The Web SSO Standard OpenID Connect: In-Depth Formal Security Analysis and Security Guidelines

Fett, Daniel; Kuesters, R.; Schmitz, Guido

doi:10.48550/arxiv.1704.08539

Cited by 4 publications

(24 citation statements)

References 0 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Code/Token/State Leakage [23,38], CSRF Attacks and Third-Party Login Initiation [25] are examples of exploits on incorrect OIDC implementations that do not properly check redirects or embed sensitive information such as ID tokens on redirection URLs. 307 Redirect Attack [25] similarly exploit the improper use of HTTP redirection codes.…”

Section: Sensitivity To Known Attacks On Oidcmentioning

confidence: 99%

EL PASSO: Privacy-preserving, Asynchronous Single Sign-On

Zhang,

Król,

Sonnino

et al. 2020

Preprint

View full text Add to dashboard Cite

We introduce EL PASSO, a privacy-preserving, asynchronous Single Sign-On (SSO) system. It enables personal authentication while protecting users' privacy against both identity providers and relying parties, and allows selective attribute disclosure. EL PASSO is based on anonymous credentials, yet it supports users' accountability. Selected authorities may recover the identity of allegedly misbehaving users, and users can prove properties about their identity without revealing it in the clear. EL PASSO does not require specific secure hardware or a third party (other than existing participants in SSO). The generation and use of authentication credentials are asynchronous, allowing users to sign on when identity providers are temporarily unavailable. We evaluate EL PASSO in a distributed environment and prove its low computational cost, yielding faster sign-on operations than OIDC from a regular laptop, one-second user-perceived latency from a low-power device, and scaling to more than 50 sign-on operations per second at a relying party using a single 4-core server in the cloud.

show abstract

Section: Sensitivity To Known Attacks On Oidcmentioning

confidence: 99%

EL PASSO: Privacy-preserving, Asynchronous Single Sign-On

Zhang,

Król,

Sonnino

et al. 2020

Preprint

View full text Add to dashboard Cite

show abstract

“…The Web Infrastructure Model (WIM) was introduced by Fett, Küsters, and Schmitz in [22] (therefore also called the FKS model) and further developed in subsequent work. The appendix of [44] provides a detailed description of the model; a comparison with other models and a discussion of its scope and limitations can be found in [22]- [24]. We here only give a brief overview of the WIM following the description in [7], with some more details presented in Appendix B.…”

Section: A the Web Infrastructure Modelmentioning

confidence: 99%

“…Within the scope of this technical report, we adhere to the WIM as defined in [44], where it was used for modeling and analyzing OpenID Connect. In the following, we describe the additions to the model for the analysis of the FAPI.…”

Section: Appendix G Additions To the Web Infrastructure Modelmentioning

confidence: 99%

See 1 more Smart Citation

An Extensive Formal Security Analysis of the OpenID Financial-Grade API

Fett

Hosseyni

Küsters

2019

2019 IEEE Symposium on Security and Privacy (SP)

Self Cite

View full text Add to dashboard Cite

Forced by regulations and industry demand, banks worldwide are working to open their customers' online banking accounts to third-party services via web-based APIs. By using these so-called Open Banking APIs, third-party companies, such as FinTechs, are able to read information about and initiate payments from their users' bank accounts. Such access to financial data and resources needs to meet particularly high security requirements to protect customers.One of the most promising standards in this segment is the OpenID Financial-grade API (FAPI), currently under development in an open process by the OpenID Foundation and backed by large industry partners. The FAPI is a profile of OAuth 2.0 designed for high-risk scenarios and aiming to be secure against very strong attackers. To achieve this level of security, the FAPI employs a range of mechanisms that have been developed to harden OAuth 2.0, such as Code and Token Binding (including mTLS and OAUTB), JWS Client Assertions, and Proof Key for Code Exchange.In this paper, we perform a rigorous, systematic formal analysis of the security of the FAPI, based on an existing comprehensive model of the web infrastructure-the Web Infrastructure Model (WIM) proposed by Fett, Küsters, and Schmitz. To this end, we first develop a precise model of the FAPI in the WIM, including different profiles for read-only and read-write access, different flows, different types of clients, and different combinations of security features, capturing the complex interactions in a webbased environment. We then use our model of the FAPI to precisely define central security properties. In an attempt to prove these properties, we uncover partly severe attacks, breaking authentication, authorization, and session integrity properties. We develop mitigations against these attacks and finally are able to formally prove the security of a fixed version of the FAPI.Although financial applications are high-stakes environments, this work is the first to formally analyze and, importantly, verify an Open Banking security profile.By itself, this analysis is an important contribution to the development of the FAPI since it helps to define exact security properties and attacker models, and to avoid severe security risks before the first implementations of the standard go live.Of independent interest, we also uncover weaknesses in the aforementioned security mechanisms for hardening OAuth 2.0. We illustrate that these mechanisms do not necessarily achieve the security properties they have been designed for.

show abstract

“…Bansal et al [1] analysed the security of OAuth 2.0 using the WebSpi [2] and ProVerif models [4]. Fett et al [10] performed a formal security analysis of OpenID Connect. However, all this work is based on abstract models, and so delicate implementation details are ignored.…”

Section: Rp → Uamentioning

confidence: 99%

OAuthGuard: Protecting User Security and Privacy with OAuth 2.0 and OpenID Connect

Li¹,

Mitchell²,

Chen³

2019

Preprint

View full text Add to dashboard Cite

Millions of users routinely use Google to log in to websites supporting OAuth 2.0 or OpenID Connect; the security of OAuth 2.0 and OpenID Connect is therefore of critical importance. As revealed in previous studies, in practice RPs often implement OAuth 2.0 incorrectly, and so many real-world OAuth 2.0 and OpenID Connect systems are vulnerable to attack. However, users of such flawed systems are typically unaware of these issues, and so are at risk of attacks which could result in unauthorised access to the victim user's account at an RP. In order to address this threat, we have developed OAuthGuard, an OAuth 2.0 and OpenID Connect vulnerability scanner and protector, that works with RPs using Google OAuth 2.0 and OpenID Connect services. It protects user security and privacy even when RPs do not implement OAuth 2.0 or OpenID Connect correctly. We used OAuthGuard to survey the 1000 topranked websites supporting Google sign-in for the possible presence of five OAuth 2.0 or OpenID Connect security and privacy vulnerabilities, of which one has not previously been described in the literature. Of the 137 sites in our study that employ Google Sign-in, 69 were found to suffer from at least one serious vulnerability. OAuthGuard was able to protect user security and privacy for 56 of these 69 RPs, and for the other 13 was able to warn users that they were using an insecure implementation.

show abstract

The Web SSO Standard OpenID Connect: In-Depth Formal Security Analysis and Security Guidelines

Cited by 4 publications

References 0 publications

EL PASSO: Privacy-preserving, Asynchronous Single Sign-On

EL PASSO: Privacy-preserving, Asynchronous Single Sign-On

An Extensive Formal Security Analysis of the OpenID Financial-Grade API

OAuthGuard: Protecting User Security and Privacy with OAuth 2.0 and OpenID Connect

Contact Info

Product

Resources

About