single sign on for the internet a security story
play

Single Sign-On for the Internet: A Security Story - PowerPoint PPT Presentation

Apr 04, 2023 •137 likes •599 views

Single Sign-On for the Internet: A Security Story eugene@tsyrklevich.name vlad902@gmail.com BlackHat USA, Las Vegas 2007 How do you manage your 169 Web 2.0 accounts today? Does your SSO consist of A login (e.g. johndoe) + 2

  1. Single Sign-On for the Internet: A Security Story eugene@tsyrklevich.name vlad902@gmail.com BlackHat USA, Las Vegas 2007

  2. How do you manage your 169 Web 2.0 accounts today?

  3. Does your “SSO” consist of A login (e.g. johndoe) + 2 passwords (one insecure for web 2.0 sites and one secure for banking sites) ?

  4. Attack #1 a. Fail a user’s login b. Observe the user try every single combination of their username and password, including the secure password..

  5. Lesson #1 Complexity breeds insecurity

  6. One login to rule them all… …a story about reducing complexity

  7. Proves that a user owns a URL You get to choose who manages your identity e.g. http://john.doe.name/ or http://jonny.myopenid.com/

  8. Answers the who? question (authentication) are you john.doe.name? Does NOT answer the what? (authorization) is john.doe.name allowed to access this page?

  9. (demo) How?

  14. That was easy!

  15. Oh. Never mind.

  16. Let’s start at the beginning

  17. Attack #2 – Which one are you? http://nsa.gov:1/, http://nsa.gov:2/, … https://192.168.1.15/internal/auth?ip=1.1.1.1 http://localhost:8080/ http://www.youtube.com/largemovie.flv http://www.tarpit.com/cgi-bin/hang.pl file:///dev/null

  18. Lesson #2 Flexibility and security do not get along (or, why it’s important to be less flexible and more paranoid)

  19. Everybody loves crypto “associate mode”

  20. Why is crypto required? to protect request & response URLs

  21. Shared symmetric key is generated using Diffie-Hellman

  22. Attack #3 - Diffie-Hellman is vulnerable to man-in-the-middle attacks! The spec suggests running DH over https to improve protocol security So what’s the point of using DH in the first place?

  23. Lesson #3 Home brewed crypto is a no no (or, why you should stick to https)

  24. Where are you going?

  25. This way! No, that way! Location: http://www.myopenid.com/server? openid.assoc_handle=%7BHMAC-SHA1%7D%7B4..& openid.identity=http%3A%2F%2Fjohn.doe.name%2F& openid.mode=checkid_setup& openid.return_to=http%3A%2F%2www.somesite.com%2F& openid.trust_root=http%3A%2F%2www.somesite.com%2F

  26. Phishing with malicious RPs Attack #4a

  27. Phishing with malicious URL hosts Attack #4b

  28. Lesson #4 Phishers 1 – OpenID 0 (or, why Johnny will never learn to read URLs)

  29. Let me in!

  30. Once signed in, you will no longer need to re-enter your password for other OpenID enabled sites Convenient, eh?

  31. In other words… your identity provider receives and processes ALL your login requests on your behalf …privacy, anyone?

  32. Lesson #5 OpenID makes privacy difficult (or, why some paranoid users might want to use one OpenID login per site)

  33. Not another redirect!

  34. Attack #6 – Replay attack Location: http://www.somesite.com/finish_auth.php? openid.assoc_handle=%7BHMAC-HA1%7D%7B47bb..& openid.identity=http%3A%2F%2Fjohn.doe.name%2F& openid.mode=id_res& openid.return_to=http%3A%2F%2www.somesite.com& openid.sig=vbUyND6n39Ss8IkpKl19RT83O%2F4%3D& openid.signed=mode%2Cidentity%2Creturn_to& nonce=wVso75KH

  35. Problems with Nonces a. Not part of the OpenID spec (v1) b. Do not actually protect against active attackers!

  36. Lesson #6 Nonces are nonsense (or, why you must be drinking absolut kool-aid if you believe nonces will protect you against an active attacker)

