TLS-federation - A secure and relying-party-friendly approach for federated identity management

Lecture Notes in Informatics (LNI), Proceedings - Series of the Gesellschaft fur Informatik (GI)

Volumn , Issue , 2008, Pages 93-104

  Bruegger, Bud P ^a   Hühnlein, Detlef ^b   Schwenk, Jörg ^c  

^a Comune di Grosseto ^*  (Italy)

^b Westfälische Hochschule und secunet Security Networks AG   (Germany)

^c RUHR UNIVERSITY BOCHUM   (Germany)

Author keywords

[No Author keywords available]

Indexed keywords

CROSS-SITE SCRIPTING; FEDERATED IDENTITY MANAGEMENTS; REAL-WORLD ATTACK; SINGLE SIGN ON; TRANSPORT LAYER SECURITY; USER AGENTS; WEB SERVERS;

BIOMETRICS; INTERNET PROTOCOLS; WORLD WIDE WEB;

WEB BROWSERS;

EID: 84873909966     PISSN: 16175468     EISSN: None     Source Type: Conference Proceeding    
DOI: None     Document Type: Conference Paper

References (38)

1. J. Grossman, R. Hansen, P. D. Petkov: Cross Site Scripting Attacks: XSS Exploits and Defense, Syngress Media, 2007
2. S. Gajek, L. Liao, J. Schwenk: Two New TLS Bindings for SAML and SAML Artifacts, to appear, 2008
3. S. Gajek, J. Schwenk, C. Xuan: On the Insecurity of Microsoft's Identity Metasystem, Ruhr University Bochum, Technical Report TR-HGI-2008-003, http://www.nds.rub.de/gajek/papers/GaScXu08-CardSpaceTR.pdf
4. Heise Online: Massive DNS security problem endangers the internet, July 9th, 2008, http://www.heise-online.co.uk/news/Massive-DNS-security- problemendangers-the-internet-/111070
5. W. Herrmann: Gartner's most important IT-Trends, (in German), http://www.computerwelt.at/detailArticle.asp?a=110421&n=2
6. Eclipse Foundation: Higgins Open Source Identity Framework, http://www.eclipse.org/higgins/
7. Information Card Foundation: Information Card Foundation Website, http://informationcard.net/
8. IDABC: Common specifications for eID interoperability in the eGovernment context, http://ec.europa.eu/idabc/servlets/Doc?id=30989
9. ISO/IEC 7816-8: Identification cards - Integrated circuit cards - Part 8: Commands for security operations. International Standard, 2004
10. Liberty Alliance Project: Specifications, via http://www.projectliberty. org/specifications-1
11. Liberty Alliance: Liberty Alliance ID-FF Bindings and Profiles Specification, Version 1.2, Errata v2.0, within http://www.projectliberty.org/ liberty/content/download/1266/8160/file/libertyidff-1.2-20050520.zip
12. Liberty Alliance: Liberty Alliance ID-FF Protocols and Schema Specification, Version 1.2, Errata v3.0, within http://www.projectliberty.org/ liberty/content/download/1266/8160/file/libertyidff-1.2-20050520.zip
13. Microsoft Inc.: Mitigating Cross-Site Scripting with HTTP-only Cookies, http://msdn.microsoft.com/en-us/library/ms533046.aspx, 2007
14. Microsoft Inc.: Windows CardSpace, via http://netfx3.com/content/ WindowsCardspaceHome.aspx
15. Microsoft Inc.: A Technical Reference for InfoCard v1.0 in Windows, August, 2005, http://download.microsoft.com/download/5/4/0/54091e0b-464c-4961- a934-d47f91b66228/infocard-techref-beta2-published.pdf
16. P. Morrissey, N.P. Smart, und B. Warinschi: A Modular Security Analysis of the TLS Handshake Protocol, Cryptology ePrint Archive, Report 2008/236, http://eprint.iacr.org/2008/236, 2008.
17. Modinis IDM Study Team: Common Terminological Framework for Interoperable Electronic Identity Management, Modinis Study on Identity Management in eGovernment - Consultation Paper, Version 2.01, via https://www.cosic.esat. kuleuven.be/modinis-idm/twiki/pub/Main/GlossaryDoc/modinis.terminology.paper.v2. 01.2005-11-23.pdf
