
Federated identity management

Project overview

We are studying Federated Identity Management (FIM) protocols like Microsoft's Passport, SAML, the Liberty Alliance specifications, and the WS-Federation Passive Requestor Profile. In spite of large press coverage, there is very little other literature on the technical options and constraints. Another term for this field is cross-domain web authentication.

We have three focus areas:

  • Security analysis. We analyze the security of existing FIM protocols and give guidelines for more secure design. We found several specific, avoidable protocol problems in existing products and standards proposals, in addition to previously known intrinsic problems of browser-based protocols [PfWa1_03, Gros1_03].

    As a related area, we investigate the security of non-browser-based web services [BMPV_06].

  • Proofs and browser models. We are proving the security of FIM protocols under certain assumptions. The biggest challenge lies in the presence of a standard browser in the protocols, and in the explicit role that the user must play. After starting with ad-hoc assumptions about these participants in [GrPf1_04], we now model browsers and users in a general, reusable way [GrPS1_05]. We have just completed the first proof based on this model [GrPS2_05]. Furthermore, we discuss the intricacies of abstraction in FIM protocol proofs [BaGr_05].

  • Privacy. We analyze the privacy options and design consequences in the FIM space and evaluate the privacy of existing proposals [PfWa2_02]. We propose a protocol, BBAE, that is more privacy-friendly than all earlier proposals and scales better to multiple enterprise federations without any single point of control [PfWa1_02, PfWa_03]. It could be realized as a profile in any of the existing standardization activities. We also propose appropriate privacy policies within the constraints of existing protocol proposals, specifically Liberty 1 and 2 single signon [Pfit_03, Pfit_04].

See published or accepted papers, additional technical reports, and public slides.


Published or Accepted Papers


Michael Backes, Sebastian Mödersheim, Birgit Pfitzmann, Luca Viganò: Symbolic and Cryptographic Analysis of the Secure WS-ReliableMessaging Scenario; accepted for Foundations of Software Science and Computation Structures (FOSSACS), March 2006, to appear in LNCS, Springer-Verlag.
Long version BMPV_05.

Abstract: Web services are an important series of industry standards for adding semantics to web-based and XML-based communication, in particular among enterprises. Like the entire series, the security standards and proposals are highly modular. Combinations of several standards are put together for testing as interoperability scenarios, and these scenarios are likely to evolve into industry best practices. In the terminology of security research, the interoperability scenarios correspond to security protocols. Hence, it is desirable to analyze them for security. In this paper, we analyze the security of the new Secure WS-ReliableMessaging Scenario, the first scenario to combine security elements with elements of another quality-of-service standard. We do this both symbolically and cryptographically. The results of both analyses are positive. The discussion of actual cryptographic primitives of web-services security is a novelty of independent interest in this paper.


Thomas Groß, Birgit Pfitzmann, Ahmad-Reza Sadeghi: Proving a WS-Federation Passive Requestor Profile with a Browser Model; 2005 ACM Workshop on Secure Web Services (SWS), Fairfax, Nov 2005, ACM Press, 54-64.

Abstract: Web-based services are an important business area. For usability and cost-effectiveness these services require users to rely only on standard browsers. A representative class of such applications, currently in the focus of many industrial players, is Federated Identity Management (FIM). In this context we face challenging problems: on the one hand, the security of the existing FIM protocols (including Microsoft Passport, OASIS SAML, and Liberty) is not yet based on rigorous proofs and has been challenged by several analyses. On the other hand, the existing formal security models and proof methods cannot be applied to browser-based protocols in a straightforward manner since they only consider protocol-aware principals: they assume that the involved principals behave according to the specification of the security protocol unless they are corrupted. Web browsers, in contrast, have predefined features and are unaware of the protocol they are involved in. Based on a generic framework for security proofs of browser-based protocols, we model an important FIM protocol, the WS-Federation Passive Requestor Interop profile. We rigorously prove that the protocol provides authenticity and secure channel establishment in a realistic trust scenario. This constitutes the first rigorous security proof for a browser-based identity federation protocol.


Michael Backes, Thomas Groß: Tailoring the Dolev-Yao Abstraction to Web Service Realities; 2005 ACM Workshop on Secure Web Services (SWS), Fairfax, Nov 2005, ACM Press, 65-74.