  37. I am secure once I am logged in though, right?

  38. Attack #7 – Cross-site request forgery <html><body> <iframe id="login" src="http://bank.com/login?openid_url=john.doe.name" width="0" height="0"></iframe> <iframe id=“transfer" src="http://bank.com/transfer_money?amount=100&to=attacker" width="0" height="0"></iframe> </body></html>

  39. Lesson #7 OpenID robs you of control (or IdP, not RP, makes the security decisions)

  40. Is it really all that bad?! No! OpenID can make your logins far more secure than they are today!

  41. How?! Only one service to secure so we can afford to use • Client-side certificates • SecurID • Smartcards

  42. Lesson #8 There is only 1 front door with OpenID (or, how I got over my privacy and learnt to love OpenID)

  43. Lessons Learnt 1. Complexity breeds insecurity 2. Flexibility and security do not get along 3. Home brewed crypto is a no no 4. Phishers 1 – OpenID 0 5. OpenID makes privacy difficult 6. Nonces are nonsense 7. OpenID robs you of control 8. There is only 1 front door with OpenID

  44. Is OpenID doomed? Absolutely not It’s a great system solving a very real problem But its security and privacy concerns need further thought

  45. Thanks! Try it today. http://www.openid.net/ http://www.freeyourid.com/ eugene@tsyrklevich.name vlad902@gmail.com

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Single sign-on enabled OpenCms Architecture for Single sign-on implementation into OpenCms

Single sign-on enabled OpenCms Architecture for Single sign-on implementation into OpenCms

Single sign-on enabled OpenCms Architecture for Single sign-on implementation into OpenCms Pavel Slav ek, pavel.slavicek@qbizm.cz Brno, The Czech Republic, 2. 5. 2008 Content Single sign-on introduction (SSO) Introduction to

959 views • 24 slides
Single Sign- -On across On across Single Sign Web Services Web Services Ernest Artiaga

Single Sign- -On across On across Single Sign Web Services Web Services Ernest Artiaga

Single Sign- -On across On across Single Sign Web Services Web Services Ernest Artiaga Artiaga Ernest CERN - - OpenLab OpenLab Security Workshop Security Workshop April 2004 April 2004 CERN Outline Outline Motivation and

352 views • 23 slides
I know who you are, but you can't come in Authentication and single sign-on in the SAS platform

I know who you are, but you can't come in Authentication and single sign-on in the SAS platform

I know who you are, but you can't come in Authentication and single sign-on in the SAS platform Agenda Authentication Inbound authentication Outbound authentication Single Sign-on Definitions Stage Process Method Physical

781 views • 48 slides
Single sign-on (SSO) Presentation Tiit Erm 106572 IVCMM Main points Introduction Old

Single sign-on (SSO) Presentation Tiit Erm 106572 IVCMM Main points Introduction Old

Single sign-on (SSO) Presentation Tiit Erm 106572 IVCMM Main points Introduction Old approach in multiple systems SSO Security Benefits Common SSO based configurations Examples of SSO usage Conclusion 15/12/11

379 views • 16 slides
Single Sign-On: Myth vs Reality Mark Wilcox mark@mjwilcox.com My Involvement Chief

Single Sign-On: Myth vs Reality Mark Wilcox mark@mjwilcox.com My Involvement Chief

Single Sign-On: Myth vs Reality Mark Wilcox mark@mjwilcox.com My Involvement Chief Integration Geek for WebCT Wrote a book on LDAP Became expert on authentication Participant in Internet 2 authentication working groups

789 views • 19 slides
of Workstation Single Sign-On George A. Gellert, MD, MPH, MPA Associate CMIO, CHRISTUS Health

of Workstation Single Sign-On George A. Gellert, MD, MPH, MPA Associate CMIO, CHRISTUS Health

Clinical Impact and Value of Workstation Single Sign-On George A. Gellert, MD, MPH, MPA Associate CMIO, CHRISTUS Health San Antonio, Texas The Challenge: Providers using EHRs must maintain the security of protected health information and