18. B. Pfitzmann, M. Waidner: Analysis of liberty single-sign-on with enabled clients, Internet Computing, IEEE, Vol. 7, Issue 6, Nov.-Dec. 2003, pp. 38- 44
19. J. Kohl: The Kerberos Network Authentication Service (V5), IETF RFC 1510, via http://www.ietf.org/rfc/rfc1510.txt
20. T. Dierks, C. Allen: The TLS Protocol, Version 1.0, IETF RFC 2246, via http://www.ietf.org/rfc/rfc2246.txt
21. R. Housley, W. Polk, W. Ford, D. Solo: Internet X.509 Public Key Infrastructure - Certificate and Certificate Revocation List (CRL) Profile, IETF RFC 3280, via http://www.ietf.org/rfc/rfc3280
22. S. Farrell, R. Housley: An Internet Attribute Certificate Profile for Authorization, IETF RFC 3281, via http://www.ietf.org/rfc/rfc3281
23. U. Rutishauser, A. Schäfer: Open reference implementation of a SCEP v2 client, http://www.urut.ch/scep/scepclient.pdf
24. S. Cantor, J. Kemp, R. Philpott, E. Maler: Assertions and Protocol for the OASIS Security Assertion Markup Language (SAML) V1.1, OASIS Standard, 02.09.2003, http://www.oasis-open.org/committees/download.php/3406/oasissstc- saml-core-1.1.pdf, 2003
25. E. Maler, P. Mishra, R. Philpott: Bindings and Profiles for the OASIS Security Assertion Markup Language (SAML) V1.1, OASIS Standard, 02.09.2003, http://www.oasis-open.org/committees/download.php/3405/oasis-sstc-samlbindings- 1.1.pdf, 2003
26. S. Cantor, J. Kemp, R. Philpott, E. Maler: Assertions and Protocol for the OASIS Security Assertion Markup Language (SAML) V2.0. OASIS Standard, 15.03.2005. http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf, 2005.
27. S. Cantor, F. Hirsch, J. Kemp, R. Philpott, E. Maler: Bindings for the OASIS Security Assertion Markup Language (SAML) V2.0, OASIS Standard, 15.03.2005, http://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os. pdf
28. M. Slemko: Microsoft passport to trouble, 2001. http://alive.znep.com/ marcs/passport/
29. D. Box, D. Ehnebuske, G. Kakivaya, A. Layman, N. Mendelsohn, H. F. Nielsen, S. Thatte, D. Winer: Simple Object Access Protocol (SOAP) 1.1, W3C Note, 08 May 2000, via http://www.w3.org/TR/2000/NOTE-SOAP-20000508
30. OpenSSL Project: SPKAC printing and generating utility documentation, http://www.openssl.org/docs/apps/spkac.html
31. Sid Stamm, Zulfikar Ramzan, and Markus Jakobsson. Drive-by pharming. Technical report, Indiana University Computer Science Technical Report number 641, December 13, 2006
32. STORK-Consortium: STORK project website, http://www.eid-stork.eu/
33. C. Kaler, A. Nadalin:: Web Services Federation Language (WS-Federation), Version 1.1 December 2006, http://download.boulder.ibm.com/ibmdl/pub/software/ dw/specs/ws-fed/WSFederation-V1-1B.pdf
34. F. Curbera, S. Parastatidis, J. Schlimmer. Web Services Metadata Exchange (WS-MetadataExchange), Version 1.1, August 2006. http://download.boulder.ibm. com/ibmdl/pub/software/dw/specs/wsmex/metadataexchange.pdf, 2006
35. C. Kaler, A. Nadalin: Web Services Security Policy Language (WSSecurityPolicy), July 2005, Version 1.1, http://download.boulder.ibm.com/ ibmdl/pub/software/dw/specs/ws-secpol/wssecpol.pdf, 2005.
36. A. Nadalin, M. Goodner, M. Gudgin, A. Barbir, H. Granqvist: WS-Trust 1.3. OASIS Standard, 19.03.2007. http://docs.oasis-open.org/ws-sx/wstrust/200512/ws- trust-1.3-os.pdf, 2007
37. A. Nadalin, C. Kaler, R. Monzillo, P. Hallam-Baker: Web Services Security: SOAP Message Security 1.1. OASIS Standard, 01.02.2006. http://www.oasisopen.org/committees/download.php/16790/wss-v1. 1-spec-os-SOAPMessageSecurity.pdf, 2006.
38. ITU-T: ITU-T Recommendation X.509:2000 - ISO-IEC 9594-8:2000. Information technology Open Systems Interconnection The Directory: Publickey and attribute certificate frameworks, March 2000