On the Security of Single Sign-On

Vladislav Mladenov (place of birth: Pleven, Bulgaria)
30 June 2017
Ruhr-University Bochum, Horst Görtz Institute for IT-Security, Chair for Network and Data Security
Dissertation submitted for the degree of Doktor-Ingenieur at the Faculty of Electrical Engineering and Information Technology of Ruhr-University Bochum
First Supervisor: Prof. Dr. rer. nat. Jörg Schwenk
Second Supervisor: Prof. Dr.-Ing. Felix Freiling
www.nds.rub.de

Abstract

Single Sign-On (SSO) is a concept of delegated authentication: an End-User authenticates only once at a central entity called the Identity Provider (IdP) and afterwards logs in at multiple Service Providers (SPs) without reauthentication. For this purpose, the IdP issues an authentication token, which is sent to the SP and must be verified there. Different SSO protocols exist, implemented as open source libraries or integrated into commercial products. Google, Facebook, Microsoft and PayPal are among the most popular SSO IdPs. This thesis provides a comprehensive security evaluation of the most popular and widely deployed SSO protocols: OpenID Connect, OpenID, and SAML. The starting point for this research is the development of a new concept called the malicious IdP, in which an IdP acting maliciously is used to attack SSO. Generic attack classes are developed and categorised according to their requirements, goals, and impact. These attack classes are adapted to the different SSO protocols, which leads to the discovery of security-critical vulnerabilities in Software-as-a-Service cloud providers, eCommerce products, web-based news portals, content management systems, and open source implementations. The discovered flaws result in unauthorised access to End-User accounts, read access to locally stored sensitive files, and efficient Denial-of-Service (DoS) attacks.
This thesis also describes mechanisms that strengthen authentication in SSO. Such mechanisms protect the authentication token during transport and mitigate its theft by relying on features of the TLS channel already established between the participants, for example between End-User and SP. The work described here influenced multiple SSO libraries and systems on the web that use SAML, OpenID and OpenID Connect for authentication. The discovered vulnerabilities were reported to the responsible security teams, which we supported in fixing the issues. An important result of the thesis is a change to the OpenID Connect specification, proposed as a countermeasure against the discovered attacks and refined in collaboration with the IETF OAuth working group and the OpenID Connect working group.

Kurzfassung (German summary, translated)

Single Sign-On (SSO) is a concept by which a user authenticates once at a central entity, the Identity Provider (IdP), and then uses that authentication to log in at further service providers (SPs). For this purpose the IdP creates an authentication token, which the SP verifies and uses for the login. Different SSO protocols exist and are implemented in open source libraries and commercial products. Google, Facebook, Microsoft and PayPal are among the best-known SSO providers on the Internet. This dissertation presents a comprehensive security analysis of several SSO protocols and their implementations. The starting point for this cross-protocol analysis is a novel concept, the malicious IdP (mIdP), which for the first time introduces the use of a malicious IdP for attacks. The mIdP is able to send valid as well as invalid messages and authentication tokens to different SPs.

Building on this, generic attack classes are developed and categorised according to their prerequisites and the goals they achieve. These attack classes are then applied to different SSO protocols, which leads to the discovery of numerous critical vulnerabilities in Software-as-a-Service cloud providers, eCommerce products, web-based news portals, content management systems and open source libraries. The vulnerabilities found allow unauthorised access to other users' accounts, reading of protected resources, and taking service providers offline with Denial-of-Service techniques. To improve the security of SSO systems and obtain stronger protection against attacks, this dissertation describes technologies that additionally secure authentication tokens during transport and prevent or detect their theft. These technologies use an existing TLS channel and cryptographically bind it to the authentication token. The dissertation has influenced the development of many SSO libraries and systems that use SAML, OpenID or OpenID Connect. The vulnerabilities found were communicated to the developers, who were supported in fixing them. A further result of this work is the change to the OpenID Connect and OAuth specification, which had to be adjusted because of two newly discovered attacks. A corresponding countermeasure was published in collaboration with the OpenID Connect and OAuth working groups.

Contents

1 Introduction
  1.1 Thesis Outline and Contributions
  1.2 Publications
2 Single Sign-On – Basics
  2.1 Single Sign-On Roles
  2.2 Single Sign-On in Three Phases
    2.2.1 Phase 1: Trust Establishment
    2.2.2 Phase 2: Token Generation
    2.2.3 Phase 3: Token Redemption
  2.3 Authentication Token
3 Malicious IdPs in SSO
  3.1 Are IdPs Trusted Third Parties?
  3.2 Malicious IdP – Advantages and Disadvantages
  3.3 Additional Approaches
  3.4 Lessons Learned
4 Attacker Goals and Capabilities
  4.1 Attacker Goals
  4.2 Attacker Capabilities
  4.3 Impact
5 Generic Single Sign-On Attack Concepts
  5.1 Architecture of a SSO Provider
  5.2 Generic Attacks
    5.2.1 Identity Attack (IA)
    5.2.2 Replay Attack (RA)
    5.2.3 Wrong Recipient (WR)
    5.2.4 Signature Bypass (SB)
    5.2.5 Covert Redirect (CR)
    5.2.6 Message Serialization (MS)
  5.3 Single-Phase Attacks vs. Cross-Phase Attacks
6 Attacks on OpenID Connect
  6.1 OpenID Connect Basics
    6.1.1 Core Protocol Flow
    6.1.2 ID Token
    6.1.3 Discovery and Dynamic Client Registration
  6.2 Single-Phase Attacks
    6.2.1 ID Spoofing (IDS)
    6.2.2 Wrong Recipient (WR)
    6.2.3 Replay Attack (RA)
    6.2.4 Signature Bypass (SB)
    6.2.5 Covert Redirect (CR)
    6.2.6 Sub Claim Spoofing (SCS)
  6.3 Cross-Phase Attacks
    6.3.1 Specification Flaw: IdP Confusion
    6.3.2 Specification Flaw: Malicious Endpoints Attacks
    6.3.3 Implementation Flaw: Issuer Confusion (IC)
  6.4 Evaluation
    6.4.1 Evaluation of OpenID Connect SPs
    6.4.2 Evaluation of OpenID Connect IdPs
  6.5 Automated Analysis
    6.5.1 Architecture
    6.5.2 Automated Analysis Workflow
    6.5.3 Limitations
  6.6 Summary
7 Attacks on OpenID
  7.1 OpenID Basics
    7.1.1 Core Protocol Flow
    7.1.2 OpenID Token
  7.2 Single-Phase Attacks
    7.2.1 ID Spoofing (IDS)
    7.2.2 Key Confusion (KC)
    7.2.3 Token Recipient Confusion (TRC)
    7.2.4 Replay Attack (RA)
    7.2.5 XML External Entity Attack (XXEA)
  7.3 Cross-Phase Attacks
    7.3.1 Key Confusion (KC)
  7.4 Evaluation
  7.5 Automated Analysis
  7.6 Summary
8 Attacks on SAML
  8.1 SAML Basics
    8.1.1 Core Protocol Flow
    8.1.2 SAML Response
  8.2 Single-Phase Attacks
    8.2.1 Token Recipient Confusion (TRC)
    8.2.2 Replay Attack (RA)
    8.2.3 Signature Exclusion (∅Sig)
    8.2.4 Certificate Faking (CF)
    8.2.5 XML Signature Wrapping (XSW)
    8.2.6 XML External Entity Attack (XXEA)
    8.2.7 XSLT Attack (XSLTA)
    8.2.8 AssertionConsumerServiceURL Spoofing (ACS Spoofing)
  8.3 Cross-Phase Attacks
    8.3.1 Certificate Injection (CInj)
  8.4 Evaluation
    8.4.1 Evaluation of SAML SPs
    8.4.2 Evaluation of SAML IdPs
  8.5 Automated Analysis
    8.5.1 SAML Attacker
    8.5.2 ACS-Scanner
  8.6 Summary
9 TLS Channel Bindings
  9.1 Transport Layer Security Basics
  9.2 TLS Unique
    9.2.1 TLS Unique in Two-Party Authentication
    9.2.2 TLS Unique in Single Sign-On
    9.2.3 Advantages and Disadvantages
  9.3 Holder-of-Key
    9.3.1 Holder-of-Key in Two-Party Authentication
    9.3.2 Holder-of-Key in Single Sign-On
    9.3.3 Advantages and Disadvantages
  9.4 Summary
10 Related Work
  10.1 Single Sign-On Protocol Security
  10.2 Automated Penetration Testing Tools
  10.3 Secure Bindings
11 Conclusion and Future Work
12 Bibliography
List of Figures
List of Tables

1 Introduction

A typical Internet user has many accounts and identities, and for each of them is expected to use a strong and unique password. Managing separate credentials for every system is a challenging task and often leads to short, weak passwords being reused across multiple providers. Single Sign-On (SSO) was proposed to reduce the complexity of authenticating at different independent systems. SSO delegates the authentication of an End-User at a Service Provider (SP) to a third party, the so-called Identity Provider (IdP). In SSO, the End-User authenticates only once at the IdP to log in at SPs.
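The abstract states that the token the IdP issues "must be verified" by the SP, and the outline lists the generic attack classes that target exactly that verification step (Identity Attack / ID Spoofing, Replay, Wrong Recipient, Signature Bypass, Key Confusion and Issuer Confusion). The following added example, written for this page and not taken from the thesis, shows an SP-side ID Token verifier that enforces each of those checks, and a small driver that feeds it one honest token plus one token per attack class from a malicious IdP. It assumes, as a simplification not found in the thesis, that tokens are JWTs signed with HS256 under a per-IdP shared secret so that it runs offline with the Python standard library; real OpenID Connect IdPs publish asymmetric keys via their jwks_uri. The issuer URLs, client id, secrets and function names are all constructed for the example.

```python
# Added example for this page (not code from the thesis): an SP-side ID Token
# verifier enforcing the checks whose absence the generic attack classes exploit.
# Assumptions not taken from the thesis: JWTs signed with HS256 under a per-IdP
# shared secret (runs offline with the standard library; real OpenID Connect IdPs
# use asymmetric keys from jwks_uri); issuer URLs, client id, secrets and helper
# names are constructed.
import base64
import hashlib
import hmac
import json
import time


class TokenError(Exception):
    pass


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def mint_id_token(claims: dict, key: bytes, alg: str = "HS256") -> str:
    """Issue a token as an honest or malicious IdP would; the header is entirely
    under the issuer's control, so the verifier must not trust it."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = b"" if alg == "none" else hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def verify_id_token(token, expected_issuer, client_id, expected_nonce, keys_by_issuer, now=None):
    """Return the claims if all checks pass, else raise TokenError.
    keys_by_issuer holds the key the SP obtained for each IdP in Phase 1 (trust
    establishment); the key is chosen by the issuer the SP *expected*, never by
    anything inside the token."""
    now = time.time() if now is None else now
    try:
        h, b, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        claims = json.loads(_b64url_decode(b))
        sig = _b64url_decode(s)
    except ValueError as e:  # covers bad split, base64 and JSON errors
        raise TokenError(f"malformed token: {e}")
    # Signature Bypass: only the configured algorithm is acceptable; "none" or an
    # attacker-chosen alg is rejected before any signature logic runs.
    if header.get("alg") != "HS256":
        raise TokenError(f"unexpected alg {header.get('alg')!r}")
    # ID Spoofing / Issuer Confusion / Key Confusion: the issuer must be the IdP
    # this login started with, and the verification key is looked up by it.
    if claims.get("iss") != expected_issuer:
        raise TokenError(f"issuer {claims.get('iss')!r} != {expected_issuer!r}")
    expected_sig = hmac.new(keys_by_issuer[expected_issuer], f"{h}.{b}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, sig):
        raise TokenError("bad signature")
    # Wrong Recipient: the token must be addressed to this SP.
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if client_id not in aud:
        raise TokenError(f"audience {aud} does not include {client_id!r}")
    # Replay: the nonce ties the token to this login attempt and exp bounds it.
    if claims.get("nonce") != expected_nonce:
        raise TokenError("nonce mismatch")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise TokenError("token expired or exp missing")
    return claims


def demo():
    """Run one honest token and one token per attack class through the verifier."""
    honest, evil = "https://idp.example", "https://attacker.example"  # constructed
    keys = {honest: b"honest-idp-secret", evil: b"attacker-secret"}  # constructed
    sp, nonce, now = "sp-client-id", "n-0123", 1_700_000_000
    good = {"iss": honest, "sub": "alice", "aud": sp, "nonce": nonce, "exp": now + 300}
    results = {"valid": verify_id_token(mint_id_token(good, keys[honest]), honest, sp, nonce, keys, now)["sub"]}
    attacks = {
        "issuer_spoof": mint_id_token(good, keys[evil]),                       # mIdP claims to be the honest IdP
        "issuer_confusion": mint_id_token({**good, "iss": evil}, keys[evil]),  # valid token, but from the wrong IdP
        "alg_none": mint_id_token(good, b"", alg="none"),
        "wrong_recipient": mint_id_token({**good, "aud": "other-sp"}, keys[honest]),
        "replay": mint_id_token({**good, "nonce": "n-stale"}, keys[honest]),
        "expired": mint_id_token({**good, "exp": now - 1}, keys[honest]),
    }
    for name, tok in attacks.items():
        try:
            verify_id_token(tok, honest, sp, nonce, keys, now)
            results[name] = "ACCEPTED"
        except TokenError as e:
            results[name] = f"rejected: {e}"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:17} {outcome}")
```

The design point worth taking from the block is the order of decisions: the algorithm and the verification key are fixed by SP configuration and by the issuer the SP expected when it started the login, never by the token's own header or claims. Verifiers that instead honour the header's alg, or that look up a key by the iss claim of an unauthenticated token, are exactly the implementations the Signature Bypass, Key Confusion and Issuer Confusion classes target.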