Abstract: Web Services are an important series of standards for adding semantics to web-based and XML-based communication. For analyzing the security of Web Services protocols composed of these standards, it is tempting to exploit their similarity to traditional security protocols by first transforming them into the Dolev-Yao abstraction, where cryptographic operators are treated symbolically as constructors of a free algebra, and as a second step by applying existing symbolic techniques for machine-assisted or even fully automated protocol verification within this abstraction.
We show in this paper that this approach tends to ignore intrinsic aspects of Web Services standards and protocols and hence to be too coarse-grained for capturing Web Services security in all its facets. We identify a series of such aspects both on the conceptual level and on the level of concrete Web Services protocols: service requestors and providers have additional properties independent of the protocol under consideration and hence offer additional attack possibilities, protocol behaviors can be defined by explicit Web Services policies and complex message parsings which do not necessarily follow the common Dolev-Yao-style parsing conventions, etc. We sketch in a series of examples how these aspects can be exploited for mounting successful attacks against Web Services protocols, and we discuss possibilities to circumvent these attacks. In particular, this exemplifies the need for tailoring Dolev-Yao abstractions specifically to Web Services idiosyncrasies, which go beyond the standard Dolev-Yao assumptions.


Thomas Groß, Birgit Pfitzmann, Ahmad-Reza Sadeghi: Browser Model for Security Analysis of Browser-Based Protocols; 10th European Symposium on Research in Computer Security (ESORICS 2005), Sept. 2005, LNCS 3679, Springer-Verlag, Berlin 2005, 489-508. See preliminary version.

Abstract: Currently, many industrial initiatives focus on web applications. In this context an important requirement is often that the user should only rely on a standard web browser. Hence the underlying security services also rely solely on a browser for interaction with the user. Browser-based identity federation is a prominent example of such a service. Very little is still known about the security of browser-based protocols, and they seem at least as error-prone as standard security protocols. In particular, standard web browsers have limited cryptographic capabilities and thus new protocols are used. Furthermore, these protocols require certain care by the user in person, which must be modeled. In addition, browsers, unlike normal protocol principals, cannot be assumed to do nothing but execute the given security protocol.

In this paper, we lay the theoretical basis for the rigorous analysis and security proofs of browser-based protocols. We formally model web browsers, secure browser channels, and the security-relevant browsing behavior of a user as automata. As a first rigorous security proof of a browser-based protocol we prove the security of password-based user authentication in our model. This is not only the most common stand-alone type of browser authentication, but also a fundamental building block for more complex protocols like identity federation.


Thomas Groß, Birgit Pfitzmann: Proving a WS-Federation Passive Requestor Profile; ACM Secure Web Services Workshop, October 2004, Washington; post-conference proceedings to appear; Preproceedings 1-10.

Abstract: Currently, influential industrial players are in the process of realizing identity federation, in particular the authentication of browser users across administrational domains. WS-Federation is a joint protocol framework for Web Services clients and browser clients. While browser-based federation protocols, including Microsoft Passport, OASIS SAML, and Liberty besides WS-Federation, are already widely deployed, their security is still unproven and has been challenged by several analyses. One reason is a lack of cryptographically precise protocol definitions, which impedes explicit design for security as well as proofs. Another reason is that the security properties depend on the browser and even on the browser user. We rigorously formalize a strict instantiation of the current WS-Federation Passive Requestor Interop profile and make explicit assumptions for its general use. On this basis, we prove that the protocol provides authenticity and secure channel establishment in a realistic trust scenario. This constitutes the first positive security result for a browser-based identity federation protocol.


Birgit Pfitzmann: Privacy in Enterprise Identity Federation - Policies for Liberty 2 Single Signon; Elsevier Information Security Technical Report (ISTR) 9/1 (2004) 45-58.
(Journal version of Pfit_03, but the different Liberty versions gave significantly different findings.)

Abstract: Cross-domain identity management is gaining significant interest in industry. A well-known example is the Liberty Alliance’s specifications for single signon of web users across different enterprises. The Liberty Alliance stresses that account linking is voluntary for the users and that privacy is an important consideration. We evaluate the privacy of these specifications in detail. We point out some ambiguities and propose a concrete privacy policy together with a few changes to the Liberty processing rules. Our analysis demonstrates that identity-management policies need detailed advance planning even in a limited context.


