We think you have liked this presentation. If you wish to download it, please recommend it to your friends in any social system. Share buttons are a little bit lower. Thank you!
Presentation is loading. Please wait.
Published byJanice Simpson
Modified about 1 year ago
deeper Security Analysis of Web-based Identity Federation Apurva Kumar IBM Research – India
© Copyright IBM Corporation 2011 Context 2 Analyzing security of web-based ‘transaction protocols’ presents new challenges. User interacting with multiple service providers using a browser. Trust between service providers. Usage of well-known mechanisms like SSL/TLS. These protocols are characterized by: Examples include: web single sign-on, identity linking, third party delegation. In this paper, we focus on web based federation workflow used to link user accounts across domains..
© Copyright IBM Corporation 2011 Challenges 3 Support for principals without identifying keys. Support for principal without global identities Support for reasoning about user actions. Need to provide primitives for standard mechanisms like SSL/TLS. Need to support attacks specific to browser-based communication, e.g. CSRF. Techniques for analyzing cryptographic protocols need to be adapted for the web: web protocol analysis can be greatly simplified using a much more restrictive model designed for secure (SSL/TLS) communication. inducing an honest principal into unintentionally sending messages (including secrets) to a server chosen by the attacker, manipulating redirection URLs etc. Why Dolev-Yao model is not ideally suited for web protocols
© Copyright IBM Corporation 2011 Two contrasting styles 4 Advantages: Efficiently computable formulations, High abstraction level, establish what a protocol achieves. Drawbacks: Difficult to analyze protocols vulnerable to certain types of active attacks. Do not automatically generate attack traces. Inference Construction: Use inference in specialized logics to reason about belief established by a protocol. Examples: BAN logic [BAN], [AT], [GNY], [AUTLOG], [SETHEO],[EVES] Advantages: More rigorous and cover wider range of attacks. Generate counter- examples/attack traces. Drawbacks: State-space explosion problem. Complex intruder model. Attack Construction: Construct attacks by modeling an intruder and algebraic properties of the messages being transmitted. Use model checkers to find flaws. Examples: [DOL], [LOW], [STRAND], [AVISPA], [PROVERIF], [SCYTHER].
© Copyright IBM Corporation 2011 Motivation for Hybrid Approach 5 In the absence of identifying keys and global identities, users are identified by actions they have recently performed. Secrets are used to associate actions with users. Establishing agreement between service providers about context of the transaction. This can be achieved using a BAN style belief analysis. Ensuring that tokens identifying users cannot be stolen or misused. Model checking approaches have been extensively used to study secrecy property Establishing security of web protocols involves two key elements:
© Copyright IBM Corporation 2011 Overview of Hybrid Approach 6 In the first stage of analysis, we use an extension of BAN in which some common web mechanisms have been formalized. For the second stage, we use a generic model for web protocols using Alloy – a SAT based model analysis tool – to analyze secrecy. Conclusions from belief analysis are used to further constrain the protocol model. Results in simplifications that drastically reduce the search-space needed to be explored by the model-checker.
© Copyright IBM Corporation 2011 Overview of Hybrid Approach 7 Idealization Protocol Spec Forward chaining using BAN logic. Ignore terms that represent neither secrets nor nonces. Retain only those messages that require possession of keys that are not public. Simplified Spec General Protocol Model in Alloy Alloy model incorporating results of BAN analysis. Alloy Analyzer BAN fomulae Correspondence about session and token parameters. Counter Example Goal Spec
© Copyright IBM Corporation 2011 Inference Rules: BAN 8 8 Message Origin Nonce Verification Jurisdiction Rule Operators Believes | , Sees, |~ Says, |=> Controls
© Copyright IBM Corporation 2011 New Inference Rules 9 9 Rules to associate actions with users.
© Copyright IBM Corporation 2011 Goals for Web Protocols 10 Web protocols use tokens to communicate actions across domains. A token is associated with parameters representing the action as well as the context in which the action was performed. Agreement about token between service providers. Agreement about service provider end-points. Establishing agreement about tokens identifying actions. Establishing at a service provider that an action has been performed by an identified user. Adversary model should take into account browser-based attacks. Associating user instances with actions.
© Copyright IBM Corporation 2011 Alloy Based Web Protocol Model 11 Principals: Server and User with honest sub-classes HServer and HUser Messages: Set of cookies, set of tokens, sender, receiver, redirect URL. Protocol trace: sequence of messages. A message from an honest user to a server must include all cookies shared previously by server Constraint A Correct handling of an HTTP redirect by an honest user (Constraint B). Examples of constraints on messages and traces. A B
© Copyright IBM Corporation 2011 The Single Sign-On Workflow 12
© Copyright IBM Corporation 2011 The Account Linking Workflow 13
© Copyright IBM Corporation 2011 Attack on Account Linking Workflow 14
© Copyright IBM Corporation 2011 Conclusions 15 A novel hybrid strategy for analysis of web protocols. A framework for reasoning about user actions. Demonstration of the approach though an extremely important cross-domain ID management workflow. The issue has gone unnoticed in previous SAML analyses. Shows that definition of authentication can be considerably different when the same protocol is used for different goals. We identify insecurity in the account linking workflow.. We propose fix for the workflow and discuss implementation in leading web protocols: SAML and OpenID.
