
The power of recognition: secure single sign-on using TLS channel bindings

Published: 21 October 2011

Abstract

Today, entity authentication in the TLS protocol involves at least three complex and partly insecure systems: the Domain Name System (DNS), Public Key Infrastructures (PKI), and human users, bound together by the Same Origin Policy (SOP). To solve the security threats resulting from this construction, a new concept was introduced at CCS '07: the strong locked same origin policy (SLSOP). The basic idea behind the SLSOP is to strengthen the identification of web servers through domain names, certificates and browser security warnings by a recognition of public keys to authenticate servers. Many weaknesses of current protocols emerging from an insecure PKI or DNS can thus be handled, even without involving the user. This concept has also been adapted by the IETF in RFC 5929.
The contribution of this paper is as follows: First, we present a new SLSOP-based login protocol and use it to design a secure Single Sign-On (SSO) protocol. Second, we provide a first full proof-of-concept of such a protocol and also the first implementation of the channel binding described in RFC 5929, implementing a cross-domain SLSOP both for a new type of authentication cookies and for the HTML-based POST and Redirect bindings. Finally, we evaluate the security of this protocol and describe how our protocol copes with modern attack vectors.

Cited By

  • (2016) Efficient Attribute Management in a Federated Identity Management Infrastructure. 2016 24th Euromicro International Conference on Parallel, Distributed, and Network-Based Processing (PDP), pages 590-595. DOI: 10.1109/PDP.2016.102. Online publication date: Feb-2016
  • (2013) Options for integrating eID and SAML. Proceedings of the 2013 ACM workshop on Digital identity management, pages 85-96. DOI: 10.1145/2517881.2517892. Online publication date: 8-Nov-2013

Published In

DIM '11: Proceedings of the 7th ACM workshop on Digital identity management
October 2011
102 pages
ISBN:9781450310062
DOI:10.1145/2046642

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. identity management
  2. single sign-on

Qualifiers

  • Research-article

Conference

CCS'11

Acceptance Rates

Overall Acceptance Rate 16 of 34 submissions, 47%
