OpenID Security Analysis and Evaluationlersse-dl.ece.ubc.ca/record/248/files/248.pdf · 2013. 5....
Transcript of OpenID Security Analysis and Evaluationlersse-dl.ece.ubc.ca/record/248/files/248.pdf · 2013. 5....
![Page 1: OpenID Security Analysis and Evaluationlersse-dl.ece.ubc.ca/record/248/files/248.pdf · 2013. 5. 22. · g: DH generator I: identity url h: session handle k: session key n: nonce](https://reader035.fdocuments.in/reader035/viewer/2022081601/60ff9a96bac9905f5c0ebc4e/html5/thumbnails/1.jpg)
University of British Columbia
OpenID Security Analysis and Evaluation
San-Tsai Sun, Kirstie Hawkey, Konstantin Beznosov
Laboratory for Education and Research in Secure Systems Engineering (LERSSE)
University of British Columbia
![Page 2: OpenID Security Analysis and Evaluationlersse-dl.ece.ubc.ca/record/248/files/248.pdf · 2013. 5. 22. · g: DH generator I: identity url h: session handle k: session key n: nonce](https://reader035.fdocuments.in/reader035/viewer/2022081601/60ff9a96bac9905f5c0ebc4e/html5/thumbnails/2.jpg)
summary• CSRF attacks
– single-sign-on CSRF (force victim to login) (70%)
– account profile CSRF (50%)
– login CSRF (login as attacker) (73%)
• authentication response interception
– impersonation (67%)
– replay attack (6%)
2
![Page 3: OpenID Security Analysis and Evaluationlersse-dl.ece.ubc.ca/record/248/files/248.pdf · 2013. 5. 22. · g: DH generator I: identity url h: session handle k: session key n: nonce](https://reader035.fdocuments.in/reader035/viewer/2022081601/60ff9a96bac9905f5c0ebc4e/html5/thumbnails/3.jpg)
agenda
• background
• approach and evaluation result
• countermeasures
3
![Page 4: OpenID Security Analysis and Evaluationlersse-dl.ece.ubc.ca/record/248/files/248.pdf · 2013. 5. 22. · g: DH generator I: identity url h: session handle k: session key n: nonce](https://reader035.fdocuments.in/reader035/viewer/2022081601/60ff9a96bac9905f5c0ebc4e/html5/thumbnails/4.jpg)
OpenID
• open and user-centric Web single sign-on protocol
• OpenID Foundation (2007) [1]
• Microsoft, Google, IBM, Yahoo, VeriSign, Facebook, PayPal, PingIdentity
• over one billion OpenID enabled user accounts provided by Google, Yahoo, AOL...[1]
4[1] OpenID Foundation. http://openid.net/foundation/, 2009.
![Page 5: OpenID Security Analysis and Evaluationlersse-dl.ece.ubc.ca/record/248/files/248.pdf · 2013. 5. 22. · g: DH generator I: identity url h: session handle k: session key n: nonce](https://reader035.fdocuments.in/reader035/viewer/2022081601/60ff9a96bac9905f5c0ebc4e/html5/thumbnails/5.jpg)
Service Provider(Relying Party)
how OpenID works
5
Identity Provider
alice.myopenid.com
user name: alice.myopenid.com
password: xxxxxxxx
http://alice.myopenid.com
discover
login request
authentication
request
authentication
response
![Page 6: OpenID Security Analysis and Evaluationlersse-dl.ece.ubc.ca/record/248/files/248.pdf · 2013. 5. 22. · g: DH generator I: identity url h: session handle k: session key n: nonce](https://reader035.fdocuments.in/reader035/viewer/2022081601/60ff9a96bac9905f5c0ebc4e/html5/thumbnails/6.jpg)
agenda
• background of OpenID
• approach and evaluation results
• countermeasures
6
![Page 7: OpenID Security Analysis and Evaluationlersse-dl.ece.ubc.ca/record/248/files/248.pdf · 2013. 5. 22. · g: DH generator I: identity url h: session handle k: session key n: nonce](https://reader035.fdocuments.in/reader035/viewer/2022081601/60ff9a96bac9905f5c0ebc4e/html5/thumbnails/7.jpg)
methodology
7
OpenID Spec
Protocol Interpretation/Implementation
Protocol Modeling
sequence
diagram
known
weakness
Model Checking
Attack-VectorIdentification
RPEvaluation
attack
vectorsExploitDesign
exploits
CountermeasureDesign
Model Checking
real RPs
Countermeasure Implementation
counter
measureCountermeasure
Evaluation
RPv2
RPv1
ThreatModel
vulnerabilityevaluation
results
countermeasureevaluation
results
1. vulnerability identification
2. vulnerability evaluation