THE DEVIL IS IN THE (IMPLEMENTATION) DETAILS: AN EMPIRICAL ANALYSIS OF OAUTH SSO SYSTEMS SAN-TSAI SUN & KONSTANTIN BEZNOSOV PRESENTED BY: NAZISH KHAN COMPSCI.
BetterAuth: Web Authentication Revisited Martin Johns, Sebastian Lekies, Bastian Braun, Benjamin Flesch In ACSAC /01/08 A.C. ADL.
AUTHENTICATION AND KEY DISTRIBUTION
Modeling Insider Attacks on Group Key Exchange Protocols Jonathan Katz Ji Sun Shin University of Maryland.
Information Security of Embedded Systems : BAN-Logic Prof. Dr. Holger Schlingloff Institut für Informatik und Fraunhofer FIRST.
Key Management and Distribution Anand Seetharam CST 312.
IDENTITY MANAGEMENT Hoang Huu Hanh (PhD), OST – Hue University hanh-at-hueuni.edu.vn.
HACNet Simulation-based Validation of Security Protocols Vinay Venkataraghavan Advisors: S.Nair, P.-M. Seidel HACNet Lab Computer Science and Engineering.
User Authentication fundamental security building block basis of access control & user accountability is the process of verifying an identity claimed.
Towards a Formal Foundation of Web Security devdatta akhawe / adam barth / peifung eric lam john mitchell / dawn song.
CMSC 414 Computer and Network Security Lecture 13 Jonathan Katz.
Authentication & Kerberos
Executable specification of cryptofraglets with Maude for security verification Fabio Martinelli and Marinella Petrocchi IIT-CNR, Pisa Italy presented.
Security protocols and their verification Mark Ryan University of Birmingham Midlands Graduate School University of Birmingham April 2005 Steve Kremer.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
CMSC 414 Computer and Network Security Lecture 17 Jonathan Katz.
Correctness Proofs and Counter-model Generation with Authentication-Protocol Logic Koji Hasebe Mitsuhiro Okada Department of Philosophy, Keio University.
BAN LOGIC Amit Chetal Monica Desai November 14, 2001
By: Ansuya Chauhan.
CMSC 414 Computer (and Network) Security Lecture 16 Jonathan Katz.
Security attacks. - confidentiality: only authorized parties have read access to information - integrity: only authorized parties have write access to.
TAM STE Series 2008 © 2008 IBM Corporation WebSEAL SSO, Session 108/2008 TAM STE Series WebSEAL SSO, Session 1 Presented by: Andrew Quap.
© UCL Crypto group Sep-15 A Security Analysis of Cliques Protocols Suites Olivier Pereira – Jean-Jacques Quisquater UCL Crypto Group.
Lecture 3Dr. Verma1 COSC 6397 – Information Assurance Module M2 – Protocol Specification and Verification University of Houston Rakesh Verma Lecture 3.
Chen Advisor: Limin Jia. Whole picture Process Calculus Definition of Secrecy and Authenticity Demo Comparison Conclusion.
Alexander Potapov. Authentication definition Protocol architectures Cryptographic properties Freshness Types of attack on protocols Two-way.
SOA-39: Securing Your SOA Francois Martel Principal Solution Engineer Mitigating Security Risks of a De-coupled Infrastructure.
CMSC 414 Computer and Network Security Lecture 14 Jonathan Katz.
Network Protocols Network Systems Security Mort Anvari.
Formal Analysis of Security Protocols Dr. Changyu Dong
Security protocols Authentication protocols (this lecture) Electronic voting protocols Fair exchange protocols Digital cash protocols.
6 June Lecture 2 1 TU Dresden - Ws on Proof Theory and Computation Formal Methods for Security Protocols Catuscia Palamidessi Penn State University,
TRUST NEGOTIATION IN ONLINE BUSINESS TRANSACTIONS BY CHANDRAKANTH REDDY.
Key Management. Session and Interchange Keys Key management – distribution of cryptographic keys, mechanisms used to bind an identity to a key, and.
Security in Virtual Laboratory System Jan Meizner Supervisor: dr inż. Marian Bubak Consultancy: dr inż. Maciej Malawski Master of Science Thesis.
Analysis of Direct Anonymous Attestation (DAA) Sudip Regmi Ilya Pirkin.
NZ igovt/RealMe proposed consent service: overview Kantara eGov Working Group April 8 th 2013 CROWN COPYRIGHT © This work is licensed under the Creative.
Lecture 23 Internet Authentication Applications modified from slides of Lawrie Brown.
SSL/TLS How to send your credit card number securely over the internet.
Secure Mobile Development with NetIQ Access Manager April 2016.
Technical Security Issues in Cloud Computing By: Meiko Jensen, Jorg Schwenk, Nils Gruschka, Luigi Lo Lacono Presentation by: Winston Tong 2009 IEEE.
CSE Michigan State University Extensions of BAN by Heather Goldsby Michelle Pirtle.
D ATABASE S ECURITY Proposed by Abdulrahman Aldekhelallah University of Scranton – CS521 Spring2015.
What is EAP EAP stands for Extensible Authentication Protocol. Offers a basic framework for authentication. Many different authentication protocols can.
London e-Science Centre Imperial College London Making the Grid Pay Economic Services - Pricing and Payment William Lee.
T Network Application Frameworks and XML Service Federation Sasu Tarkoma.
© 2017 SlidePlayer.com Inc. All rights reserved.