Electronic Identification Based on Openid Connect a Design Proposal

Electronic Identification Based on Openid Connect a Design Proposal

DEGREE PROJECT IN COMPUTER SCIENCE AND ENGINEERING, SECOND CYCLE, 30 CREDITS STOCKHOLM, SWEDEN 2017 Electronic Identification Based on OpenID Connect A Design Proposal TOM JOHANSSON KTH ROYAL INSTITUTE OF TECHNOLOGY SCHOOL OF COMPUTER SCIENCE AND COMMUNICATION Electronic Identification Based on OpenID Connect A Design Proposal TOM JOHANSSON Master in Computer Science Date: June 30, 2017 Supervisor: Sonja Buchegger Examiner: Johan Håstad Swedish title: E-legitimation baserad på OpenID Connect – Ett designförslag School of Computer Science and Communication i Abstract Electronic identification is used by an individual to prove who he or she is by electronic means and is normally used for logging in to various services. In Sweden there are a number of different solutions that are developed and provided by different parties. In order to promote and coordinate electronic identification for public services, the Swedish E-identification Board was founded in 2011. The Board has developed a technical frame- work for integration between the Relying Party and the Identity Provider based on the Security Assertion Markup Language V2.0 (SAML) standard. SAML is a quite old stan- dard that has some limitations complicating an electronic identification solution based on it. A newer competing standard is OpenID Connect, which could be a possible candidate as an alternative to SAML. The objective of this thesis is to determine to what extent it is possible to ensure confidentiality, integrity, and accountability in an electronic identi- fication based on OpenID Connect. To achieve this, a number of requirements for elec- tronic identifications were identified and a design proposal based on OpenID Connect was developed together with a proof-of-concept implementation. The design proposal was evaluated against the requirements, with the final result that an electronic identifica- tion based on OpenID Connect could meet the requirements. Sammanfattning E-legitimation används av en individ för visa vem han eller hon är på elektronisk väg och används vanligtvis för att logga in på olika tjänster. I Sverige finns ett antal olika lösningar som utvecklas och tillhandahålls av olika parter. För att främja och samordna elektronisk identifiering för offentliga tjänster grundades E-legitimationsnämnden 2011. Nämnden har tagit fram ett tekniskt ramverk för integrationen mellan Förlitande Part och Legitimeringstjänst baserad på Security Assertion Markup Language V2.0 (SAML) standarden. SAML är en relativt gammal standard med vissa begränsningar som kom- plicerar en e-legitimationslösning baserad på den. En nyare konkurrerande standard är OpenID Connect, vilket kan vara en möjlig kandidat som ett alternativ till SAML. Syftet med detta examensarbete är att undersöka i vilken utsträckning det är möjligt att säker- ställa sekretess, integritet och ansvarsskyldighet för en e-legitimation baserad på OpenID Connect. För att uppnå detta, identifierades ett antal krav för e-legitimationer och ett de- signförslag baserat på OpenID Connect utvecklades tillsammans med en proof-of-concept implementation. Designförslaget utvärderades mot kraven, med det slutliga resultatet att en e-legitimation baserad på OpenID Connect kan uppfylla kraven. Acknowledgments This thesis constitutes the final task of my Degree Programme in Computer Science and Engineering and Master’s Programme in Computer Science at KTH. Carrying out this task has been interesting, delightful, and enlightening. I would like to express my special thanks of gratitude to: Sonja Buchegger for accepting me into her group of students to supervise, steering me in the right direction, providing me with feedback, and supporting my work. Johan Håstad for being my examiner and ensuring that my thesis reached satisfactory academic level, providing me with feedback, and taking time to answer my questions. Johanna Mannung for proposing the degree project assignment, giving me the oppor- tunity to perform