Presentation is loading. Please wait.

Presentation is loading. Please wait.

Deeper Security Analysis of Web-based Identity Federation Apurva Kumar IBM Research – India.

Published byJanice Simpson Modified over 9 years ago

Similar presentations

Presentation on theme: "Deeper Security Analysis of Web-based Identity Federation Apurva Kumar IBM Research – India."— Presentation transcript:

1 deeper Security Analysis of Web-based Identity Federation Apurva Kumar IBM Research – India

2 © Copyright IBM Corporation 2011 Context 2 Analyzing security of web-based ‘transaction protocols’ presents new challenges. User interacting with multiple service providers using a browser. Trust between service providers. Usage of well-known mechanisms like SSL/TLS. These protocols are characterized by: Examples include: web single sign-on, identity linking, third party delegation. In this paper, we focus on web based federation workflow used to link user accounts across domains..

3 © Copyright IBM Corporation 2011 Challenges 3 Support for principals without identifying keys. Support for principal without global identities Support for reasoning about user actions. Need to provide primitives for standard mechanisms like SSL/TLS. Need to support attacks specific to browser-based communication, e.g. CSRF. Techniques for analyzing cryptographic protocols need to be adapted for the web: web protocol analysis can be greatly simplified using a much more restrictive model designed for secure (SSL/TLS) communication. inducing an honest principal into unintentionally sending messages (including secrets) to a server chosen by the attacker, manipulating redirection URLs etc. Why Dolev-Yao model is not ideally suited for web protocols

4 © Copyright IBM Corporation 2011 Two contrasting styles 4 Advantages: Efficiently computable formulations, High abstraction level, establish what a protocol achieves. Drawbacks: Difficult to analyze protocols vulnerable to certain types of active attacks. Do not automatically generate attack traces. Inference Construction: Use inference in specialized logics to reason about belief established by a protocol. Examples: BAN logic [BAN], [AT], [GNY], [AUTLOG], [SETHEO],[EVES] Advantages: More rigorous and cover wider range of attacks. Generate counter- examples/attack traces. Drawbacks: State-space explosion problem. Complex intruder model. Attack Construction: Construct attacks by modeling an intruder and algebraic properties of the messages being transmitted. Use model checkers to find flaws. Examples: [DOL], [LOW], [STRAND], [AVISPA], [PROVERIF], [SCYTHER].

5 © Copyright IBM Corporation 2011 Motivation for Hybrid Approach 5 In the absence of identifying keys and global identities, users are identified by actions they have recently performed. Secrets are used to associate actions with users. Establishing agreement between service providers about context of the transaction. This can be achieved using a BAN style belief analysis. Ensuring that tokens identifying users cannot be stolen or misused. Model checking approaches have been extensively used to study secrecy property Establishing security of web protocols involves two key elements:

6 © Copyright IBM Corporation 2011 Overview of Hybrid Approach 6 In the first stage of analysis, we use an extension of BAN in which some common web mechanisms have been formalized. For the second stage, we use a generic model for web protocols using Alloy – a SAT based model analysis tool – to analyze secrecy. Conclusions from belief analysis are used to further constrain the protocol model. Results in simplifications that drastically reduce the search-space needed to be explored by the model-checker.

7 © Copyright IBM Corporation 2011 Overview of Hybrid Approach 7 Idealization Protocol Spec Forward chaining using BAN logic. Ignore terms that represent neither secrets nor nonces. Retain only those messages that require possession of keys that are not public. Simplified Spec General Protocol Model in Alloy Alloy model incorporating results of BAN analysis. Alloy Analyzer BAN fomulae Correspondence about session and token parameters. Counter Example Goal Spec

8 © Copyright IBM Corporation 2011 Inference Rules: BAN 8 8 Message Origin Nonce Verification Jurisdiction Rule Operators Believes | , Sees, |~ Says, |=> Controls

9 © Copyright IBM Corporation 2011 New Inference Rules 9 9  Rules to associate actions with users.

10 © Copyright IBM Corporation 2011 Goals for Web Protocols 10 Web protocols use tokens to communicate actions across domains. A token is associated with parameters representing the action as well as the context in which the action was performed. Agreement about token between service providers. Agreement about service provider end-points. Establishing agreement about tokens identifying actions. Establishing at a service provider that an action has been performed by an identified user. Adversary model should take into account browser-based attacks. Associating user instances with actions.

