Smartphone-based authorization system. Advisor: Dr. Wenjun Zeng, Professor. Presenters: Yilihamujiang, Ailiyasijiang; Zhou, Guanlong. Reference: Al-Sinani, H. S. (2011). Integrating OAuth with Information Card Systems. In Proceedings of IAS '11: 7th International Conference on Information Assurance and Security, Malacca, Malaysia, 5-8 December. IEEE.
Abstract: 1. The scheme combining OAuth and the Information Card System (CardSpace) (the scheme from the mid-term presentation). 2. The drawbacks of OAuth/OpenID and the Information Card System. 3. The scheme of the smartphone-based authorization system. 4. The implementation: the Snap & Go app on the Android system. Red words are our contribution.
In the mid-term presentation: a scheme combining OAuth and the Information Card System (CardSpace) was presented.
Why does the paper try to use this scheme? To mitigate identity-oriented attacks, a number of identity systems (e.g. CardSpace, OAuth, OpenID, etc.) have been proposed. An identity provider in such systems supplies a user agent with a security token that can be consumed by a relying party. Whilst one RP might support an Information Card system, another might only support OAuth. To make these systems available to the largest possible group of users, interoperability between such systems is needed.
How CardSpace w/ OAuth works (diagram; parties: Relying Party, Identity Provider, OAuthCard): 1. Access resource. 2. Policy: I would like a SAML 1.1 token, containing First Name, Surname, issued by *any*. 3. UI filters cards that can satisfy the policy. 4. User picks a card. 5. Token is requested. 6. Token is created. 7. Token is presented. (Diagram annotations: copied; check; hold & modified; hold & modified.)
How OAuth works? (diagram; parties: User, Relying Party, Identity Provider): Sign in; Token Request (modified token); Token returned: Access_token, Expire_time, Refresh_token; Info Request with Access_token; User Information (RP-required user attributes). (Diagram annotations: retrieved & modified; retrieved & modified.)
The drawbacks of OAuth/OpenID and the Information Card System: 1. The Information Card System requires different extensions to be installed on different browsers.
The drawbacks of OAuth/OpenID and the Information Card System: 2. The Information Card System has been abandoned. Microsoft announced that Windows CardSpace 2.0 will not be shipped.
The drawbacks of OAuth/OpenID and the Information Card System: 3. Users still need to enter a username and password when logging in using OAuth/OpenID (on public computers, or when they are not already logged in).
Our scheme: Snap & Go. The user has some cards on their smartphone (the real information behind the cards is saved on the Identity Provider Server). The user logs in to the Snap & Go app on their smartphone. The user uses the app to shoot at the QR code on the website. The user is logged in to their account successfully.
How Snap & Go works? (diagram; parties: Relying Party, Identity Provider; the user logs in to Snap & Go using any Android device.) Policy: I would like some information, containing First Name, Surname, issued by snap&go. 1. Access resource. 2. Token is requested. 3. Access token is presented. 4. Scan the QR code on the page. 5. User picks a card. 6. Information presented.
What's on where? In the app (on the smartphone): all the cards that contain the user's information.
What's on where? On the Identity Provider Server: users' account information (username & password); all the cards that contain users' information; APIs (relying parties' information and keys); the relation between one authorized card and one relying party.
What's on where? On the Relying Party Server: the API key to connect to the Identity Provider Server (IPS); the QR-code generator; the token got from the IPS; the user's information got from the IPS.
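As an added worked example (not code from the presentation or the Snap & Go project), the following Python model simulates the flow described on the slides above: the relying party requests a token with its API key and shows it as the QR payload, the logged-in phone app reports the scanned token and the card the user picked, and the relying party redeems the token once for the policy attributes only. The class and function names, the sample RP key and cards, and the TTL values are assumptions; the model also assumes the IPS trusts the app's own login for the user id.

```python
import hmac, secrets, time

# Constructed sample data (not from the presentation): one RP API key, one user with two cards.
RP_API_KEYS = {"shop.example": "rp-api-key-0001"}
CARDS = {"alice": {"work": {"First Name": "Alice", "Surname": "Liddell", "Email": "a@work.example"},
                   "home": {"First Name": "Alice", "Surname": "L.", "Phone": "555-0100"}}}
QR_TTL, TOKEN_TTL = 120, 300  # seconds a QR code stays scannable / an authorized token stays redeemable

class IdentityProviderServer:
    """Hypothetical model of the IPS: RP API keys, cards, and card<->RP authorizations."""
    def __init__(self):
        self.tokens = {}         # token -> {rp, policy, created, user, card}
        self.authorized = set()  # (user, card, rp): which card the user released to which RP
    def _check_rp(self, rp, api_key):
        if not hmac.compare_digest(RP_API_KEYS.get(rp, ""), api_key):
            raise PermissionError("unknown RP or bad API key")
    def request_token(self, rp, api_key, policy):
        """Steps 2-3: RP asks for an access token and encodes it in the QR code it displays."""
        self._check_rp(rp, api_key)
        tok = secrets.token_urlsafe(32)  # unguessable, so a QR payload cannot be forged
        self.tokens[tok] = {"rp": rp, "policy": tuple(policy), "created": time.time(), "user": None, "card": None}
        return tok
    def scan(self, tok, user, card):
        """Steps 4-5: the logged-in phone app posts the scanned token and the card the user picked."""
        s = self.tokens.get(tok)
        if s is None or s["user"] is not None:
            raise ValueError("unknown or already-scanned QR token")  # a scanned code cannot be replayed
        if time.time() - s["created"] > QR_TTL:
            raise TimeoutError("QR code expired")
        missing = [a for a in s["policy"] if a not in CARDS[user][card]]
        if missing:
            raise ValueError(f"card lacks {missing}")  # the card must satisfy the RP's policy
        s.update(user=user, card=card, created=time.time())
        self.authorized.add((user, card, s["rp"]))
        return True
    def user_info(self, rp, api_key, tok):
        """Step 6: RP redeems the token once; only the policy attributes of the chosen card are released."""
        self._check_rp(rp, api_key)
        s = self.tokens.pop(tok, None)
        if s is None or s["rp"] != rp or s["user"] is None or time.time() - s["created"] > TOKEN_TTL:
            raise PermissionError("token not authorized for this RP")
        return {a: CARDS[s["user"]][s["card"]][a] for a in s["policy"]}

def demo_login():
    """Complete flow on the constructed data; returns what the RP receives (policy-filtered 'home' card)."""
    idp = IdentityProviderServer()
    tok = idp.request_token("shop.example", "rp-api-key-0001", ["First Name", "Surname"])
    idp.scan(tok, "alice", "home")  # the user shot the QR code from the app and picked the 'home' card
    return idp.user_info("shop.example", "rp-api-key-0001", tok)
```

Note that the RP never sees the card's extra attributes (Email, Phone) and cannot redeem the same token twice, which is the point of keeping the card data on the IPS rather than in the QR code.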
How to use Snap & Go? sng.mizzou1.com. Download the Snap n Go app from our website: sng.mizzou1.com. Install the app.
How to use Snap & Go? Register in the app and log in. The account username and password will be saved on the Identity Provider Server.
How to use Snap & Go? Choose Enter Passcode (Create New Card).
How to use Snap & Go? Enter the information and save it as a card. The information card will be saved on the server as well as on the phone.
How to use Snap & Go? We can see, edit or create cards under My Account.
How to use Snap & Go? Open a relying party website that requires login. For example:
How to use Snap & Go? Choose the Scan QRcode button.
How to use Snap & Go? Use the camera on the phone to scan the QR code on the computer screen.
How to use Snap & Go? Choose the card that you want to use.
How to use Snap & Go? Login succeeded.
How to use Snap & Go? Card information received by the Relying Party Server.
Thank You! Smartphone-based authorization system. Zhou, Guanlong: Web & Database Developer. Yilihamujiang, Ailiyasijiang: App Developer.