Security analysis of the SAML single sign-on browser/artifact profile

Proceedings - Annual Computer Security Applications Conference, ACSAC

Volumn 2003-January, Issue , 2003, Pages 298-307

  Groß, Thomas ^a  

^a IBM RESEARCH ZURICH   (Switzerland)

Author keywords

[No Author keywords available]

Indexed keywords

MARKUP LANGUAGES; SECURITY OF DATA; SPECIFICATIONS;

BUSINESS TO BUSINESS; CONSTRAINT-BASED; DESIGN TECHNIQUE; FEDERATED IDENTITY MANAGEMENTS; SECURITY ANALYSIS; SECURITY ASSERTION MARKUP LANGUAGES; SECURITY CONSIDERATIONS; USER MANAGEMENT;

SECURITY SYSTEMS;

EID: 84944734046     PISSN: 10639527     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1109/CSAC.2003.1254334     Document Type: Conference Paper

References (21)

1. M. Abadi and R. Needham. Prudent engineering practice for cryptographic protocols. IEEE Transactions on Software Engineering, 22(1):6-15, 1996.
2. R. Anderson and R. Needham. Robustness principles for public key protocols. In CRYPTO: Proceedings of Crypto, pages 236-247, Berlin, 1995. Springer-Verlag.
3. B. B. Bhansali. Man-in-the-middle attack - a brief, February 2001.
4. S. Cantor and M. Erdos. Shibboleth-architecture draft v05, May 2002.
5. P. Dave and N. Moussa. TCP connection hijacking, 2002.
6. T. Dierks and C. Allen. RFC 2246: The TLS protocol, January 1999. Status: Standards Track.
7. P. H.-B. et al. Assertions and protocol for the OASIS security assertion markup language (SAML), 2002.
8. P. M. et al. Bindings and profiles for the OASIS security assertion markup language (SAML), 2002.
9. R. T. Fielding, J. Gettys, J. C. Mogul, H. Frystyk, L. Masinter, P. Leach, and T. Berners-Lee. RFC 2616: Hypertext transfer protocol - HTTP/1.1, June 1999. Status: Standards Track.
10. K. Fu, E. Sit, K. Smith, and N. Feamster. Dos and don'ts of client authentication on the web. In Proceedings of the 10th USENIX Security Symposium, 2001.
11. J. Hodges and T. Wason. Liberty architecture overview, 2003.
12. D. P. Kormann and A. D. Rubin. Risks of the passport single signon protocol. Computer Networks, 33:51-58, 2000.
13. G. Lowe. Breaking and fixing the Needham-Schroeder public-key protocol using FDR. In Tools and Algorithms for the Construction and Analysis of Systems (TACAS), volume 1055, pages 147-166. Springer-Verlag, Berlin Germany, 1996.
14. C. Meadows. Analyzing the needham-schroeder publickey protocol: A comparison of two approaches. In ESORICS: European Symposium on Research in Computer Security. LNCS, Springer-Verlag, 1996.
15. Microsoft. .net passport review guide, 2002.
16. R. Needham and M. Schroeder. Using encryption for authentication in large networks of computers. Communications of the ACM, 21(12):393-399, 1978.
17. B. Pfitzmann and M. Waidner. BBAE - a general protocol for browser-based attribute exchange. Research report RZ 3455 (# 93800), IBM Research Division, Zurich, June 2002.
18. B. Pfitzmann and M. Waidner. Privacy in browser-based attribute exchange. In Proceeding of the ACM Workshop on Privacy in the Electronic Society, pages 52-62, Washington, DC, 2002. ACM Press.
19. B. Pfitzmann and M. Waidner. Token-based web single signon with enabled clients. Technical Report IBM Research Report RZ 3458, IBM Research Division, 2002.
20. J. Rouault and T. Wason. Liberty bindings and profiles specification, 2003.
21. M. Slemko. Microsoft passport to trouble, 2001.