Federated identity management
We are studying Federated Identity Management (FIM) protocols such
as Microsoft's Passport, SAML, the Liberty Alliance specifications,
and the WS-Federation Passive Requestor Profile. In spite of extensive
press coverage, there is very little other literature on the technical
options and constraints. Another term for this field is cross-domain
Web authentication.
We have three focus areas:

· Security analysis. We analyze the security of existing FIM protocols and provide guidelines for more secure design. We found several specific, avoidable protocol problems in existing products and standards proposals, in addition to previously known intrinsic problems of browser-based protocols [PfWa1_03, Gros1_03]. In a related effort, we are investigating the security of non-browser-based Web services [BMPV_06].

· Proofs and browser models. We prove FIM protocols secure under explicitly stated assumptions. The greatest challenge lies in the presence of a standard browser in the protocols, and in the explicit role that the user must play. After starting with ad hoc assumptions about these participants in [GrPf1_04], we now model browsers and users in a general, reusable way [GrPS1_05]. We have carried out the first proof based on this model [GrPS2_05]. Furthermore, we discuss the intricacies of abstraction in FIM protocol proofs [BaGr_05].

· Privacy. We analyze the privacy options and design consequences in the FIM space and evaluate the privacy of existing proposals [PfWa2_02]. We propose a protocol, BBAE, that is more privacy-friendly than all earlier proposals and scales better to multiple enterprise federations without a single point of control [PfWa1_02, PfWa_03]. It was not realized as a profile in any of the existing standardization activities. We also propose appropriate privacy policies within the constraints of existing protocol proposals, specifically Liberty 1 and 2 single sign-on [Pfit_03, Pfit_04].
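The privacy point above, that account linking across enterprises should not let service providers correlate a user behind her back, is usually addressed with per-provider pseudonyms (the Liberty abstracts below mention pseudonyms for exactly this). The following is an added illustration written for this page; it is not code from BBAE, Liberty, or any of the cited papers, and the keyed-hash derivation, the names `PseudonymIssuer`, `run_scenario`, and the service-provider identifiers are assumptions made for the example. It contrasts releasing one global identifier to every service provider with issuing each provider its own stable pseudonym, and shows what two colluding providers can and cannot link.

```python
import hashlib
import hmac
import secrets


class PseudonymIssuer:
    """Identity provider that gives each service provider (SP) its own
    pseudonym for a user. The pseudonym is a keyed hash over (user, SP), so
    it is stable across sessions for the same SP but, without the IdP's
    key, cannot be related to the pseudonym the same user has at another SP.
    (Illustrative design, not the format of any standardized profile.)"""

    def __init__(self, key=None):
        self.key = key or secrets.token_bytes(32)  # long-term IdP secret

    def pseudonym(self, user_id: str, sp_id: str) -> str:
        # Domain-separate user and SP with a NUL so "ab"+"c" != "a"+"bc".
        msg = user_id.encode() + b"\x00" + sp_id.encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()[:32]

    def resolve(self, sp_id: str, pseudonym: str, known_users):
        """Only the IdP can map a pseudonym back to an account. A real IdP
        would store the mapping; recomputation over its user list suffices
        for the example."""
        for uid in known_users:
            if hmac.compare_digest(self.pseudonym(uid, sp_id), pseudonym):
                return uid
        return None


def linkable_users(records_a: set, records_b: set) -> set:
    """What two colluding SPs learn by intersecting the identifiers they
    hold: every identifier present at both is one user linked across them."""
    return records_a & records_b


def run_scenario(users, sp_a="shop.example", sp_b="bank.example"):
    """Returns (users linkable under a global identifier,
                users linkable under per-SP pseudonyms)."""
    idp = PseudonymIssuer()

    # Design 1: the same identifier is released to every SP. Hashing it
    # does not help; both SPs receive the identical value.
    global_a = {hashlib.sha256(u.encode()).hexdigest() for u in users}
    global_b = set(global_a)

    # Design 2: each SP receives a pseudonym derived for that SP only.
    pseud_a = {idp.pseudonym(u, sp_a) for u in users}
    pseud_b = {idp.pseudonym(u, sp_b) for u in users}

    return (len(linkable_users(global_a, global_b)),
            len(linkable_users(pseud_a, pseud_b)))


if __name__ == "__main__":
    # Constructed sample user list for the demonstration.
    print(run_scenario(["alice", "bob", "carol"]))
```

Two caveats the example makes visible. First, pseudonyms only hide the identifier itself: if the attribute exchange also carries an e-mail address or other stable attribute, colluding providers link on that instead, which is why the attribute-exchange papers below derive privacy requirements for the whole protocol rather than the identifier alone. Second, the issuer still sees every provider a user visits, so per-SP pseudonyms do not remove the identity provider as a single point of control; that is the separate scalability concern BBAE addresses.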
See published or accepted papers, additional technical reports, and public slides.

Published or accepted papers

[1]
Michael Backes, Sebastian Mödersheim,
Birgit Pfitzmann, Luca Viganò: Symbolic and Cryptographic
Analysis of the Secure WS-ReliableMessaging Scenario; accepted
for Foundations of Software Science and Computation Structures
(FOSSACS), March 2006, to appear in LNCS, Springer-Verlag.
Long version BMPV_05.
Abstract: Web services are an important series of
industry standards for adding semantics to web-based and XML-based
communication, in particular among enterprises. Like the entire
series, the security standards and proposals are highly modular.
Combinations of several standards are put together for testing
as interoperability scenarios, and these scenarios are likely
to evolve into industry best practices. In the terminology
of security research, the interoperability scenarios correspond
to security protocols. Hence, it is desirable to analyze them
for security. In this paper, we analyze the security of the
new Secure WS-ReliableMessaging Scenario, the first scenario
to combine security elements with elements of another quality-of-service
standard. We do this both symbolically and cryptographically.
The results of both analyses are positive. The discussion
of actual cryptographic primitives of web-services security
is a novelty of independent interest in this paper.
[2]
Thomas Groß, Birgit Pfitzmann,
Ahmad-Reza Sadeghi: Proving a WS-Federation Passive Requestor
Profile with a Browser Model; 2005 ACM Workshop on Secure
Web Services (SWS), Fairfax, Nov 2005, ACM Press, 54-64.
Abstract: Web-based services are an important business
area. For usability and cost-effectiveness these services
require users to rely only on standard browsers. A representative
class of such applications, currently in the focus of many
industrial players, is Federated Identity Management (FIM).
In this context we face challenging problems: on the one hand,
the security of the existing FIM protocols (including Microsoft
Passport, OASIS SAML, and Liberty) is not yet based on rigorous
proofs and has been challenged by several analyses. On the
other hand, the existing formal security models and proof
methods cannot be applied to browser-based protocols in a
straightforward manner since they only consider protocol-aware
principals: they assume that the involved principals behave
according to the specification of the security protocol unless
they are corrupted. Web browsers, in contrast, have predefined
features and are unaware of the protocol they are involved
in. Based on a generic framework for security proofs of browser-based
protocols, we model an important FIM protocol, the WS-Federation
Passive Requestor Interop profile. We rigorously prove that
the protocol provides authenticity and secure channel establishment
in a realistic trust scenario. This constitutes the first
rigorous security proof for a browser-based identity federation
protocol.
[3]
Michael Backes, Thomas Groß:
Tailoring the Dolev-Yao Abstraction to Web Service Realities;
2005 ACM Workshop on Secure Web Services (SWS), Fairfax,
Nov 2005, ACM Press, 65-74.
Abstract: Web Services are an important series of
standards for adding semantics to web-based and XML-based
communication. For analyzing the security of Web Services
protocols composed of these standards, it is tempting to exploit
their similarity to traditional security protocols by first
transforming them into the Dolev-Yao abstraction, where cryptographic
operators are treated symbolically as constructors of a free
algebra, and as a second step by applying existing symbolic
techniques for machine-assisted or even fully automated protocol
verification within this abstraction.
We show in this paper that this approach tends to ignore intrinsic
aspects of Web Services standards and protocols and to hence
be too coarse-grained for capturing Web Services security
in all its facets. We identify a series of such aspects both
on the conceptual level and on the level of concrete Web Services
protocols: service requestors and providers have additional
properties independent of the protocol under consideration
and hence offer additional attack possibilities, protocol
behaviors can be defined by explicit Web Services policies
and complex message parsings which do not necessarily follow
the common Dolev-Yao-style parsing conventions, etc. We sketch
in a series of examples how to exploit these aspects for mounting
successful attacks against Web Services protocols, and we
discuss possibilities to circumvent these attacks. In particular,
this exemplifies the need for tailoring Dolev-Yao abstractions
specifically to Web Services idiosyncrasies, which go beyond
the standard Dolev-Yao assumptions.
[4]
Thomas Groß, Birgit Pfitzmann, Ahmad-Reza Sadeghi: Browser Model for Security Analysis of Browser-Based Protocols; 10th European Symposium on Research in Computer Security (ESORICS 2005), Sept. 2005, LNCS 3679, Springer-Verlag, Berlin 2005, 489-508. See the preliminary version, IBM Research Report RZ 3600, under technical reports.
Abstract: Currently, many industrial initiatives focus
on web applications. In this context an important requirement
is often that the user should only rely on a standard web
browser. Hence the underlying security services also rely
solely on a browser for interaction with the user. Browser-based
identity federation is a prominent example of such a service.
Very little is still known about the security of browser-based
protocols, and they seem at least as error-prone as standard
security protocols. In particular, standard web browsers have
limited cryptographic capabilities and thus new protocols
are used. Furthermore, these protocols require certain care
by the user in person, which must be modeled. In addition,
browsers, unlike normal protocol principals, cannot be assumed
to do nothing but execute the given security protocol.
In this paper, we lay the theoretical basis for the rigorous
analysis and security proofs of browser-based protocols. We
formally model web browsers, secure browser channels, and
the security-relevant browsing behavior of a user as automata.
As a first rigorous security proof of a browser-based protocol
we prove the security of password-based user authentication
in our model. This is not only the most common stand-alone
type of browser authentication, but also a fundamental building
block for more complex protocols like identity federation.
[5]
Thomas Groß, Birgit Pfitzmann: Proving a WS-Federation Passive Requestor Profile; ACM Secure Web Services Workshop (SWS), October 2004, Washington; post-conference proceedings to appear; preproceedings 1-10.
Abstract: Currently, influential industrial players
are in the process of realizing identity federation, in particular
the authentication of browser users across administrational
domains. WS-Federation is a joint protocol framework for Web
Services clients and browser clients. While browser-based
federation protocols, including Microsoft Passport, OASIS
SAML, and Liberty besides WS-Federation, are already widely
deployed, their security is still unproven and has been challenged
by several analyses. One reason is a lack of cryptographically
precise protocol definitions, which impedes explicit design
for security as well as proofs. Another reason is that the
security properties depend on the browser and even on the
browser user. We rigorously formalize a strict instantiation
of the current WS-Federation Passive Requestor Interop profile
and make explicit assumptions for its general use. On this
basis, we prove that the protocol provides authenticity and
secure channel establishment in a realistic trust scenario.
This constitutes the first positive security result for a
browser-based identity federation protocol.
[6]
Birgit Pfitzmann: Privacy in Enterprise Identity Federation - Policies for Liberty 2 Single Signon; Elsevier Information Security Technical Report (ISTR) 9/1 (2004), 45-58.
(Journal version of Pfit_03, but the different Liberty versions gave significantly different findings.)
Abstract: Cross-domain identity management is gaining
significant interest in industry. A well-known example is
the Liberty Alliance’s specifications for single signon of
web users across different enterprises. The Liberty Alliance
stresses that account linking is voluntary for the users and
that privacy is an important consideration. We evaluate the
privacy of these specifications in detail. We point out some
ambiguities and propose a concrete privacy policy together
with a few changes to the Liberty processing rules. Our analysis
demonstrates that identity-management policies need detailed
advance planning even in a limited context.
[7]
Thomas Groß: Security Analysis of the SAML Single Sign-on Browser/Artifact Profile; ACSAC 2003, Las Vegas, December 2003.
Preliminary version: IBM Research Report RZ 3501 (# 99427), June 2003.
Abstract: Many influential industrial players are
currently pursuing the development of new protocols for federated
identity management. The Security Assertion Markup Language
(SAML) is an important standardized example of this new protocol
class and will be widely used in business-to-business scenarios
to reduce user-management costs. SAML utilizes a constraint-based
specification that is a popular design technique of this protocol
class. In general, the protocol standard is designed well
and carefully. Yet, it does not come with a general security
analysis, but provides an attack-by-attack list of countermeasures
as security considerations. We present a security analysis
of the SAML Single Sign-on Browser/Artifact profile, which
is the first one for such a protocol standard. In a concise
analysis of the protocol design, we have revealed several
flaws in the given specification that can lead to vulnerable
implementations. To demonstrate the impact of these flaws, we
exploit some of them to mount attacks on the protocol.
[8]
Birgit Pfitzmann, Michael Waidner: Analysis of Liberty Single-Signon with Enabled Clients; IEEE Internet Computing 7(6), Nov/Dec 2003, 38-44.
Preliminary version: Token-based Web Single Signon with Enabled Clients; IBM Research Report RZ 3458 (# 93844), November 2002. (Magazine version quite different from any personal copy.)
Abstract: Channel-based enabled-client protocols,
such as the Liberty-enabled client and proxy profile, offer
Web single-signon service; however, several security concerns
remain.
Long abstract (of preliminary version): We study a
type of web single signon recently introduced by one of four
proposed standard protocols of the Liberty Alliance. In contrast
to the other three Liberty protocols and prior protocols like
Microsoft Passport and the SAML standard, the client is not
only a browser, but aware of the protocol, for instance a
web-service client. We investigate how this protocol differs
from standard three-party authentication, and possible benefits.
We call the new protocol class token-based web single signon
with enabled clients. We show a man-in-the-middle attack on
the original Liberty V1.0 protocol and countermeasures against
it. (Such a countermeasure has now been added as an erratum, and
no deployed implementation will use V1.0.) We also give general
guidance for designing secure protocols in this class.(1)
(1) This erratum in [Liberty Alliance Project: Liberty
Version 1.0 Errata, Edition 00, 11 October 2002] is a
reaction to our vulnerability notification to Liberty on Sept.
4. Before the errata publication, the problem was found independently
by Jonathan Sergent of Sun.
[9]
Birgit Pfitzmann, Michael Waidner: Federated Identity-Management Protocols; 11th International Workshop on Security Protocols (2003), LNCS 3364, Springer-Verlag, Berlin 2005, 153-174.
Abstract: For authentication, one answer to the workshop
question "where have all the protocols gone?" is "into federated
identity management". At least this is what many influential
industrial players are currently striving for. The best-known
examples are Microsoft Passport and the Liberty Alliance's
proposals, and the emerging web-services security standards
might contain similar protocols. While there have been many
political discussions about Passport, in particular its privacy,
and some technical studies of operational risks, there is
almost no public literature about the actual protocols and
their security. We start with an overview of the driving factors
in this space, the security properties desirable and achievable
under the given design constraints, and the protocols proposed
so far. We present a new protocol, BBAE, with better scalability
(i.e., absence of single points of control) and privacy than
existing protocols, and demonstrate its security. We also
discuss particular difficulties encountered when striving
for getting the rigorous design and proof techniques of the
security research community applied to protocols that have
a chance to win in this space.
[10]
Birgit Pfitzmann: Privacy in Enterprise Identity Federation - Policies for Liberty Single Signon; 3rd International Workshop on Privacy Enhancing Technologies (PET 2003), LNCS 2760, Springer-Verlag, Berlin 2004, 189-204.
Preliminary version: IBM Research Report RZ 3470 (# 93909), December 2002.
Abstract: Cross-domain identity management is gaining
significant interest in industry. A recent example is the
Liberty Alliance’s specifications for single signon of users
across a federation of enterprises. These specifications stress
that the federation process is voluntary for the users and
that privacy is preserved, e.g., by using pseudonyms. We evaluate
the privacy of these specifications in detail. We point out
ambiguities and propose a concrete privacy policy together
with a few changes to the Liberty processing rules. Our analysis
demonstrates that identity-management policies are non-trivial
even in a limited context. We also discuss how such low-tech
proposals from industry relate to high-tech privacy-enhancing
proposals from the research community.
[11]
Birgit Pfitzmann, Michael Waidner: Privacy in Browser-Based Attribute Exchange; ACM Workshop on Privacy in the Electronic Society (WPES) 2002, ACM Press 2003, 52-62. ISBN 1-58113-633-1/02/0011.
Personal copy (© ACM, 2002).
Preliminary version: IBM Research Report RZ 3412 (# 93644), June 2002.
Abstract: Browser-based attribute-exchange protocols
enable users of normal web browsers to conveniently send attributes,
such as authentication or demographic data, to web sites.
Such protocols might become very common and almost mandatory
in general consumer scenarios over the next few years. We
derive the privacy requirements on such protocols from general
privacy principles and study their consequences for the protocol
design. We also survey to what extent proposals like Microsoft's
Passport, IBM's e-Community Single Signon, SAML, Shibboleth,
the Liberty Alliance specifications and a protocol BBAE of
our own conform to these design consequences, and how one
could go forward.

Additional technical reports

[1]
Michael Backes, Sebastian Mödersheim, Birgit Pfitzmann, Luca Viganò: Symbolic and Cryptographic Analysis of the Secure WS-ReliableMessaging Scenario; IBM Research Report RZ 3619 (# 99629), July 2005.
Published shorter version BMPV_06.

[2]
Thomas Groß, Birgit Pfitzmann, Ahmad-Reza Sadeghi: Browser Model for Security Analysis of Browser-Based Protocols; IBM Research Report RZ 3600 (# 99610), April 2005.
Abstract: Currently, many industrial initiatives focus
on web-based applications. In this context an important requirement
is that the user should only rely on a standard web browser.
Hence the underlying security services also rely solely on
a browser for interaction with the user. Browser-based identity
federation is a prominent example of such a protocol. Unfortunately,
very little is still known about the security of browser-based
protocols, and they seem at least as error-prone as standard
security protocols. In particular, standard web browsers have
limited cryptographic capabilities and thus new protocols
are used. Furthermore, these protocols require certain care
by the user in person, which must be modeled. In addition,
browsers, unlike normal protocol principals, cannot be assumed
to do nothing but execute the given security protocol. In
this paper, we lay the theoretical basis for the rigorous
analysis and security proofs of browser-based security protocols.
We formally model web browsers, secure browser channels, and
the security-relevant browsing behavior of a user as automata.
As a first rigorous security proof of a browser-based protocol
we prove the security of password-based user authentication
in our model. This is not only the most common stand-alone
type of browser authentication, but also a fundamental building
block for more complex protocols like identity federation.
[3]
Birgit Pfitzmann, Michael Waidner: BBAE -- A General Protocol for Browser-based Attribute Exchange; IBM Research Report RZ 3455 (# 93800), September 2002.
Abstract: Browser-based attribute-exchange protocols
enable users of normal web browsers to conveniently send attributes,
such as authentication or demographic data, to web sites.
This is also called federated identity. Such protocols might
become very common and almost mandatory in general consumer
scenarios over the next few years. Several product and standards
proposals have been made, most notably Microsoft Passport,
OASIS SAML, and the Liberty Alliance V1 specifications. However,
none of the current proposals -- by statements of the proposers
themselves -- addresses the full functionality for a general
consumer scenario. We propose a protocol BBAE that addresses
the missing issues. It has been fully specified with existing
standards elements and prototyped, and we present an initial
security analysis. We also discuss how it can be used as a
step forward in existing standardization processes.