
    The Web SSO Standard OpenID Connect: In-Depth Formal Security Analysis and Security Guidelines

    Web-based single sign-on (SSO) services such as Google Sign-In and Log In with Paypal are based on the OpenID Connect protocol. This protocol enables so-called relying parties to delegate user authentication to so-called identity providers. OpenID Connect is one of the newest and most widely deployed single sign-on protocols on the web. Despite its importance, it has not received much attention from security researchers so far, and in particular, has not undergone any rigorous security analysis. In this paper, we carry out the first in-depth security analysis of OpenID Connect. To this end, we use a comprehensive generic model of the web to develop a detailed formal model of OpenID Connect. Based on this model, we then precisely formalize and prove central security properties for OpenID Connect, including authentication, authorization, and session integrity properties. In our modeling of OpenID Connect, we employ security measures in order to avoid attacks on OpenID Connect that have been discovered previously and new attack variants that we document for the first time in this paper. Based on these security measures, we propose security guidelines for implementors of OpenID Connect. Our formal analysis demonstrates that these guidelines are in fact effective and sufficient.

    Comment: An abridged version appears in CSF 2017. Parts of this work extend the web model presented in arXiv:1411.7210, arXiv:1403.1866, arXiv:1508.01719, and arXiv:1601.0122

    Understanding Federation: An Analytical Framework for the Interoperability of Social Networking Sites

    Although social networking has become a remarkable feature of the Web, full interoperability has not arrived. This work explores the five main paradigms of interoperability across social networking sites, corresponding to the layers in which we can find interoperability. Building on those, a novel analytical framework for SNS interoperability is introduced. Seven representative SNS interoperability technologies are compared using the proposed framework. The analysis exposes an overwhelming disparity and fragmentation in the solutions for tackling the same problems. Although there are a few solutions where consensus has been reached and which are widely adopted (e.g. in object IDs), there are multiple central issues that are still far from being widely standardized (e.g. in profile representation). In addition, several areas have been identified where there is clear room for improvement, such as privacy controls or data synchronization.

    OpenID Connect Provider Certification

    The thesis looks into authentication and authorization theory and reviews some protocols used for identity management. The most important protocols in the thesis are OAuth 2.0 and OpenID Connect. The research method used in the thesis is a literature review, in which a set of selected items is examined. Many of the items are technical documentation, which were then used to build an overview of the OpenID Connect authorization framework, as well as a set of requirements for the OpenID Connect Provider certification. The thesis also provides a practical view of the OpenID Connect Provider certification process and an analysis of the OpenID Connect Provider implementation in the Trivore Identity Service platform in terms of the certification requirements. After analysing the implementation, recommendations on improvements to meet the certification requirements are given. The implementation already conforms to the Config profile. However, the implementation has to be improved to properly conform to the Basic, Implicit, Hybrid, and Dynamic conformance profiles. For the Basic and Implicit profiles, user session management should be improved. Additionally, support for the hybrid authorization flow and dynamic client creation should be added as well as

    Implementation of federation protocol for social networks

    Undergraduate final project (graduation) – Universidade de Brasília, Faculdade UnB Gama, 2017. The federation of social networks aims at integrating users by means of a decentralized structure, enabling interoperability among multiple social networks in a transparent way. Despite a few isolated initiatives in federating open social networks, no standard has been adopted, which hinders the emergence of new, effective federated systems. To understand the difficulties in the development and standardization of federated services, we have conducted research on existing specifications and implementations of interoperability among social networks. We have developed a federation proof of concept within the Noosfero platform, implementing a subset of the Diaspora protocol to federate users and public content, in addition to complementary specifications such as Salmon and WebFinger. In this work, we introduce our results in federating Noosfero with Diaspora networks, pointing out the steps required before further development. We aim to implement the Diaspora protocol within Noosfero, finishing its specification and improving its documentation, encouraging more projects to adopt this protocol.

    Desktop client for open social networks

    For the past decade social network sites have emerged rapidly and affect not only online communication and social experience but also businesses, media and governments. However, their greatest deficiency, their closed and centralized character, remains unnoticed among the general public. This thesis discusses and evaluates open and decentralized alternatives to them and draws attention to one in particular: buddycloud. By leveraging the XMPP protocol, buddycloud with its Channel protocol appears to be a promising approach for opening up the ecosystem of social networks. It enables them to work in a federated manner, as the e-mail network does today. As a contribution to the buddycloud project, this thesis presents SocialDesktopClient, a desktop client for multiple social network services. It deals with the modular client architecture and a Channel protocol implementation as the client's first social network service. Department of Applied Mathematics, Faculty of Mathematics and Physics.

