Abstract
Web-based single sign-on describes a class of protocols where a user signs into a web site with the authentication provided as a service by a third party. In exchange for the increased complexity of the authentication procedure, SSO makes it convenient for users to authenticate themselves to many different web sites (relying parties), using just a single account at an identity provider such as Facebook or Google.
Single sign-on (SSO) protocols, however, are not immune to vulnerabilities. Recent research introduced several attacks against existing SSO protocols, and further work showed that these problems are prevalent: 6.5% of the investigated relying parties were vulnerable to impersonation attacks, which can lead to account compromises and privacy breaches. Prior work used formal verification methods to identify vulnerabilities in SSO protocols or leveraged invariances of SSO interaction traces to identify logic flaws. No prior work, however, systematically studied the actual root cause of impersonation attacks against the relying party.
In this paper, we systematically examine existing SSO protocols and determine the root cause of the aforementioned vulnerabilities: the design of the communication channel between the relying party and the identity provider, which, depending on the protocol and implementation, suffers from being a one-way communication protocol, or from a lack of authentication. We (a) systematically study the weakness responsible for the vulnerabilities in existing protocols that allow impersonation attacks against the relying party, (b) introduce a dedicated, authenticated, bi-directional, secure channel that does not suffer from those shortcomings, (c) formally verify the authentication property of this channel using a well-known cryptographic protocol verifier (ProVerif), and (d) evaluate the practicality of a prototype implementation of our protocol.
Ultimately, to support a smooth and painless transition from existing SSO protocols, we introduce a proxy setup in which our channel can be used to secure existing SSO protocols from impersonation attacks. Furthermore, to demonstrate the flexibility of our approach, we design two different SSO protocols: an OAuth-like and an OpenID-like protocol.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
Similar content being viewed by others
References
Getting started with the facebook sdk for php, https://developers.facebook.com/docs/php/gettingstarted/
JanRain Engage, http://janrain.com/products/engage/
JavaScript Cryptography Toolkit, http://ats.oka.nu/titaniumcore/js/crypto/readme.txt
LocalConnection, http://help.adobe.com/en_US/FlashPlatform/reference/actionscript/3/flash/net/LocalConnection.html
OpenID, http://openid.net/
ProVerif: Cryptographic protocol verifier in the formal model, http://prosecco.gforge.inria.fr/personal/bblanche/proverif/
Sandbox mode of facebook application, https://developers.facebook.com/docs/ApplicationSecurity/
Secure electronic transaction, http://goo.gl/2SpMbF
Security assertion markup language, http://en.wikipedia.org/wiki/Security_Assertion_Markup_Language
The Stanford Javascript Crypto Library, http://crypto.stanford.edu/sjcl/
Akhawe, D., Barth, A., Lam, P.E., Mitchell, J.C., Song, D.: Towards a formal foundation of web security. In: CSF (2010)
Armando, A., Carbone, R., Compagna, L., Cuellar, J., Tobarra, L.: Formal analysis of saml 2.0 web browser single sign-on: Breaking the saml-based single sign-on for google apps. In: FMSE: The ACM Workshop on Formal Methods in Security Engineering (2008)
Bai, G., Lei, J., Meng, G., Venkatraman, S.S., Saxena, P., Sun, J., Liu, Y., Dong, J.S.: AUTHSCAN: Automatic Extraction of Web Authentication Protocols from Implementations. In: NDSS (2013)
Barth, A., Jackson, C., Mitchell, J.C.: Securing frame communication in browsers. In: USENIX Security Symposium (2008)
