OpenID and the Enterprise A Model-based Analysis of Single Sign-On Authentication.
Bellamy-McIntyre, J., Lutteroth, C., Weber, G. "OpenID and the Enterprise: A Model-Based Analysis of Single Sign-On Authentication." 2011 15th IEEE International Enterprise Distributed Object Computing Conference (EDOC), pp. 129-138, Aug. 29 to Sept. 2, 2011. Presented by: Veo Chen
Summary Problem: The OpenID protocol is not well understood or properly implemented, resulting in security flaws. Solution: Modelling of the OpenID process from the perspective of both the user and the system.
Critique Applying a similar modelling approach to WS-Federation, Shibboleth, OAuth: • "...seems to be applicable" • "...similar" • "...lend themselves to our modelling approach." Lack of empirical data: 32 sites • RP discovery: using Yahoo OpenID • TLS: "we simply had to examine HTML code of each site"
Appreciation Accurate modelling of OpenID process: • Crucial for the understanding, implementation and security analysis of any technology SHOULD vs MUST in specification: • "SHOULD" - can be ignored
SHOULD or MUST? • This paper: • "SHOULD" 48 times in OpenID specification • Many should be changed to "MUST" • "SHOULD" represents a point that can be ignored in implementation
SHOULD or MUST? Bradner, B., "Key words for use in RFCs to Indicate Requirement Levels," RFC 2119 • SHOULD: This word, or the adjective "RECOMMENDED", mean that there may exist valid reasons in particular circumstances to ignore a particular item, but the full implications must be understood and carefully weighed before choosing a different course. OpenID Authentication 2.0 • OpenID providers SHOULD verify that the return_to URL specified in the request is an OpenID relying party endpoint. • Relying Parties SHOULD accept and verify assertions about Identifiers for which they have not requested authentication. • It SHOULD implement a method for preventing replay attacks. • Relying Parties SHOULD use the Yadis protocol to publish their valid return_to URLs.
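Two of the SHOULD items above (replay prevention and return_to checking) are what a relying party loses when it treats them as optional. The following is an added example, not code from the paper or from any OpenID library, showing the RP-side checks on a positive OpenID 2.0 assertion: the `openid.response_nonce` timestamp must be fresh and the (op_endpoint, nonce) pair unused, and `openid.return_to` must match the URL the response actually arrived at. The sample assertion, the 300-second nonce window and the `seen` store are constructed for illustration; signature verification is a separate step not shown here.

```python
import calendar
import re
import time
from urllib.parse import parse_qsl, urlsplit

NONCE_MAX_AGE = 300  # seconds an OP nonce stays acceptable (constructed policy value)
# OpenID 2.0 response_nonce: UTC "YYYY-MM-DDThh:mm:ssZ" plus up to 255 unique ASCII chars
NONCE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)([\x21-\x7e]{0,255})$")

# Constructed sample: a positive assertion as the RP would receive it at its return URL.
SAMPLE = {
    "openid.mode": "id_res",
    "openid.op_endpoint": "https://op.example/endpoint",
    "openid.return_to": "https://rp.example/openid/return?sid=42",
    "openid.response_nonce": "2011-08-29T10:00:00Zabc123",
}
SAMPLE_NOW = calendar.timegm((2011, 8, 29, 10, 0, 30, 0, 0, 0))  # 30 s after issue

def nonce_age(nonce, now):
    """Seconds between the nonce's timestamp and `now`, or None if malformed."""
    m = NONCE_RE.match(nonce or "")
    if not m:
        return None
    try:
        return now - calendar.timegm(time.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ"))
    except ValueError:
        return None

def return_to_matches(return_to, actual_url):
    """Asserted return_to must be where the response arrived: same scheme/host/path, query pairs present."""
    want, got = urlsplit(return_to), urlsplit(actual_url)
    if (want.scheme, want.netloc, want.path) != (got.scheme, got.netloc, got.path):
        return False
    return set(parse_qsl(want.query, True)) <= set(parse_qsl(got.query, True))

def verify_assertion(fields, actual_url, seen, now=None):
    """Reject replayed or redirected assertions; `seen` holds accepted (op_endpoint, nonce) pairs."""
    now = time.time() if now is None else now
    if fields.get("openid.mode") != "id_res":
        return False, "not a positive assertion"
    if not return_to_matches(fields.get("openid.return_to", ""), actual_url):
        return False, "return_to does not match the receiving URL"
    age = nonce_age(fields.get("openid.response_nonce"), now)
    if age is None or not -NONCE_MAX_AGE <= age <= NONCE_MAX_AGE:
        return False, "missing, malformed or stale response_nonce"
    key = (fields.get("openid.op_endpoint"), fields["openid.response_nonce"])
    if key in seen:
        return False, "response_nonce already used (replay)"
    seen.add(key)  # keep at least NONCE_MAX_AGE seconds so stale entries can be pruned
    return True, "ok"
```

Without the nonce store, the second call with the same assertion would be accepted, which is exactly the replay the spec only says an RP SHOULD prevent.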
Question How important are technical documents to security? How can we better communicate requirements to people?