单点登录协议实现的安全分析

信息安全研究 ›› 2019, Vol. 5 ›› Issue (1): 59-67.

单点登录协议实现的安全分析

郭丞乾¹,蔡权伟¹,林璟锵²,刘丽敏¹

1. 中国科学院数据与通信保护研究教育中心
2. 中国科学院大学网络空间安全学院

收稿日期:2019-01-08 出版日期:2019-01-15 发布日期:2019-01-08
通讯作者: 郭丞乾
作者简介:郭丞乾博士研究生，主要研究方向为密码工程与应用. guocqian@gmail.com 蔡权伟博士，助理研究员，主要研究方向为网络服务安全. caiquanwei@iie.ac.cn 中国科学院数据与通信保护研究教育中心林璟锵博士，研究员，主要研究方向为应用密码学、数据安全与隐私、网络与系统安全. linjq@is.ac.cn 刘丽敏博士，副研究员，主要研究方向为应用密码学、网络与系统安全. liulimin@iee.ac.cn

Security Analysis on the Implementations of SingleSignOn Protocols

Received:2019-01-08 Online:2019-01-15 Published:2019-01-08

摘要/Abstract

摘要： 身份鉴别是保证信息系统安全性和用户隐私的必要前提，单点登录协议和系统使得专业的身份服务提供商能够在确保用户隐私得到有效保护的前提下，为用户提供良好的体验(无需记忆多个口令，1次登录即可使用多个应用等)，同时又避免了网络服务提供商重复开发用户身份鉴别功能.然而，已有研究成果表明单点登录协议在实现时存在诸多安全问题，本次安全分析针对当前主流的单点登录协议，如OAuth 20，OpenIDConnect以及SAML，抽象出单点登录协议的基本流程和攻击者目标；针对协议参与方的能力形成不同的攻击场景，在此基础上形成了单点登录系统必须满足的7条安全假设.针对现有单点登录系统漏洞的分析，表明实际系统中的漏洞均是由于违背了7条安全假设中的1条或多条.对单点登录系统面临的安全问题进行了系统研究，为单点登录系统的设计、实现和分析奠定了基础.

关键词: 身份鉴别, 单点登录, OAuth 2.0, OpenID-Connect, SAML, 安全假设

Abstract: Web applications rely on the authentication to ensure the security of systems and protect the users' privacy. The single-sign-on (SSO) services, provided by the identity service providers (IdP), allow the Web applicatioins to integrate the authentication directly, instead of maintaining and protecting the users' credentials by themselves. Moreover, SSO systems make it easier for users to visit multiple applications, for example, each user only needs to maintain one credential, and completes the authentication at the chosen IdP. However, various vulnerabilities have been found in the implementations of SSO systems. In this paper, we analyze three mainstream SSO protocols, namely, OAuth 2.0, OpenID-Connect and SAML, and provide the common process for SSO systems. Based on the goals of adversaries and the ability of each participant, we propose four attack scenarios, and present seven security assumptions that should be satisfied in SSO systems. The analysis on existing attacks demonstrate that at least one assumption has been broken for each vulnerability. Our work help to design, implement and analyze secure SSO services.

Key words: authentication, single-sign-on, OAuth 2.0, OpenID-Connect, SAML, security rule

郭丞乾蔡权伟林璟锵刘丽敏. 单点登录协议实现的安全分析[J]. 信息安全研究, 2019, 5(1): 59-67.

参考文献

[1] Hardt D, Ed. The OAuth 2.0 Authorization Framework [S]. Fremont: Internet Engineering Task Force (IETF), 2012. [2] Jones M. The OAuth 2.0 Authorization Framework: Bearer Token Usage [S]. Fremont: Internet Engineering Task Force (IETF), 2012. [3] Sakimura N, Bradley J, Jones M, et al. OpenID Connect Core 1.0 incorporating errata set 1 [S]. San Ramon: OpenID Foundation (OIDF), 2014. [4] Jones M. JSON Web Token (JWT) [S]. Fremont: Internet Engineering Task Force (IETF), 2015. [5] Cahill Conor P, Hughes J, Lockhart H, et al. Assertions and Protocols for the OASIS Security Assertion Markup Language (SAML) V2.0 [S]. Burlington: Organization for the Advancement of Structured Information Standards (OASIS), 2005. [6] Lodderstedt T, Ed. OAuth 2.0 Threat Model and Security Considerations [S]. Fremont: Internet Engineering Task Force (IETF), 2013. [7] 陈君, 张生. 基于OAuth单点登录系统的安全性分析和评估[J]. 电子科技, 2017, 30(9):165-168. [8] Wang R, Chen S, Wang X, et al. Signing Me onto Your Accounts through Facebook and Google: A Traffic-Guided Security Study of Commercially Deployed Single-Sign-On Web Services[C]// Symposium on Security and Privacy. Piscataway, NJ: IEEE, 2012: 365-379. [9] Zhou Y, Evans D. SSOScan: Automated Testing of Web Applications for Single Sign-On Vulnerabilities[C]// Usenix Security Symposium. Berkeley: USENIX, 2014. [10] Chen E Y, Pei Y, Chen S, et al. OAuth Demystified for Mobile Application Developers[C]// Conference on Computer and Communications Security. New York: ACM, 2014:892-903. [11] Wang H , Zhang Y , Li J , et al. The Achilles heel of OAuth: a multi-platform study of OAuth-based authentication[C]// Annual Computer Security Applications Conference. Piscataway, NJ: IEEE, 2016: 167-176. [12] Facebook. Manually Build a Login Flow [EB/OL]. [2018-12-11]. https://developers.facebook.com/docs/facebook-login/manually-build-a-login-flow. [13] Yang R, Li G, Lau W C, et al. Model-based Security Testing:An Empirical Study on OAuth 2.0 Implementations[C]// Computer and Communications Security. Piscataway, NJ: IEEE, 2016:651-662. [14] Luo T, Hao H, Du W, et al. Attacks on WebView in the Android system[C]// Computer Security Applications Conference. New York: ACM, 2011:343-352. [15] Mohsen F, Shehab M. Hardening the OAuth-WebView Implementations in Android Applications by Re-Factoring the Chromium Library[C]// International Conference on Collaboration and Internet Computing. Piscataway, NJ: IEEE, 2017. [16] Wang R, Xing L, Wang X F, et al. Unauthorized origin crossing on mobile platforms:threats and mitigation[C]// ACM Sigsac Conference on Computer & Communications Security. New York: ACM, 2013:635-646. [17] Yang R, Lau W C, Shi S. Breaking and Fixing Mobile App Authentication with OAuth 2.0-based Protocols[C]// Applied Cryptography and Network Security. New York: Springer, 2017:313-335. [18] Wang H, Zhang Y, Li J, et al. Vulnerability Assessment of OAuth Implementations in Android Applications[C]// Computer Security Applications Conference. New York: ACM, 2015:61-70.