On the Security of Single Sign-On

On the Security of Single Sign-On

On the Security of Single Sign-On Vladislav Mladenov (Place of birth: Pleven/Bulgaria) [email protected] 30th June 2017 Ruhr-University Bochum Horst G¨ortz Institute for IT-Security Chair for Network and Data Security Dissertation zur Erlangung des Grades eines Doktor-Ingenieurs der Fakult¨atf¨urElektrotechnik und Informationstechnik an der Ruhr-Universit¨atBochum First Supervisor: Prof. Dr. rer. nat. J¨org Schwenk Second Supervisor: Prof. Dr.-Ing. Felix Freiling www.nds.rub.de Abstract Single Sign-On (SSO) is a concept of delegated authentication, where an End- User authenticates only once at a central entity called Identity Provider (IdP) and afterwards logs in at multiple Service Providers (SPs) without reauthenti- cation. For this purpose, the IdP issues an authentication token, which is sent to the SP and must be verified. There exist different SSO protocols, which are implemented as open source libraries or integrated in commercial products. Google, Facebook, Microsoft and PayPal belong to the most popular SSO IdPs. This thesis provides a comprehensive security evaluation of the most popular and widely deployed SSO protocols: OpenID Connect, OpenID, and SAML. A starting point for this research is the development of a new concept called malicious IdP, where a maliciously acting IdP is used to attack SSO. Generic attack classes are developed and categorized according to the requirements, goals, and impact. These attack classes are adapted to different SSO proto- cols, which lead to the discovery of security critical vulnerabilities in Software- as-a-Service Cloud Providers, eCommerce products, web-based news portals, Content-Management systems, and open source implementations. The discov- ered flaws result in unauthorized access to End-User accounts, read access to locally stored sensitive files, as well as efficient Denial-of-Service (DoS) attacks. In this thesis, mechanisms strengthening the authentication in SSO will be described. Such mechanisms protect the authentication token during transport and mitigate its theft by relying on features of the established TLS channel between the participants, for example End-User and SP. The work described in this thesis influenced multiple SSO libraries and sys- tems on the web, which use SAML, OpenID and OpenID Connect for authenti- cation. The discovered vulnerabilities were reported to the responsible security teams, which we supported in fixing the issues. An important result of this the- sis is the change of the current OpenID Connect specification, which has been proposed as a countermeasure of the discovered attacks and adjusted in collab- oration with the OAuth and OpenID Connect working groups of the Internet Engineering Task Force (IETF). 3 Kurzfassung Single Sign-On (SSO) ist ein Konzept mit dessen Hilfe sich ein Benutzer ein- malig an einer zentralen Instanz, dem Identity Provider (IdP), anmeldet und diese Authentifikation anschließend benutzt, um sich bei weiteren Dienstleis- tern (Service Providern, SPs) anzumelden. Zu diesem Zweck erstellt der IdP ein Authentifizierungstoken, welches dann vom SP ¨uberpr¨uft und f¨ur den Lo- gin genutzt wird. Es existieren unterschiedliche SSO Protokolle, die in open source Bibliotheken und kommerziellen Produkten implementiert sind. Zu den bekanntesten SSO Anbietern in Internet geh¨oren Google, Facebook, Microsoft und PayPal. Die vorliegende Dissertation stellt eine umfassende Sicherheitsuntersuchung von verschiedenen SSO Protokollen und deren Implementierungen vor. Aus- gangsbasis f¨ur diese protokoll-¨ubergreifende Untersuchung ist die Entwicklung eines neuartigen Konzepts (malicious IdP, mIdP), das erstmals die Benutzung eines b¨osartigen IdPs f¨ur Angriffe einf¨uhrt. Der mIdP ist in der Lage, valide wie invalide Nachrichten und Authentifizierungtokens an verschiedene SPs zu senden. Darauf aufbauend werden generische Angriffsklassen entwickelt, die entsprechend ihrer Voraussetzungen und ihrer erreichten Ziele kategorisiert wer- den. Anschließend werden diese Angriffsklassen auf verschiedene SSO Pro- tokolle angewendet, was zur Entdeckung zahlreicher kritischen Schwachstellen in Software-as-a-Service Cloud Anbietern, eCommerce Produkten, web-basierten Nachrichtenportalen, Content-Management Systemen und open source Biblio- theken f¨uhrt. Die gefundenen Schwachstellen erm¨oglichen den unerlaubten Zu- gang zu fremden Accounts, das Auslesen von gesch¨utzten Ressourcen sowie das Aussetzen von Dienstanbietern mithilfe von Denial-of-Service Techniken. Um die Sicherheit von SSO Systemen zu verbessern und einen erh¨ohten Schutz gegen Angriffe zu erlangen, werden in dieser Dissertation Technologien beschrieben, die die Authentifizierungstoken w¨ahrend des Transports zus¨atzlich absichern und einen Diebstahl verhindern bzw. erkennen. Diese Technologien nutzen einen vorliegenden TLS Kanal und binden ihn kryptografisch an den Authentifizierungstoken. Die Dissertation hat die Entwicklung vieler SSO Bibliotheken und Systeme, die SAML, OpenID oder OpenID Connect einsetzen, beeinflusst. Die gefun- denen Schwachstellen wurden mit den Entwicklern kommuniziert, die bei der Behebung unterst¨utzt wurden. Ein weiteres Ergebnis dieser Arbeit ist die Anderung¨ der OpenID Connect und OAuth Spezifikation, die aufgrund zweier neu aufgedeckter Angriffe angepasst werden musste. Eine entsprechende Gegen- maßnahme wurde in Zusammenarbeit mit der OpenID Connect und OAuth Arbeitsgruppe ver¨offentlicht. 