588 views • 26 slides
The Internet Security Alliance The Internet Security Alliance is a collaborative effort with

The Internet Security Alliance The Internet Security Alliance is a collaborative effort with

The Internet Security Alliance The Internet Security Alliance is a collaborative effort with Carnegie Mellon University. It is a cross-sector, internationally- based trade association devoted to cyber security. ISA has individual corporate

349 views • 30 slides
Communication security over the Internet The big picture Me Internet Resource Internet

Communication security over the Internet The big picture Me Internet Resource Internet

Communication security over the Internet The big picture Me Internet Resource Internet Server Client Attack vectors MAN DNS LAN Client Internet Back Bone Router Networking WWW overview MITM (Man In The Middle) 3 2 4 5 LAN

244 views • 23 slides
Network Security Architecture 1 Additional Reading Firewalls and Internet Security:

Network Security Architecture 1 Additional Reading Firewalls and Internet Security:

Network Security Architecture 1 Additional Reading Firewalls and Internet Security: Repelling the Wily Hacker, Cheswick, Bellovin, and Rubin. New second edition Firewall and Internet Security, the Second Hundred (Internet)

801 views • 78 slides
Internet Security Summary ITS335: IT Security Sirindhorn International Institute of Technology

Internet Security Summary ITS335: IT Security Sirindhorn International Institute of Technology

ITS335 Internet Security Internet Security Secure Email Internet Security Summary ITS335: IT Security Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 20 December 2015 its335y15s2l10,

450 views • 25 slides
1 QC STORY -32 QC STORY -32 QC STORY -32 QC Story-1 QC Story-1 QC Story-1 Awards and

1 QC STORY -32 QC STORY -32 QC STORY -32 QC Story-1 QC Story-1 QC Story-1 Awards and

QC STORY -32 QC STORY -32 QC STORY -32 Shop Floor view QC Story-1 QC Story-1 FACTORY OVERVIEW QC Story-1 On Behalf of Susira Industries Ltd., Chennai. We Welcome the Delegates for the QCI DL SHAH NATIONAL AWARDS ON ECONOMICS OF

976 views • 13 slides
Integration of N-tiers application Using CAS Single Sign On system with Horde webmail Jan Du

Integration of N-tiers application Using CAS Single Sign On system with Horde webmail Jan Du

EuroCAMP 8may2008 Integration of N-tiers application Using CAS Single Sign On system with Horde webmail Jan Du Caju ICT security officer K.U.Leuven Belgium Jan.DuCaju@icts.KULeuven.be EuroCAMP 8may2008 Integration of N-tiers application

792 views • 36 slides
Lets Encrypt as a Startup Success Story Security and Ops and Encrypting the web Daniel

Lets Encrypt as a Startup Success Story Security and Ops and Encrypting the web Daniel

Lets Encrypt as a Startup Success Story Security and Ops and Encrypting the web Daniel Jeffery Linux Foundation Why HTTPS? As our dependency on the internet has grown, the risk to users' privacy and safety has grown along with it.

746 views • 40 slides
The Internet Security Alliance The Internet Security Alliance is a collaborative effort between

The Internet Security Alliance The Internet Security Alliance is a collaborative effort between

The Internet Security Alliance The Internet Security Alliance is a collaborative effort between Carnegie Mellon Universitys Software Engineering Institute (SEI) and its CERT Coordination Center (CERT/CC) and the Electronic Industries Alliance

294 views • 10 slides
Internet Security HTTPS SSH CSS441: Security and Cryptography Sirindhorn International

Internet Security HTTPS SSH CSS441: Security and Cryptography Sirindhorn International

CSS441 Internet Security Web Security TLS/SSL Internet Security HTTPS SSH CSS441: Security and Cryptography Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 20 December 2015

832 views • 32 slides
Greatest Internet Mystery That you probably dont know about. @iBotPeaches Story Time

