On breaking SAML: Be whoever you want to be

Proceedings of the 21st USENIX Security Symposium

Volumn , Issue , 2012, Pages 397-412

  Somorovsky, Juraj ^a   Mayer, Andreas ^b   Schwenk, Jörg ^a   Kampmann, Marco ^a   Jensen, Meiko ^a  

^a RUHR UNIVERSITY BOCHUM   (Germany)

^b Adolf Würth GmbH and Co KG Künzelsau Gaisbach   (Germany)

Author keywords

[No Author keywords available]

Indexed keywords

CRITICAL COMPONENT; FEDERATED IDENTITY; IN-DEPTH ANALYSIS; INFORMATION FLOWS; INTEGRITY PROTECTION; PENETRATION TESTING TOOLS; SECURITY ASSERTION MARKUP LANGUAGES; SIGNATURE VERIFICATION;

XML;

EID: 84915774545     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: None     Document Type: Conference Paper

References (39)

1. IEEE International Conference on Web Services, ICWS 2009, Los Angeles, CA, USA, 6-10 July 2009 (2009), IEEE.
2. ARMANDO, A., CARBONE, R., COMPAGNA, L., CUÉLLAR, J., PELLEGRINO, G., AND SORNIOTTI, A. From Multiple Credentials to Browser-Based Single Sign-On: Are We More Secure? In Future Challenges in Security and Privacy for Academia and Industry, J. Camenisch, S. Fischer-Hbner, Y. Murayama, A. Portmann, and C. Rieder, Eds., vol. 354 of IFIP Advances in Information and Communication Technology. Springer Boston, 2011.
3. ARMANDO, A., CARBONE, R., COMPAGNA, L., CUÉLLAR, J., AND TOBARRA, M. L. Formal Analysis of SAML 2.0 Web Browser Single Sign-On: Breaking the SAML-based Single Sign-On for Google Apps. In Proceedings of the 6th ACM Workshop on Formal Methods in Security Engineering, FMSE 2008, V. Shmatikov, Ed. ACM, Alexandria and VA and USA, 2008.
4. BACKES, M., AND GROSS, T. Tailoring the dolev-yao abstraction to web services realities. In SWS (2005), E. Damiani and H. Maruyama, Eds., ACM, pp. 65–74.
5. BARD, G. V. A Challenging but Feasible Blockwise-Adaptive Chosen-Plaintext Attack on SSL. In SECRYPT (2006), M. Malek, E. Fernández-Medina, and J. Hernando, Eds., INSTICC Press, pp. 99–109.
6. BENAMEUR, A., KADIR, F. A., AND FENET, S. XML Rewriting Attacks: Existing Solutions and their Limitations. In IADIS Applied Computing 2008 (Apr. 2008), IADIS Press.
7. BHARGAVAN, K., FOURNET, C., AND GORDON, A. D. Verifying policy-based security for web services. In CCS’04: Proceedings of the 11th ACM conference on Computer and communications security (2004), pp. 268–277.
8. BHARGAVAN, K., FOURNET, C., GORDON, A. D., AND O’SHEA, G. An advisor for web services security policies. In SWS’05: Proceedings of the 2005 workshop on Secure web services (New York, NY, USA, 2005), ACM, pp. 1–9.
9. BLEICHENBACHER, D. Chosen ciphertext attacks against protocols based on the rsa encryption standard pkcs #1. In CRYPTO (1998), pp. 1–12.
10. CANTOR, S., KEMP, J., MALER, E., AND PHILPOTT, R. Profiles for the OASIS Security Assertion Markup Language (SAML) V2.0. OASIS Standard, 15.03.2005, 2005. http://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf.
11. CANTOR, S., KEMP, J., PHILPOTT, R., AND MALER, E. Assertions and Protocol for the OASIS Security Assertion Markup Language (SAML) V2.0. OASIS Standard, 15.03.2005, 2005. http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf.
12. CANTOR, S., MOREH, J., PHILPOTT, R., AND MALER, E. Metadata for the OASIS Security Assertion Markup Language (SAML) V2.0. OASIS Standard, 15.03.2005, 2005. http://docs.oasis-open.org/security/saml/v2.0/saml-metadata-2.0-os.pdf.
13. CHAN, Y.-Y. Weakest link attack on single sign-on and its case in saml v2.0 web sso. In Computational Science and Its Applications - ICCSA 2006, M. Gavrilova, O. Gervasi, V. Kumar, C. Tan, D. Taniar, A. Lagan, Y. Mun, and H. Choo, Eds., vol. 3982 of Lecture Notes in Computer Science. Springer Berlin / Heidelberg, 2006, pp. 507–516. 10.1007/11751595 54.
14. EASTLAKE, D., REAGLE, J., SOLO, D., HIRSCH, F., AND ROESSLER, T. XML Signature Syntax and Processing (Second Edition), 2008. http://www.w3.org/TR/xmldsig-core/.
15. GAJEK, S., JENSEN, M., LIAO, L., AND SCHWENK, J. Analysis of signature wrapping attacks and countermeasures. In ICWS [1], pp. 575–582.
