OPENID AUTHENTICATION SECURITY



Similar documents
Single Sign-On for the Internet: A Security Story. Eugene Tsyrklevich eugene@tsyrklevich.name Vlad Tsyrklevich vlad902@gmail.com

Lecture Notes for Advanced Web Security 2015

Transport Layer Security Protocols

Contents. Identity Assurance (Scott Rea Dartmouth College) IdM Workshop, Brisbane Australia, August 19, 2008

Thick Client Application Security

Using Foundstone CookieDigger to Analyze Web Session Management

The Misuse of RC4 in Microsoft Word and Excel

An Overview of Communication Manager Transport and Storage Encryption Algorithms

Web Security (SSL) Tecniche di Sicurezza dei Sistemi 1

What is Web Security? Motivation

Transport Level Security

Criteria for web application security check. Version

Server Security. Contents. Is Rumpus Secure? 2. Use Care When Creating User Accounts 2. Managing Passwords 3. Watch Out For Aliases 4

Web Based Single Sign-On and Access Control

BlackBerry Enterprise Service 10. Secure Work Space for ios and Android Version: Security Note

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats

Chapter 7 Transport-Level Security

CIS 6930 Emerging Topics in Network Security. Topic 2. Network Security Primitives

Final Exam. IT 4823 Information Security Administration. Rescheduling Final Exams. Kerberos. Idea. Ticket

Computer Systems Security 2013/2014. Single Sign-On. Bruno Maia Pedro Borges

Outline. Transport Layer Security (TLS) Security Protocols (bmevihim132)

Security Engineering Part III Network Security. Security Protocols (I): SSL/TLS

Fairsail REST API: Guide for Developers

Network Security Essentials Chapter 5

Authenticity of Public Keys

You re FREE Guide SSL. (Secure Sockets Layer) webvisions

Secure Authentication and Session. State Management for Web Services

Lab Exercise SSL/TLS. Objective. Step 1: Open a Trace. Step 2: Inspect the Trace

Introduction...3 Terms in this Document...3 Conditions for Secure Operation...3 Requirements...3 Key Generation Requirements...

Axway API Gateway. Version 7.4.1

[MS-SSTP]: Secure Socket Tunneling Protocol (SSTP) Intellectual Property Rights Notice for Open Specifications Documentation

Name: 1. CSE331: Introduction to Networks and Security Fall 2003 Dec. 12, /14 2 /16 3 /16 4 /10 5 /14 6 /5 7 /5 8 /20 9 /35.

Chapter 17. Transport-Level Security

Design Notes for an Efficient Password-Authenticated Key Exchange Implementation Using Human-Memorable Passwords

Security Guide. BlackBerry Enterprise Service 12. for ios, Android, and Windows Phone. Version 12.0

CS 356 Lecture 27 Internet Security Protocols. Spring 2013

Secure Shell SSH provides support for secure remote login, secure file transfer, and secure TCP/IP and X11 forwarding. It can automatically encrypt,

Deployment Scenarios

RFG Secure FTP. Web Interface

Check list for web developers

Secure Sockets Layer (SSL ) / Transport Layer Security (TLS) Network Security Products S31213

Real-Time Communication Security: SSL/TLS. Guevara Noubir CSU610

Overview of CSS SSL. SSL Cryptography Overview CHAPTER

HTTP Reverse Proxy Scenarios

Is your data safe out there? -A white Paper on Online Security

SENSE Security overview 2014

TLS and SRTP for Skype Connect. Technical Datasheet

OAuth 2.0 Developers Guide. Ping Identity, Inc th Street, Suite 100, Denver, CO

Force.com REST API Developer's Guide

Asymetrical keys. Alices computer generates a key pair. A public key: XYZ (Used to encrypt) A secret key: ABC98765 (Used to decrypt)

Web Application Security Guidelines for Hosting Dynamic Websites on NIC Servers

Semantic based Web Application Firewall (SWAF V 1.6) Operations and User Manual. Document Version 1.0

