Browser-based identity federation

Author

  • Thomas Groß
Abstract

Given the increasing popularity of Web 2.0 applications, web-based three-party authentication is becoming increasingly important. Identity federation fulfills this requirement through standardized protocols that authenticate Web users across trust domains. This thesis considers the problem of secure authentication by browser-based identity federation. This special class of identity federation uses only a standard web browser as client and therefore provides zero-footprint authentication. Instead of a traditional key exchange and subsequent channel establishment, browser-based identity federation bootstraps a server-authenticated secure channel with a third-party credential to obtain mutual authentication. Thanks to this deviation from prevalent security research, it represents an interesting research area. We will discuss the most important archetypes and standards of browser-based identity federation. The results of our careful investigation include vulnerabilities as well as novel security mechanisms, which have improved major standards. We will present the first formal model for browser-based protocols built upon the Reactive Simulatability framework, and establish channel authenticity as a new security goal for this area. Through our formal model of the standardized WS-Federation Passive Requestor Profile, we achieve the first rigorous security proof for browser-based identity federation.

Similar resources

Browser Model for Security Analysis of Browser-Based Protocols

Currently, many industrial initiatives focus on web-based applications. In this context an important requirement is that the user should only rely on a standard web browser. Hence the underlying security services also rely solely on a browser for interaction with the user. Browser-based identity federation is a prominent example of such a protocol. Unfortunately, very little is still known abou...

Client Authentication in Federations Using a Security Mode

Nowadays, identity-based client authentication (e.g., by username/ password) over SSL is the standard for user authentication on the Web. In particular, browser-based federated identity management (FIM) protocols prefer this technique to authenticate customers due to its user-convenience and lightweight access management. However, recent attacks known as phishing provide evidence that this auth...

Browser-based Identity Federation—An Introduction

Many people use web browsers each and every day. Whether for gathering information, reading news, consulting a map, or socializing with friends, the web browser is their trusted companion. The idea of such web-based services is simple: users request services through a web browser with basic capabilities, and then receive the resulting content transparently. In the verge of Web 2.0, the browser ...

TLS-Federation - a Secure and Relying-Party-Friendly Approach for Federated Identity Management

Federated Single-Sign-On using web browsers as User Agents becomes increasingly important. However, current proposals require substantial changes in the implementation of the Relying-Party, and concentrate on functionality rather than security against real-world attacks like Cross Site Scripting (XSS) and Pharming. We therefore propose a different approach based on Transport Layer Security (TLS...

F-SAMS: Reliably Identifying Attributes and Their Identity Providers in a Federation

We describe the Federation Semantic Attribute Mapping System (F-SAMS), a web services based system that automatically collects, in a trustworthy manner, the semantic mappings of Identity Provider (IdP) assigned attributes into a federation agreed set of standard attributes. The collected knowledge may be used by federation service providers (SPs) to support the dynamic management of IdPs and th...

Publication date: 2009