Analyzing the BrowserID SSO System with Primary Identity Providers Using an Expressive Model of the Web

Fett, Daniel; Küsters, Ralf; Schmitz, Guido

doi:10.1007/978-3-319-24174-6_3

Cited by 18 publications

(55 citation statements)

References 16 publications

(61 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…This shows that state cannot be known to any party except for b, i, and r. 19 Note that we have only web attackers. 20 We note that, as discussed earlier, without the Referrer Policy, state could leak to a malicious IdP or other parties.…”

Section: E Proof Of Session Integritymentioning

confidence: 85%

“…The mitigation presented in Section III-A would have prevented the attack in Step 16 ff. Figure 5) 20 POST /start email 21 Response Redirect to HIdP authEP with client_id, redirect_uri, state 22 POST /token access_token , code, state 23 POST tokenEP code, client_id, redirect_uri, client_secret 24 Response access_token , id_token 25 Response session_cookie 26 POST tokenEP code, client_id, redirect_uri 27 Response access_token , id_token 28 Response access_token , id_token 29 GET /protectedResource access_token 30 GET /protectedResource access_token 31 Response secret user data dec a (enc a (x, pub(y)), y) = x…”

Section: Acknowledgementsmentioning

confidence: 99%

“…In this and the following two sections, we present the FKS model for the web infrastructure as proposed in [19], [20], and [24], along with the addition of a generic model for HTTPS web servers that harmonizes the behavior of such servers and facilitates easier proofs.…”

Section: Appendix B the Fks Web Modelmentioning

confidence: 99%

“…Also, since both scripts are always delivered with a restrictive Referrer Policy header, any requests that are caused by these scripts (e.g., the start of a new login flow) do not contain state in the referer header. 20 If state is contained in the fragment, then state is not immediately sent to r, but instead, a request without state is sent to r. Since this is a GET request, r either answers with a response that only contains the string ok but no script (Lines 23ff. of Algorithm 20), a response containing script_rp_index (Lines 2ff.…”

Section: E Proof Of Session Integritymentioning

confidence: 99%

See 3 more Smart Citations

The Web SSO Standard OpenID Connect: In-depth Formal Security Analysis and Security Guidelines

Fett

Küsters

Schmitz

2017

2017 IEEE 30th Computer Security Foundations Symposium (CSF)

Self Cite

View full text Add to dashboard Cite

Abstract-Web-based single sign-on (SSO) services such as Google Sign-In and Log In with Paypal are based on the OpenID Connect protocol. This protocol enables so-called relying parties to delegate user authentication to so-called identity providers. OpenID Connect is one of the newest and most widely deployed single sign-on protocols on the web. Despite its importance, it has not received much attention from security researchers so far, and in particular, has not undergone any rigorous security analysis.In this paper, we carry out the first in-depth security analysis of OpenID Connect. To this end, we use a comprehensive generic model of the web to develop a detailed formal model of OpenID Connect. Based on this model, we then precisely formalize and prove central security properties for OpenID Connect, including authentication, authorization, and session integrity properties.In our modeling of OpenID Connect, we employ security measures in order to avoid attacks on OpenID Connect that have been discovered previously and new attack variants that we document for the first time in this paper. Based on these security measures, we propose security guidelines for implementors of OpenID Connect. Our formal analysis demonstrates that these guidelines are in fact effective and sufficient.

show abstract

Section: E Proof Of Session Integritymentioning

confidence: 85%

Section: Acknowledgementsmentioning

confidence: 99%

Section: Appendix B the Fks Web Modelmentioning

confidence: 99%

Section: E Proof Of Session Integritymentioning

confidence: 99%

See 2 more Smart Citations

The Web SSO Standard OpenID Connect: In-depth Formal Security Analysis and Security Guidelines

Fett

Küsters

Schmitz

2017

2017 IEEE 30th Computer Security Foundations Symposium (CSF)

Self Cite

View full text Add to dashboard Cite

show abstract

“…Then, as soon as the user starts a new OAuth flow with the same RP and an honest IdP, the malicious IdP can use the known state value to mount a CSRF attack, breaking the session integrity property. 14 We also model CSRF protection for some URIs as follows: For RPs, we model origin header checking 15 (1) at the URI where the OAuth flow is started (for the implicit and authorization code mode), (2) at the password login for the resource owner password credentials mode, and (3) at the URI to which the JavaScript posts the access token in the implicit mode. For IdPs, we do the same at the URI to which the username and password pairs are posted.…”

Section: Attack Mitigationsmentioning

confidence: 99%

A Comprehensive Formal Security Analysis of OAuth 2.0

Fett

Küsters

Schmitz

2016

Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security

Self Cite

138

135

View full text Add to dashboard Cite

The OAuth 2.0 protocol is one of the most widely deployed authorization/single sign-on (SSO) protocols and also serves as the foundation for the new SSO standard OpenID Connect. Despite the popularity of OAuth, so far analysis efforts were mostly targeted at finding bugs in specific implementations and were based on formal models which abstract from many web features or did not provide a formal treatment at all.In this paper, we carry out the first extensive formal analysis of the OAuth 2.0 standard in an expressive web model. Our analysis aims at establishing strong authorization, authentication, and session integrity guarantees, for which we provide formal definitions. In our formal analysis, all four OAuth grant types (authorization code grant, implicit grant, resource owner password credentials grant, and the client credentials grant) are covered. They may even run simultaneously in the same and different relying parties and identity providers, where malicious relying parties, identity providers, and browsers are considered as well. Our modeling and analysis of the OAuth 2.0 standard assumes that security recommendations and best practices are followed in order to avoid obvious and known attacks.When proving the security of OAuth in our model, we discovered four attacks which break the security of OAuth. The vulnerabilities can be exploited in practice and are present also in OpenID Connect.We propose fixes for the identified vulnerabilities, and then, for the first time, actually prove the security of OAuth in an expressive web model. In particular, we show that the fixed version of OAuth (with security recommendations and best practices in place) provides the authorization, authentication, and session integrity properties we specify.

show abstract

Analyzing Security and Privacy in Design and Implementation of Web Authentication Protocols

Wang

2018

Formal Methods and Software Engineering

View full text Add to dashboard Cite

Analyzing the BrowserID SSO System with Primary Identity Providers Using an Expressive Model of the Web

Cited by 18 publications

References 16 publications

The Web SSO Standard OpenID Connect: In-depth Formal Security Analysis and Security Guidelines

The Web SSO Standard OpenID Connect: In-depth Formal Security Analysis and Security Guidelines

A Comprehensive Formal Security Analysis of OAuth 2.0

Analyzing Security and Privacy in Design and Implementation of Web Authentication Protocols

Contact Info

Product

Resources

About