87 research outputs found
The Web SSO Standard OpenID Connect: In-Depth Formal Security Analysis and Security Guidelines
Web-based single sign-on (SSO) services such as Google Sign-In and Log In
with Paypal are based on the OpenID Connect protocol. This protocol enables
so-called relying parties to delegate user authentication to so-called identity
providers. OpenID Connect is one of the newest and most widely deployed single
sign-on protocols on the web. Despite its importance, it has not received much
attention from security researchers so far, and in particular, has not
undergone any rigorous security analysis.
In this paper, we carry out the first in-depth security analysis of OpenID
Connect. To this end, we use a comprehensive generic model of the web to
develop a detailed formal model of OpenID Connect. Based on this model, we then
precisely formalize and prove central security properties for OpenID Connect,
including authentication, authorization, and session integrity properties.
In our modeling of OpenID Connect, we employ security measures in order to
avoid attacks on OpenID Connect that have been discovered previously and new
attack variants that we document for the first time in this paper. Based on
these security measures, we propose security guidelines for implementors of
OpenID Connect. Our formal analysis demonstrates that these guidelines are in
fact effective and sufficient.
Comment: An abridged version appears in CSF 2017. Parts of this work extend
the web model presented in arXiv:1411.7210, arXiv:1403.1866,
arXiv:1508.01719, and arXiv:1601.0122
Analyzing the BrowserID SSO System with Primary Identity Providers Using an Expressive Model of the Web
BrowserID is a complex, real-world Single Sign-On (SSO) System for web
applications recently developed by Mozilla. It employs new HTML5 features (such
as web messaging and web storage) and cryptographic assertions to provide
decentralized login, with the intent to respect users' privacy. It can operate
in a primary and a secondary identity provider mode. While in the primary mode
BrowserID runs with arbitrary identity providers (IdPs), in the secondary mode
there is one IdP only, namely Mozilla's default IdP.
We recently proposed an expressive general model for the web infrastructure
and, based on this web model, analyzed the security of the secondary IdP mode
of BrowserID. The analysis revealed several severe vulnerabilities.
In this paper, we complement our prior work by analyzing the even more
complex primary IdP mode of BrowserID. We do not only study authentication
properties as before, but also privacy properties. During our analysis we
discovered new and practical attacks that do not apply to the secondary mode:
an identity injection attack, which violates a central authentication property
of SSO systems, and attacks that break an important privacy promise of
BrowserID and which do not seem to be fixable without a major redesign of the
system. Some of our attacks on privacy make use of a browser side channel that
has not gained a lot of attention so far.
For the authentication bug, we propose a fix and formally prove in a slight
extension of our general web model that the fixed system satisfies all the
requirements we consider. This constitutes the most complex formal analysis of
a web application based on an expressive model of the web infrastructure so
far.
As another contribution, we identify and prove important security properties
of generic web features in the extended web model to facilitate future analysis
efforts of web standards and web applications.
Comment: arXiv admin note: substantial text overlap with arXiv:1403.186
An Expressive Model for the Web Infrastructure: Definition and Application to the BrowserID SSO System
The web constitutes a complex infrastructure and as demonstrated by numerous
attacks, rigorous analysis of standards and web applications is indispensable.
Inspired by successful prior work, in particular the work by Akhawe et al. as
well as Bansal et al., in this work we propose a formal model for the web
infrastructure. While unlike prior works, which aim at automatic analysis, our
model so far is not directly amenable to automation, it is much more
comprehensive and accurate with respect to the standards and specifications. As
such, it can serve as a solid basis for the analysis of a broad range of
standards and applications.
As a case study and another important contribution of our work, we use our
model to carry out the first rigorous analysis of the BrowserID system (a.k.a.
Mozilla Persona), a recently developed complex real-world single sign-on system
that employs technologies such as AJAX, cross-document messaging, and HTML5 web
storage. Our analysis revealed a number of very critical flaws that could not
have been captured in prior models. We propose fixes for the flaws, formally
state relevant security properties, and prove that the fixed system in a
setting with a so-called secondary identity provider satisfies these security
properties in our model. The fixes for the most critical flaws have already
been adopted by Mozilla and our findings have been rewarded by the Mozilla
Security Bug Bounty Program.
Comment: An abridged version appears in S&P 201
Diffusion and System Impact of Residential Battery Storage under Different Regulatory Settings
Cost reductions of rooftop photovoltaics and battery storage, increasing retail electricity prices as well as falling feed-in remuneration provide strong incentives for many German households to engage in self-consumption. These developments may also affect the electricity system as a whole. Against this background, we jointly apply a prosumer simulation and an agent-based electricity market simulation in order to investigate the long-term impacts of a residential battery storage diffusion on the electricity market.
