DOI: 10.1145/2046642.2046656
research-article

The power of recognition: secure single sign-on using TLS channel bindings

Published: 21 October 2011

ABSTRACT

Today, entity authentication in the TLS protocol involves at least three complex and partly insecure systems: the Domain Name System (DNS), Public Key Infrastructures (PKI), and human users, bound together by the Same Origin Policy (SOP). To solve the security threats resulting from this construction, a new concept was introduced at CCS '07: the strong locked same origin policy (SLSOP). The basic idea behind the SLSOP is to strengthen the identification of web servers through domain names, certificates and browser security warnings by a recognition of public keys to authenticate servers. Many weaknesses of current protocols emerging from an insecure PKI or DNS can thus be handled, even without involving the user. This concept has also been adapted by the IETF in RFC 5929.

The contribution of this paper is as follows: First, we present a new SLSOP-based login protocol and use it to design a secure Single Sign-On (SSO) protocol. Second, we provide a first full proof-of-concept of such a protocol and also the first implementation of the channel binding described in RFC 5929, implementing a cross-domain SLSOP both for a new type of authentication cookies and for the HTML-based POST and Redirect bindings. Finally, we evaluate the security of this protocol and describe how our protocol copes with modern attack vectors.

References

  1. Decentralized identification. http://www.waterken.com/dev/YURL/.
  2. J. Altman, N. Williams, and L. Zhu. Channel Bindings for TLS. RFC 5929 (Proposed Standard), July 2010.
  3. M. Backes, I. Cervesato, A. D. Jaggard, A. Scedrov, and J.-K. Tsay. Cryptographically sound security proofs for basic and public-key kerberos. Cryptology ePrint Archive, Report 2006/219, 2006. http://eprint.iacr.org/.
  4. A. Barth, C. Jackson, and J. C. Mitchell. Robust defenses for cross-site request forgery. In CCS '08: Proceedings of the 15th ACM conference on Computer and communications security, pages 75--88, New York, NY, USA, 2008. ACM.
  5. A. Boldyreva and V. Kumar. Provable-security analysis of authenticated encryption in kerberos. Cryptology ePrint Archive, Report 2007/234, 2007. http://eprint.iacr.org/.
  6. S. Cantor, J. Kemp, R. Philpott, and E. Maler. Assertions and Protocol for the OASIS Security Assertion Markup Language (SAML) V2.0. OASIS Standard, 15.03.2005, 2005. http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf.
  7. B. den Boer and A. Bosselaers. Collisions for the compression function of md5. In EUROCRYPT '93: Workshop on the theory and application of cryptographic techniques on Advances in cryptology, pages 293--304, Secaucus, NJ, USA, 1994. Springer-Verlag New York, Inc.
  8. R. Dhamija, J. Tygar, and M. Hearst. Why phishing works. In Proceedings of the SIGCHI conference on Human Factors in computing systems, pages 581--590. ACM, 2006. http://graphics8.nytimes.com/images/blogs/freakonomics/pdf/Why_Phishing%_Works-1.pdf.
  9. Dobbertin. Postscript collisions for md5, 2005.
  10. H. Dobbertin. Cryptanalysis of MD5 Compress - presented at the Rumpsession of Eurocrypt '96, May 1996.
  11. S. Gajek, T. Jager, M. Manulis, and J. Schwenk. A browser-based kerberos authentication scheme. In ESORICS '08: Proceedings of the 13th European Symposium on Research in Computer Security, pages 115--129, Berlin, Heidelberg, 2008. Springer-Verlag.
  12. T. Groß. Security analysis of the SAML single sign-on browser/artifact profile. In Annual Computer Security Applications Conference. IEEE Computer Society, 2003.
  13. T. Groß and B. Pfitzmann. Saml artifact information flow revisited. Research Report RZ 3643 (99653), IBM Research, 2006. http://www.zurich.ibm.com/security/publications/2006.html.
  14. HttpOnly cookies. First implemented by Microsoft Internet Explorer developers for Internet Explorer 6 SP1, 2002.