Greatest Internet Mystery That you probably dont know about. @iBotPeaches Story Time

Greatest Internet Mystery That you probably dont know about. @iBotPeaches Story Time Cicada 3301 3 Puzzles Worldwide Hunt Largely Unknown in Public Scary January 5, 2012 - 4chan Weird part of Internet No

700 views • 43 slides
UNIFORM SEPTEMBER 2014 STAFF INFORMATION Pilot uniform

UNIFORM SEPTEMBER 2014 STAFF INFORMATION Pilot uniform

UNIFORM SEPTEMBER 2014 STAFF INFORMATION Pilot uniform strategy. IT IS VERY SIMPLE.. IF PUPILS ARE NOT WEARING THIS ON THE FIRST, OR

204 views • 17 slides
Explanation On October 1 st, The Meadows joined their family of schools, which means we are now

Explanation On October 1 st, The Meadows joined their family of schools, which means we are now

Our conversion to an Academy Childrens Explanation On October 1 st, The Meadows joined their family of schools, which means we are now an Academy. Who are The Shaw Education Trust? What is an Academy? Why have we made this decision? Shaw

216 views • 10 slides
Welcome to the Y6 parents information meeting The year six team: Teachers Wednesdays Miss

Welcome to the Y6 parents information meeting The year six team: Teachers Wednesdays Miss

Welcome to the Y6 parents information meeting The year six team: Teachers Wednesdays Miss Guest 6W RE teachers: Miss Smith 6C Mrs Griffin and Mrs Bowman Miss Costello 6B Music teacher: Mr Perry (student teacher mainly

381 views • 27 slides
The Power of an Agile Mindset Presented by: Linda Rising Independent Consultant Brought to

The Power of an Agile Mindset Presented by: Linda Rising Independent Consultant Brought to

K2 Keynote 6/8/16 10:00 AM The Power of an Agile Mindset Presented by: Linda Rising Independent Consultant Brought to you by: 350 Corporate Way, Suite 400, Orange Park, FL 32073 888 --- 268 --- 8770 904 --- 278 --- 0524 -

668 views • 19 slides
NOT BY THEIR INNATE ABILITY, BUT BY THEIR MINDSET. NEURON DEVELOPMENT Think about the last time

NOT BY THEIR INNATE ABILITY, BUT BY THEIR MINDSET. NEURON DEVELOPMENT Think about the last time

MINDSET The work of Carol Dweck MOST PEOPLE ARE HELD BACK NOT BY THEIR INNATE ABILITY, BUT BY THEIR MINDSET. NEURON DEVELOPMENT Think about the last time you had a major setback, failure or rejection in your life. Did you hear the fixed

199 views • 17 slides
Discovery method for a DNSSEC validating stub resolver Xavier Torrent Gorj on Supervisor:

Discovery method for a DNSSEC validating stub resolver Xavier Torrent Gorj on Supervisor:

Discovery method for a DNSSEC validating stub resolver Xavier Torrent Gorj on Supervisor: Willem Toorop System and Network Engineering Universiteit van Amsterdam Research Project 2 Xavier Torrent Gorj on Supervisor: Willem Toorop

446 views • 20 slides
Mapping a New Direction Using Process Maps to Improve your business and your forms Outline

Mapping a New Direction Using Process Maps to Improve your business and your forms Outline

Mapping a New Direction Using Process Maps to Improve your business and your forms Outline Workshop goals Introduction Tools (map styles and conventions) Analysis Examples Workshop Goals - to understand the uses and

658 views • 55 slides
Outpatient Quality Reporting Program Support Contractor The Lifecycle of Healthcare Quality

Outpatient Quality Reporting Program Support Contractor The Lifecycle of Healthcare Quality

Outpatient Quality Reporting Program Support Contractor The Lifecycle of Healthcare Quality Measures Presentation Moderator: Karen VanBourgondien Education Coordinator, HSAG Speaker: Elizabeth Bainger Program Lead, Hospital OQR Program, CMS

449 views • 26 slides

More recommend