Bhargavan, K., Delignat-Lavaud, A., Maffeis, S.: Language-based defenses against untrusted browser origins. In: USENIX Security Symposium (2013)
Blanchet, B.: An efficient cryptographic protocol verifier based on prolog rules. In: CSFW (2001)
Cao, Y., Rastogi, V., Li, Z., Chen, Y., Moshchuk, A.: Redefining web browser principals with a configurable origin policy. In: DSN (2013)
Dolev, D., Yao, A.C.: On the security of public key protocols. Tech. rep., Stanford, CA, USA (1981)
Facebook. Facebook connect, http://goo.gl/ZUyBXF
Gro, T.: Security Analysis of the SAML Single Sign-on Browser/Artifact Profile. In: ACSAC (2003)
Hanna, S., Shin, R., Akhawe, D., Saxena, P., Boehm, A., Song, D.: The emperor’s new APIs: On the (in)secure usage of new client-side primitives. In: W2SP (2010)
Hansen, S.M., Skriver, J., Nielson, H.R.: Using static analysis to validate the saml single sign-on protocol. In: WITS: The Workshop on Issues in the Theory of Security (2005)
Miculan, M., Urban, C.: Formal Analysis of Facebook Connect Single Sign-On Authentication Protocol. In: SOFSEM (2011)
Pai, S., Sharma, Y., Kumar, S., Pai, R.M., Singh, S.: Formal verification of oauth 2.0 using alloy framework. In: CSNT: The International Conference on Communication Systems and Network Technologies (2011)
Pfitzmann, B., Waidner, M.: Analysis of liberty single-sign-on with enabled clients. IEEE Internet Computing 7(6), 38–44 (2003)
Singh, K., Moshchuk, A., Wang, H., Lee, W.: On the Incoherencies in Web Browser Access Control Policies. In: SP: IEEE Symposium on Security and Privacy (2010)
Son, S., Shmatikov, V.: The Postman Always Rings Twice: Attacking and Defending postMessage in HTML5 Websites. In: NDSS (2013)
Sun, S.-T., Beznosov, K.: The devil is in the (implementation) details: An empirical analysis of oauth sso systems. In: CCS (2012)
Sun, S.-T., Hawkey, K., Beznosov, K.: OpenIDemail enabled browser: towards fixing the broken web single sign-on triangle. In: DIM (2010)
Sun, S.-T., Pospisil, E., Muslukhov, I., Dindar, N., Hawkey, K., Beznosov, K.: What makes users refuse web single sign-on?: An empirical investigation of openid. In: SOUPS (2011)
Tassanaviboon, A., Gong, G.: Oauth and abe based authorization in semi-trusted cloud computing: aauth. In: DataCloud-SC: The International Workshop on Data Intensive Computing in the Clouds (2011)
Urueña, M., Muñoz, A., Larrabeiti, D.: Analysis of privacy vulnerabilities in single sign-on mechanisms for multimedia websites. Multimedia Tools and Applications (2012)
Wang, R., Chen, S., Wang, X.: Signing me onto your accounts through facebook and google: A traffic-guided security study of commercially deployed single-sign-on web services. In: IEEE Symposium on Security and Privacy (2012)
Wang, R., Zhou, Y., Chen, S., Qadeer, S., Evans, D., Gurevich, Y.: Explicating sdks: Uncovering assumptions underlying secure authentication and authorization. In: USENIX Security Symposium (2013)
Xing, L., Chen, Y., Wang, X., Chen, S.: InteGuard: Toward Automatic Protection of Third-party web service integrations. In: NDSS (2013)
Yang, E.Z., Stefan, D., Mitchell, J., Mazieres, D., Marchenko, P., Karp, B.: Toward principled browser security. In: HotOS (2013)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2014 Springer International Publishing Switzerland
About this paper
Cite this paper
Cao, Y., Shoshitaishvili, Y., Borgolte, K., Kruegel, C., Vigna, G., Chen, Y. (2014). Protecting Web-Based Single Sign-on Protocols against Relying Party Impersonation Attacks through a Dedicated Bi-directional Authenticated Secure Channel. In: Stavrou, A., Bos, H., Portokalidis, G. (eds) Research in Attacks, Intrusions and Defenses. RAID 2014. Lecture Notes in Computer Science, vol 8688. Springer, Cham. https://doi.org/10.1007/978-3-319-11379-1_14
Download citation
DOI: https://doi.org/10.1007/978-3-319-11379-1_14
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-11378-4
Online ISBN: 978-3-319-11379-1
eBook Packages: Computer ScienceComputer Science (R0)