From Multiple Credentials to Browser-Based Single Sign-On: Are We More Secure?
| Field | Value |
|---|---|
| Author | Roberto Carbone, Giancarlo Pellegrino, Jorge Cuellar, Luca Compagna, Alessandro Armando, Alessandro Sorniotti |
| Contributors | Universita degli studi di Genova; Security & Trust Research Unit [Trento], Fondazione Bruno Kessler [Trento, Italy] (FBK); SAP Research; Siemens AG [Munich]; IBM Research [Zurich]; Jan Camenisch; Simone Fischer-Hübner; Yuko Murayama; Armand Portmann; Carlos Rieder; TC 11 |
| Language | English |
| Year of publication | 2011 |
| Subject | 021110 Strategic, defence & security studies; Web server; Authentication; business.industry; Computer science; 0211 Other engineering and technologies; 020206 Networking & telecommunications; 02 Engineering and technology; Service provider; computer.software_genre; Computer security; Security Assertion Markup Language; World Wide Web; ComputingMilieux_MANAGEMENTOFCOMPUTINGANDINFORMATIONSYSTEMS; Resource (project management); User experience design; Scripting language; 0202 Electrical engineering, electronic engineering, information engineering; Single sign-on; [INFO]Computer Science [cs]; business; computer |
| Source | 26th International Information Security Conference (SEC), Jun 2011, Lucerne, Switzerland. IFIP Advances in Information and Communication Technology, pp. 68-79, ISBN 9783642214233, ⟨10.1007/978-3-642-21424-0_6⟩ |
| DOI | 10.1007/978-3-642-21424-0_6 |
| Description | Part 3: Authentication; International audience; Browser-based Single Sign-On (SSO) is replacing conventional solutions based on multiple, domain-specific credentials by offering an improved user experience: clients log on to their company system once and are then able to access all services offered by the company's partners. By focusing on the emerging SAML standard, in this paper we show that the prototypical browser-based SSO use case suffers from an authentication flaw that allows a malicious service provider to hijack a client authentication attempt and force the latter to access a resource without its consent or intention. This may have serious consequences, as evidenced by a Cross-Site Scripting attack that we have identified in the SAML-based SSO for Google Apps: the attack allowed a malicious web server to impersonate a user on any Google application. We also describe solutions that can be used to mitigate and even solve the problem. |
| Database | OpenAIRE |
| External link | |