    FOSP: Towards a Federated Object Sharing Protocol that Unifies Operations on Social Content

    Years ago, the World Wide Web (WWW) began as a system for publishing interlinked hypertext documents. While the protocols on top of which the WWW is built are still almost the same, the usage, as well as the content, has changed significantly. Simple delivery of hypertext documents has been expanded by operations such as uploading, sharing, and commenting on pieces of content. Online Social Networks (OSNs) and other IT services provide aggregated views of these pieces of content. However, the services are often implemented as vendor-specific applications on top of common web technologies, such as HTTP, HTML, JavaScript and CSS. Moreover, users are locked into these applications of dedicated providers, which prevents sharing of content across applications and limits the control users have over their data. Most existing approaches that overcome these issues focus on defining a common HTTP API or prefer solutions based on peer-to-peer networks. In this paper, we start by discussing related work and identifying essential requirements for an appropriate solution. Furthermore, we outline the concept and implementation of a Federated Object Sharing Protocol (FOSP), i.e., a different approach that supports today's common operations on social content already at the protocol level. We show that services built on top of this protocol are federated by default, i.e., users registered with different providers can easily interact with each other. Finally, we provide an evaluation and discussion of the proposed approach.

    Xodx – Design and Implementation of a Distributed Semantic Social Network Node

    Operation of a node in a Distributed Semantic Social Network. The node comprises functions for creating a personal description, for managing friendship relationships, and for communicating with other participants in the network. The resulting implementation is already in practical use on low-performance, low-cost and energy-efficient hardware. In addition, its scaling properties were examined in a test setup with several nodes.

    Study on improving the security of web and mobile applications by means of the open-source OpenID Connect protocol as used in IdentityServer4

    The creation of access accounts per platform and access to them using current technologies are susceptible to multiple attacks aimed at obtaining information that is sensitive and useful to the attacker. According to the United States government, several billion USD are invested in resolving cyber-defense incidents, of which about 40% involve unauthorized access. According to Kaspersky Lab, there are more than 110 thousand daily malware attacks corresponding to Ecuador. This problem is common in mobile and web applications. Unifying the authentication process partially addresses the impact of the risks presented by the different types of web and mobile application development, allowing authentication only with JWT encryption for users registered in the Identity Server. The features used in this article are based on the Identity Server with the OpenID Connect protocol, which can be used by developers and in future university research. The methodology used to analyse the documentation is systematic mapping, with the objective of identifying and documenting each of the different stages of the solution along with possible failures. The implemented Identity Server solution provided a high level of security against unauthorized access in web and mobile applications, which represents an improvement in security. After analysing the implementation described in this article, there are possible variables that have not been validated and which will surely alter the result of this research.

    Web application authentication in an environment with multiple user directories

    The use of Active Directories has gained significant popularity within organizations. As a result of using Active Directories, users have only one credential that can be used to log in to any of the organization's applications as long as they are trusted by the Active Directory. This allows organization users to create and remember a single strong password, eliminating the need for a weak and easily memorable password or reusing an old one. Centralizing the credentials, permissions and their management also naturally eases the work of administrators. Certain Active Directories enable authenticating users outside the directory using authentication protocols. The objective of this thesis was to extend the benefits created by Active Directories to the users of our web application. Before the implementation could be done, it was paramount to understand the principles of different directories, protocols, and identity services, as well as their compatibility. Additionally, the most suitable identity services and protocols were identified, along with the most secure methods of implementing the authentication. Only the authentication protocols that were relevant to the implementation were examined. By comparing the characteristics of the protocols, the most suitable protocol for the implementation was determined. Following a similar process, the identity service for the implementation was selected. The potential threats to the authentication transaction were also explored and taken into account when developing the authentication. As a result of this thesis, one specific method for authenticating users from all types of directories was not found. Instead, it was found that the authentication could be implemented using different methods and protocols depending on the directory and the needs of the web application. The functionality of two of the found methods was tested by using them to implement authentication to a web application.