5 Contents 1 Introduction 11 1.1 Thesis Outline and Contributions . 11 1.2 Publications . 13 2 Single Sign-On – Basics 17 2.1 Single Sign-On Roles . 17 2.2 Single Sign-On in Three Phases . 18 2.2.1 Phase 1: Trust Establishment . 18 2.2.2 Phase 2: Token Generation . 20 2.2.3 Phase 3: Token Redemption . 21 2.3 Authentication Token . 21 3 Malicious IdPs in SSO 23 3.1 Are IdPs Trusted Third Parties? . 23 3.2 Malicious IdP– Advantages and Disadvantages . 25 3.3 Additional Approaches . 26 3.4 Lessons Learned . 28 4 Attacker Goals and Capabilities 31 4.1 Attacker Goals . 31 4.2 Attacker Capabilities . 31 4.3 Impact................................. 34 5 Generic Single Sign-On Attack Concepts 35 5.1 Architecture of a SSO Provider . 35 5.2 GenericAttacks............................ 37 5.2.1 Identity Attack (IA) . 37 5.2.2 Replay Attack (RA) . 38 5.2.3 Wrong Recipient (WR) . 38 5.2.4 Signature Bypass (SB) . 39 5.2.5 CovertRedirect(CR) . 39 5.2.6 Message Serialization (MS) . 39 5.3 Single-Phase Attacks vs. Cross-Phase Attacks . 43 6 Attacks on OpenID Connect 45 6.1 OpenID Connect Basics . 46 6.1.1 Core Protocol Flow . 46 6.1.2 ID Token . 48 6.1.3 Discovery and Dynamic Client Registration . 49 6.2 Single-Phase Attacks . 49 6.2.1 ID Spoofing (IDS) . 49 6.2.2 Wrong Recipient (WR) . 50 6.2.3 Replay Attack (RA) . 51 6.2.4 Signature Bypass (SB) . 51 7 6.2.5 CovertRedirect(CR) . 52 6.2.6 Sub Claim Spoofing (SCS) . 53 6.3 Cross-Phase Attacks . 54 6.3.1 Specification Flaw: IdP Confusion . 56 6.3.2 Specification Flaw: Malicious Endpoints Attacks . 57 6.3.3 Implementation Flaw: Issuer Confusion (IC) . 61 6.4 Evaluation . 62 6.4.1 Evaluation of OpenID Connect SPs . 62 6.4.2 Evaluation of OpenID Connect IdPs . 64 6.5 Automated Analysis . 65 6.5.1 Architecture . 65 6.5.2 Automated Analysis Workflow . 66 6.5.3 Limitations . 68 6.6 Summary ............................... 69 7 Attacks on OpenID 71 7.1 OpenIDBasics ............................ 72 7.1.1 Core Protocol Flow . 72 7.1.2 OpenID Token . 75 7.2 Single-Phase Attacks . 76 7.2.1 ID Spoofing (IDS) . 76 7.2.2 Key Confusion (KC) . 78 7.2.3 Token Recipient Confusion (TRC) . 79 7.2.4 Replay Attack (RA) . 80 7.2.5 XML External Entity Attack (XXEA) . 81 7.3 Cross-Phase Attacks . 81 7.3.1 Key Confusion (KC) . 81 7.4 Evaluation . 83 7.5 Automated Analysis . 86 7.6 Summary ............................... 89 8 Attacks on SAML 91 8.1 SAML Basics . 92 8.1.1 Core Protocol Flow . 92 8.1.2 SAMLResponse . 93 8.2 Single-Phase Attacks . 94 8.2.1 Token Recipient Confusion (TRC) . 94 8.2.2 Replay Attack (RA) . 95 8.2.3 Signature Exclusion (∅Sig) . 96 8.2.4 Certificate Faking (CF) . 97 8.2.5 XML Signature Wrapping (XSW) . 98 8.2.6 XML External Entity Attack (XXEA) . 99 8.2.7 XSLT Attack (XSLTA) . 100 8.2.8 AssertionConsumerServiceURL Spoofing (ACS Spoofing) 101 8.3 Cross-Phase Attacks . 101 8.3.1 Certificate Injection (CInj) . 101 8 8.4 Evaluation . 103 8.4.1 Evaluation of SAML SPs . 103 8.4.2 Evaluation of SAML IdPs . 106 8.5 Automated Analysis . 107 8.5.1 SAML Attacker . 108 8.5.2 ACS-Scanner . 108 8.6 Summary . 109 9 TLS Channel Bindings 111 9.1 Transport Layer Security Basics . 112 9.2 TLS Unique . 113 9.2.1 TLS Unique in Two-Party Authentication . 114 9.2.2 TLS Unique in Single Sign-On . 114 9.2.3 Advantages and Disadvantages . 117 9.3 Holder-of-Key . 117 9.3.1 Holder-of-Key in Two-Party Authentication . 117 9.3.2 Holder-of-Key in Single Sign-On . 118 9.3.3 Advantages and Disadvantages . 120 9.4 Summary . 121 10 Related Work 123 10.1 Single Sign-On Protocol Security . 123 10.2 Automated Penetration Testing Tools . 124 10.3 Secure Bindings . 125 11 Conclusion and Future Work 127 12 Bibliography 129 List of Figures 141 List of Tables 145 9 1 Introduction A typical Internet user has many accounts and identities. For each identity, he is typically supposed to use a strong and unique password. The management of credentials for each system can be a challenging task or lead to the usage of short and weak passwords on multiple providers. Single Sign-On (SSO) was proposed to reduce the complexity of the authentication on different indepen- dent systems. SSO is a concept to delegate the authentication of an End-User on a Service Provider (SP) to a third party – the so-called Identity Provider (IdP). In SSO, the End-User authenticates only once at the IdP to log in at SPs.

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    147 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us