Analysing the Security of Google's Implementation of OpenID Connect

Authors: Wanpeng Li, Chris J. Mitchell

DOI: 10.1007/978-3-319-40667-1_18

Keywords: Authentication; Computer security; Service (systems architecture); OpenID Connect; Computer science; Identity management; Protocol (object-oriented programming); End user; Forensic examination; World Wide Web; Identity (object-oriented programming)

Abstract: Many millions of users routinely use Google to log in to relying party (RP) websites supporting Google's OpenID Connect service. OpenID Connect builds an identity layer on top of the OAuth 2.0 protocol, which has itself been widely adopted to support identity management. It allows an RP to obtain authentication assurances regarding an end user. A number of authors have analysed OAuth 2.0 security, but whether OpenID Connect is secure in practice remains an open question. We report on a large-scale practical study of Google's implementation of OpenID Connect, involving forensic examination of 103 RP websites that support it. Our study reveals widespread serious vulnerabilities of a number of types, many allowing an attacker to log in to an RP website as a victim user. These issues appear to be caused by a combination of Google's design of its OpenID Connect service and RP developers making design decisions that sacrifice security for ease of implementation. We give recommendations for both RPs and OPs to help improve the security of real world OpenID Connect systems.