16. GAJEK, S., LIAO, L., AND SCHWENK, J. Breaking and fixing the inline approach. In SWS’07: Proceedings of the 2007 ACM workshop on Secure web services (New York, NY, USA, 2007), ACM, pp. 37–43.
17. GAJEK, S., LIAO, L., AND SCHWENK, J. Towards a formal semantic of xml signature. W3C Workshop Next Steps for XML Signature and XML Encryption, 2007.
18. GROSS, T. Security Analysis of the SAML SSO Browser/Artifact Profile. In ACSAC (2003), IEEE Computer Society, pp. 298–307.
19. GROSS, T., AND PFITZMANN, B. SAML artifact information flow revisited. In In IEEE Workshop on Web Services Security (WSSS) (Berkeley, May 2006), IEEE, pp. 84–100.
20. GRUSCHKA, N., AND IACONO, L. L. Vulnerable cloud: Soap message security validation revisited. In ICWS [1], pp. 625–631.
21. GUDGIN, M., HADLEY, M., MENDELSOHN, N., MOREAU, J.J., AND NIELSEN, H. F. SOAP Version 1.2 Part 1: Messaging Framework. W3C Recommendation (2003).
22. HARDING, P., JOHANSSON, L., AND KLINGENSTEIN, N. Dynamic security assertion markup language: Simplifying single sign-on. Security Privacy, IEEE 6, 2 (march-april 2008), 83 – 85.
23. JENSEN, M., LIAO, L., AND SCHWENK, J. The curse of names-paces in the domain of xml signature. In SWS (2009), E. Damiani, S. Proctor, and A. Singhal, Eds., ACM, pp. 29–36.
24. JENSEN, M., MEYER, C., SOMOROVSKY, J., AND SCHWENK, J. On the effectiveness of xml schema validation for countering xml signature wrapping attacks. In Securing Services on the Cloud (IWSSC), 2011 1st International Workshop on (sept. 2011), pp. 7 –13.
25. LUTZ, D., AND STILLER, B. Combining identity federation with payment: The saml-based payment protocol. In Network Operations and Management Symposium (NOMS), 2010 IEEE (april 2010), pp. 495 –502.
26. MALER, E., AND REED, D. The venn of identity: Options and issues in federated identity management. Security Privacy, IEEE 6, 2 (march-april 2008), 16 –23.
27. MCINTOSH, M., AND AUSTEL, P. XML Signature Element Wrapping Attacks and Countermeasures. In SWS’05: Proceedings of the 2005 workshop on Secure web services (New York, NY, USA, 2005), ACM Press, pp. 20–27.
28. MCINTOSH, M., AND AUSTEL, P. XML signature element wrapping attacks and countermeasures. In Workshop on Secure Web Services (2005).
29. NADALIN, A., KALER, C., MONZILLO, R., AND HALLAMBAKER, P. Web Services Security: SOAP Message Security 1.1 (WS-Security 2004). OASIS Standard (2006).
30. RAHAMAN, M. A., MARTEN, R., AND SCHAAD, A. An inline approach for secure soap requests and early validation. OWASP AppSec Europe, 2006.
31. RAHAMAN, M. A., AND SCHAAD, A. Soap-based secure conversation and collaboration. In ICWS (2007), pp. 471–480.
32. RAHAMAN, M. A., SCHAAD, A., AND RITS, M. Towards secure soap message exchange in a soa. In Workshop on Secure Web Services (2006).
33. SOMOROVSKY, J., HEIDERICH, M., JENSEN, M., SCHWENK, J., GRUSCHKA, N., AND IACONO, L. L. All Your Clouds are Belong to us – Security Analysis of Cloud Management Interfaces. In The ACM Cloud Computing Security Workshop (CCSW) (Oct. 2011).
34. THE APACHE SOFTWARE FOUNDATION. Apache Xerces.
35. TSCHOFENIG, H., FALK, R., PETERSON, J., HODGES, J., SICKER, D., AND POLK, J. Using saml to protect the session initiation protocol (sip). Network, IEEE 20, 5 (sept.-oct. 2006), 14 –17.
36. VAN DER VLIST, E. XML Schema. O’Reilly, 2002.
37. WAGNER, D., AND SCHNEIER, B. Analysis of the SSL 3.0 protocol. In In Proceedings of the Second USENIX Workshop on Electronic Commerce (1996), USENIX Association, pp. 29–40.
38. WANG, R., CHEN, S., AND WANG, X. Signing Me onto Your Accounts through Facebook and Google: a Traffic-Guided Security Study of Commercially Deployed Single-Sign-On Web Services. In IEEE Symposium on Security and Privacy (Oakland), IEEE Computer Society (May 2012).
39. YONG-SHENG, Z., AND JING, Y. Research of dynamic authentication mechanism crossing domains for web services based on saml. In Future Computer and Communication (ICFCC), 2010 2nd International Conference on (may 2010), vol. 2, pp. V2–395 –V2–398.