OpenID Security Analysis and Evaluation

Similar documents
Robust Defenses for Cross-Site Request Forgery

Robust Defenses for Cross-Site Request Forgery

Real-world security analyses of OAuth 2.0 and OpenID Connect

Robust Defenses for Cross-Site Request Forgery Review

WEB SECURITY: XSS & CSRF

Web Application Security. Philippe Bogaerts

Enhancing cloud applications by using external authentication services. 2015, 2016 IBM Corporation

Andrew Muller, Canberra Managing Director, Ionize, Canberra The challenges of Security Testing. Security Testing. Taming the Wild West

A Comprehensive Formal Security Analysis of OAuth 2.0

Security of Web Level User Identity Management

Authentication Security

Analysing the Security of Google s implementation of OpenID Connect

O Single Sign-Off, Where Art Thou? An Empirical Analysis of Single Sign-On Account Hijacking and Session Management on the Web

Attacks Against Websites. Tom Chothia Computer Security, Lecture 11

Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any

SoK: Single Sign-On Security An Evaluation of OpenID Connect

Addressing threats to real-world identity management systems

Is Browsing Safe? Web Browser Security. Subverting the Browser. Browser Security Model. XSS / Script Injection. 1. XSS / Script Injection

Security analysis of OpenID, followed by a reference implementation of an npabased OpenID provider

1000 Ways to Die in Mobile OAuth. Eric Chen, Yutong Pei, Yuan Tian, Shuo Chen,Robert Kotcher and Patrick Tague

A Security Analysis of the Precise Time Protocol

The Web SSO Standard OpenID Connect: In-Depth Formal Security Analysis and Security Guidelines

Solutions Business Manager Web Application Security Assessment

Web Security. Course: EPL 682 Name: Savvas Savva

The PKI Lie. The OWASP Foundation Attacking Certificate Based Authentication. OWASP & WASC AppSec 2007 Conference

WEB SECURITY WORKSHOP TEXSAW Presented by Solomon Boyd and Jiayang Wang

Don t blink or how to create secure software. Bozhidar Bozhanov, LogSentinel

Authentication in the Cloud. Stefan Seelmann

Improving Web Security:

Application vulnerabilities and defences

CS259 Final Project: OpenID. Ben Newman Shivaram Lingamneni

The Highly Insidious Extreme Phishing Attacks

Web Security. Thierry Sans

Lecture Overview. IN5290 Ethical Hacking

Lecture 6: Web hacking 2, Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), Session related attacks

Web Based Single Sign-On and Access Control

CSE361 Web Security. Attacks against the client-side of web applications. Nick Nikiforakis

THREAT MODELING IN SOCIAL NETWORKS. Molulaqhooa Maoyi Rotondwa Ratshidaho Sanele Macanda

Digital Identity. Rob Richards October 20,

SPOOFING. Information Security in Systems & Networks Public Development Program. Sanjay Goel University at Albany, SUNY Fall 2006

OAuth securing the insecure

OWASP Thailand. Proxy Caches and Web Application Security. OWASP AppSec Asia October 21, Using the Recent Google Docs 0-Day as an Example

Bank Infrastructure - Video - 1

CSCE 813 Internet Security Case Study II: XSS

CIS 4360 Secure Computer Systems XSS

Stop sweating the password and learn to love public key cryptography. Chris Streeks Solutions Engineer, Yubico

Identity management. Tuomas Aura CSE-C3400 Information security. Aalto University, autumn 2014

Breaking FIDO Yubico. Are Exploits in There?

WHY CSRF WORKS. Implicit authentication by Web browsers

Cross-Site Request Forgery: The Sleeping Giant. Jeremiah Grossman Founder and CTO, WhiteHat Security

Ethical Hacking and Countermeasures: Web Applications, Second Edition. Chapter 3 Web Application Vulnerabilities

openid connect all the things

Interagency Advisory Board Meeting Agenda, August 25, 2009

MAN-IN-THE-MACHINE: EXPLOIT ILL-SECURE COMMUNICATION INSIDE THE COMPUTER

XSS Homework. 1 Overview. 2 Lab Environment

Progress Exchange June, Phoenix, AZ, USA 1

EasyCrypt passes an independent security audit

Secure web proxy resistant to probing attacks

Firewalls, Tunnels, and Network Intrusion Detection

P2_L12 Web Security Page 1

Web Security Model and Applications

Trusted Profile Identification and Validation Model

Perslink Security. Perslink Security. Eleonora Petridou Pascal Cuylaerts. System And Network Engineering University of Amsterdam.

PhishEye: Live Monitoring of Sandboxed Phishing Kits. Xiao Han Nizar Kheir Davide Balzarotti

CHAPTER 8 CONCLUSION AND FUTURE ENHANCEMENTS


U.S. E-Authentication Interoperability Lab Engineer

Web Security, Summer Term 2012

Web Security, Summer Term 2012

Berner Fachhochschule Haute cole spcialise bernoise Berne University of Applied Sciences 2

Computer Forensics: Investigating Network Intrusions and Cyber Crime, 2nd Edition. Chapter 3 Investigating Web Attacks

SELF SERVICE INTERFACE CODE OF CONNECTION

GUI based and very easy to use, no security expertise required. Reporting in both HTML and RTF formats - Click here to view the sample report.