3. countermeasure evaluation
Protocol Encoding
HLPSL
Protocol EncodingA-B
notation
HLPSL
attack
traces
![Page 8: OpenID Security Analysis and Evaluationlersse-dl.ece.ubc.ca/record/248/files/248.pdf · 2013. 5. 22. · g: DH generator I: identity url h: session handle k: session key n: nonce](https://reader035.fdocuments.in/reader035/viewer/2022081601/60ff9a96bac9905f5c0ebc4e/html5/thumbnails/8.jpg)
OpenID sequence diagramBrowser IdPRPID server
fetch I
IdP
gen: b, h, kp,g,ga mod p
gb mod p, h, H(gab mod p) kcompute k
store h
user authentication (if c is missing)
user credential
check: h, cI, RP, [h], [c]
redirect to IdP: I, RP, [h]find c
verify HMACk(I,RP,h,n) if h exists
I, RP, h, n, HMACk(I,RP,h,n)
valid/invalid
or
redirect to RP: I, RP, h, n, HMACk(I,RP,h,n), c
I, RP, h, n, HMACk(I,RP,h,n)
save c
check: credential
gen: n, c,HMACk(I,RP,h,n)
login request: I (identity url)
RP: RP return_to url
IdP: IdP endpoint url
p: DH modulus
g: DH generator
I: identity url
h: session handle
k: session keyn: nonce
c: IdP cookie
IdP discovery
association
authentication request
user authentication
authentication response
signature verification
![Page 9: OpenID Security Analysis and Evaluationlersse-dl.ece.ubc.ca/record/248/files/248.pdf · 2013. 5. 22. · g: DH generator I: identity url h: session handle k: session key n: nonce](https://reader035.fdocuments.in/reader035/viewer/2022081601/60ff9a96bac9905f5c0ebc4e/html5/thumbnails/9.jpg)
IdP
known weaknessBrowser IdPRP
login request: I
gen: b, h, k
ID server
fetch I
p,g,ga mod p
gb mod p, h, H(gab mod p) kcompute k
redirect to IdP: I, RP, [h]
I, RP, [h], [c]
user authentication (if c is missing)
user credential
redirect to RP: I, RP, h, n, HMACk(I,RP,h,n), c
I, RP, h, n, HMACk(I,RP,h,n)
verify HMACk(I,RP,h,n) if h exists
I, RP, h, n, HMACk(I,RP,h,n)
valid/invalid
association
user authentication
check: h, c
save c
find c
check: credential
gen: n, c,HMACk(I,RP,h,n)
or
(login request)
(authentication request)
(authentication response)
RP: RP return_to url
IdP: IdP endpoint url
p: DH modulus
g: DH generator
I: identity url
h: session handle
k: session keyn: nonce
c: IdP cookie
![Page 10: OpenID Security Analysis and Evaluationlersse-dl.ece.ubc.ca/record/248/files/248.pdf · 2013. 5. 22. · g: DH generator I: identity url h: session handle k: session key n: nonce](https://reader035.fdocuments.in/reader035/viewer/2022081601/60ff9a96bac9905f5c0ebc4e/html5/thumbnails/10.jpg)
threat model• adversary: non-RP or IdP associated attackers
• adversary goal: unauthorized access/modification to uses’ data hosted on RP
• Web poster: post comments
• Web attacker:
– setup a malicious website
– send malicious links via spam
– deliver malicious content via Ads network
– exploit web vulnerabilities (i.e., XSS) of benign websites
• network attacker:
– setup an wireless access point
– compromise client DNS resolution10
![Page 11: OpenID Security Analysis and Evaluationlersse-dl.ece.ubc.ca/record/248/files/248.pdf · 2013. 5. 22. · g: DH generator I: identity url h: session handle k: session key n: nonce](https://reader035.fdocuments.in/reader035/viewer/2022081601/60ff9a96bac9905f5c0ebc4e/html5/thumbnails/11.jpg)
threat assumptions
• RP, IdP, user machine, and browser are not compromised
• RP, IdP are not malicious
• user credentials on IdPs are secured
• cookies in the browser are secured (integrity and confidentiality)
11
![Page 12: OpenID Security Analysis and Evaluationlersse-dl.ece.ubc.ca/record/248/files/248.pdf · 2013. 5. 22. · g: DH generator I: identity url h: session handle k: session key n: nonce](https://reader035.fdocuments.in/reader035/viewer/2022081601/60ff9a96bac9905f5c0ebc4e/html5/thumbnails/12.jpg)
non-considered threats
• availability threat
– DoS by sending massive concurrent auth requests to an IdP
– DoS by sending massive concurrent auth responses to an RP
• identity spoofing
– phishing attacks by RP
