Systematically breaking and fixing OpenID security: Formal analysis, semi-automated empirical evaluation, and practical countermeasures

Computers and Security

Volumn 31, Issue 4, 2012, Pages 465-483

  Sun, San Tsai ^a   Hawkey, Kirstie ^b   Beznosov, Konstantin ^a  

^a UNIVERSITY OF BRITISH COLUMBIA   (Canada)

^b DALHOUSIE UNIVERSITY   (Canada)

Author keywords

Authentication; Empirical evaluation; OpenID; Security protocol analysis; Web application security; Web single sign on

Indexed keywords

EMPIRICAL EVALUATIONS; OPENID; SECURITY PROTOCOL ANALYSIS; SINGLE SIGN ON; WEB APPLICATION SECURITY;

AUTHENTICATION; FORMAL METHODS; MODEL CHECKING; WEBSITES;

INTERNET PROTOCOLS;

EID: 84861098079     PISSN: 01674048     EISSN: None     Source Type: Journal    
DOI: 10.1016/j.cose.2012.02.005     Document Type: Article

References (37)

1. B. Adida Sessionlock: securing web sessions against eavesdropping Proceeding of the 17th International Conference on World Wide Web (WWW'08) 2008 ACM New York, NY 517 524
2. AOL LLC AOL open authentication API January 2008 http://dev.aol.com/api/ openauth [Online; accessed 23.08.11]
3. A. Barth, C. Jackson, and J.C. Mitchell Robust defenses for cross-site request forgery Proceedings of the 15th ACM Conference on Computer and Communications Security (CCS'08) 2008 ACM New York, NY 75 88
4. S. Blake-Wilson, M. Nystrom, D. Hopwood, J. Mikkelsen, and T. Wright Transport layer security extensions June 2003 http://www.ietf.org/rfc/rfc3546. txt [Online; accessed 23.08.11]
5. J. Bufu OpenID4Java 2009 http://code.google.com/p/openid4java/ [Online; accessed 23.08.11]
6. C. Caleiro, L. Vigan, and D. Basin Deconstructing Alice and Bob Electronic Notes in Theoretical Computer Science 135 1 2005 3 22 URL: http://www.sciencedirect.com/science/article/pii/S1571066105050498 (Pubitemid 41082142)
7. B. Delft, and M. Oostdijk A security analysis of OpenID Proceedings of the 2nd IFIP WG 11.6 Working Conference on Policies and Research in Identity Management (IDMAN'10) November 2010
8. G. Denker, and J. Millen Capsl integrated protocol environment Proceedings of DARPA Information Survivability Conference and Exposition vol. 1 2000 207 221
9. D. Dolev, and A. Yao On the security of public key protocols IEEE Transactions on Information Theory 29 2 Mar. 1983 198 208
10. Facebook, Inc Facebook for websites: authentication 2010 http://developers.facebook.com/docs/guides/web/ [Online; accessed 23.08.11]
11. D. Florencio, and C. Herley A large-scale study of web password habits Proceedings of the 16th International Conference on World Wide Web (WWW'07) 2007 ACM New York, NY, USA 657 666 (Pubitemid 47582295)
12. S. Gaw, and E.W. Felten Password management strategies for online accounts Proceedings of the Second Symposium on Usable Privacy and Security (SOUPS'06) 2006 44 55 (Pubitemid 46966968)
13. R. Graham Sidejacking with hamster August 2007 http://erratasec.blogspot. com/2007/08/sidejacking-with-hamster-05.html [Online; accessed 23.08.11]
14. E. Hammer-Lahav, D. Recordon, and D. Hardt The OAuth 2.0 authorization protocol September 2011 http://tools.ietf.org/html/draft-ietf-oauth-v2-22 [Online; accessed 09.12.11]
15. Lindholm A. Security evaluation of the OpenID protocol. Master of Science Thesis from Royal Institute of Technology; 2009.
16. G. Lowe Casper: a compiler for the analysis of security protocols Journal of Computer Security 6 1 1998 53 84 URL: http://iospress.metapress.com/content/ ADNXU4KPRPL21RC9
17. LSV Security protocols open repository (SPORE) 2003 www.lsv.ens-cachan. fr/spore/ [Online; accessed 12.12.11]