Thomas Groß: Security Analysis of the SAML Single Sign-on Browser/Artifact Profile; ACSAC 2003, Las Vegas, December 2003.
Preliminary version: IBM Research Report RZ 3501 (# 99427), June 2003.

Abstract: Many influential industrial players are currently pursuing the development of new protocols for federated identity management. The Security Assertion Markup Language (SAML) is an important standardized example of this new protocol class and will be widely used in business-to-business scenarios to reduce user-management costs. SAML utilizes a constraint-based specification, which is a popular design technique of this protocol class. In general, the protocol standard is designed well and carefully. Yet, it does not come with a general security analysis, but provides an attack-by-attack list of countermeasures as its security consideration. We present a security analysis of the SAML Single Sign-on Browser/Artifact profile, which is the first one for such a protocol standard. In a concise analysis of the protocol design, we have revealed several flaws in the specification that can lead to vulnerable implementations. To demonstrate the impact of these flaws, we exploit some of them to mount attacks on the protocol.


Birgit Pfitzmann, Michael Waidner: Analysis of Liberty Single-Signon with Enabled Clients; IEEE Internet Computing 7(6), Nov/Dec 2003, 38-44.
Preliminary version: Token-based Web Single Signon with Enabled Clients; IBM Research Report RZ 3458 (# 93844), November 2002. (Magazine version quite different from any personal copy.)

Abstract: Channel-based enabled-client protocols, such as the Liberty-enabled client and proxy profile, offer Web single-signon service; however, several security concerns remain.

Long abstract (of preliminary version): We study a type of web single signon recently introduced by one of four proposed standard protocols of the Liberty Alliance. In contrast to the other three Liberty protocols and prior protocols like Microsoft Passport and the SAML standard, the client is not only a browser, but is aware of the protocol, for instance a web-service client. We investigate how this protocol differs from standard three-party authentication, and its possible benefits. We call the new protocol class token-based web single signon with enabled clients. We show a man-in-the-middle attack on the original Liberty V1.0 protocol and countermeasures against it. (Such a countermeasure has now been added as an erratum, and no deployed implementation will use V1.0.) We also give general guidance for designing secure protocols in this class.(1)

(1) This erratum in [Liberty Alliance Project: Liberty Version 1.0 Errata, Edition 00, 11 October 2002] is a reaction to our vulnerability notification to Liberty on Sept. 4. Before the errata publication, the problem was found independently by Jonathan Sergent of Sun.


Birgit Pfitzmann, Michael Waidner: Federated Identity-Management Protocols; 11th International Workshop on Security Protocols (2003), LNCS 3364, Springer-Verlag, Berlin 2005, 153-174.

Abstract: For authentication, one answer to the workshop question "where have all the protocols gone?" is "into federated identity management". At least this is what many influential industrial players are currently striving for. The best-known examples are Microsoft Passport and the Liberty Alliance's proposals, and the emerging web-services security standards might contain similar protocols. While there have been many political discussions about Passport, in particular its privacy, and some technical studies of operational risks, there is almost no public literature about the actual protocols and their security. We start with an overview of the driving factors in this space, the security properties desirable and achievable under the given design constraints, and the protocols proposed so far. We present a new protocol, BBAE, with better scalability (i.e., absence of single points of control) and privacy than existing protocols, and demonstrate its security. We also discuss particular difficulties encountered when striving for getting the rigorous design and proof techniques of the security research community applied to protocols that have a chance to win in this space.


Birgit Pfitzmann: Privacy in Enterprise Identity Federation - Policies for Liberty Single Signon -; 3rd International Workshop on Privacy Enhancing Technologies (PET 2003), LNCS 2760, Springer-Verlag, Berlin 2004, 189-204.
Preliminary version: IBM Research Report RZ 3470 (# 93909), December 2002.