PROCEDURE FOR UPDATING LISTS THROUGH WEB INTERFACE

Network Security. Marcus Bendtsen Institutionen för Datavetenskap (IDA) Avdelningen för Databas- och Informationsteknik (ADIT)

Three attacks in SSL protocol and their solutions

Strong and Convenient Multi-Factor Authentication on Mobile Devices

Using BroadSAFE TM Technology 07/18/05

EE 7376: Introduction to Computer Networks. Homework #3: Network Security, , Web, DNS, and Network Management. Maximum Points: 60

The Security Behind Sticky Password

Salesforce1 Mobile Security Guide

Network Security [2] Plain text Encryption algorithm Public and private key pair Cipher text Decryption algorithm. See next slide

Lab Exercise SSL/TLS. Objective. Requirements. Step 1: Capture a Trace

ENHANCED SECURITY IN SECURE SOCKET LAYER 3.0 SPECIFICATION

Multi Factor Authentication API

INTEGRATE SALESFORCE.COM SINGLE SIGN-ON WITH THIRD-PARTY SINGLE SIGN-ON USING SENTRY A GUIDE TO SUCCESSFUL USE CASE

Den Gode Webservice - Security Analysis

Configuring SSL Termination

Detecting Web Application Vulnerabilities Using Open Source Means. OWASP 3rd Free / Libre / Open Source Software (FLOSS) Conference 27/5/2008

Chapter 9 Key Management 9.1 Distribution of Public Keys Public Announcement of Public Keys Publicly Available Directory

EHR OAuth 2.0 Security

National Identity Exchange Federation (NIEF) Trustmark Signing Certificate Policy. Version 1.1. February 2, 2016

CrashPlan Security SECURITY CONTEXT TECHNOLOGY

DKIM Enabled Two Factor Authenticated Secure Mail Client

Two-Factor Authentication and Swivel

Overview of Cryptographic Tools for Data Security. Murat Kantarcioglu

Lecture 7: Transport Level Security SSL/TLS. Course Admin

Dashlane Security Whitepaper

IP-based Delivery Network via OpenVPN Provider Handbook

Dell One Identity Cloud Access Manager How to Develop OpenID Connect Apps

Architecture and Data Flow Overview. BlackBerry Enterprise Service Version: Quick Reference

Use Shrew Soft VPN Client to connect with IPSec VPN Server on RV130 and RV130W

March PGP White Paper. Transport Layer Security (TLS) & Encryption: Complementary Security Tools

Lesson 10: Attacks to the SSL Protocol

CSE598i - Web 2.0 Security OWASP Top 10: The Ten Most Critical Web Application Security Vulnerabilities

Session Hijacking Exploiting TCP, UDP and HTTP Sessions

Internet Mail Client Control Library SSL Supplement

CS 3251: Computer Networking 1 Security Protocols I

Web and Security 1 / 40

Is Drupal secure? A high-level perspective on web vulnerabilities, Drupal s solutions, and how to maintain site security

Using etoken for SSL Web Authentication. SSL V3.0 Overview

OpenHRE Security Architecture. (DRAFT v0.5)

Client Server Registration Protocol

KEY DISTRIBUTION: PKI and SESSION-KEY EXCHANGE. Mihir Bellare UCSD 1

APNIC elearning: IPSec Basics. Contact: esec03_v1.0

Skoot Secure File Transfer

Web Application Security Assessment and Vulnerability Mitigation Tests

Magento Security and Vulnerabilities. Roman Stepanov

Transcription:

OPENID AUTHENTICATION SECURITY Erik Lagercrantz and Patrik Sternudd Uppsala, May 17 2009

