Understanding and mitigating OpenID Connect threats

Navas, Jorge; Beltrán, Marta

doi:10.1016/j.cose.2019.03.003

Cited by 30 publications

(23 citation statements)

References 5 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…More testing could identify further gaps in Facebook and other social media algorithms. This is particularly important as Facebook and other platforms are increasingly being user as OpenID providers; a process that authenticates users ID on third party platforms (Navas and Beltrán, 2019).…”

Section: Discussionmentioning

confidence: 99%

Facebook fake profile identification: technical and ethical considerations

Pourghomi

Dordevic

Safieddine

2020

IJPCC

View full text Add to dashboard Cite

Purpose In March 2019, Facebook updated its security procedures requesting ID verification for people who wish to advertise or promote political posts of adverts. The announcement received little media coverage even though it is an interesting development in the battle against fake news. This paper aims to review the current literature on different approaches in the battle against the spread of fake news, including the use of computer algorithms, artificial intelligence (AI) and introduction of ID checks. Design/methodology/approach Critical to the evaluation is consideration into ID checks as a means to combat the spread of fake news. To understand the process and how it works, the team undertook a social experiment combined with reflective analysis to better understand the impact of ID check policies when combined with other standards policies of a typical platform. Findings The analysis identifies grave concerns. In a wider context, standardising such policy will leave political activists in countries vulnerable to reprisal from authoritarian regimes. Other victims of the impacts include people who use fake names to protect the identity of adopted children or to protect anonymity from abusive partners. Originality/value The analysis also points to the fact that troll armies could bypass these checks rendering the use of ID checks less effective in the battle to combat fake news.

show abstract

Section: Discussionmentioning

confidence: 99%

Facebook fake profile identification: technical and ethical considerations

Pourghomi

Dordevic

Safieddine

2020

IJPCC

View full text Add to dashboard Cite

show abstract

“…We assume that the fog is using OpenID Connect (OIDC), which is a popular third-party authentication mechanism that allows a client to authenticate an end-user based on authentication with an authorization server and obtain information about user [17]. It is predicted that in the coming years, OIDC will have widespread adoption in fog computing and IoT applications [18]. The subscriber must also start using a particular application in the fog network from the same state it had been left off in the 3GPP MEC.…”

Section: B Problem Statementmentioning

confidence: 99%

Provisioning Fog Services to 3GPP Subscribers: Authentication and Application Mobility

Ali¹,

Mallick²,

Sakib³

et al. 2021

Preprint

View full text Add to dashboard Cite

Multi-Access Edge computing (MEC) and Fog computing provide services to subscribers at low latency. There is a need to form a federation among 3GPP MEC and fog to provide better coverage to 3GPP subscribers. This federation gives rise to two issues-third-party authentication and application mobility-for continuous service during handover from 3GPP MEC to fog without re-authentication. In this paper, we propose: 1) a proxy-based state transfer and third-party authentication (PS3A) that uses a transparent proxy to transfer the authentication and application state information, and 2) a token-based state transfer and proxy-based third-party authentication (TSP3A) that uses the proxy to transfer the authentication information and tokens to transfer the application state from 3GPP MEC to the fog. The proxy is kept transparent with virtual counterparts, to avoid any changes to the existing 3GPP MEC and fog architectures. We implemented these solutions on a testbed and results show that PS3A and TSP3A provide authentication within 0.345-2.858s for a 0-100 Mbps proxy load. The results further show that TSP3A provides application mobility while taking 40-52% less time than PS3A using state tokens. TSP3A and PS3A also reduce the service interruption latency by 82.4% and 84.6%, compared to the cloudbased service via tokens and prefetching.

show abstract

“…Lu et al 44,45 formally modeled and verified the OpenID Connect protocol and SAML2.0 protocol using Applied PI calculus in the symbolic model. Jorge et al 46 recognized sixteen kinds of attack patterns of OpenID Connect protocol, for example, token leakage, compromised identity provider password, and session hijack. Furthermore, corresponding possible solutions and mitigation measures were proposed.…”

Section: Related Workmentioning

confidence: 99%

Inter‐cloud secure data sharing and its formal verification

Zhang

Yang

et al. 2021

Trans Emerging Tel Tech

View full text Add to dashboard Cite

With the development of cloud computing, data sharing and collaboration have become increasing among cloud‐oriented organizations. In addition to trivial management work, data providers face many difficulties in managing access control policies in cloud data sharing, to prevent permission abuse and information leakage. This article mainly answers the following question: is it possible to achieve verifiably secure inter‐cloud data sharing? This article proposes an inter‐cloud data sharing (ICDS) approach based on ciphertext‐policy attribute‐based encryption (CP‐ABE) to ensure the security of ICDS. The security properties that ICDS holds are formally verified, where the information flow rules are defined and used in the verification. The information flow of the proposed ICDS is firstly modeled by use of high‐level Petri nets (HLPN) formally, then being represented in Z language, and at last the security properties of ICDS are verified by the Z3 solver. The formal analysis proves that the ICDS holds the security properties of confidentiality, authenticity, and collusion‐resistance.

show abstract

Understanding and mitigating OpenID Connect threats

Cited by 30 publications

References 5 publications

Facebook fake profile identification: technical and ethical considerations

Facebook fake profile identification: technical and ethical considerations

Provisioning Fog Services to 3GPP Subscribers: Authentication and Application Mobility

Inter‐cloud secure data sharing and its formal verification

Contact Info

Product

Resources

About