Protecting Web-Based Single Sign-on Protocols against Relying Party Impersonation Attacks through a Dedicated Bi-directional Authenticated Secure Channel

  • Yinzhi Cao
  • Yan Shoshitaishvili
  • Kevin Borgolte
  • Christopher Kruegel
  • Giovanni Vigna
  • Yan Chen
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8688)

Abstract

Web-based single sign-on describes a class of protocols where a user signs into a web site with the authentication provided as a service by a third party. In exchange for the increased complexity of the authentication procedure, SSO makes it convenient for users to authenticate themselves to many different web sites (relying parties), using just a single account at an identity provider such as Facebook or Google.

Single sign-on (SSO) protocols, however, are not immune to vulnerabilities. Recent research introduced several attacks against existing SSO protocols, and further work showed that these problems are prevalent: 6.5% of the investigated relying parties were vulnerable to impersonation attacks, which can lead to account compromises and privacy breaches. Prior work used formal verification methods to identify vulnerabilities in SSO protocols or leveraged invariances of SSO interaction traces to identify logic flaws. No prior work, however, systematically studied the actual root cause of impersonation attacks against the relying party.

In this paper, we systematically examine existing SSO protocols and determine the root cause of the aforementioned vulnerabilities: the design of the communication channel between the relying party and the identity provider, which, depending on the protocol and implementation, suffers from being a one-way communication protocol, or from a lack of authentication. We (a) systematically study the weakness responsible for the vulnerabilities in existing protocols that allow impersonation attacks against the relying party, (b) introduce a dedicated, authenticated, bi-directional, secure channel that does not suffer from those shortcomings, (c) formally verify the authentication property of this channel using a well-known cryptographic protocol verifier (ProVerif), and (d) evaluate the practicality of a prototype implementation of our protocol.

Ultimately, to support a smooth and painless transition from existing SSO protocols, we introduce a proxy setup in which our channel can be used to secure existing SSO protocols from impersonation attacks. Furthermore, to demonstrate the flexibility of our approach, we design two different SSO protocols: an OAuth-like and an OpenID-like protocol.

