How To Manage Your Web 2.0 Account On A Single Sign On On A Pc Or Mac Or Ipad (For A Free) On A Password Protected Computer (For Free) (For An Ipad) (Free) (Unhack)



Similar documents
Single Sign-On for the Internet: A Security Story. Eugene Tsyrklevich eugene@tsyrklevich.name Vlad Tsyrklevich vlad902@gmail.com

Computer Systems Security 2013/2014. Single Sign-On. Bruno Maia Pedro Borges

Addressing threats to real-world identity management systems

Web Based Single Sign-On and Access Control

Lecture Notes for Advanced Web Security 2015

Addressing threats to real-world identity management systems

Security and Privacy Concern for Single Sign-on Protocols

The Devil is Phishing: Rethinking Web Single Sign On Systems Security. Chuan Yue USENIX Workshop on Large Scale Exploits

OPENID AUTHENTICATION SECURITY

SPRESSO: A Secure, Privacy-Respecting Single Sign-On System for the Web

Using Foundstone CookieDigger to Analyze Web Session Management

OpenID and identity management in consumer services on the Internet

OpenLogin: PTA, SAML, and OAuth/OpenID

Cloud Computing. Chapter 5 Identity as a Service (IDaaS)

Federated Identity and Single-Sign On

seclab University of California, Santa Barbara Northwestern University! September 17th, 2014! RAID 2014 Authentication & Privacy

AccountView. Single Sign-On Guide

JVA-122. Secure Java Web Development

An Identity Management Survey. on Cloud Computing

Contemporary Web Application Attacks. Ivan Pang Senior Consultant Edvance Limited

Web Security. Crypto (SSL) Client security Server security 2 / 40. Web Security. SSL Recent Changes in TLS. Protecting the Client.

Detecting and Defending Against Security Vulnerabilities for Web 2.0 Applications

Designing federated identity management architectures for addressing the recent attacks against online financial transactions.

A Server and Browser-Transparent CSRF Defense for Web 2.0 Applications. Slides by Connor Schnaith

Egnyte Single Sign-On (SSO) Installation for OneLogin

Web Application Attacks and Countermeasures: Case Studies from Financial Systems

Case Study: SSO for All: SSOCircle Makes Single Sign-On Available to Everyone

Gateway Apps - Security Summary SECURITY SUMMARY

Yinzhi Cao, Yan Shoshitaishvili, Kevin Borgolte, Christopher Kruegel, Giovanni Vigna, and Yan Chen

Web Services and Federated Identity Management

Mobile Security. Policies, Standards, Frameworks, Guidelines

Finding and Preventing Cross- Site Request Forgery. Tom Gallagher Security Test Lead, Microsoft

Authentication. Agenda. IT Security course Lecture April 14 th Niels Christian Juul 2. April 14th, 2003

Evaluation of different Open Source Identity management Systems

Perceptive Experience Single Sign-On Solutions

Dell One Identity Cloud Access Manager How to Develop OpenID Connect Apps

The Password Problem Will Only Get Worse

Extending APS Packages with Single Sign On. Brian Spector, CEO, CertiVox / Gene Myers, VP Engineering, CertiVox

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 10 Authentication and Account Management

Network Security Essentials Chapter 5

WebCallerID: Leveraging cellular networks for Web authentication

Copyright: WhosOnLocation Limited

SESSION IDENTIFIER ARE FOR NOW, PASSWORDS ARE FOREVER

To set up Egnyte so employees can log in using SSO, follow the steps below to configure VMware Horizon and Egnyte to work with each other.