18. OASIS OASIS extensible resource identifier 2008 www.oasis-open.org/ committees/xri/ [Online; accessed 23.12.11]
19. OpenID Foundation Promotes, protects and nurtures the OpenID community and technologies 2009 http://openid.net/foundation/ [Online; accessed 23.08.11]
20. R. Oppliger Microsoft.NET Passport and identity management Information Security Technical Report 9 1 2004 26 34
21. OWASP Session hijacking attack 2009 https://www.owasp.org/index.php/ Session-hijacking-attack [Online; accessed 23.08.11]
22. OWASP Open web application security project (OWASP) top ten project 2010 http://www.owasp.org/index.php/Category:OWASP-Top-Ten-Project [Online; accessed 23.08.11]
23. D. Recordon, and B. Fitzpatrick OpenID authentication 2.0 December 2007 http://openid.net/specs/openid-authentication-2-0.html [Online; accessed 23.08.11]
24. N. Sakimura, J. Bradley, B. de Medeiros, M.B. Jones, and E. Jay Openid connect standard 1.0-draft 07 2011 http://openid.net/specs/openid-connect- standard-1-0.html [Online; accessed 03.01.12]
25. K. Singh, H. Wang, A. Moshchuk, C. Jackson, and W. Lee HTTPi for practical end-to-end web content integrity Microsoft technical report May 2011 [Online; accessed 23.08.11]
26. Skybound Software GeckoFX: an open-source component for embedding Firefox in.NET applications 2010 http://www.geckofx.org/ [Online; accessed 23.08.11]
27. P. Sovis, F. Kohlar, and J. Schwenk Security analysis of OpenID Proceedings of the Securing Electronic Business Processes-Highlights of the Information Security Solutions Europe 2010 Conference October 2010
28. S. Stamm, Z. Ramzan, and M. Jakobsson Drive-by pharming Information and communications security Lecture notes in Computer Science vol. 4861 2007 Springer Berlin/Heidelberg 495 506
29. S.-T. Sun, K. Hawkey, and K. Beznosov Secure Web 2.0 content sharing beyond walled gardens Proceedings of the 25th Annual Computer Security Applications Conference (ACSAC'09) December 7-11 2009 IEEE Press 409 418
30. S.-T. Sun, Y. Boshmaf, K. Hawkey, and K. Beznosov A billion keys, but few locks: the crisis of Web single sign-on Proceedings of the New Security Paradigms Workshop (NSPW'10) 2010 61 72
31. S.-T. Sun, K. Hawkey, and K. Beznosov OpenIDemail enabled browser: towards fixing the broken web single sign-on triangle Proceedings of the 6th ACM Workshop on Digital Identity Management (DIM'10) 2010 ACM New York, NY, USA 49 58
32. S.-T. Sun, E. Pospisil, I. Muslukhov, N. Dindar, K. Hawkey, and K. Beznosov OpenID-enabled browser: towards usable and secure web single sign-on Proceedings of the 29th International Conference Extended Abstracts on Human Factors in Computing Systems (CHI'11) 2011 New York, NY, USA
33. S.-T. Sun, E. Pospisil, I. Muslukhov, N. Dindar, K. Hawkey, and K. Beznosov What makes users refuse web single sign-on? An empirical investigation of OpenID Proceedings of Symposium on Usable Privacy and Security (SOUPS'11) 2011
34. E. Tsyrklevich, and V. Tsyrklevich Single sign-on for the Internet: a security story Proceedings of the BlackHat'07 July 2007
35. L. Vigano Automated security protocol analysis with the AVISPA tool Electronic Notes in Theoretical Computer Science 155 2006 61 86
36. R. Wang, S. Chen, and X. Wang Attribute exchange security alert http://openid.net/2011/05/05/attribute-exchange-security-alert/ May 2011 [Online; accessed 23.08.11]
37. Yahoo Inc Browser-based authentication (BBAuth) December 2008 http://developer.yahoo.com/auth/ [Online; accessed 23.08.11]