– exploits vulnerabilities on IdP
• integrity of IdP discovery process
– altering discovery information
– compromise RP DNS resolution
12
![Page 13: OpenID Security Analysis and Evaluationlersse-dl.ece.ubc.ca/record/248/files/248.pdf · 2013. 5. 22. · g: DH generator I: identity url h: session handle k: session key n: nonce](https://reader035.fdocuments.in/reader035/viewer/2022081601/60ff9a96bac9905f5c0ebc4e/html5/thumbnails/13.jpg)
found weakness
authentication response acts as an one-time access token to an RP, but
• authentication response is not bound to a specific authentication request (non-associate)
• authentication request is not bound to a specific login request
• login request is not bound to the browser session
13
![Page 14: OpenID Security Analysis and Evaluationlersse-dl.ece.ubc.ca/record/248/files/248.pdf · 2013. 5. 22. · g: DH generator I: identity url h: session handle k: session key n: nonce](https://reader035.fdocuments.in/reader035/viewer/2022081601/60ff9a96bac9905f5c0ebc4e/html5/thumbnails/14.jpg)
attack vectors• CSRF
– single sign-on (SSO) CSRF (force victim to login)
• HTTP GET Auth Request CSRF[Web poster, Web attacker]
• HTTP POST Login CSRF [Web attacker]
• HTTP GET Login CSRF [Web poster, Web attacker]
– account profile CSRF [Web poster, Web attacker]
– login CSRF (login as attacker) [Web attacker]
• authentication response interception
– impersonation [Network attacker]
– replay attack [Network attacker]
14
![Page 15: OpenID Security Analysis and Evaluationlersse-dl.ece.ubc.ca/record/248/files/248.pdf · 2013. 5. 22. · g: DH generator I: identity url h: session handle k: session key n: nonce](https://reader035.fdocuments.in/reader035/viewer/2022081601/60ff9a96bac9905f5c0ebc4e/html5/thumbnails/15.jpg)
SSO CSRF: HTTP GET Auth Request Browser IdPRPID server
I, RP, c
user credential
redirect to RP: I, RP, h, n, HMACk(I,RP,h,n)
I, RP, h, n, HMACk(I,RP,h,n)
I, RP, h, n, HMACk(I,RP,h,n)
valid/invalid
(authentication request)
check: c
gen: n, hHMACk(I,RP,h,n)
check_authentication
(authentication response)
<img
src=“idp.jsp?return_url=RP&identity=l”
style=“display:none”>
a nonce associated with
the auth request can stop
the attack
![Page 16: OpenID Security Analysis and Evaluationlersse-dl.ece.ubc.ca/record/248/files/248.pdf · 2013. 5. 22. · g: DH generator I: identity url h: session handle k: session key n: nonce](https://reader035.fdocuments.in/reader035/viewer/2022081601/60ff9a96bac9905f5c0ebc4e/html5/thumbnails/16.jpg)
IdP
SSO CSRF : HTTP POST/GET loginBrowser IdPRP
login request: I
gen: b, h, k
ID server
fetch I
p,g,ga mod p
gb mod p, h, H(gab mod p) kcompute k
redirect to IdP: I, RP, [h]
I, RP, h, c
redirect to RP: I, RP, h, n, HMACk(I,RP,h,n), c
I, RP, h, n, HMACk(I,RP,h,n)
verify HMACk(I,RP,h,n) if h exists
I, RP, h, n, HMACk(I,RP,h,n)
valid/invalid
association
(authentication request)
save c
find c
check: h,c
gen: n, HMACk(I,RP,h,n)
check_authenticationor
(authentication response)
(login request) associate the login
request with the browser
session can stop the
attack
![Page 17: OpenID Security Analysis and Evaluationlersse-dl.ece.ubc.ca/record/248/files/248.pdf · 2013. 5. 22. · g: DH generator I: identity url h: session handle k: session key n: nonce](https://reader035.fdocuments.in/reader035/viewer/2022081601/60ff9a96bac9905f5c0ebc4e/html5/thumbnails/17.jpg)
login CSRF: login as the attacker
17
RPIdP
login request
authentication
request
attacker user
name and
password
authentication
response
authentication
response
associate the
authentication response
with the browser session
can stop the attack
<img src=“auth response”
style=“display:none”>
![Page 18: OpenID Security Analysis and Evaluationlersse-dl.ece.ubc.ca/record/248/files/248.pdf · 2013. 5. 22. · g: DH generator I: identity url h: session handle k: session key n: nonce](https://reader035.fdocuments.in/reader035/viewer/2022081601/60ff9a96bac9905f5c0ebc4e/html5/thumbnails/18.jpg)
