Hardening Persona - Improving Federated Web Login
Authors
Abstract
Federated login protocols for the Web are intended to increase user security by reducing the proliferation of passwords that users are expected to remember and use on a day-to-day basis. However, these protocols are vulnerable to recent attacks against TLS that allow attackers to extract session cookies and other such authentication tokens from within TLS sessions. A recent technique, TLS-OBC (origin-bound certificates), allows these tokens to be hardened against extraction. This paper describes the design and engineering of OBC-based extensions to federated login protocols. We present two OBC-based variants on the popular Persona federated login protocol, formalizing them with BAN logic and using the automated proof checker from the related Nexus Authentication Logic. We also present a proof-of-concept implementation, exploring the necessary browser extensions and server support.
Similar resources
Usable Persona Interface: Persona-Bookmark
We present a design that assigns persona information and uses it to selects one identity from several user identities in user resources such as bookmarks. As a proof of concept, we implemented a persona-bookmark system. In this system, a user can assign his persona information to his bookmarks so that the system automates login processes using the persona information. Thus, the user can log int...
PseudoID: Enhancing Privacy for Federated Login
PseudoID is a federated login system that protects users from disclosure of private login data held by identity providers. We offer a proof of concept implementation of PseudoID based on blind digital signatures that is backward-compatible with a popular federated login system named OpenID. We also propose several extensions and discuss some of the practical challenges that must be overcome to ...
Analyzing the BrowserID SSO System with Primary Identity Providers Using an Expressive Model of the Web
BrowserID is a complex, real-world Single Sign-On (SSO) System for web applications recently developed by Mozilla. This open source system employs new HTML5 features (such as web messaging and web storage) and cryptographic assertions to provide decentralized and federated login, with the intent to respect users’ privacy. It can operate in two modes, the primary identity provider mode and the s...
Logout in Single Sign-on Systems
Single sign-on (SSO) helps users to cope with many online services that require authentication. Systems such as OpenID and SAML-based Shibboleth offer federated identity management where an Identity Provider authenticates the user on behalf of the services. Much research concentrates on making authentication stronger, preventing phishing and making the systems more user friendly but less attent...
Security, Privacy and Usability Requirements for Federated Identity
Federated Identity systems promise to solve the increasingly vexing problem of password overload. However, existing systems, such as OpenID and CardSpace have failed to gain the expected levels of adoption, due in part to usability and security issues, while proprietary systems such as Facebook Connect raise serious privacy concerns over their usage of the data collected. In this paper, we exam...
Journal title:
Volume Number
Pages -
Publication date 2014