CS 155 Project 2. Overview & Part A

Copyright

Computer Security 3e. Dieter Gollmann. Chapter 18: 1

ESORICS September Martin Johns

Web basics: HTTP cookies

How is state managed in HTTP sessions. Web basics: HTTP cookies. Hidden fields (2) The principle. Disadvantage of this approach

CSC 482/582: Computer Security. Cross-Site Security

CS 142 Winter Session Management. Dan Boneh

Web Security: Countermeasures for Application level Attacks

Phishing Read Behind The Lines

SECURITY TESTING. Towards a safer web world

Secure Application Development. OWASP September 28, The OWASP Foundation

arxiv: v1 [cs.cr] 30 Apr 2018

MWR InfoSecurity Security Advisory. DotNetNuke Cross Site Request Forgery Vulnerability Contents

OWASP Top 10 Risks. Many thanks to Dave Wichers & OWASP

Ethical Hacking. Content Outline: Session 1

Lecture 17 Browser Security. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Some slides from Bailey's ECE 422

En#ty Authen#ca#on and Session Management

Social Engineering (SE)

JOE WIPING OUT CSRF

Web Applications Penetration Testing

Application Security Introduction. Tara Gu IBM Product Security Incident Response Team

CS 494/594 Computer and Network Security

W e b A p p l i c a t i o n S e c u r i t y : T h e D e v i l i s i n t h e D e t a i l s

Data Security and Privacy. Topic 14: Authentication and Key Establishment

Identity management. Tuomas Aura T Information security technology. Aalto University, autumn 2011

Your Auth is open! Oversharing with OpenAuth & SAML

Transcription:

University of British Columbia OpenID Security Analysis and Evaluation San-Tsai Sun, Kirstie Hawkey, Konstantin Beznosov Laboratory for Education and Research in Secure Systems Engineering (LERSSE) University of British Columbia

CSRF attacks summary single-sign-on CSRF (force victim to login) (70%) account profile CSRF (50%) login CSRF (login as attacker) (73%) authentication response interception impersonation (67%) replay attack (6%) 2

agenda background approach and evaluation result countermeasures 3

OpenID open and user-centric Web single sign-on protocol OpenID Foundation (2007) [1] Microsoft, Google, IBM, Yahoo, VeriSign, Facebook, PayPal, PingIdentity over one billion OpenID enabled user accounts provided by Google, Yahoo, AOL...[1] [1] OpenID Foundation. http://openid.net/foundation/, 2009. 4

how OpenID works Service Provider (Relying Party) authentication response alice.myopenid.com http://alice.myopenid.com discover login request Identity Provider authentication request user name: alice.myopenid.com password: xxxxxxxx 5

agenda background of OpenID approach and evaluation results countermeasures 6

methodology 1. vulnerability identification OpenID Spec 2. vulnerability evaluation Protocol Interpretation/ Implementation real RPs RP v1 sequence diagram known weakness Protocol Modeling A-B notation Threat Model Protocol Encoding Model Checking attack traces HLPSL vulnerability evaluation results RP Evaluation exploits Exploit Design attack vectors Attack-Vector Identification 3. countermeasure evaluation countermeasure evaluation results Countermeasure Evaluation RP v2 Model Checking Countermeasure Implementation HLPSL counter measure Protocol Encoding Countermeasure Design 7

OpenID sequence diagram Browser ID server RP IdP login request: I (identity url) fetch I IdP discovery IdP p,g,g a mod p association gen: b, h, k authentication request find c compute k store h redirect to IdP: I, RP, [h] g b mod p, h, H(g ab mod p) k I, RP, [h], [c] check: h, c user authentication user authentication (if c is missing) save c user credential authentication response redirect to RP: I, RP, h, n, HMAC k (I,RP,h,n), c check: credential gen: n, c, HMAC k (I,RP,h,n) I, RP, h, n, HMAC k (I,RP,h,n) verify HMAC k (I,RP,h,n) if h exists I: identity url h: session handle k: session key n: nonce c: IdP cookie RP: RP return_to url IdP: IdP endpoint url p: DH modulus g: DH generator or I, RP, h, n, HMAC k (I,RP,h,n) valid/invalid signature verification

known weakness Browser ID server RP IdP login request: I (login request) fetch I IdP p,g,g a mod p association gen: b, h, k find c compute k redirect to IdP: I, RP, [h] g b mod p, h, H(g ab mod p) k I, RP, [h], [c] (authentication request) user authentication user authentication (if c is missing) check: h, c save c user credential (authentication response) redirect to RP: I, RP, h, n, HMAC k (I,RP,h,n), c check: credential gen: n, c, HMAC k (I,RP,h,n) I, RP, h, n, HMAC k (I,RP,h,n) I: identity url h: session handle k: session key n: nonce c: IdP cookie RP: RP return_to url IdP: IdP endpoint url p: DH modulus g: DH generator or verify HMAC k (I,RP,h,n) if h exists I, RP, h, n, HMAC k (I,RP,h,n) valid/invalid