  15. C. Jackson. Forcehttps: Protecting high-security web sites from network attacks. In Proceedings of the 17th International World Wide Web Conference, 2008.
  16. C. Jackson and A. Barth. Beware of finer-grained origins. In Web 2.0 Security and Privacy (W2SP 2008), 2008.
  17. T. Jager, F. Kohlar, S. Schage, and J. Schwenk. Generic compilers for authenticated key exchange. pages 232--249, 2010.
  18. D. Kaminski. Dns server+client cache poisoning, issues with ssl, breaking *forgot my password* systems, attacking autoupdaters and unhardened parsers, rerouting internal traffic; http://www.doxpara.com/DMK_BO2K8.ppt. -, 2008.
  19. D. Kaminsky. It's the end of the cache as we know it - black ops 2008. Black Hat Briefings, Las Vegas, Nevada, USA, July 2008.
  20. C. Karlof, U. Shankar, J. D. Tygar, and D. Wagner. Dynamic pharming attacks and locked same-origin policies for web browsers. In CCS '07: Proceedings of the 14th ACM conference on Computer and communications security, pages 58--71, New York, NY, USA, 2007. ACM.
  21. F. Kohlar, J. Schwenk, M. Jensen, and S. Gajek. Secure bindings of saml assertions to tls sessions. In ARES, pages 62--69, 2010.
  22. D. Kormann and A. Rubin. Risks of the passport single signon protocol. Computer Networks, 33(1-6):51--58, 2000.
  23. D. Kristol and L. Montulli. Http state management mechanism, Oct. 2000.
  24. A. Lenstra, X. Wang, and B. de Weger. Colliding x.509 certificates. Cryptology ePrint Archive, Report 2005/067, 2005. http://eprint.iacr.org/.
  25. A. K. Lenstra and B. de Weger. On the possibility of constructing meaningful hash collisions for public keys. pages 267--279, 2005.
  26. E. Maler, P. Mishra, and R. Philpott. Assertions and Protocol for the OASIS Security Assertion Markup Language (SAML) V1.1. OASIS Standard, 02.09.2003, 2003. http://www.oasis-open.org/committees/download.php/3406/oasis-sstc-saml-%core-1.1.pdf.
  27. M. Marlinspike. More tricks for defeating ssl in practice. Blackhat DC, 2009. https://www.blackhat.com/presentations/bh-dc-09/Marlinspike/BlackHat-DC-09-M%arlinspike-Defeating-SSL.pdf.
  28. C. Masone, K.-H. Baek, and S. Smith. Wske: Web server key enabled cookies. In S. Dietrich and R. Dhamija, editors, Financial Cryptography, volume 4886 of Lecture Notes in Computer Science, pages 294--306. Springer, 2007.
  29. D. Molnar, M. Stevens, A. Lenstra, B. de Weger, A. Sotirov, J. Appelbaum, and D. A. Osvik. MD5 considered harmful today - Creating a rogue CA Certificate. 25th Chaos Communication Congress, Berlin, Germany, 2008.
  30. B. Pfitzmann and M. Waidner. Analysis of liberty single-signon with enabled clients. IEEE Internet Computing, 7(6):38--44, 2003.
  31. D. Recordon and D. Reed. Openid 2.0: a platform for user-centric identity management. In DIM '06: Proceedings of the second ACM workshop on Digital identity management, pages 11--16, New York, NY, USA, 2006. ACM.
  32. J. Schwenk, L. Liao, and S. Gajek. Stronger bindings for saml assertions and saml artifacts. In Proceedings of the 5th ACM CCS Workshop on Secure Web Services (SWS'08), pages 11--20. ACM Press, 2008.
  33. M. Slemko. Microsoft passport to trouble, 2001. http://alive.znep.com/ marcs/passport/page2.html.
  34. M. Stevens, A. Lenstra, and B. de Weger. Chosen-prefix Collisions for MD5 and Applications. Submitted to Journal of Cryptology, June 2009. https://documents.epfl.ch/users/l/le/lenstra/public/papers/lat.pdf.
  35. M. Stevens, A. K. Lenstra, and B. de Weger. Chosen-prefix collisions for MD5 and colliding X.509 certificates for different identities. pages 1--22, 2007.
  36. M. Stevens, A. Sotirov, J. Appelbaum, A. K. Lenstra, D. Molnar, D. A. Osvik, and B. de Weger. Short chosen-prefix collisions for MD5 and the creation of a rogue CA certificate. pages 55--69, 2009.

Published in

DIM '11: Proceedings of the 7th ACM workshop on Digital identity management
October 2011
102 pages
ISBN: 9781450310062
DOI: 10.1145/2046642

Copyright © 2011 ACM

Publisher

Association for Computing Machinery, New York, NY, United States


Acceptance Rates

Overall Acceptance Rate: 16 of 34 submissions, 47%
