
Weakest Link Attack on Single Sign-On and Its Case in SAML V2.0 Web SSO

  • Conference paper

Part of the book series: Lecture Notes in Computer Science ((LNTCS,volume 3982))

Abstract

In many of the single sign-on (SSO) specifications that support multi-tiered authentication, it is not mandatory to include the authentication context in a signed response. This can be exploited by adversaries to launch a new kind of attack specific to SSO systems. In this paper, we propose the Weakest Link Attack, a kind of parallel session attack feasible in the above setting. Our attack enables adversaries to succeed at all levels of authentication associated with the victim user by breaking only the weakest one. We present a detailed case study of our attack on web SSO as specified in the Security Assertion Markup Language (SAML) V2.0, an OASIS standard released in March 2005. We also suggest the corresponding repair at the end of the paper.
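The repair the abstract points at is a service-provider check that the authentication context it relies on is actually covered by the identity provider's signature and is at least as strong as the level it requires. The following is an added example written for this page, not code from the paper: it assumes the XML-DSig has already been cryptographically verified by a signature library, takes a local strength ordering of SAML authentication context classes as a service policy, and uses a constructed SAML 2.0 Response whose signature is reduced to its Reference element.

```python
import xml.etree.ElementTree as ET
SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"
AC = "urn:oasis:names:tc:SAML:2.0:ac:classes:"
# Assumed local ordering of authentication strength (a policy choice of the
# service provider, not something the SAML specification defines).
LEVEL = {AC + "Password": 1, AC + "PasswordProtectedTransport": 2,
         AC + "TLSClient": 3, AC + "Smartcard": 4}

def check_authn_context(response_xml, required_class):
    """Accept only if every AuthnContextClassRef sits inside an element that a
    ds:Reference URI="#id" covers and is at least as strong as required_class.
    Cryptographic checking of the signature itself is assumed to happen first."""
    root = ET.fromstring(response_xml)
    parent = {c: p for p in root.iter() for c in p}   # ElementTree has no parent links
    signed_ids = {r.get("URI")[1:] for r in root.iter(DS + "Reference")
                  if r.get("URI", "").startswith("#")}
    refs = list(root.iter(SAML + "AuthnContextClassRef"))
    if not refs:
        return False, "no authentication context in response"
    for ref in refs:
        node, covered = ref, False
        while node is not None:                        # climb to the document root
            covered = covered or node.get("ID") in signed_ids
            node = parent.get(node)
        if not covered:
            return False, "authentication context outside signed scope"
        have = LEVEL.get((ref.text or "").strip())
        if have is None or have < LEVEL[required_class]:
            return False, "authentication context weaker than required"
    return True, "ok"

# Constructed sample (the ds:Signature is reduced to its Reference and is not
# cryptographically valid): one signed assertion that carries the context.
SIGNED_OK = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1">
 <saml:Assertion ID="_a1">
  <ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo></ds:Signature>
  <saml:AuthnStatement><saml:AuthnContext>
   <saml:AuthnContextClassRef>{AC}PasswordProtectedTransport</saml:AuthnContextClassRef>
  </saml:AuthnContext></saml:AuthnStatement>
 </saml:Assertion>
</samlp:Response>"""
# Same response, but the context is moved into a second, unsigned assertion:
# the signed part (_a1) no longer says how the user authenticated.
UNSIGNED_CTX = SIGNED_OK.replace(
    "<saml:AuthnStatement>",
    '</saml:Assertion><saml:Assertion ID="_a2"><saml:AuthnStatement>')
```

A service provider that only verifies the signature and then reads whatever context it finds accepts the second response; requiring every context to lie inside the signed scope rejects it.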




© 2006 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Chan, YY. (2006). Weakest Link Attack on Single Sign-On and Its Case in SAML V2.0 Web SSO. In: Gavrilova, M., et al. Computational Science and Its Applications - ICCSA 2006. ICCSA 2006. Lecture Notes in Computer Science, vol 3982. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11751595_54


  • DOI: https://doi.org/10.1007/11751595_54

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-34075-1

  • Online ISBN: 978-3-540-34076-8

