This document discusses cloud computing and single sign-on authentication. It provides an overview of cloud service models including software as a service, platform as a service, and infrastructure as a service. It then describes how single sign-on systems work with an identity provider and relying parties, and the benefits of single sign-on in reducing password overhead. However, it also discusses the security risk of assertion consumer service spoofing attacks on single sign-on implementations. Potential mitigations like whitelisting and signing authentication requests are presented.
2. • What is Cloud Computing?
   • Service Models
   • Single Sign-On
   • ACS Spoofing
   • Countermeasures
   • References
3. • Cloud Computing is the practice of using a network of remote servers hosted on the Internet to store, manage, and process data, rather than a local server or a personal computer.
   • Advantages of Cloud Computing:
     ◦ Pay as you go
     ◦ Cost effective
     ◦ Location independent
7. • Platform as a Service (PaaS)
     ◦ Provides a development environment
     ◦ Examples: Microsoft Azure, Google App Engine
   • Infrastructure as a Service (IaaS)
     ◦ Provides virtual machines and storage
     ◦ Examples: Amazon Web Services
12. • The single sign-on (SSO) property allows a user to log in once and gain access to all systems without being prompted to log in again at each of them.
    • SSO works among three parties:
      ◦ User (represented by the browser)
      ◦ Identity Provider (IdP), e.g. Facebook, Gmail
      ◦ Relying Party (RP) or Service Provider (SP)
    • No trust relationship between the IdP and the relying party or service provider.
    • Well-known Single Sign-On systems:
      ◦ Facebook Connect
      ◦ OpenID Connect
      ◦ OAuth
14. • Benefits
      ◦ Reducing time spent re-entering passwords for the same identity
      ◦ Reducing the overhead of maintaining different passwords for different services
15. • An Identity Provider (IdP) provides identifiers for users looking to interact with a system.
    • Security Assertion Markup Language (SAML) is used to exchange authentication and authorization data between the Identity Provider and the Service Provider.
16. • SAML statements are contained in security tokens called assertions.
    • SAML consists of three building blocks:
      ◦ Protocols: define how assertions are exchanged between actors.
      ◦ Bindings: specify how to embed assertions into transport protocols (e.g., HTTP or SOAP).
      ◦ Profiles: define the interplay of assertions, protocols, and bindings needed to meet the requirements of a specific use case.
18. • The optional AssertionConsumerServiceURL (ACSURL) attribute specifies the endpoint URL to which the IdP must deliver the issued assertion.
    • The authentication request may be protected by a digital signature (<Signature>).
    • The <Issuer> element specifies the SAML authority (the IdP) that certifies the claim(s).
20. • The adversary is a client in an SSO system and attempts to convince the RP that his browser represents the legitimate user, assuming that he knows the legitimate user's username through a prior communication.
    [Figure: Legitimate User, Adversary (Malicious User), IdP (e.g. Gmail), Relying Party]
21. • The adversary leaves malicious web content in the user's browser during her visit to his website; this content can perform SSO operations by sending requests to the IdP and the RP.
    [Figure: Legitimate User, Adversary (Malicious User), IdP (e.g. Gmail), Relying Party]
22. • When the legitimate user visits the adversary's website, the adversary acts as an RP to the IdP, in an attempt to get the user's credential for the target RP.
    [Figure: Legitimate User, Adversary (Malicious User), IdP (e.g. Gmail), Relying Party]
23. • ACS (Assertion Consumer Service) Spoofing allows the adversary to redirect the security token issued by the IdP to himself, and thus to impersonate the victim to every federated SP.
    • The only prerequisite for this attack is that the victim visits a web page controlled by the adversary.
    • ACS Scanner
      ◦ An automated penetration test tool developed to scan for the ACS vulnerability
      ◦ Platform independent
24. [Figure: ACS Spoofing message flow]
    Participants: U, the legitimate user, operating the user agent UA (browser); A, the adversary at http://ssoattack.org; SP at http://sp.com; IdP at http://IdP.com.
    1. UA -> A: HTTP GET URL (the user visits the adversary's page)
    2. A -> SP: HTTP GET URLsp
    3. SP -> A: HTTP 302 IdP, (<AuthRequest(ID,SP,ACSurl)>, URLsp). No security context; the user is not identifiable.
    4. A -> UA: HTTP 302 IdP, (<AuthRequest(ID,SP,Badurl)>, URLsp). The adversary has replaced ACSurl with Badurl.
    5. UA -> IdP: HTTP GET IdP, (<AuthRequest(ID,SP,Badurl)>, URLsp)
    6. UA <-> IdP: User authentication. The IdP generates the assertion AA=(ID,IdP,SP,U).
    7. IdP -> UA: HTTP 200 Form(<Response(AA)>, URLsp, Badurl)
    8. UA -> A: HTTP POST Badurl, (<Response(AA)>, URLsp)
    9. A -> SP: HTTP POST ACSurl, (<Response(AA)>, URLsp). The SP verifies and evaluates the assertion.
    10. SP -> A: HTTP 302 URLsp
25. SSO System     Website            Affected SPs   ACS Spoofing   Common Vulnerability Exposure (CVE)
    OneLogin       www.onelogin.com   3600+          Yes            CVE-2012-4962
    WSO2 Stratos   www.wso2.org       3000+          Yes            CVE-2012-4961
    SSOCircle      www.ssocircle.com  2600+          Yes            CVE-2013-0115
    Bitium         www.bitium.com     1750+          Yes            Direct comm.
26. • Whitelisting: one way to mitigate ACS Spoofing is to use a whitelist of allowed ACSURL values for each and every SP, stored at the IdP. This may induce a significant management overhead for large IdPs.
    • Signing authentication requests: in theory, signing authentication requests would make the injection of a malicious ACSURL impossible.
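As an added example (not from the slides), an IdP-side whitelist check in Python over a constructed SAML 2.0 AuthnRequest: the SP entityID http://sp.com, the registry contents and the ACS and Badurl values are assumptions, and the two constructed requests mirror steps 3 and 4 of the message flow above (legitimate ACSurl versus injected Badurl).

```python
"""IdP-side check: honour AssertionConsumerServiceURL only if it is whitelisted for the SP."""
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed registry (assumption): SP entityID (<Issuer>) -> registered ACS endpoints.
SP_WHITELIST = {"http://sp.com": {"http://sp.com/saml/acs"}}

class AcsRejected(Exception):
    """The IdP refuses to deliver an assertion to the requested endpoint."""

def select_acs_url(authn_request_xml: str) -> str:
    """Return the ACS URL the assertion may be POSTed to, or raise AcsRejected."""
    root = ET.fromstring(authn_request_xml)
    if root.tag != "{%s}AuthnRequest" % NS["samlp"]:
        raise AcsRejected("not a samlp:AuthnRequest")
    issuer_el = root.find("saml:Issuer", NS)
    issuer = (issuer_el.text or "").strip() if issuer_el is not None else ""
    allowed = SP_WHITELIST.get(issuer)
    if not allowed:
        # Fail closed: an unknown or missing <Issuer> has no registered endpoints.
        raise AcsRejected("unknown SP %r" % issuer)
    requested = root.get("AssertionConsumerServiceURL")
    if requested is None:
        # The attribute is optional; without it the IdP uses the SP's registered endpoint.
        if len(allowed) != 1:
            raise AcsRejected("no ACS URL in request and no unique default for %r" % issuer)
        return next(iter(allowed))
    # Exact match against the registry. Looser comparisons (prefix, host-only,
    # case-folding) are where an injected "Badurl" tends to slip through.
    if requested not in allowed:
        raise AcsRejected("ACS %r is not registered for %r" % (requested, issuer))
    return requested

def _request(acs_url: str) -> str:
    # Minimal constructed AuthnRequest issued by http://sp.com, pointing at acs_url.
    return ('<samlp:AuthnRequest xmlns:samlp="%s" xmlns:saml="%s" ID="_id1" Version="2.0" '
            'IssueInstant="2014-01-01T00:00:00Z" AssertionConsumerServiceURL="%s">'
            '<saml:Issuer>http://sp.com</saml:Issuer></samlp:AuthnRequest>'
            % (NS["samlp"], NS["saml"], acs_url))

LEGIT_REQUEST = _request("http://sp.com/saml/acs")         # ACSurl, step 3 of the flow
SPOOFED_REQUEST = _request("http://ssoattack.org/collect")  # Badurl injected, step 4
```

With the whitelist in place the IdP never renders a form that posts the assertion to Badurl, so step 8 of the flow cannot happen regardless of what the adversary put into the request.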
27. • The preferred mitigation is cookie binding, combining the ease of SSO with cryptographically strengthened client authentication.
    • The solution provided by Andreas Mayer hardens both the SSO protocol and the session cookies by establishing mutually authenticated channels between the browser and the other participating entities (i.e. IdP and SP).
    • This builds a holistic authentication layer that prevents a wide range of attacks, including MITM, ACS Spoofing, and XSS/UI redressing vulnerabilities.
28. • Rui Wang, Shuo Chen, and XiaoFeng Wang. 2012. Signing Me onto Your Accounts through Facebook and Google: A Traffic-Guided Security Study of Commercially Deployed Single-Sign-On Web Services. In Proceedings of the 2012 IEEE Symposium on Security and Privacy (SP '12). IEEE Computer Society, Washington, DC, USA, 365-379. DOI=10.1109/SP.2012.30 http://dx.doi.org/10.1109/SP.2012.30
    • Andreas Mayer, Marcus Niemietz, Vladislav Mladenov, and Jörg Schwenk. 2014. Guardians of the Clouds: When Identity Providers Fail. In Proceedings of the 6th edition of the ACM Workshop on Cloud Computing Security (CCSW '14). ACM, New York, NY, USA, 105-116. DOI=10.1145/2664168.2664171 http://doi.acm.org/10.1145/2664168.2664171
    • A. Armando, R. Carbone, L. Compagna, J. Cuellar, G. Pellegrino, and A. Sorniotti. From Multiple Credentials to Browser-Based Single Sign-On: Are We More Secure? In SEC, volume 354 of IFIP Advances in Information and Communication Technology, pages 68-79. Springer, 2011.
29. • Yuen-Yan Chan. 2006. Weakest link attack on single sign-on and its case in SAML v2.0 web SSO. In Proceedings of the 2006 international conference on Computational Science and Its Applications - Volume Part III (ICCSA'06), Marina Gavrilova, Osvaldo Gervasi, Vipin Kumar, C. Kenneth Tan, and David Taniar (Eds.), Vol. Part III. Springer-Verlag, Berlin, Heidelberg, 507-516. DOI=10.1007/11751595_54 http://dx.doi.org/10.1007/11751595_54
    • Hsin-Yi Tsai, M. Siebenhaar, A. Miede, Yu-Lun Huang, and R. Steinmetz. "Threat as a Service?: Virtualization's Impact on Cloud Security," IT Professional, vol. 14, no. 1, pp. 32-37, Jan.-Feb. 2012. doi: 10.1109/MITP.2011.117