1 ABSTRACT This documents gives an introduction to OpenID, which is a system for centralised online authentication. In particular, we describe the protocol used for authentication. The description is followed by a discussion of its security, with focus on cryptographic soundness. Finally, we provide a short discussion on what we feel the the OpenID system is suitable for. 2 SCOPE The central question of this paper is What can we trust OpenID for? Before this question can be answered, we need to be aware that there are different trust issues that must be considered. For example: Can we trust the authentication protocol itself? Can we trust the security of the authentication server (the OpenID provider)? Can we trust the strength of the authentication methods used by the OpenID system? Do we trust the organisation in charge of the OpenID server? While all of the above questions are important when considering whether to allow OpenID or not for a particular service, this document will only focus on the authentication protocol. This is perhaps the most fundamental question, because if the protocol is insecure, all the other questions lose meaning. However, if we simply do not trust a particular provider, we can always choose another one, or set up our own. 3 INTRODUCTION TO OPENID This section contain a brief introduction to OpenID. Readers who already are familiar with the concept may skip to the next chapter. The main purpose of OpenID is to reduce the amount of usernames and passwords on the Internet (in particular on websites). Today, most sites where it is possible to publish information of any kind (e.g. blogs, blog comments, forums, etc.) or retrieve privileged services (member sites, bonus programs) requires an account. To authenticate, you have to choose a username and password combination (sometimes the username is merely an email address). The problem, of course, is that there is a multitude of such sites on the Internet. Thus, we have to remember a lot of different passwords (or more likely reuse them). The goal of OpenID is to allow individuals to have one username and password at an OpenID provider. This id is then given to the website, which delegates authentication to the OpenID server. It is important to know that OpenID only handles authentication. It does not provide authorization of any kind if that is wanted, the web site would have to match the authenticated user with an internal authorization profile. Also, OpenID does not provide the web site with information beyond the user id and authentication results. That means that the user will still have to manually provide the required personal details (such as email- or postal address) when establishing an account with a web site. There are extensions to OpenID that do provide such services, but we will not cover those in this document. A final important point is that the web site requiring authentication will never see the authentication credentials; only the OpenID server does. 4 TERMINOLOGY User Agent (UA) Relying Party (RP) OpenID Provider (OP) Assertion A client program (usually a web browser) used by the end user. A service provider (usually a web site) that needs the end user to be authenticated. The server performing authentication and storing the information required to do so. A message containing information about authentication results (positive or negative). Erik Lagercrantz & Patrik Sternudd 2009-05-17 OpenID Authentication Security Page 2 of 9

5 HOW IT WORKS The OpenID concept is based on URI:s. An OpenID-configured web site requiring a user to authenticate will ask the user to provide an URI instead of a traditional username. When the user asks to be logged in, the web site (or Relying Party in OpenID terminology) redirects the user to the OpenID provider of the supplied URI. The provider can authenticate the user in any way it wants (such as by asking for a password), and then return the user to the relying party while passing along the authentication result. 6 OPENID AUTHENTICATION The latest version of the authentication protocol is 2.0, which can be found at: http://openid.net/specs/openid-authentication-2_0.txt All communication is sent over HTTP (or HTTPS), with UTF-8 encoding. 6.1 THE PROTOCOL (SLIGHTLY SIMPLIFIED) Only the steps required for authentication are described. Thus, actions for normalising URI:s and handling extensions are omitted. 6.1.1 AUTHENTICATION ACTIONS 1. 1.UA -> RP: Present URI 2. 2.RP <-> OP: [Optional] Association (negotiate a shared key for MAC) 3. 3.RP -> UA: Redirect UA to OP 4. 4.UA -> OP: Submit credentials for authentication 5. 5.OP -> UA: Return UA to RP (sending along signed authentication results including a nonce) 6. 6.UA -> RP: Provide the authentication assertion signed by the OP 7. 7.RP <-> OP: [Optional] Ask for verification of authentication results (if step 2 was skipped) 8. 8.RP -> UA: Allow or deny access to the protected resource Erik Lagercrantz & Patrik Sternudd 2009-05-17 OpenID Authentication Security Page 3 of 9