Abstract: Cross-domain identity management is gaining significant interest in industry. A recent example is the Liberty Alliance’s specifications for single signon of users across a federation of enterprises. These specifications stress that the federation process is voluntary for the users and that privacy is preserved, e.g., by using pseudonyms. We evaluate the privacy of these specifications in detail. We point out ambiguities and propose a concrete privacy policy together with a few changes to the Liberty processing rules. Our analysis demonstrates that identity-management policies are non-trivial even in a limited context. We also discuss how such low-tech proposals from industry relate to high-tech privacy-enhancing proposals from the research community.


Birgit Pfitzmann, Michael Waidner: Privacy in Browser-Based Attribute Exchange; ACM Workshop on Privacy in the Electronic Society (WPES) 2002, ACM Press 2003, 52-62, ISBN 1-58113-633-1/02/0011.
Personal copy (© ACM, 2002.)
Preliminary version: IBM Research Report RZ 3412 (# 93644), June 2002.

Abstract: Browser-based attribute-exchange protocols enable users of normal web browsers to conveniently send attributes, such as authentication or demographic data, to web sites. Such protocols might become very common and almost mandatory in general consumer scenarios over the next few years. We derive the privacy requirements on such protocols from general privacy principles and study their consequences for the protocol design. We also survey to what extent proposals like Microsoft's Passport, IBM's e-Community Single Signon, SAML, Shibboleth, the Liberty Alliance specifications and a protocol BBAE of our own conform to these design consequences, and how one could go forward.


Additional Technical Reports


Michael Backes, Sebastian Mödersheim, Birgit Pfitzmann, Luca Viganò: Symbolic and Cryptographic Analysis of the Secure WS-ReliableMessaging Scenario; IBM Research Report RZ 3619 (# 99629), July 2005.
Published shorter version BMPV_06.


Thomas Groß, Birgit Pfitzmann, Ahmad-Reza Sadeghi: Browser Model for Security Analysis of Browser-Based Protocols; IBM Research Report RZ 3600 (#99610), April 2005.

Abstract: Currently, many industrial initiatives focus on web-based applications. In this context an important requirement is that the user should only rely on a standard web browser. Hence the underlying security services also rely solely on a browser for interaction with the user. Browser-based identity federation is a prominent example of such a protocol. Unfortunately, very little is still known about the security of browser-based protocols, and they seem at least as error-prone as standard security protocols. In particular, standard web browsers have limited cryptographic capabilities and thus new protocols are used. Furthermore, these protocols require certain care by the user in person, which must be modeled. In addition, browsers, unlike normal protocol principals, cannot be assumed to do nothing but execute the given security protocol. In this paper, we lay the theoretical basis for the rigorous analysis and security proofs of browser-based security protocols. We formally model web browsers, secure browser channels, and the security-relevant browsing behavior of a user as automata. As a first rigorous security proof of a browser-based protocol we prove the security of password-based user authentication in our model. This is not only the most common stand-alone type of browser authentication, but also a fundamental building block for more complex protocols like identity federation.


Birgit Pfitzmann, Michael Waidner: BBAE -- A General Protocol for Browser-based Attribute Exchange; IBM Research Report RZ 3455 (#93800), September 2002.

Abstract: Browser-based attribute-exchange protocols enable users of normal web browsers to conveniently send attributes, such as authentication or demographic data, to web sites. This is also called federated identity. Such protocols might become very common and almost mandatory in general consumer scenarios over the next few years. Several product and standards proposals have been made, most notably Microsoft Passport, OASIS SAML, and the Liberty Alliance V1 specifications. However, none of the current proposals -- by statements of the proposers themselves -- addresses the full functionality for a general consumer scenario. We propose a protocol BBAE that addresses the missing issues. It has been fully specified with existing standards elements and prototyped, and we present an initial security analysis. We also discuss how it can be used as a step forward in existing standardization processes.


Public Slides


Birgit Pfitzmann (with Thomas Groß): Web Services Security and Federated Identity Management; Workshop CASSIS: Construction and Analysis of Safe, Secure and Interoperable Smart devices, Nice, March 2005.

Birgit Pfitzmann (with Thomas Groß and Ahmad-Reza Sadeghi): Web Services and Federated Identity Management; DIMACS Workshop on Security of Web Services and E-Commerce, Piscataway, May 2005.


Last change (hand-set value): Nov 25, 2005.