Formal analysis of SAML 2.0 web browser single sign-on: Breaking the SAML-based single sign-on for google apps

Proceedings of the ACM Conference on Computer and Communications Security

Volumn , Issue , 2008, Pages 1-9

  Armando, Alessandro ^a   Carbone, Roberto ^a   Compagna, Luca ^b   Cuellar, Jorge ^c   Tobarra, Llanos ^d  

^a UNIVERSITY OF GENOA   (Italy)

^b SAP RESEARCH   (France)

^c SIEMENS AG   (Germany)

^d UNIVERSITY OF CASTILLA LA MANCHA   (Spain)

Author keywords

[No Author keywords available]

Indexed keywords

ART MODEL; FORMAL ANALYSIS; FORMAL MODEL; SECURITY ASSERTION MARKUP LANGUAGES; SECURITY FLAWS; SECURITY PROTOCOLS; SERVICE PROVIDER; SINGLE SIGN ON; USE CASE SCENARIO;

FORMAL METHODS; INTERNET PROTOCOLS; MARKUP LANGUAGES; MODEL CHECKING; NETWORK SECURITY; SANITARY SEWERS; SECURITY SYSTEMS; WORLD WIDE WEB;

NETWORK PROTOCOLS;

EID: 70349233792     PISSN: 15437221     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/1456396.1456397     Document Type: Conference Paper

References (17)

1. A. Armando, D. Basin, Y. Boichut, Y. Chevalier, L. Compagna, J. Cuellar, P. Hankes Drielsma, P.-C. Heám, J. Mantovani, S. Mödersheim, D. von Oheimb, M. Rusinowitch, J. Santiago, M. Turuani, L. Viganó, and L. Vigneron. The AVISPA Tool for the Automated Validation of Internet Security Protocolsand Applications. In Proceedings of the 17th International Conference on Computer Aided Verification (CAV'05). Springer-Verlag, 2005. Available at www.avispa-project.org.
2. A. Armando, R. Carbone, and L. Compagna. LTL model checking for security protocols. In 20th IEEE Computer Security Foundations Symposium (CSF20), Venice (Italy), July 2007.
3. A. Armando and L. Compagna. SAT-based Model-Checking for Security Protocols Analysis. International Journal of Information Security, 7(1):3-32, January 2008.
4. K. Bhargavan, C. Fournet, A. D. Gordon, and N. Swamy. Verified implementations of the information card federated identity-management protocol. In ASIACCS, pages 123-135, 2008.
5. B. Blanchet. From secrecy to authenticity in security protocols. In In 9th International Static Analysis Symposium (SAS'02), pages 342-359. Springer, 2002.
6. D. Dolev and A. Yao. On the Security of Public-Key Protocols. IEEE Transactions on Information Theory, 2(29), 1983.
7. Google. Web-based reference implementation of SAML-based SSO for Google Apps. http://code.google.com/apis/apps/sso/saml-reference-implementation-web. html, 2008.
8. T. Groß. Security analysis of the SAML Single Sign-on Browser/Artifact profile. In Proc. 19th Annual Computer Security Applications Conference. IEEE, Dec. 2003.
9. T. Groß, B. Pfitzmann, and A.-R. Sadeghi. Browser model for security analysis of browser-based protocols. In S. D. C. di Vimercati, P. F. Syverson, and D. Gollmann, editors, ESORICS, volume 3679 of Lecture Notes in Computer Science, pages 489-508. Springer, 2005.
10. S. M. Hansen, J. Skriver, and H. R. Nielson. Using static analysis to validate the SAML single sign-on protocol. In WITS '05: Proceedings of the 2005 workshop on Issues in the theory of security, pages 27-40, New York, NY, USA, 2005. ACM Press.
11. Internet2. Shibboleth Project. Available at http://shibboleth.internet2. edu/, 2007.
12. G. Lowe. A hierarchy of authentication specifications. In Proceedings of the 10th IEEE Computer Security Foundations Workshop (CSFW'97), pages 31-43. IEEE Computer Society Press, 1997.
13. OASIS. Identity Federation. Liberty Alliance Project. Available at http://www.projectliberty.org/resources/specifications.php, 2004.
14. OASIS. Profiles for the OASIS Security Assertion Markup Language (SAML) V2.0. Available at http://www.oasis-open.org/committees/tc-home.php?wg-abbrev= security, March 2005.
15. OASIS. Security Assertion Markup Language (SAML) v2.0. Available at http://www.oasis-open.org/committees/tc-home.php?wg-abbrev=security, April 2005.
16. B. Pfitzmann and M. Waidner. Analysis of Liberty Single-Sign-on with Enabled Clients. IEEE Internet Computing, 7(6):38-44, 2003.
17. B. Pfitzmann and M. Waidner. Federated identity-management protocols. In B. Christianson, B. Crispo, J. A. Malcolm, and M. Roe, editors, Security Protocols Workshop, volume 3364 of Lecture Notes in Computer Science, pages 153-174. Springer, 2003.