IdP
impersonation and replay attackBrowser IdPRP
login request: I
gen: b, h, k
ID server
fetch I
p,g,ga mod p
gb mod p, h, H(gab mod p) kcompute k
redirect to IdP: I, RP, [h]
I, RP, [h], [c]
user authentication (if c is missing)
user credential
redirect to RP: I, RP, h, n, HMACk(I,RP,h,n), c
I, RP, h, n, HMACk(I,RP,h,n)
verify HMACk(I,RP,h,n) if h exists
I, RP, h, n, HMACk(I,RP,h,n)
valid/invalid
association
(authentication request)
user authentication
check: h, c
save c
find c
check: credential
gen: n, c,HMACk(I,RP,h,n)
check_authenticationor
(authentication response)
(login request)
associate the
authentication response
with the browser session
can stop the attack
![Page 19: OpenID Security Analysis and Evaluationlersse-dl.ece.ubc.ca/record/248/files/248.pdf · 2013. 5. 22. · g: DH generator I: identity url h: session handle k: session key n: nonce](https://reader035.fdocuments.in/reader035/viewer/2022081601/60ff9a96bac9905f5c0ebc4e/html5/thumbnails/19.jpg)
attack summary• CSRF attacks
– single-sign-on CSRF (force victim to login) (70%)
• HTTP GET Auth Request (25%)
• HTTP POST Login (50%)
• HTTP GET Login (35%)
– account profile CSRF (50%)
– login CSRF (login as attacker) (73%)
• authentication response interception
– impersonation (67%)
– replay attack (6%)
19
![Page 20: OpenID Security Analysis and Evaluationlersse-dl.ece.ubc.ca/record/248/files/248.pdf · 2013. 5. 22. · g: DH generator I: identity url h: session handle k: session key n: nonce](https://reader035.fdocuments.in/reader035/viewer/2022081601/60ff9a96bac9905f5c0ebc4e/html5/thumbnails/20.jpg)
agenda
• background of OpenID
• approach and evaluation result
• countermeasures
20
![Page 21: OpenID Security Analysis and Evaluationlersse-dl.ece.ubc.ca/record/248/files/248.pdf · 2013. 5. 22. · g: DH generator I: identity url h: session handle k: session key n: nonce](https://reader035.fdocuments.in/reader035/viewer/2022081601/60ff9a96bac9905f5c0ebc4e/html5/thumbnails/21.jpg)
countermeasure
• when a new browser session initialized
– RP generates a nonce N = HMAC(browser session id )
– issues a new cookie CN = N
– append a parameter PN=N to the OpenID login form
• when receive a login request
– check if PN = CN and CN = HMAC(browser session id )
– initiate a new authentication request
– append a parameter RN=N to the return_to URL
• when receive an authentication response
– check if RN = CN and CN = HMAC(browser session id )
21
![Page 22: OpenID Security Analysis and Evaluationlersse-dl.ece.ubc.ca/record/248/files/248.pdf · 2013. 5. 22. · g: DH generator I: identity url h: session handle k: session key n: nonce](https://reader035.fdocuments.in/reader035/viewer/2022081601/60ff9a96bac9905f5c0ebc4e/html5/thumbnails/22.jpg)
characteristics of countermeasure
• compatible with existing OpenID
• do not require any additional storage on RP
• would not reveal browser session id
• protect from cookie overwrite
22
![Page 23: OpenID Security Analysis and Evaluationlersse-dl.ece.ubc.ca/record/248/files/248.pdf · 2013. 5. 22. · g: DH generator I: identity url h: session handle k: session key n: nonce](https://reader035.fdocuments.in/reader035/viewer/2022081601/60ff9a96bac9905f5c0ebc4e/html5/thumbnails/23.jpg)
future work
• evaluate more RPs
• apply our methodology to other Web single sign-on protocol
– Facebook connect
– Microsoft Live ID
23
![Page 24: OpenID Security Analysis and Evaluationlersse-dl.ece.ubc.ca/record/248/files/248.pdf · 2013. 5. 22. · g: DH generator I: identity url h: session handle k: session key n: nonce](https://reader035.fdocuments.in/reader035/viewer/2022081601/60ff9a96bac9905f5c0ebc4e/html5/thumbnails/24.jpg)
san-tsai sun <[email protected]>
24
University of British Columbia
OpenID Security Analysis and Evaluation
Department of Electrical and Computer Engineering
Laboratory for Education and Research in Secure Systems Engineering (LERSSE)