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. 1.
    Getting started with the facebook sdk for php, https://developers.facebook.com/docs/php/gettingstarted/
  2. 2.
  3. 3.
    JavaScript Cryptography Toolkit, http://ats.oka.nu/titaniumcore/js/crypto/readme.txt
  4. 4.
  5. 5.
  6. 6.
    ProVerif: Cryptographic protocol verifier in the formal model, http://prosecco.gforge.inria.fr/personal/bblanche/proverif/
  7. 7.
    Sandbox mode of facebook application, https://developers.facebook.com/docs/ApplicationSecurity/
  8. 8.
    Secure electronic transaction, http://goo.gl/2SpMbF
  9. 9.
  10. 10.
    The Stanford Javascript Crypto Library, http://crypto.stanford.edu/sjcl/
  11. 11.
    Akhawe, D., Barth, A., Lam, P.E., Mitchell, J.C., Song, D.: Towards a formal foundation of web security. In: CSF (2010)Google Scholar
  12. 12.
    Armando, A., Carbone, R., Compagna, L., Cuellar, J., Tobarra, L.: Formal analysis of saml 2.0 web browser single sign-on: Breaking the saml-based single sign-on for google apps. In: FMSE: The ACM Workshop on Formal Methods in Security Engineering (2008)Google Scholar
  13. 13.
    Bai, G., Lei, J., Meng, G., Venkatraman, S.S., Saxena, P., Sun, J., Liu, Y., Dong, J.S.: AUTHSCAN: Automatic Extraction of Web Authentication Protocols from Implementations. In: NDSS (2013)Google Scholar
  14. 14.
    Barth, A., Jackson, C., Mitchell, J.C.: Securing frame communication in browsers. In: USENIX Security Symposium (2008)Google Scholar
  15. 15.
    Bhargavan, K., Delignat-Lavaud, A., Maffeis, S.: Language-based defenses against untrusted browser origins. In: USENIX Security Symposium (2013)Google Scholar
  16. 16.
    Blanchet, B.: An efficient cryptographic protocol verifier based on prolog rules. In: CSFW (2001)Google Scholar
  17. 17.
    Cao, Y., Rastogi, V., Li, Z., Chen, Y., Moshchuk, A.: Redefining web browser principals with a configurable origin policy. In: DSN (2013)Google Scholar
  18. 18.
    Dolev, D., Yao, A.C.: On the security of public key protocols. Tech. rep., Stanford, CA, USA (1981)Google Scholar
  19. 19.
    Facebook. Facebook connect, http://goo.gl/ZUyBXF
  20. 20.
    Gro, T.: Security Analysis of the SAML Single Sign-on Browser/Artifact Profile. In: ACSAC (2003)Google Scholar
  21. 21.
    Hanna, S., Shin, R., Akhawe, D., Saxena, P., Boehm, A., Song, D.: The emperor’s new APIs: On the (in)secure usage of new client-side primitives. In: W2SP (2010)Google Scholar
  22. 22.
    Hansen, S.M., Skriver, J., Nielson, H.R.: Using static analysis to validate the saml single sign-on protocol. In: WITS: The Workshop on Issues in the Theory of Security (2005)Google Scholar
  23. 23.
    Miculan, M., Urban, C.: Formal Analysis of Facebook Connect Single Sign-On Authentication Protocol. In: SOFSEM (2011)Google Scholar
  24. 24.
    Pai, S., Sharma, Y., Kumar, S., Pai, R.M., Singh, S.: Formal verification of oauth 2.0 using alloy framework. In: CSNT: The International Conference on Communication Systems and Network Technologies (2011)Google Scholar
  25. 25.
    Pfitzmann, B., Waidner, M.: Analysis of liberty single-sign-on with enabled clients. IEEE Internet Computing 7(6), 38–44 (2003)CrossRefGoogle Scholar
  26. 26.
    Singh, K., Moshchuk, A., Wang, H., Lee, W.: On the Incoherencies in Web Browser Access Control Policies. In: SP: IEEE Symposium on Security and Privacy (2010)Google Scholar
  27. 27.
    Son, S., Shmatikov, V.: The Postman Always Rings Twice: Attacking and Defending postMessage in HTML5 Websites. In: NDSS (2013)Google Scholar
  28. 28.
    Sun, S.-T., Beznosov, K.: The devil is in the (implementation) details: An empirical analysis of oauth sso systems. In: CCS (2012)Google Scholar
  29. 29.
    Sun, S.-T., Hawkey, K., Beznosov, K.: OpenIDemail enabled browser: towards fixing the broken web single sign-on triangle. In: DIM (2010)Google Scholar
  30. 30.
    Sun, S.-T., Pospisil, E., Muslukhov, I., Dindar, N., Hawkey, K., Beznosov, K.: What makes users refuse web single sign-on?: An empirical investigation of openid. In: SOUPS (2011)Google Scholar
  31. 31.
    Tassanaviboon, A., Gong, G.: Oauth and abe based authorization in semi-trusted cloud computing: aauth. In: DataCloud-SC: The International Workshop on Data Intensive Computing in the Clouds (2011)Google Scholar
  32. 32.
    Urueña, M., Muñoz, A., Larrabeiti, D.: Analysis of privacy vulnerabilities in single sign-on mechanisms for multimedia websites. Multimedia Tools and Applications (2012)Google Scholar
  33. 33.
    Wang, R., Chen, S., Wang, X.: Signing me onto your accounts through facebook and google: A traffic-guided security study of commercially deployed single-sign-on web services. In: IEEE Symposium on Security and Privacy (2012)Google Scholar
  34. 34.
    Wang, R., Zhou, Y., Chen, S., Qadeer, S., Evans, D., Gurevich, Y.: Explicating sdks: Uncovering assumptions underlying secure authentication and authorization. In: USENIX Security Symposium (2013)Google Scholar
  35. 35.
    Xing, L., Chen, Y., Wang, X., Chen, S.: InteGuard: Toward Automatic Protection of Third-party web service integrations. In: NDSS (2013)Google Scholar
  36. 36.
    Yang, E.Z., Stefan, D., Mitchell, J., Mazieres, D., Marchenko, P., Karp, B.: Toward principled browser security. In: HotOS (2013)Google Scholar

Copyright information

© Springer International Publishing Switzerland 2014

Authors and Affiliations

  • Yinzhi Cao
    • 1
  • Yan Shoshitaishvili
    • 2
  • Kevin Borgolte
    • 2
  • Christopher Kruegel
    • 2
  • Giovanni Vigna
    • 2
  • Yan Chen
    • 1
  1. 1.Northwestern UniversityUSA
  2. 2.University of CaliforniaSanta BarbaraUSA

Personalised recommendations