From Multiple Credentials to Browser-Based Single Sign-On: Are We More Secure?

  • Alessandro Armando
  • Roberto Carbone
  • Luca Compagna
  • Jorge Cuellar
  • Giancarlo Pellegrino
  • Alessandro Sorniotti
Part of the IFIP Advances in Information and Communication Technology book series (IFIPAICT, volume 354)

Abstract

Browser-based Single Sign-On (SSO) is replacing conventional solutions based on multiple, domain-specific credentials by offering an improved user experience: clients log on to their company system once and are then able to access all services offered by the company’s partners. By focusing on the emerging SAML standard, in this paper we show that the prototypical browser-based SSO use case suffers from an authentication flaw that allows a malicious service provider to hijack a client authentication attempt and force the latter to access a resource without its consent or intention. This may have serious consequences, as evidenced by a Cross-Site Scripting attack that we have identified in the SAML-based SSO for Google Apps: the attack allowed a malicious web server to impersonate a user on any Google application. We also describe solutions that can be used to mitigate and even solve the problem.

References

  1. 1.
    Armando, A., Carbone, R., Compagna, L.: LTL Model Checking for Security Protocols. Journal of Applied Non-Classical Logics, special issue on Logic and Information Security, 403–429 (2009)Google Scholar
  2. 2.
    Armando, A., Carbone, R., Compagna, L., Cuéllar, J., Tobarra, M.L.: Formal Analysis of SAML 2.0 Web Browser Single Sign-On: Breaking the SAML-based Single Sign-On for Google Apps. In: FMSE. ACM, New York (2008)Google Scholar
  3. 3.
    Barth, A., Jackson, C., Mitchell, J.C.: Robust defenses for cross-site request forgery. In: 15th ACM Conference on Computer and Communications Security (CCS 2008) (2008)Google Scholar
  4. 4.
    Bellare, M., Canetti, R., Krawczyk, H.: Keying hash functions for message authentication. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 1–15. Springer, Heidelberg (1996)Google Scholar
  5. 5.
    Google. Web-based SAML-based SSO for Google Apps (2008), http://code.google.com/apis/apps/sso/saml_reference_implementation_web.html
  6. 6.
    Groß, T.: Security analysis of the SAML Single Sign-on Browser/Artifact profile. In: Proc. 19th Annual Computer Security Applications Conference. IEEE, Los Alamitos (December 2003)Google Scholar
  7. 7.
    Groß, T., Pfitzmann, B., Sadeghi, A.-R.: Browser model for security analysis of browser-based protocols. In: di Vimercati, S.d.C., Syverson, P.F., Gollmann, D. (eds.) ESORICS 2005. LNCS, vol. 3679, pp. 489–508. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  8. 8.
    Hansen, S.M., Skriver, J., Nielson, H.R.: Using static analysis to validate the SAML single sign-on protocol. In: WITS 2005. ACM Press, New York (2005)Google Scholar
  9. 9.
    Internet2. Shibboleth Project (2007), http://shibboleth.internet2.edu/
  10. 10.
    Lowe, G.: A hierarchy of authentication specifications. In: Proc. CSFW. IEEE, Los Alamitos (1997)Google Scholar
  11. 11.
    Microsoft. Windows Live ID, https://www.passport.net/
  12. 12.
    OASIS. Identity Federation. Liberty Alliance Project (2004), http://www.projectliberty.org/resources/specifications.php
  13. 13.
    OASIS. SAML V2.0 (April 2005), http://docs.oasis-open.org/security/saml/v2.0/
  14. 14.
    OASIS. SAML V2.0 – Technical Overview (March 2007), http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=security
  15. 15.
    OpenID Foundation. OpenID Specifications (2007), http://openid.net/developers/specs/
  16. 16.
    Pfitzmann, B., Waidner, M.: Analysis of Liberty Single-Sign-on with Enabled Clients. IEEE Internet Computing 7(6) (2003)Google Scholar
  17. 17.
    Pfitzmann, B., Waidner, M.: Federated identity-management protocols. In: Christianson, B., Crispo, B., Malcolm, J.A., Roe, M. (eds.) Security Protocols 2003. LNCS, vol. 3364, pp. 153–174. Springer, Heidelberg (2005)CrossRefGoogle Scholar

Copyright information

© IFIP International Federation for Information Processing 2011

Authors and Affiliations

  • Alessandro Armando
    • 1
    • 2
  • Roberto Carbone
    • 2
  • Luca Compagna
    • 3
  • Jorge Cuellar
    • 4
  • Giancarlo Pellegrino
    • 3
  • Alessandro Sorniotti
    • 5
  1. 1.DISTUniversità degli Studi di GenovaItaly
  2. 2.Security & Trust Unit, FBKTrentoItaly
  3. 3.SAP ResearchMouginsFrance
  4. 4.Siemens AGMunichGermany
  5. 5.IBM Research ZurichRüschlikonSwitzerland

Personalised recommendations