Stronger TLS bindings for SAML assertions and SAML artifacts

Proceedings of the ACM Conference on Computer and Communications Security

Volumn , Issue , 2008, Pages 11-19

  Gajek, Sebastian ^a   Liao, Lijun ^a   Schwenk, Jörg ^a  

^a RUHR UNIVERSITY BOCHUM   (Germany)

Author keywords

Client certificate; FIM; SAML; TLS

Indexed keywords

ATTACK SCENARIOS; CLIENT CERTIFICATE; FIM; REAL-WORLD ATTACK; SAME-ORIGIN POLICY; SAML; TLS;

SURVEYING INSTRUMENTS; WEB SERVICES;

SEEBECK EFFECT;

EID: 70349230079     PISSN: 15437221     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/1456492.1456495     Document Type: Conference Paper

References (29)

1. Cross site scripting (xss). http://en.wikipedia.org/wiki/Cross-site\- scripting.
2. Kerberos: The network authentication protocol. http://web.mit.edu/ Kerberos/.
3. Oasis security services (saml) tc. "http://www.oasis-open.org/ committees/security/".
4. Pharming. http://en.wikipedia.org/wiki/Pharming.
5. M. Backes, I. Cervesato, A. D. Jaggard, A. Scedrov, and J.-K. Tsay. Cryptographically sound security proofs for basic and public-key kerberos. Cryptology ePrint Archive, Report 2006/219, 2006. http://eprint.iacr.org/.
6. A. Boldyreva and V. Kumar. Provable-security analysis of authenticated encryption in kerberos. Cryptology ePrint Archive, Report 2007/234, 2007. http://eprint.iacr.org/.
7. D. Eastlake et al. Xml-signature syntax and processing. "http://www.w3.org/TR/xmldsig-core/", Feb. 2002.
8. R. Dhamija, J. D. Tygar, and M. A. Hearst. Why phishing works. In CHI, pages 581-590. ACM Press, 2006.
9. T. Dierks and C. Allen. The TLS protocol version, 1.0. RFC 2246. http://www.ietf.org/rfc/rfc2246.txt, 1999.
10. T. Dierks and E. Rescorla. The Transport Layer Security (TLS) protocol, version 1.1. RFC 4346. http://www.ietf.org/rfc/rfc4346.txt, 2006.
11. S. Gajek, M. Manulis, A.-R. Sadeghi, and J. Schwenk. Provably Secure Browser-Based User-Aware Mutual Authentication over TLS. In M. Abe and V. Gligor, editors, ACM Symposium on Information, Computer and Communications Security (ASIACCS 2008), pages 300-311. ACM Press, 2008.
12. S. Gajek, J. Schwenk, and X. Chen. On the insecurity of microsoft's identity metasystem cardspace. Technical Report HGI TR-2008-004, Horst Görtz Institute for IT-Security, 2008.
13. T. Groß. Security analysis of the SAML single sign-on browser/artifact profile. In Annual Computer Security Applications Conference. IEEE Computer Society, 2003.
14. T. Großand B. Pfitzmann. Saml artifact information flow revisited. Research Report RZ 3643 (99653), IBM Research, 2006. http://www.zurich.ibm.com/ security/publications/2006.html.
15. A. Herzberg. Why johnny can't surf (safely)?, 2007. (Work in Progress).
16. J. Kemp et al. Authentication context for the oasis security assertion markup language (saml) v2.0. "http://docs.oasis-open.org/security/saml/v2. 0/saml-authncontext-2.0-os.pdf", Mar. 2005.
17. C. Karlof et al. Dynamic pharming attacks and locked same-origin policies for web browsers. In P. Ning, S. D. C. di Vimercati, and P. F. Syverson, editors, ACM Conference on Computer and Communications Security, pages 58-71. ACM, 2007.
18. D. Kormann and A. Rubin. Risks of the passport single signon protocol. Computer Networks, 33(1-6):51-58, 2000.
19. D. Kristol and L. Montulli. HTTP State Management Mechanism. RFC 2109 (Proposed Standard), Feb. 1997. Obsoleted by RFC 2965.
20. C. Masone, K.-H. Baek, and S. Smith. Wske: Web server key enabled cookies. In S. Dietrich and R. Dhamija, editors, Financial Cryptography, volume 4886 of Lecture Notes in Computer Science, pages 294-306. Springer, 2007.
21. MSDN. Mitigating cross-site scripting with http-only cookies, 2006. http://msdn.microsoft.com/enus/library/ms533046.aspx.
22. B. Pfitzmann and M. Waidner. Analysis of liberty single-signon with enabled clients. IEEE Internet Computing, 7(6):38-44, 2003.
23. S. Cantor et al. Bindings for the oasis security assertion markup language (saml) v2.0. "http://docs.oasis-open.org/security/saml/v2.0/saml- bindings-2.0-os.pdf, Mar.
24. S. Cantor et al. Assertions and protocols for the oasis security assertion markup language (saml) v2.0. "http://docs.oasis-open.org/ security/saml/v2.0/saml-core-2.0-os.pdf", Mar. 2005.
25. S. Cantor et al. Profiles for the oasis security assertion markup language (saml) v2.0. "http://docs.oasis-open.org/security/saml/v2.0/saml- profiles-2.0-os.pdf", Mar. 2005.
26. Z. R. Sid Stamm and M. Jakobsson. Drive-by pharming. Technical report, Indiana University Computer Science Technical Report number 641, December 13, 2006.
27. M. Slemko. Microsoft passport to trouble, 2001. http://alive.znep.com/ ̃marcs/passport/page2.html.
28. C. Soghoian and M. Jakobsson. A deceit-augmented man in the middle attack against bank of america's sitekey service, 2007. http://paranoia.dubfire.net/ 2007/04/deceit-augmented-man-in-middle-attack.html.
29. A. O. Stuart Schechter, Rachna Dhamija and I. Fischer. The emperor's new security indicators. In Symposium on Security and Privacy. IEEE Computer Society, 2007.