We analyze different regulatory frameworks and find significant effects on the household level, yet only moderate system impacts. In the long run, the diffusion of residential battery storage seems difficult to govern, even under a restrictive regulation. In contrast, the way the batteries are operated may be easier to regulate. Policymakers and regulators should focus on this aspect, since a system-friendly battery operation supports the system integration of residential photovoltaics while having little impact on the households’ self-sufficiency
Life cycle greenhouse gas emissions of residential battery storage systems: A German case study
Battery storage systems (BSSs) are popular as a means to increase the self-consumption rates of residential photovoltaics. However, their environmental impact is under discussion, given the greenhouse gas emissions caused by the production and the efficiency losses during operation. Against this background, we carry out a holistic environmental assessment of residential BSSs by combining a partial life cycle assessment for the production phase with a detailed simulation of 162 individual German households for the operational phase. As regards the production phase, we only find small differences between the carbon footprints of different cell chemistries. Moreover, we can show that the balance of plant components have a comparable impact on the global warming potential as the cell modules. In terms of the operational phase, our simulations show that BSSs can compensate at least parts of their efficiency losses by shifting electricity demand from high-emission to low-emission periods. Under certain conditions, the operational phase of the BSSs can even overcompensate the emissions from the production phase and lead to a positive environmental impact over the lifetime of the systems. As the most relevant drivers, we find the exact emissions at the production stage, the individual household load patterns, the system efficiency, and the applied operational strategy
A survey on the user acceptance of PV battery storage systems
This study presents the results of an analysis of user acceptance of PV battery storage systems. A structural equation model is developed based on Davis’ technology acceptance model (TAM). It is expanded by integrating elements of Ajzen’s theory of planned behavior (TPB). The main factors influencing the acceptance of PV battery storage systems are evaluated and analyzed. Empirical findings indicate that survey participants’ acceptance of PV battery storage systems is mainly influenced by their behavioral beliefs, perceived knowledge about battery storage systems, perceived ease of use, and perceived usefulness of PV battery storage systems. The results indicate a high degree of acceptance for PV battery storage systems
Porcine CD18 mediates Actinobacillus pleuropneumoniae ApxIII species-specific toxicity
Actinobacillus pleuropneumoniae, the causative agent of porcine pleuropneumonia, produces Apx toxins that are recognized as major virulence factors. Recently, we showed that ApxIIIA-cytotoxic activity specifically targets Sus scrofa leukocytes. Since both LtxA from Aggregatibacter actinomycetemcomitans (aggressive periodontitis in humans) and LktA from Mannheimia haemolytica (pneumonia in ruminants) share this characteristic, respectively towards human and ruminant leukocytes, and because both use the CD18 subunit to interact with their respective LFA-1, we hypothesized that ApxIIIA was likely to bind porcine CD18 to exercise its deleterious effects on pig leukocytes. A β2-integrin-deficient ApxIIIA-resistant human erythroleukemic cell line was transfected either with homologous or heterologous CD11a/CD18 heterodimers using a set of plasmids coding for human (ApxIIIA-resistant), bovine (-resistant) and porcine (-susceptible) CD11a and CD18 subunits. Cell preparations that switched from ApxIIIA-resistance to -susceptibility were then sought to identify the LFA-1 subunit involved. The results showed that the ApxIIIA-resistant recipient cell line was rendered susceptible only if the CD18 partner within the LFA-1 heterodimer was that of the pig. It is concluded that porcine CD18 is necessary to mediate A. pleuropneumoniae ApxIIIA toxin-induced leukolysis
Probing of Actinobacillus pleuropneumoniae ApxIIIA toxin-dependent cytotoxicity towards mammalian peripheral blood mononucleated cells
Background: Actinobacillus pleuropneumoniae, the causative bacterial agent of porcine pleuropneumonia, produces Apx toxins which belong to RTX toxin family and are recognized as the major virulence factors. So far, their target receptor(s) has not been identified and the disease cytopathogenesis remains poorly understood. Production of an active Apx toxin and characterization of its toxic activity constitute the premises necessary to the description of its interaction with a potential receptor. From this point of view, we produced an active recombinant ApxIIIA toxin in order to characterize its toxicity on peripheral blood mononucleated cells (PBMCs) isolated from several species.
Findings: Toxin preparation exercises a strong cytotoxic action on porcine PBMCs which is directly related to recombinant ApxIIIA since preincubation with polymyxin B does not modify the cytotoxicity rate while preincubation with a monospecific polyclonal antiserum directed against ApxIIIA does. The cell death process triggered by ApxIIIA is extremely fast, the maximum rate of toxicity being already reached after 20 minutes of incubation. Moreover, ApxIIIA cytotoxicity is species-specific because llama, human, dog, rat and mouse PBMCs are resistant. Interestingly, bovine and caprine PBMCs are slightly sensitive to ApxIIIA toxin too. Finally, ApxIIIA cytotoxicity is cell type-specific as porcine epithelial cells are resistant.
Conclusion: We have produced an active recombinant ApxIIIA toxin and characterized its specific cytotoxicity on porcine PBMCs which will allow us to get new insights on porcine pleuropneumonia pathogenesis in the future.