SPRESSO: A secure, privacy-respecting single sign-on system for the web

Proceedings of the ACM Conference on Computer and Communications Security

Volumn 2015-October, Issue , 2015, Pages 1358-1369

  Fett, Daniel ^a   Küsters, Ralf ^a   Schmitz, Guido ^a  

^a UNIVERSITY OF TRIER   (Germany)

Author keywords

[No Author keywords available]

Indexed keywords

WEB BROWSERS;

DELEGATE USERS; FORMAL ANALYSIS; IDENTITY PROVIDERS; PLATFORM INDEPENDENT; SINGLE SIGN ON; STRONG AUTHENTICATION; USER AUTHENTICATION; WEB FEATURES;

AUTHENTICATION;

EID: 84954169151     PISSN: 15437221     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/2810103.2813726     Document Type: Conference Paper

References (27)

1. M. Abadi and C. Fournet. Mobile Values, New Names, and Secure Communication. In POPL 2001, pages 104-115. ACM Press, 2001.
2. D. Akhawe, A. Barth, P. E. Lam, J. Mitchell, and D. Song. Towards a Formal Foundation of Web Security. In CSF 2010, pages 290-304. IEEE Computer Society, 2010.
3. A. Armando, R. Carbone, L. Compagna, J. Cuéllar, and M. L. Tobarra. Formal Analysis of SAML 2.0 Web Browser Single Sign-on: Breaking the SAML-based Single Sign-on for Google Apps. In FMSE 2008, pages 1-10. ACM, 2008.
4. G. Bai, J. Lei, G. Meng, S. S. Venkatraman, P. Saxena, J. Sun, Y. Liu, and J. S. Dong. AUTHSCAN: Automatic Extraction of Web Authentication Protocols from Implementations. In NDSS'13. The Internet Society, 2013.
5. C. Bansal, K. Bhargavan, A. Delignat-Lavaud, and S. Maffeis. Keys to the Cloud: Formal Analysis and Concrete Attacks on Encrypted Web Storage. In POST 2013, volume 7796 of LNCS, pages 126-146. Springer, 2013.
6. C. Bansal, K. Bhargavan, and S. Maffeis. Discovering Concrete Attacks on Website Authorization by Formal Analysis. In CSF 2012, pages 247-262. IEEE Computer Society, 2012.
7. B. Blanchet. An Efficient Cryptographic Protocol Verifier Based on Prolog Rules. In CSFW-14, pages 82-96. IEEE Computer Society, 2001.
8. S. Chari, C. S. Jutla, and A. Roy. Universally Composable Security Analysis of OAuth v2.0. IACR Cryptology ePrint Archive, 2011:526, 2011.
9. V. Cheval, H. Comon-Lundh, and S. Delaune. Trace equivalence decision: negative tests and non-determinism. In CCS 2011, pages 321-330. ACM, 2011.
10. D. Fett, R. Küsters, and G. Schmitz. An Expressive Model for the Web Infrastructure: Definition and Application to the BrowserID SSO System. In S&P 2014, pages 673-688. IEEE Computer Society, 2014.
11. D. Fett, R. Küsters, and G. Schmitz. Analyzing the BrowserID SSO System with Primary Identity Providers Using an Expressive Model of the Web. In ESORICS 2015, LNCS. Springer, 2015. To appear. Full version available at http://arxiv.org/abs/1411.7210.
12. D. Fett, R. Küsters, and G. Schmitz. SPRESSO: A Secure, Privacy-Respecting Single Sign-On System for the Web. Technical Report arXiv:1508.01719, arXiv, 2015. Available at http://arxiv.org/abs/1508.01719.
13. B. Fitzpatrick, D. Recordon, et al. OpenID Authentication 2.0. Dec. 5, 2007. http://openid.net/specs/openid-authentication-2-0.html.
14. D. Hardt. RFC6749-The OAuth 2.0 Authorization Framework. Oct. 2012. http://tools.ietf.org/html/rfc6749.
15. D. Jackson. Alloy: A New Technology for Software Modelling. In TACAS 2002, volume 2280 of LNCS, page 20. Springer, 2002.
16. F. Kerschbaum. Simple Cross-Site Attack Prevention. In SecureComm 2007, pages 464-472. IEEE Computer Society, 2007.
17. A. Kumar. A Lightweight Formal Approach for Analyzing Security of Web Protocols. In RAID 2014, volume 8688 of LNCS, pages 192-211. Springer, 2014.
18. Mozilla Identity Team. Persona. https://login.persona.org.
19. T. Nitot. Persona: more privacy, better security while making developers and users happy! Beyond the Code Blog. Apr. 9, 2013. https://blog.mozilla.org/beyond-the-code/2013/04/09/persona-beta2/.
20. J. Somorovsky, A. Mayer, J. Schwenk, M. Kampmann, and M. Jensen. On Breaking SAML: Be Whoever You Want to Be. In USENIX 2012, pages 397-412. USENIX Association, 2012.
21. P. Sovis, F. Kohlar, and J. Schwenk. Security Analysis of OpenID. In Sicherheit, volume 170 of LNI, pages 329-340. GI, 2010.
22. SPRESSO Demo Site and Source Code, 2015. https://spresso.me.
23. S.-T. Sun and K. Beznosov. The Devil is in the (Implementation) Details: An Empirical Analysis of OAuth SSO Systems. In CCS'12, pages 378-390. ACM, 2012.
24. S.-T. Sun, K. Hawkey, and K. Beznosov. Systematically Breaking and Fixing OpenID Security: Formal Analysis, Semi-Automated Empirical Evaluation, and Practical Countermeasures. Computers & Security, 31(4):465-483, 2012.
25. R. Wang, S. Chen, and X. Wang. Signing Me onto Your Accounts through Facebook and Google: A Traffic-Guided Security Study of Commercially Deployed Single-Sign-On Web Services. In S&P 2012, pages 365-379. IEEE Computer Society, 2012.
26. R. Wang, Y. Zhou, S. Chen, S. Qadeer, D. Evans, and Y. Gurevich. Explicating SDKs: Uncovering Assumptions Underlying Secure Authentication and Authorization. In USENIX 2013, pages 399-314. USENIX Association, 2013.
27. Y. Zhou and D. Evans. SSOScan: Automated Testing of Web Applications for Single Sign-On Vulnerabilities. In USENIX 2014, pages 495-510. USENIX Association, 2014.