147 research outputs found

    Do not trust me: Using malicious IdPs for analyzing and attacking Single Sign-On

    Single Sign-On (SSO) systems simplify login procedures by using an Identity Provider (IdP) to issue authentication tokens which can be consumed by Service Providers (SPs). Traditionally, IdPs are modeled as trusted third parties. This is reasonable for SSO systems like Kerberos, MS Passport and SAML, where each SP explicitly specifies which IdP he trusts. However, in open systems like OpenID and OpenID Connect, each user may set up his own IdP, and a discovery phase is added to the protocol flow. Thus it is easy for an attacker to set up its own IdP. In this paper we use a novel approach for analyzing SSO authentication schemes by introducing a malicious IdP. With this approach we evaluate one of the most popular and widely deployed SSO protocols - OpenID. We found four novel attack classes on OpenID, which were not covered by previous research, and show their applicability to real-life implementations. As a result, we were able to compromise 11 out of 16 existing OpenID implementations like Sourceforge, Drupal and ownCloud. We automated discovery of these attacks in an open source tool OpenID Attacker, which additionally allows fine-granular testing of all parameters in OpenID implementations. Our research helps to better understand the message flow in the OpenID protocol, trust assumptions in the different components of the system, and implementation issues in OpenID components. It is applicable to other SSO systems like OpenID Connect and SAML. All OpenID implementations have been informed about their vulnerabilities and we supported them in fixing the issues.

    Aspektualität und Temporalität – Aspekt und Tempus [Aspectuality and Temporality: Aspect and Tense]

    The present paper deals with grammatical categories and their formalization as morphological units on the example of aspectuality / temporality on the one hand, and aspect / tense on the other hand with special attention paid to Polish, German, English and Romanic languages such as Italian, French and Spanish. It could be shown that the formal realization of aspectuality cannot be considered as being restricted to aspects, but also comprises tense in languages which are deprived of aspects. Furthermore the author proves that the German system of past tenses semantically largely differs from its English binary counterpart which it is often wrongly equated with.

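    Telisch und atelisch: aspektual oder aktional oder beides? Zeno Vendlers Verbklassifikation und ihr Verhältnis zu den Kategorien Aspekt und Aktionsart [Telic and atelic: aspectual or actional or both? Zeno Vendler's verb classification and its relation to the categories of aspect and Aktionsart]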

    Over the last decades, aspectology and the scholarly debates devoted to it have increasingly seen attempts undertaken with the aim of moving the lexis of verbs into the center of interest and of combing through it in the hope of finding indications that permit reliable conclusions about the aspectual behavior the verbs produce, i.e. the kind of meaning underlying the imperfective-perfective opposition that emerges in each case. In the effort to establish an aspectually relevant verb classification, i.e. one that provides information both on the question of the aspectual pairing of verbs and on the semantic properties of the perfective and the imperfective within an aspect pair, one first had to recall the task that language has assigned to aspect and that is performed by the morphologically distinguished opposition of imperfectives and perfectives: aspectuality, a term I use clearly and exclusively in this sense.

    Nonce-based Kerberos is a Secure Delegated AKE Protocol

    Kerberos is one of the most important cryptographic protocols, first because it is the basic authentication protocol in Microsoft's Active Directory and shipped with every major operating system, and second because it served as a model for all Single-Sign-On protocols (e.g. SAML, OpenID, MS Cardspace, OpenID Connect). Its security has been confirmed with several Dolev-Yao style proofs, and attacks on certain versions of the protocol have been described. However despite its importance, despite its longevity, and despite the wealth of Dolev-Yao-style security proofs, no reduction based security proof has been published until now. This has two reasons: (1) All widely accepted formal models either deal with two-party protocols, or group key agreement protocols (where all entities have the same role), but not with 3-party protocols where each party has a different role. (2) Kerberos uses timestamps and nonces, and formal security models for timestamps are not well understood up to now. As a step towards a full security proof of Kerberos, we target problem (1) here: We propose a variant of the Kerberos protocol, where nonces are used instead of timestamps. This requires one additional protocol message, but enables a proof in the standard Bellare-Rogaway (BR) model. The key setup and the roles of the different parties are identical to the original Kerberos protocol. For our proof, we only require that the authenticated encryption and the message authentication code (MAC) schemes are secure. Under these assumptions we show that the probability that a client or server process oracle accepts maliciously, and the advantage of an adversary trying to distinguish a real Kerberos session key from a random value, are both negligible. One main idea in the proof is to model the Kerberos server as a public oracle, so that we do not have to consider the security of the connection client--Kerberos. This idea is only applicable to the communication pattern adapted by Kerberos, and not to other 3-party patterns (e.g. EAP protocols).

    Bedeutungsermittlung durch Kontrast oder: Wie man implizites Wissen explizit macht [Determining meaning through contrast, or: how to make implicit knowledge explicit]

    The paper deals with verbal meaning deficiencies caused by lack of explicit knowledge occurring in Polish and German monolingual dictionaries with respect to the morphological categories of aspect and manner of action. The author shows that contrastive analysis has proved to be the chief means of identifying meaning and rendering implicit knowledge explicit, thus giving birth to the concept of horizontal lexicography and its realizatio

    On the Analysis of Cryptographic Assumptions in the Generic Ring Model

    The generic ring model considers algorithms that operate on elements of an algebraic ring by performing only the ring operations and without exploiting properties of a given representation of ring elements. It is used to analyze the hardness of computational problems defined over rings. For instance, it is known that breaking RSA is equivalent to factoring in the generic ring model (Aggarwal and Maurer, Eurocrypt 2009). Do hardness results in the generic ring model support the conjecture that solving the considered problem is also hard in the standard model, where elements of $\mathbb{Z}_n$ are represented by integers modulo $n$? We prove in the generic ring model that computing the Jacobi symbol of an integer modulo $n$ is equivalent to factoring. Since there are simple and efficient non-generic algorithms which compute the Jacobi symbol, this provides an example of a natural computational problem which is hard in the generic ring model, but easy to solve if elements of $\mathbb{Z}_n$ are given in their standard representation as integers. Thus, a proof in the generic ring model is unfortunately not a very strong indicator for the hardness of a computational problem in the standard model. Despite this negative result, generic hardness results still provide a lower complexity bound for a large class of algorithms, namely all algorithms solving a computational problem independent of a given representation of ring elements. Thus, from this point of view results in the generic ring model are still interesting. Motivated by this fact, we show also that solving the quadratic residuosity problem generically is equivalent to factoring.

    The Generic Hardness of Subset Membership Problems under the Factoring Assumption

    We analyze a large class of subset membership problems related to integer factorization. We show that there is no algorithm solving these problems efficiently without exploiting properties of the given representation of ring elements, unless factoring integers is easy. Our results imply that problems with high relevance for a large number of cryptographic applications, such as the quadratic residuosity and the subgroup decision problems, are generically equivalent to factoring

    Lessons Learned From Previous SSL/TLS Attacks - A Brief Chronology Of Attacks And Weaknesses

    Since its introduction in 1994 the Secure Socket Layer (SSL) protocol (later renamed to Transport Layer Security (TLS)) evolved to the de facto standard for securing the transport layer. SSL/TLS can be used for ensuring data confidentiality, integrity and authenticity during transport. A main feature of the protocol is its flexibility. Modes of operation and security aims can easily be configured through different cipher suites. During its evolutionary development process several flaws were found. However, the flexible architecture of SSL/TLS allowed efficient fixes in order to counter the issues. This paper presents an overview on theoretical and practical attacks of the last 15 years, in chronological order and four categories: Attacks on the TLS Handshake protocol, on the TLS Record and Application Data Protocols, on the PKI infrastructure of TLS, and on various other attacks. We try to give a short "Lessons Learned" at the end of each paragraph.