delivered as a product to its customer in Iran in July 2016. Currently the application is used by millions of users, with no complaints about the security and sign-on features. An initial report from the customer shows the product is a success.