6.1.2 AUTHENTICATION FLOWCHART The above diagram provides a slightly more detailed description of the authentication process. Note in particular the discovery phase in the beginning, in which the RP sends a request to get the resource pointed at by the URL that the user provided as its identity. The resource can be an HTML document containing a link to the actual OP service. Note that the process described in the diagram corresponds to the sequence that is used when the RP is stateful. In the stateless version, the association step is skipped, and the OP is contacted for a direct verification at the end instead. 6.1.3 SHARED KEY NEGOTIATION The shared key is used in the MAC algorithms. The purpose is to be able to sign and verify authentication assertions in subsequent messages. The specification recommends that shared key negotiation is performed if the participating parties are able to do so. This step is called association. If the parties are unable to perform key agreement, for example because the RP cannot keep state between requests, they will have to do more communication in the last step (verifying authentication). 1. 1.RP -> OP: Preferred MAC and session protection types, and other parameters Possible MAC types are HMAC-SHA1 and HMAC-SHA256. Possible session protection types are no-encryption, DH-SHA1, and DH-SHA256. No-encryption must not be used unless transport security is available (e.g. TLS). When using one of the DH (Diffie-Hellman) options, the parameters modulus, generator, and public key are included. Erik Lagercrantz & Patrik Sternudd 2009-05-17 OpenID Authentication Security Page 4 of 9

Notes: 2. OP -> RP: Session response, including Common response parameters: Association handle Session type Association type Expiration (lifetime) AND Unencrypted response parameters The MAC key OR DH response parameters The public key of the OP The MAC key, encrypted with Diffie-Hellman OR Unsuccessful response parameters Error messages and codes, indicating the problem (e.g. the OP does not support the preferred algorithms) 1. If the MAC key is protected by Diffie-Hellman, it is prepared as follows, before being sent over the network: base64(h(btwoc(g ^ (xa * xb) mod p)) XOR MAC key) g, p, xa, and xb are previously agreed DH parameters. btwoc is an integer encoding function (see Section 4.2 for more details). The following condition must hold (Section 8.4.2): The MAC key MUST be the same length as the output of H, the hash function - 160 bits (20 bytes) for DH-SHA1 or 256 bits (32 bytes) for DH-SHA256, as well as the output of the signature algorithm [..] 6.2 SECURITY MEASURES 6.2.1 NONCE USAGE An important part for protection against replay attacks is the nonce. It is described in section 10.1 of the specification. In short, it is an unique string less than 255 characters, starting with current time (formatted as per section 5.6 in RFC3339, and in UTC with no fractal seconds), followed (if necessary for uniqueness) by printable, non-whitespace characters. An example would be 2009-05-16T11:47:11ZFOO. To quote from Section 11.3 (a positive assertion is when the OP informs the RP that the authentication attempt was successful): To prevent replay attacks, the agent checking the signature keeps track of the nonce values included in positive assertions and never accepts the same value more than once for the same OP Endpoint URL. 6.2.2 SIGNED MESSAGES As previously stated, using MAC for message authentication is recommended. Furthermore, HMAC- SHA256 is preferred over HMAC-SHA1. The specification notes the importance of choosing a random key, Erik Lagercrantz & Patrik Sternudd 2009-05-17 OpenID Authentication Security Page 5 of 9

and refers to a RFC that provide guidance for secure random numbers (RFC 1750). When MAC is used, the following fields in the positive assertion must be signed: op_endpoint: - Authentication endpoint return_to: - The return address (to the RP) response_nonce: - Nonce (previously described) assoc_handle: - Session handle claimed_id and identity (if available): - The authenticated identity 6.2.3 TRANSPORT SECURITY As previously stated, if no session encryption with Diffie-Hellman is performed while negotiating the MAC key, the specification instead require that a transport encryption such as TLS or SSL is used. Erik Lagercrantz & Patrik Sternudd 2009-05-17 OpenID Authentication Security Page 6 of 9

7 DISCUSSION 7.1 POSSIBLE ATTACKS Man in the middle attacks are a real threat when the OpenID protocol is improperly used. In particular, it is trivial to control the outcome of any authentication attempt if one is able to modify the communication between the relying party and the provider without being detected. Fooling the RP into connecting to a malicious OP can be done by manipulating DNS information, the information in the discovery document, or by simply impersonating the original OP after intercepting the traffic from the RP. There is nothing in the OpenID protocol itself that prevents the RP from accepting information from such a malicious OP. The shared key that is exchanged in the association step serves only to verify that the signed authentication assertions are delivered by the OP that was first contacted, it does not enable the RP to verify that it was in fact talking to the right OP in the first place. The implications of the above is that real security can only be achieved if the RP uses some means outside of the OpenID protocol to verify the identity of the OP and the authenticity of critical messages. This can be achieved by requiring that all direct communication between the RP and the OP is protected with TLS, and that the OP has a certificate signed by a trusted party. It is sufficient to protect the direct communication (discovery, association and direct verification messages) in this manner. Other messages (e.g. authentication assertions) are sent indirectly between the OP and the RP via the UA, but critical parts of these messages are signed by the shared key to detect modifications done by the UA, and thus need not be protected with TLS. Even when not using TLS, the protocol may be considered secure enough in some cases. Once the RP has negotiated an associated with an OP, they can both store the shared key and reuse it in the future. This means that in future authentication attempts, all critical messages are signed with the MAC that was determined during association, meaning that a man in the middle attack is only possible if the MAC can be broken. It is however unclear if any existing OpenID implementations actually enforce reuse of the shared key, or if a malicious OP could get an old shared key to be discarded and generate a new one. In any case, TLS is the appropriate way to protect against man in the middle attacks, since it also protects on first contact. It goes without saying that communication between the UA and the OP should be encrypted if authentication is performed by transmitting a password. How to perform this is outside the scope of the OpenID specification, but the obvious solution is to use TLS also for this communication. If trusted certificates are used and validated this also helps to prevent phishing attacks, where a user is tricked into supplying their authentication credentials on a malicious web site. 7.2 CONCLUSION CAN WE TRUST IT? The OpenID protocol itself can be trusted provided that the MAC can be trusted, and that the communication channel can be trusted such as when using TLS as described in the previous section. However, the security ultimately depends on the authentication methods used by the provider. Some providers employ passwords while others have more advanced solutions. This is not covered by the OpenID specification. A user must also be able to trust the general security and integrity of its OpenID provider. If a provider is compromised a malicious person will able to impersonate any user of that provider on any OpenID-enabled service. For this reason, OpenID or any similar system is unlikely to be widely adopted in security-critical areas such as online banking, unless these institutions can find a way to only admit users of secure providers. One solution could be to have only a few officially trusted providers, much like the way that it works for the Swedish e-legitimation. Until then however, OpenID will remain a tool that is used when convenience is considered more important than security. Erik Lagercrantz & Patrik Sternudd 2009-05-17 OpenID Authentication Security Page 7 of 9

7.3 OTHER CONSIDERATIONS Since the Relying Party need to communicate to OpenID providers through HTTP/HTTPS, outbound firewall rules must be opened. This is a security risk in itself, especially when considering that there have been a lot of worms that specifically target web servers. Another issue that is not directly technical, but rather social, is the question who would you like to host your identity?. That company or organisation would be able to put together a pretty good picture of your online habits (which sites are you member of, how often do you log in there, at what times, etc.). This exposure could be limited by using several OpenID providers, but that sort of defeats the whole idea. Erik Lagercrantz & Patrik Sternudd 2009-05-17 OpenID Authentication Security Page 8 of 9

8 REFERENCES [RFC 1750] [RFC2104] [FIPS180-2] [RFC1750] OpenID Authentication 2.0 Final, 2007, http://openid.net/specs/openid-authentication-2_0.html (Accessed 2009-06-17) Eastlake, D., Crocker, S. and J. Schiller, Randomness Requirements for Security, RFC 1750, December 1994. Krawczyk, H., Bellare, M., and R. Canetti, HMAC: Keyed-Hashing for Message Authentication, RFC 2104. U.S. Department of Commerce and National Institute of Standards and Technology, Secure Hash Signature Standard, FIPS 180-2. Eastlake, D., Crocker, S., and J. Schiller, Randomness Recommendations for Security, RFC 1750. Erik Lagercrantz & Patrik Sternudd 2009-05-17 OpenID Authentication Security Page 9 of 9

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information