
Web-based Authentication and Authorization Protocols


Web-based security protocols aim at securing the interaction between web applications. For their proper functioning, web-based security protocols rely on a number of assumptions: HTTP is used as the transport protocol, interaction with the end user is mediated by a web browser, and SSL/TLS is used to achieve their security goals. Like traditional security protocols, web-based security protocols are difficult to get right and are therefore a natural target for formal method techniques. We analyzed a number of web-based security protocols, e.g., the SAML 2.0 Web Browser SSO Profile for web-based SSO, OAuth (a protocol for the exchange of authorization information between web-based applications), and strong authentication protocols.

Some Results:

  • Flaw detected in Google's SAML-based SSO for Google Apps.
  • Authentication flaw in the most common use-case scenario of SAML 2.0 SSO Profile (Errata by OASIS Security Services Technical Committee).
  • Cross-Site Scripting (XSS) vulnerabilities detected in SAML-based SSO for Google Apps and Novell Access Manager v3.1 [1].
  • Serious vulnerabilities in protocols for two-factor and two-channel authentication for web applications [2].
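The results above concern assertions that are not tied tightly enough to the Service Provider and request they were issued for. As an added example (not code from the page or from the authors' tools), the following Python snippet shows the SP-side checks that bind a SAML 2.0 Response in the SP-initiated flow to this SP and to the AuthnRequest it issued: Issuer, Destination, InResponseTo, Recipient, AudienceRestriction and the validity window. The entity IDs, ACS URL, request ID and the response itself are constructed; the standard namespace URIs and status value are the real ones from SAML 2.0. It assumes the XML signature over the assertion has already been verified, which is out of scope here.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# SAML 2.0 namespace URIs (real values from the standard).
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed example identifiers; not taken from any real deployment.
SP_ENTITY_ID = "https://sp.example"
SP_ACS_URL = "https://sp.example/acs"
IDP_ENTITY_ID = "https://idp.example"


def make_response(in_response_to="_req1", recipient=SP_ACS_URL,
                  audience=SP_ENTITY_ID, not_on_or_after="2024-01-01T12:05:00Z"):
    """Build a constructed, unsigned, minimal SAML Response for the demo.
    A real SP must verify the XML signature before running the checks below."""
    irt = f'InResponseTo="{in_response_to}"' if in_response_to else ""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  ID="_resp1" {irt} Version="2.0" IssueInstant="2024-01-01T12:00:00Z"
  Destination="{SP_ACS_URL}">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    <saml:Subject>
      <saml:NameID>alice</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData {irt} Recipient="{recipient}"
          NotOnOrAfter="{not_on_or_after}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="{not_on_or_after}">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def _ts(value):
    """Parse the UTC timestamp form used in the constructed response."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_assertion_binding(response_xml, expected_request_id, now,
                            skew=timedelta(seconds=60)):
    """Return (True, 'ok') when the assertion is bound to this SP and to the
    AuthnRequest we issued; otherwise (False, reason). Signature verification
    is assumed to have happened already."""
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{NS['samlp']}}}Response":
        return False, "not a samlp:Response"
    if root.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        return False, "issuer is not the trusted IdP"
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        return False, "status is not Success"
    if root.get("Destination") != SP_ACS_URL:
        return False, "Destination is not our ACS URL"
    if root.get("InResponseTo") != expected_request_id:
        return False, "Response is not bound to our AuthnRequest"
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return False, "no assertion"
    scd = assertion.find(
        "saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("NotOnOrAfter") is None:
        return False, "no usable SubjectConfirmationData"
    # Recipient and InResponseTo on the assertion itself tie it to this SP
    # and this request, so an assertion obtained elsewhere cannot be replayed here.
    if scd.get("Recipient") != SP_ACS_URL:
        return False, "assertion Recipient is not this SP"
    if scd.get("InResponseTo") != expected_request_id:
        return False, "assertion is not bound to our AuthnRequest"
    if now - skew >= _ts(scd.get("NotOnOrAfter")):
        return False, "assertion expired"
    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        return False, "AudienceRestriction does not name this SP"
    cond = assertion.find("saml:Conditions", NS)
    if cond.get("NotBefore") and now + skew < _ts(cond.get("NotBefore")):
        return False, "assertion not yet valid"
    return True, "ok"


def demo():
    """Run the checks over constructed responses; returns {case: (ok, reason)}."""
    now = datetime(2024, 1, 1, 12, 1, tzinfo=timezone.utc)
    return {
        "valid": check_assertion_binding(make_response(), "_req1", now),
        "other_recipient": check_assertion_binding(
            make_response(recipient="https://other-sp.example/acs"), "_req1", now),
        "no_request_binding": check_assertion_binding(
            make_response(in_response_to=None), "_req1", now),
        "other_audience": check_assertion_binding(
            make_response(audience="https://other-sp.example"), "_req1", now),
        "expired": check_assertion_binding(
            make_response(), "_req1", now + timedelta(minutes=10)),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

In an IdP-initiated (unsolicited) flow there is no AuthnRequest to match, so the InResponseTo checks do not apply there; the Recipient and Audience checks still do, and the clock skew tolerance should stay small.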

Selected publications:

[1] A. Armando, R. Carbone, L. Compagna, J. Cuéllar, G. Pellegrino, A. Sorniotti. An authentication flaw in browser-based Single Sign-On protocols: Impact and remediations. Computers & Security, Volume 33, pages 41-58, 2013.

[2] A. Armando, R. Carbone, L. Zanetti. Formal Modeling and Automatic Security Analysis of Two-Factor and Two-Channel Authentication Protocols. In Proceedings of the 7th International Conference on Network and System Security (NSS 2013), Madrid, Spain, June 3-4, 2013.

[3] A. Armando, R. Carbone, A. Merlo. Formal Analysis of a Privacy-Preserving Billing Protocol. In Proceedings of the 1st EIT ICT Labs Workshop on Smart Grid Security (SmartGridSec 2012), Berlin, Germany, December 3, 2012.