Integrating Moodle with an external tool

Negotiating Trust in Identity Metasystem

SAML-Based SSO Solution

Egnyte Single Sign-On (SSO) Configuration for Active Directory Federation Services (ADFS)

SECURITY ANALYSIS OF A SINGLE SIGN-ON MECHANISM FOR DISTRIBUTED COMPUTER NETWORKS

Application Security Testing. Generic Test Strategy

Smart OpenID: A Smart Card Based OpenID Protocol

Threat Modeling an Identity Management System for Mobile Internet

Data Breaches and Web Servers: The Giant Sucking Sound

INTEGRATION GUIDE. DIGIPASS Authentication for Salesforce using IDENTIKEY Federation Server

The increasing popularity of mobile devices is rapidly changing how and where we

Absorb Single Sign-On (SSO) V3.0

1. Introduction. 2. Web Application. 3. Components. 4. Common Vulnerabilities. 5. Improving security in Web applications

KEY DISTRIBUTION: PKI and SESSION-KEY EXCHANGE. Mihir Bellare UCSD 1

Contents. Identity Assurance (Scott Rea Dartmouth College) IdM Workshop, Brisbane Australia, August 19, 2008

TRIPwire HSIN Federation:

THE DEPUTIES ARE STILL CONFUSED RICH LUNDEEN

Identity Management with Spring Security. Dave Syer, VMware, SpringOne 2011

An Anti-Phishing mechanism for Single Sign-On based on QR-Code

Egnyte Single Sign-On (SSO) Installation for Okta

Final Project Report December 9, Cloud-based Authentication with Native Client Server Applications. Nils Dussart

Mid-Project Report August 14 th, Nils Dussart

MANAGED SECURITY TESTING

Enhanced Security for Online Banking

2012. Springer. Institutional Repository. This document is published in:

In fact, one of the biggest challenges that the evolution of the Internet is facing today, is related to the question of Identity Management [1].

Digital Identity Management

QR-SSO : Towards a QR-Code based Single Sign-On system

Logout in Single Sign-on Systems

From the Intranet to Mobile. By Divya Mehra and Stian Thorgersen

How To Use Salesforce Identity Features

An Introduction to User-Managed Access (UMA)

MCU Online and MFA (Multi Factor Authentication)

Getting Started with AD/LDAP SSO

Single Sign On (SSO) Implementation Manual. For Connect 5 & MyConnect Sites

Identity Federation Broker for Service Cloud

What is Web Security? Motivation

Dirty use of USSD codes in cellular networks

How to create a SP and a IDP which are visible across tenant space via Config files in IS

INTEGRATION GUIDE. DIGIPASS Authentication for Google Apps using IDENTIKEY Federation Server

How to Configure Outlook Client for Exchange

Web Payment Security. A discussion of methods providing secure communication on the Internet. Zhao Huang Shahid Kahn

Adobe Systems Incorporated

Transport Layer Security Protocols

Identity Management. Audun Jøsang University of Oslo. NIS 2010 Summer School. September

Safewhere*Identify 3.4. Release Notes

SSOScan: Automated Testing of Web Applications for Single Sign-On Vulnerabilities. Yuchen Zhou and David Evans Presented by Yishan

Kerberos. Guilin Wang. School of Computer Science, University of Birmingham

Easy, Trusted Online Service Access

New Brunswick Internal Services Agency. RSA Self-Service Console User Guide

EECS 588: Computer and Network Security. Introduction January 14, 2014

Basic Security Considerations for and Web Browsing

SSOScan: Automated Testing of Web Applications for Single Sign-On vulnerabilities

Reparing HTTP authentication for Web security

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

Transport Level Security

Transcription:

Single Sign-On for the Internet: A Security Story eugene@tsyrklevich.name vlad902@gmail.com BlackHat USA, Las Vegas 2007

How do you manage your 169 Web 2.0 accounts today?

Does your SSO consist of A login (e.g. johndoe) + 2 passwords (one insecure for web 2.0 sites and one secure for banking sites)?

Attack #1 a. Fail a user s login b. Observe the user try every single combination of their username and password, including the secure password..

Lesson #1 Complexity breeds insecurity

One login to rule them all a story about reducing complexity

Proves that a user owns a URL You get to choose who manages your identity e.g. http://john.doe.name/ or http://jonny.myopenid.com/

Answers the who? question (authentication) are you john.doe.name? Does NOT answer the what? (authorization) is john.doe.name allowed to access this page?