threat model adversary: non-rp or IdP associated attackers adversary goal: unauthorized access/modification to uses data hosted on RP Web poster: post comments Web attacker: setup a malicious website send malicious links via spam deliver malicious content via Ads network exploit web vulnerabilities (i.e., XSS) of benign websites network attacker: setup an wireless access point compromise client DNS resolution 10

threat assumptions RP, IdP, user machine, and browser are not compromised RP, IdP are not malicious user credentials on IdPs are secured cookies in the browser are secured (integrity and confidentiality) 11

non-considered threats availability threat DoS by sending massive concurrent auth requests to an IdP DoS by sending massive concurrent auth responses to an RP identity spoofing phishing attacks by RP exploits vulnerabilities on IdP integrity of IdP discovery process altering discovery information compromise RP DNS resolution 12

found weakness authentication response acts as an one-time access token to an RP, but authentication response is not bound to a specific authentication request (non-associate) authentication request is not bound to a specific login request login request is not bound to the browser session 13

CSRF attack vectors single sign-on (SSO) CSRF (force victim to login) HTTP GET Auth Request CSRF[Web poster, Web attacker] HTTP POST Login CSRF [Web attacker] HTTP GET Login CSRF [Web poster, Web attacker] account profile CSRF [Web poster, Web attacker] login CSRF (login as attacker) [Web attacker] authentication response interception impersonation [Network attacker] replay attack [Network attacker] 14

SSO CSRF: HTTP GET Auth Request Browser ID server RP IdP <img src= idp.jsp?return_url=rp&identity=l style= display:none > I, RP, c (authentication request) a nonce associated with the auth request can stop the attack user credential I, RP, h, n, HMAC k (I,RP,h,n) (authentication response) redirect to RP: I, RP, h, n, HMAC k (I,RP,h,n) check_authentication I, RP, h, n, HMAC k (I,RP,h,n) valid/invalid check: c gen: n, h HMAC k (I,RP,h,n)

SSO CSRF : HTTP POST/GET login Browser ID server RP IdP login request: I (login request) IdP fetch I associate the login request with the browser session association can stop the attack p,g,g a mod p gen: b, h, k find c compute k redirect to IdP: I, RP, [h] g b mod p, h, H(g ab mod p) k I, RP, h, c (authentication request) save c (authentication response) redirect to RP: I, RP, h, n, HMAC k (I,RP,h,n), c check: h,c gen: n, HMAC k (I,RP,h,n) I, RP, h, n, HMAC k (I,RP,h,n) verify HMAC k (I,RP,h,n) if h exists or check_authentication I, RP, h, n, HMAC k (I,RP,h,n) valid/invalid

login CSRF: login as the attacker authentication response <img src= auth response style= display:none > login request RP attacker user name and password authentication request authentication response IdP associate the authentication response with the browser session can stop the attack 17

impersonation and replay attack Browser ID server RP IdP login request: I (login request) fetch I IdP p,g,g a mod p association gen: b, h, k find c compute k redirect to IdP: I, RP, [h] g b mod p, h, H(g ab mod p) k I, RP, [h], [c] (authentication request) user authentication user authentication (if c is missing) check: h, c save c user credential (authentication response) redirect to RP: I, RP, h, n, HMAC k (I,RP,h,n), c check: credential gen: n, c, HMAC k (I,RP,h,n) I, RP, h, n, HMAC k (I,RP,h,n) or verify HMAC k (I,RP,h,n) if h exists check_authentication I, RP, h, n, HMAC k (I,RP,h,n) associate the authentication response with the browser session can stop the attack valid/invalid

CSRF attacks attack summary single-sign-on CSRF (force victim to login) (70%) HTTP GET Auth Request (25%) HTTP POST Login (50%) HTTP GET Login (35%) account profile CSRF (50%) login CSRF (login as attacker) (73%) authentication response interception impersonation (67%) replay attack (6%) 19

agenda background of OpenID approach and evaluation result countermeasures 20

countermeasure when a new browser session initialized RP generates a nonce N = HMAC(browser session id ) issues a new cookie C N = N append a parameter P N =N to the OpenID login form when receive a login request check if P N = C N and C N = HMAC(browser session id ) initiate a new authentication request append a parameter R N =N to the return_to URL when receive an authentication response check if R N = C N and C N = HMAC(browser session id ) 21

characteristics of countermeasure compatible with existing OpenID do not require any additional storage on RP would not reveal browser session id protect from cookie overwrite 22

future work evaluate more RPs apply our methodology to other Web single sign-on protocol Facebook connect Microsoft Live ID 23

University of British Columbia OpenID Security Analysis and Evaluation san-tsai sun <santsais@ece.ubc.ca> Department of Electrical and Computer Engineering Laboratory for Education and Research in Secure Systems Engineering (LERSSE) 24

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback