Security of Online Social Networks




Security of Online Social Networks
Lehrstuhl IT-Sicherheitsmanagment, Universität Siegen
April 19, 2012
Lehrstuhl IT-Sicherheitsmanagment 1/36

Overview (Lesson 02)
- Authentication
- Web Login Implementation
- Common Fails
- WebID
- OpenID

Authentication

Authentication Classes
Proof of identity by:
- Knowledge (example: password)
- Ownership (example: key, key card)
- Biometric (examples: iris, fingerprint, writing dynamics)

SNS Scenario (figure: user A, the Internet, the SNS database)

Authentication Subjects
- Person
- Agent/Process
- Computer
- Service (URL)

Web Login Implementation

Overview
- Most often: username/password entered into a web form
- Common password handling problem: the same password is reused across sites
- See https://www.owasp.org

Standard Operation Procedure
1. Login form: username/password/session ID
2. GET/POST request
3. Reply contains the session ID
4. Keeping the session safe depends on your attacker model.

Attacker Models
Attacker objectives: user password, private data, manipulation, ...?
Attackers: third party (e.g. via XSS), network operators, the OSN provider, ...

Login form (HTML source):

<form accept-charset="UTF-8" action="/users/sign_in" class="user_new" id="user_new" method="post">
  <input name="utf8" type="hidden" value="&#x2713;" />
  <input name="authenticity_token" type="hidden" value="g7yev/17mkfopopb0tjfigtfckkpoe8g6g7nwbtuohc=" />
  <label for="user_username">Username</label>
  <input id="user_username" name="user[username]" placeholder="Username" size="30" tabindex="1" type="text" />
  <label for="user_password">Password</label>
  <input id="user_password" name="user[password]" placeholder="Password" size="30" tabindex="2" type="password" value="" />
  <a href="/users/password/new" id="forgot_password_link" tabindex="5">Forgot your password?</a>
  <input name="user[remember_me]" type="hidden" value="0" />
  <input id="user_remember_me" name="user[remember_me]" tabindex="3" type="checkbox" value="1" />
  <label for="user_remember_me">Remember me</label>
  <input id="user_submit" name="commit" tabindex="4" type="submit" value="Sign in" />
  <a href="/users/sign_up">Sign up</a>
</form>

Facebook Login

Facebook Login Messages (figure)

Facebook Login Request

POST /login.php?login_attempt=1 HTTP/1.1
Host: www.facebook.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:11.0) Gecko/20100101 Firefox/11.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer: http://www.facebook.com/?_fb_noscript=1
Cookie: datr=wfgotzek_UszlQ4Z5peB3Bgm; lsd=avp23rda; reg_fb_gate=http%3a%2f%2fwww.facebook.com%2f; reg_fb_ref=http%3a%2f%2fwww.facebook.com%2f; noscript=1
Content-Type: application/x-www-form-urlencoded
Content-Length: 219

lsd=avp23rda&email=keit2h.bbnoprsx%40safetymail.info&pass=xxxxxxxxxxxx&default_persistent=0&charset_test=%e2%82%ac%2c%c2%b4%2c%e2%82%ac%2c%c2%b4%2c%e6%b0%b4%2c%d0%94%2c%d0%84&timezone=&lgnrnd=095243_8Jab&lgnjs=n&locale=en_US

Facebook Login Response (long lines are truncated as on the slide)

HTTP/1.1 200 OK
Cache-Control: private, no-cache, no-store, must-revalidate
Expires: Sat, 01 Jan 2000 00:00:00 GMT
P3P: CP="Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p"
Pragma: no-cache
X-Content-Security-Policy-Report-Only: allow *; script-src https://*.facebook.com http://
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Set-Cookie: datr=wfgotzek_UszlQ4Z5peB3Bgm; expires=Fri, 18-Apr-2014 16:53:29 GMT; path=/
Set-Cookie: reg_ext_ref=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; domain=.
Set-Cookie: reg_fb_ref=https%3a%2f%2fwww.facebook.com%2flogin.php%3flogin_attempt%3d1; p
Content-Type: text/html; charset=utf-8
X-FB-Debug: fbycu8si/QaovM9ChJi/iUkicUKTvdf0AomcVOE4Eqw=
X-Cnection: close
Date: Wed, 18 Apr 2012 16:53:30 GMT
Content-Length: 18820

<!DOCTYPE html>
<html lang="en" id="facebook" class="no_js">
<head><meta charset="utf-8" /><script>function envFlush(a){function b(c){for(var d in a)

Common Fails

Insecure Transfer
- Not using TLS, or dropping TLS after login
- Plaintext transfer of credentials in the URL or the request body
- Session ID in the URL
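The three fails on this slide can be checked mechanically against a captured exchange. The following is an added example (not code from the lecture): it flags a session ID carried in the URL, credentials or cookies sent without TLS, and Set-Cookie headers that lack the Secure or HttpOnly attribute. The request and response samples are constructed, with a placeholder host and cookie values, not the Facebook capture shown on the earlier slides; the `over_tls` flag is an assumption supplied by the caller, because the request line alone does not show whether the connection was encrypted.

```python
"""Added example: checker for the "insecure transfer" fails, run over
constructed HTTP request/response samples. Standard library only."""
from urllib.parse import urlsplit, parse_qs

# Parameter names commonly used to carry a session ID in the query string.
SESSION_PARAM_NAMES = {"sid", "sessionid", "session_id", "phpsessid", "jsessionid"}
# Form field names that typically carry a password.
CREDENTIAL_FIELDS = {"pass", "password", "passwd", "pwd"}


def _split_message(raw: str):
    """Split a raw HTTP message into (start line, [(name, value)], body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body


def check_request(raw: str, over_tls: bool) -> list:
    """Findings for one request; over_tls is whether the capture came from TLS."""
    findings = []
    request_line, headers, body = _split_message(raw)
    method, target, _ = request_line.split(" ", 2)
    query = parse_qs(urlsplit(target).query)
    if SESSION_PARAM_NAMES & set(query):
        findings.append("session ID in URL (leaks via Referer, logs, history)")
    form = parse_qs(body) if method == "POST" else {}
    if CREDENTIAL_FIELDS & set(form) and not over_tls:
        findings.append("credentials sent in plaintext request body")
    if not over_tls and any(name == "cookie" for name, _ in headers):
        findings.append("cookies sent without TLS")
    return findings


def check_response(raw: str) -> list:
    """Findings for every Set-Cookie header in a response."""
    findings = []
    _, headers, _ = _split_message(raw)
    for name, value in headers:
        if name != "set-cookie":
            continue
        cookie_name = value.split("=", 1)[0].strip()
        # Attribute names after the first ';' (expires, path, Secure, HttpOnly, ...)
        attrs = {a.strip().split("=", 1)[0].lower() for a in value.split(";")[1:]}
        if "secure" not in attrs:
            findings.append(f"cookie {cookie_name} lacks Secure (can be sent over http)")
        if "httponly" not in attrs:
            findings.append(f"cookie {cookie_name} lacks HttpOnly (readable by XSS)")
    return findings


# Constructed samples (host name and all values are placeholders).
SAMPLE_REQUEST = (
    "POST /login.php?sid=123454 HTTP/1.1\r\n"
    "Host: osn.example\r\n"
    "Cookie: datr=abc123\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "email=user%40example.org&pass=hunter2"
)
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: datr=abc123; expires=Fri, 18-Apr-2014 16:53:29 GMT; path=/\r\n"
    "Set-Cookie: sess=xyz; path=/; Secure; HttpOnly\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<!DOCTYPE html>"
)

if __name__ == "__main__":
    for finding in check_request(SAMPLE_REQUEST, over_tls=False) + check_response(SAMPLE_RESPONSE):
        print("-", finding)
```

Run over the constructed samples, the request over plain HTTP yields all three findings, the same request over TLS only the session-ID-in-URL finding, and only the `datr` cookie is reported in the response because `sess` carries both attributes.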

Security Questions
- e.g. "Your mother's maiden name"
- The worst option, since no password is involved at all; see WarGames (1983): username Falken, password Joshua
- Criticism: publicly knowable; insufficiently non-random
[Wikipedia File:Wargames.jpg]

Telltale Error Messages
- Different messages for a wrong username and for a wrong password
- Error dump contains the user list

Password Plaintext Storage
- Danger of leakage (see Facebook)
- e.g. http://www.skullsecurity.org/wiki/index.php/Passwords: Facebook, Hotmail, MySpace, Hak5, ...

Session Fixation
- The attacker fixes the session ID, e.g. via a malicious link http://bad-o.sn/?sid=123454
  1. Set up a trap session
  2. Transfer the session to the victim
  3. Session entrance: once the victim has logged in, the attacker uses the fixed ID
- Best countermeasure: change the session ID during login, or with each request [see Kolsek 2002 [1]]
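The last three fails (telltale error messages, plaintext password storage and session fixation) come together in the login step of the standard operation procedure. The following is an added example, not the lecture's code, of a minimal server-side login that avoids all three: passwords are stored as salted PBKDF2 hashes, every failure returns the same message, and a successful login discards the pre-login session ID and issues a fresh one. The user store, the session table and the `demo_session_fixation` walk-through use constructed data; the three numbered steps follow the slide above.

```python
"""Added example: a login routine that stores hashed passwords, answers
every failure with one message, and regenerates the session ID at login
so a fixed ("trap") session never becomes authenticated."""
import hashlib
import hmac
import os
import secrets

# Constructed user store: username -> (salt, PBKDF2-HMAC-SHA256 hash).
USERS = {}
# Server-side session table: session id -> session data.
SESSIONS = {}
# One message for every failure, so the response does not reveal
# whether the username exists.
LOGIN_FAILED = "Invalid username or password"


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def register(username: str, password: str) -> None:
    salt = os.urandom(16)
    USERS[username] = (salt, _hash_password(password, salt))


def new_session() -> str:
    """Create an unauthenticated session with an unguessable ID."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": None}
    return sid


def login(presented_sid: str, username: str, password: str):
    """Return (session_id, message). On success the caller must switch the
    client to the returned ID; the presented one is no longer valid."""
    record = USERS.get(username)
    if record is None:
        # Hash anyway so timing does not distinguish unknown users.
        _hash_password(password, b"\x00" * 16)
        return presented_sid, LOGIN_FAILED
    salt, stored = record
    if not hmac.compare_digest(stored, _hash_password(password, salt)):
        return presented_sid, LOGIN_FAILED
    # Countermeasure: drop the pre-login session and issue a new ID.
    SESSIONS.pop(presented_sid, None)
    sid = new_session()
    SESSIONS[sid]["user"] = username
    return sid, "OK"


def whoami(sid: str):
    """User bound to a session ID, or None if the ID is unknown/unauthenticated."""
    return SESSIONS.get(sid, {}).get("user")


def demo_session_fixation() -> dict:
    """Replay the three steps from the slide against this login routine."""
    register("alice", "correct horse battery staple")   # constructed account
    trap_sid = new_session()                              # 1. trap session
    # 2. the victim is lured to use trap_sid (e.g. ?sid=...) and logs in with it
    victim_sid, msg = login(trap_sid, "alice", "correct horse battery staple")
    # 3. the attacker tries to enter the session using the ID they fixed
    return {
        "login_message": msg,
        "attacker_sees": whoami(trap_sid),   # None: the trap ID was invalidated
        "victim_sees": whoami(victim_sid),   # "alice"
        "id_changed": victim_sid != trap_sid,
    }


if __name__ == "__main__":
    print(demo_session_fixation())
```

Without the `SESSIONS.pop` and `new_session()` pair in `login`, the attacker's `whoami(trap_sid)` would return `"alice"` after the victim logs in, which is exactly the outcome the slide warns about.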

WebID

WebID Overview
- WebID: Dan Brickley, Tim Berners-Lee (2000)
- URI-defined identity, e.g.
  http://danbri.org/foaf.rdf
  http://www.w3.org/people/berners-lee/card.rdf
  https://bblfish.net/#hjs
- HTTP + SSL + RDF (FOAF)
- WebID 1.0: Web Identification and Discovery [2]

(figure; source: http://www.w3.org/wiki/webid)

Authentication Sequence (figure; source: http://www.w3.org/wiki/foaf%2bssl)

Certificates
- Bind a name to a public key
- X.509: http://tools.ietf.org/html/rfc5280
- Formats: PEM, PKCS#7, PKCS#12

X.509 Certificate I

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 207481227 (0xc5de98b)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=DE, O=Universitaet Siegen, OU=Zentrum fuer Informations- und Medientec
        Validity
            Not Before: May 29 08:40:27 2008 GMT
            Not After : May 28 08:40:27 2013 GMT
        Subject: C=DE, O=Universitaet Siegen, OU=ZIMT, CN=xims.uni-siegen.de
        Subject Public Key Info:
            ...

X.509 Certificate II

        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:c4:c7:af:46:87:7b:90:89:76:bc:6b:45:02:52:
                    2f:8d:54:da:68:c4:49:2b:4b:57:34:e9:c8:2f:4d:
                    bc:b5:28:25:66:1c:e8:26:db:b6:7a:88:b4:4f:ac:
                    2e:f5:a5:bd:92:93:51:09:f2:7e:96:b9:76:de:d5:
                    a3:9b:e2:fb:81:46:a9:d9:3b:ac:51:40:1f:68:6a:
                    b0:36:66:32:92:1b:14:74:08:77:c4:90:4a:54:19:
                    63:57:fa:29:70:2f:a6:c0:6b:36:c6:00:eb:85:ea:
                    90:c1:a1:50:aa:33:2b:db:e4:96:26:38:c1:e8:90:
                    82:45:ea:bc:13:a4:21:3d:05:b3:be:79:8e:bb:c3:
                    5b:51:96:c3:95:61:9f:b8:9f:ea:16:41:9e:c4:d6:
                    b4:1e:43:eb:e9:ff:cc:24:88:e1:44:64:af:b0:90:
                    9b:5f:77:1b:06:59:5d:0d:9a:0d:f5:e2:a4:7b:9b:
                    b1:42:58:c9:af:a0:ee:d6:e8:56:e6:48:97:05:dd:
                    80:97:40:08:cb:5e:7d:f1:ae:d2:05:c8:a3:67:1d:
                    43:ba:d8:3e:af:aa:ed:cf:4f:11:59:3b:b4:c2:3a:
                    dc:9a:6c:3e:1b:b6:c1:cd:d6:6d:bf:2c:cd:fc:b9:
                    ea:cb:b9:ff:31:68:32:58:18:23:0e:a6:8f:6a:92:
                    72:e7
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            ...

X.509 Certificate III

        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Subject Key Identifier:
                D3:9D:F5:70:C7:E0:14:00:3A:C7:2F:2F:4E:01:AB:53:DA:1F:C0:77
            X509v3 Authority Key Identifier:
                keyid:FF:74:C2:69:3A:F0:84:9F:9C:02:93:CD:9F:9E:F7:DD:FF:01:C5:65
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:http://cdp1.pca.dfn.de/uni-siegen-ca/pub/crl/g_cacrl.crl
                Full Name:
                  URI:http://cdp2.pca.dfn.de/uni-siegen-ca/pub/crl/g_cacrl.crl
            Authority Information Access:
                CA Issuers - URI:http://cdp1.pca.dfn.de/uni-siegen-ca/pub/cacert/g_cacer
                CA Issuers - URI:http://cdp2.pca.dfn.de/uni-siegen-ca/pub/cacert/g_cacer
            ...

X.509 Certificate IV

    Signature Algorithm: sha1WithRSAEncryption
         4c:18:b0:04:2e:01:ae:67:d8:c4:79:cb:85:1b:a1:6d:ec:ff:
         ba:84:3c:e1:50:9d:95:91:b0:5e:ca:75:4c:6a:4f:69:0e:7e:
         c8:6f:eb:3e:2c:4e:e9:19:8b:35:9e:1f:19:0d:10:b4:88:a3:
         fb:8b:b4:f2:da:10:08:e0:83:4f:d8:15:90:5d:4a:b3:fd:10:
         2b:94:5b:79:61:e5:8e:d4:1d:4f:11:ac:c2:2a:44:bb:11:4e:
         2c:42:54:13:15:2a:a1:a5:bd:20:89:c4:83:8c:db:aa:66:28:
         5c:99:44:00:36:e1:1a:d9:a8:87:e8:a9:24:bc:56:39:63:0e:
         10:84:f2:03:7e:85:88:70:a1:2b:da:39:75:c5:b7:2f:3a:41:
         4f:b1:53:ba:c1:66:5c:0b:a0:5a:ff:0f:65:20:bd:b0:1f:2c:
         3d:42:ca:6a:f8:4c:73:af:20:93:98:9d:ca:a9:17:49:7a:9c:
         04:d8:5d:1e:2e:1b:36:85:f5:8f:83:a6:ab:49:ef:a5:2b:d0:
         7b:9e:80:a6:eb:87:1d:8f:16:79:d5:a2:4f:f1:e6:6e:4d:0c:
         ea:f1:a1:95:ec:db:dd:02:8e:41:14:9b:47:f6:6c:46:1a:f6:
         7b:85:9b:d6:80:0b:29:0e:54:b4:fb:e6:ab:2a:1b:09:64:aa:
         a4:44:3c:68

X.509 Certificate, PEM encoded (several Base64 lines lost their letter case in the slide transcription and are left as they appear, so this copy will not decode as-is)

-----BEGIN CERTIFICATE-----
MIIFAjCCA+qgAwIBAgIEDF3pizANBgkqhkiG9w0BAQUFADCBhDELMAkGA1UEBhMC
REUxHDAaBgNVBAoTE1VuaXZlcnNpdGFldCBTaWVnZW4xOTA3BgNVBAsTMFplbnRy
dw0gznvlcibjbmzvcm1hdglvbnmtihvuzcbnzwrpzw50zwnobm9sb2dpztecmbog
A1UEAxMTVW5pLVNpZWdlbiBDQSAtIEcwMjAeFw0wODA1MjkwODQwMjdaFw0xMzA1
MjgwODQwMjdaMFcxCzAJBgNVBAYTAkRFMRwwGgYDVQQKExNVbml2ZXJzaXRhZXQg
U2llZ2VuMQ0wCwYDVQQLEwRaSU1UMRswGQYDVQQDExJ4aW1zLnVuaS1zaWVnZW4u
ZGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDEx69Gh3uQiXa8a0UC
Ui+NVNpoxEkrS1c06cgvTby1KCVmHOgm27Z6iLRPrC71pb2Sk1EJ8n6WuXbe1aOb
4vuBRqnZO6xRQB9oarA2ZjKSGxR0CHfEkEpUGWNX+ilwL6bAazbGAOuF6pDBoVCq
Myvb5JYmOMHokIJF6rwTpCE9BbO+eY67w1tRlsOVYZ+4n+oWQZ7E1rQeQ+vp/8wk
iofezk+wkjtfdxsgwv0nmg314qr7m7fcwmmvoo7w6fbmsjcf3ycxqajlxn3xrtif
yknnhuo62d6vqu3ptxfzo7tcotyabd4btshn1m2/lm38uerluf8xadjygcmopo9q
knlnagmbaagjgggmmiibojajbgnvhrmeajaamasga1uddwqeawie8datbgnvhsue
DDAKBggrBgEFBQcDATAdBgNVHQ4EFgQU0531cMfgFAA6xy8vTgGrU9ofwHcwHwYD
VR0jBBgwFoAU/3TCaTrwhJ+cApPNn5733f8BxWUwgYsGA1UdHwSBgzCBgDA+oDyg
OoY4aHR0cDovL2NkcDEucGNhLmRmbi5kZS91bmktc2llZ2VuLWNhL3B1Yi9jcmwv
Z19jYWNybC5jcmwwPqA8oDqGOGh0dHA6Ly9jZHAyLnBjYS5kZm4uZGUvdW5pLXNp
ZWdlbi1jYS9wdWIvY3JsL2dfY2FjcmwuY3JsMIGkBggrBgEFBQcBAQSBlzCBlDBI
BggrBgEFBQcwAoY8aHR0cDovL2NkcDEucGNhLmRmbi5kZS91bmktc2llZ2VuLWNh
L3B1Yi9jYWNlcnQvZ19jYWNlcnQuY3J0MEgGCCsGAQUFBzAChjxodHRwOi8vY2Rw
Mi5wY2EuZGZuLmRlL3VuaS1zaWVnZW4tY2EvcHViL2NhY2VydC9nX2NhY2VydC5j
cnqwdqyjkozihvcnaqefbqadggebaewysaquaa5n2mr5y4ubow3s/7qepofqnzwr
sf7kduxqt2kofshv6z4stukzizwehxknelsio/ultplaeajgg0/YFZBdSrP9ECuU
W3lh5Y7UHU8RrMIqRLsRTixCVBMVKqGlvSCJxIOM26pmKFyZRAA24RrZqIfoqSS8
VjljDhCE8gN+hYhwoSvaOXXFty86QU+xU7rBZlwLoFr/D2UgvbAfLD1Cymr4THOv
IJOYncqpF0l6nATYXR4uGzaF9Y+DpqtJ76Ur0HuegKbrhx2PFnnVok/x5m5ndorx
ozxs290cjkeum0f2beya9nufm9aacykovlt75qsqgwlkqqrepgg=
-----END CERTIFICATE-----

Certificate in FOAF

<cert:key>
  <cert:RSAPublicKey>
    <cert:label>Lars Fischer</cert:label>
    <cert:modulus rdf:datatype="http://www.w3.org/2001/XMLSchema#hexBinary">
      BAAFB2E38A4E4FD49F9F0285D5929CA45EB1833607425E60CBB28AD31
    </cert:modulus>
    <cert:exponent rdf:datatype="http://www.w3.org/2001/XMLSchema#integer">
      65537
    </cert:exponent>
  </cert:RSAPublicKey>
</cert:key>

WebID Summary
- SSL-based authentication
- The browser holds the private key, so any user action can be authenticated
- Identifier: URI
- Web services to write
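The authentication sequence and the "Certificate in FOAF" slide above meet in one check on the relying party: the RSA public key from the client certificate presented in the SSL handshake must appear, as a cert:RSAPublicKey, in the FOAF profile fetched from the WebID URI named in the certificate's subjectAltName. The following is an added example of that check, not code from the lecture or from the WebID specification. It assumes the certificate has already been parsed into its SAN URIs and (modulus, exponent), and it takes the profile fetch as a function argument; `fake_fetch`, the `WEBID` URI and the profile document are constructed, with the label and the shortened modulus taken from the slide.

```python
"""Added example: the key-matching step of WebID authentication, using
ElementTree over a constructed FOAF profile in RDF/XML. The cert:
vocabulary and XSD datatypes are the ones shown on the slide."""
import xml.etree.ElementTree as ET

NS = {
    "rdf": "http://www.w3.org/1999/02/22-rdf-syntax-ns#",
    "cert": "http://www.w3.org/ns/auth/cert#",
    "foaf": "http://xmlns.com/foaf/0.1/",
}
XSD_HEX = "http://www.w3.org/2001/XMLSchema#hexBinary"
XSD_INT = "http://www.w3.org/2001/XMLSchema#integer"


def keys_in_profile(rdf_xml: str, webid: str) -> list:
    """All (modulus, exponent) pairs the profile attaches to the given WebID.
    Keys attached to other subjects in the same document are ignored, so a
    profile cannot vouch for a URI it does not describe."""
    root = ET.fromstring(rdf_xml)
    keys = []
    for person in root.iter(f"{{{NS['foaf']}}}Person"):
        if person.get(f"{{{NS['rdf']}}}about") != webid:
            continue
        for key in person.findall("cert:key/cert:RSAPublicKey", NS):
            mod = key.find("cert:modulus", NS)
            exp = key.find("cert:exponent", NS)
            if mod is None or exp is None:
                continue
            # Only the hexBinary / integer literal forms are accepted here.
            if mod.get(f"{{{NS['rdf']}}}datatype") != XSD_HEX:
                continue
            if exp.get(f"{{{NS['rdf']}}}datatype") != XSD_INT:
                continue
            keys.append((int(mod.text.strip(), 16), int(exp.text.strip())))
    return keys


def webid_authenticate(san_uris, cert_modulus: int, cert_exponent: int, fetch_profile):
    """Return the authenticated WebID URI, or None.

    san_uris: URIs from the client certificate's subjectAltName.
    fetch_profile(uri): returns the RDF/XML profile document or None (the
    real implementation would do an HTTP GET; here it is injected)."""
    for uri in san_uris:
        profile = fetch_profile(uri)
        if profile is None:
            continue
        if (cert_modulus, cert_exponent) in keys_in_profile(profile, uri):
            return uri
    return None


# Constructed test data: placeholder WebID, modulus shortened as on the slide.
MODULUS_HEX = "BAAFB2E38A4E4FD49F9F0285D5929CA45EB1833607425E60CBB28AD31"
WEBID = "https://example.org/lars#me"
PROFILE = f"""<rdf:RDF xmlns:rdf="{NS['rdf']}" xmlns:cert="{NS['cert']}" xmlns:foaf="{NS['foaf']}">
  <foaf:Person rdf:about="{WEBID}">
    <cert:key>
      <cert:RSAPublicKey>
        <cert:label>Lars Fischer</cert:label>
        <cert:modulus rdf:datatype="{XSD_HEX}">{MODULUS_HEX}</cert:modulus>
        <cert:exponent rdf:datatype="{XSD_INT}">65537</cert:exponent>
      </cert:RSAPublicKey>
    </cert:key>
  </foaf:Person>
</rdf:RDF>"""


def fake_fetch(uri):
    """Stand-in for fetching the profile over HTTP (constructed)."""
    return PROFILE if uri == WEBID else None


if __name__ == "__main__":
    n = int(MODULUS_HEX, 16)
    print(webid_authenticate([WEBID], n, 65537, fake_fetch))   # the WebID URI
    print(webid_authenticate([WEBID], n + 2, 65537, fake_fetch))  # None
```

The comparison is on integer values rather than on the hex string, so differences in case or leading zeros between the certificate's DER encoding and the profile's hexBinary literal do not cause spurious mismatches; a wrong key or a profile that does not describe the claimed URI yields `None`.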

OpenID Overview
- Federated authentication
- Standardisation: http://openid.net
- URI-based ID
- Roles: End-User, Relying Party, OpenID Provider
- The Relying Party learns attributes
- Next week

Literature

[1] M. Kolsek, "Session fixation vulnerability in web-based applications", ACROS Security, Tech. Rep., 2002. [Online]. Available: http://www.acrossecurity.com/papers/session_fixation.pdf

[2] M. Sporny, T. Inkster, H. Story, B. Harbulot, and R. Bachmann-Gmür, "WebID 1.0: Web Identification and Discovery", W3C Editor's Draft 12 December 2011, W3C Std. [Online]. Available: http://www.w3.org/2005/Incubator/webid/spec/drafts/ED-webid-20111212