How? (demo)

That was easy!

Oh. Never mind.

Let s start at the beginning

Attack #2 Which one are you? http://nsa.gov:1/, http://nsa.gov:2/, https://192.168.1.15/internal/auth?ip=1.1.1.1 http://localhost:8080/ http://www.youtube.com/largemovie.flv http://www.tarpit.com/cgi-bin/hang.pl file:///dev/null

Lesson #2 Flexibility and security do not get along (or, why it s important to be less flexible and more paranoid)

Everybody loves crypto associate mode

Why is crypto required? to protect request & response URLs

Shared symmetric key is generated using Diffie-Hellman

Attack #3 - Diffie-Hellman is vulnerable to man-in-the-middle attacks! The spec suggests running DH over https to improve protocol security So what s the point of using DH in the first place?

Lesson #3 Home brewed crypto is a no no (or, why you should stick to https)

Where are you going?

This way! No, that way! Location: http://www.myopenid.com/server? openid.assoc_handle=%7bhmac-sha1%7d%7b4..& openid.identity=http%3a%2f%2fjohn.doe.name%2f& openid.mode=checkid_setup& openid.return_to=http%3a%2f%2www.somesite.com%2f& openid.trust_root=http%3a%2f%2www.somesite.com%2f

Attack #4a Phishing with malicious RPs

Attack #4b Phishing with malicious URL hosts

Lesson #4 Phishers 1 OpenID 0 (or, why Johnny will never learn to read URLs)

Let me in!

Once signed in, you will no longer need to re-enter your password for other OpenID enabled sites Convenient, eh?

In other words your identity provider receives and processes ALL your login requests on your behalf privacy, anyone?

Lesson #5 OpenID makes privacy difficult (or, why some paranoid users might want to use one OpenID login per site)

Not another redirect!

Attack #6 Replay attack Location: http://www.somesite.com/finish_auth.php? openid.assoc_handle=%7bhmac-ha1%7d%7b47bb..& openid.identity=http%3a%2f%2fjohn.doe.name%2f& openid.mode=id_res& openid.return_to=http%3a%2f%2www.somesite.com& openid.sig=vbuynd6n39ss8ikpkl19rt83o%2f4%3d& openid.signed=mode%2cidentity%2creturn_to& nonce=wvso75kh

Problems with Nonces a. Not part of the OpenID spec (v1) b. Do not actually protect against active attackers!

Lesson #6 Nonces are nonsense (or, why you must be drinking absolut kool-aid if you believe nonces will protect you against an active attacker)

I am secure once I am logged in though, right?

Attack #7 Cross-site request forgery <html><body> <iframe id="login" src="http://bank.com/login?openid_url=john.doe.name" width="0" height="0"></iframe> <iframe id= transfer" src="http://bank.com/transfer_money?amount=100&to=attacker" width="0" height="0"></iframe> </body></html>

Lesson #7 OpenID robs you of control (or IdP, not RP, makes the security decisions)

Is it really all that bad?! No! OpenID can make your logins far more secure than they are today!

How?! Only one service to secure so we can afford to use Client-side certificates SecurID Smartcards

Lesson #8 There is only 1 front door with OpenID (or, how I got over my privacy and learnt to love OpenID)

Lessons Learnt 1. Complexity breeds insecurity 2. Flexibility and security do not get along 3. Home brewed crypto is a no no 4. Phishers 1 OpenID 0 5. OpenID makes privacy difficult 6. Nonces are nonsense 7. OpenID robs you of control 8. There is only 1 front door with OpenID

Is OpenID doomed? Absolutely not It s a great system solving a very real problem But its security and privacy concerns need further thought

Thanks! Try it today. http://www.openid.net/ http://www.freeyourid.com/ eugene@tsyrklevich.name vlad902@gmail.com

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information