my thesis at the Swedish Police Authority, supervising my work, and providing both design and technical guidance. Walter Thyselius for giving me feedback, discussing alternative solutions, and providing useful advices and insights. Magnus K Karlsson for sharing his deep knowledge and explaining various concepts. Veronika Lindström for supporting me with love and care. Chloetta and Trottz for carrying me, helping me to think more clearly and be more cre- ative and productive. ii Contents 1 Introduction 1 1.1 Thesis Objective . .2 1.2 Problem Statement . .2 1.3 Delimitations . .2 1.4 Motivation . .2 1.5 Choice of Methodology . .3 2 Background 4 2.1 Requirement Levels . .4 2.2 Level of Assurance (LoA) . .4 2.3 Confidentiality, Integrity, Availability, and Accountability . .5 2.4 OpenID Connect (OIDC) . .6 2.4.1 Terminology . .6 2.4.2 Protocol Flows . .7 2.4.3 OAuth 2.0 . .9 2.4.4 JavaScript Object Notation (JSON) . .9 2.5 Cryptography . 10 2.5.1 Secure Hash Functions . 10 2.5.2 Public Key Cryptography . 10 2.5.3 Digital Signatures . 11 2.5.4 Digital Certificate . 11 2.5.5 Secure Enclave and Trusted Execution Environment . 13 2.5.6 Transport Layer Security . 13 2.6 Authentication . 13 2.6.1 Something You Know . 13 2.6.2 Something You Have . 14 2.6.3 Something You Are . 14 2.7 Security Threats . 14 2.7.1 Man-in-the-Middle . 14 2.7.2 Man-in-the-Browser . 15 2.7.3 Replay Attack . 15 2.7.4 Cut and Pasted Code Attack . 16 2.7.5 Social Engineering . 17 iii iv CONTENTS 3 Related Work 18 3.1 The Swedish E-identification . 18 3.2 Electronic Identification Solutions . 20 3.3 OAuth . 20 3.4 Research Gap . 20 4 The Design Proposal 21 4.1 System Model . 21 4.2 Problem Identification and Motivation . 22 4.3 Define the Objectives for a Solution . 22 4.4 Assumptions . 23 4.5 Overview . 23 4.5.1 OpenID Provider . 23 4.5.2 Relying Party . 24 4.5.3 eID-app . 24 4.5.4 The eID Solution Flow . 25 4.5.5 Authentication Request . 27 4.5.6 ID Token . 32 4.5.7 Authentication . 34 4.5.8 Authentication with eID Certificate . 35 4.6 Proof of Concept . 36 4.6.1 Overview . 36 4.6.2 Authentication Provider . 37 5 Evaluation 38 5.1 Confidentiality . 38 5.2 Integrity . 38 5.3 Accountability . 38 5.4 Authentication . 39 5.5 eID Certificate Revocation . 40 5.6 Model of Adversary and Potential Abuse Scenarios . 40 5.6.1 Man-in-the-Middle . 40 5.6.2 Man-in-the-Browser . 41 5.6.3 Replay Attack . 41 5.6.4 Cut and Pasted Code Attack . 42 5.6.5 Social Engineering . 42 5.6.6 Relatives and Related Persons . 42 6 Discussion 43 6.1 Confidentiality . 43 6.2 Integrity . 43 6.3 Accountability . 43 6.4 Authentication . 44 6.5 eID Certificate Revocation . 44 6.6 Model of Adversary and Potential Abuse Scenarios . 45 6.6.1 Man-in-the-Middle . 45 6.6.2 Man-in-the-Browser . 45 6.6.3 Replay Attack . 45 CONTENTS v 6.6.4 Cut and Pasted Code Attack . 45 6.6.5 Social Engineering . 46 6.6.6 Relatives and Related Persons . 46 6.7 Proof of Concept . 46 6.8 Design Choices . 46 6.9 Level of Assurance . 48 6.10 Sustainability and Ethics . 48 6.11 Societal Aspects . 48 7 Conclusions 50 8 Future Work 51 Bibliography 52 Chapter 1 Introduction This chapter introduces the thesis and presents the objective, motivation, and delimitations of the thesis. The chosen methodology will also be described. Electronic Identification (eID) is the process of utilizing a persons identification data to elec- tronically prove the identity of a person or an organization, for example when logging in to services provided by government authorities, banks etc. It can also be used to sign electronic documents. The importance of eID has increased along with the digitalization of the society and most likely the importance will continue to increase, as more services are dependent on eID. In Sweden there are a number of different solutions for eID; the most widely used is BankID [1] with over 7 million1 users [2] and 1.8 billion transactions during 2016 [3]. BankID is developed and maintained by Finansiell ID-Teknik BID AB [4],.

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    70 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us