11 © Copyright IBM Corporation 2011 Alloy Based Web Protocol Model 11 Principals: Server and User with honest sub-classes HServer and HUser Messages: Set of cookies, set of tokens, sender, receiver, redirect URL. Protocol trace: sequence of messages. A message from an honest user to a server must include all cookies shared previously by server Constraint A Correct handling of an HTTP redirect by an honest user (Constraint B). Examples of constraints on messages and traces. A B

12 © Copyright IBM Corporation 2011 The Single Sign-On Workflow 12

13 © Copyright IBM Corporation 2011 The Account Linking Workflow 13

14 © Copyright IBM Corporation 2011 Attack on Account Linking Workflow 14

15 © Copyright IBM Corporation 2011 Conclusions 15 A novel hybrid strategy for analysis of web protocols. A framework for reasoning about user actions. Demonstration of the approach though an extremely important cross-domain ID management workflow. The issue has gone unnoticed in previous SAML analyses. Shows that definition of authentication can be considerably different when the same protocol is used for different goals. We identify insecurity in the account linking workflow.. We propose fix for the workflow and discuss implementation in leading web protocols: SAML and OpenID.

Download ppt "Deeper Security Analysis of Web-based Identity Federation Apurva Kumar IBM Research – India."

Similar presentations

Security attacks. - confidentiality: only authorized parties have read access to information - integrity: only authorized parties have write access to.

Security attacks. - confidentiality: only authorized parties have read access to information - integrity: only authorized parties have write access to.
AUTHENTICATION AND KEY DISTRIBUTION

AUTHENTICATION AND KEY DISTRIBUTION
Lecture 3Dr. Verma1 COSC 6397 – Information Assurance Module M2 – Protocol Specification and Verification University of Houston Rakesh Verma Lecture 3.

Lecture 3Dr. Verma1 COSC 6397 – Information Assurance Module M2 – Protocol Specification and Verification University of Houston Rakesh Verma Lecture 3.
Non-monotonic Properties for Proving Correctness in a Framework of Compositional Logic Koji Hasebe Mitsuhiro Okada (Dept. of Philosophy, Keio University)

Non-monotonic Properties for Proving Correctness in a Framework of Compositional Logic Koji Hasebe Mitsuhiro Okada (Dept. of Philosophy, Keio University)
Chen Advisor: Limin Jia.  Whole picture  Process Calculus  Definition of Secrecy and Authenticity  Demo  Comparison  Conclusion.

Chen Advisor: Limin Jia.  Whole picture  Process Calculus  Definition of Secrecy and Authenticity  Demo  Comparison  Conclusion.
Authentication & Kerberos

Authentication & Kerberos
Modeling Insider Attacks on Group Key Exchange Protocols Jonathan Katz Ji Sun Shin University of Maryland.

Modeling Insider Attacks on Group Key Exchange Protocols Jonathan Katz Ji Sun Shin University of Maryland.
CMSC 414 Computer (and Network) Security Lecture 26 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 26 Jonathan Katz.
By: Ansuya Chauhan.

By: Ansuya Chauhan.
T-110.5140 Network Application Frameworks and XML Service Federation 30.04.2007 Sasu Tarkoma.

T Network Application Frameworks and XML Service Federation Sasu Tarkoma.
1 Cryptography and Network Security Third Edition by William Stallings Lecturer: Dr. Saleem Al_Zoubi.

1 Cryptography and Network Security Third Edition by William Stallings Lecturer: Dr. Saleem Al_Zoubi.
CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.
CMSC 414 Computer (and Network) Security Lecture 16 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 16 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 16 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 16 Jonathan Katz.
EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 7 Wenbing Zhao Department of Electrical and Computer Engineering.

EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 7 Wenbing Zhao Department of Electrical and Computer Engineering.
CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.
Modelling and Analysing of Security Protocol: Lecture 1 Introductions to Modelling Protocols Tom Chothia CWI.

Modelling and Analysing of Security Protocol: Lecture 1 Introductions to Modelling Protocols Tom Chothia CWI.
CSE331: Introduction to Networks and Security Lecture 24 Fall 2002.

CSE331: Introduction to Networks and Security Lecture 24 Fall 2002.
EEC 688/788 Secure and Dependable Computing Lecture 7 Wenbing Zhao Department of Electrical and Computer Engineering Cleveland State University

EEC 688/788 Secure and Dependable Computing Lecture 7 Wenbing Zhao Department of Electrical and Computer Engineering Cleveland State University
CSE 914 - Michigan State University Extensions of BAN by Heather Goldsby Michelle Pirtle.

CSE Michigan State University Extensions of BAN by Heather Goldsby Michelle Pirtle.

Similar presentations

Ads by Google