Be whoever you want to be: Single sign-on systems can be improved

Aug 15, 2012

Web shops, Cloud Computing, Online CRM systems: Each day many IT systems require the user to identify himself. Single Sign-On (SSO) systems were introduced to circumvent this problem, and to establish structured Identity Management (IDM) systems in industry: Here the user only has to identify once, all subsequent authentications are done automatically. However, SSO systems based on the industry standard SAML have huge vulnerabilities: Roughly 80 percent of these systems could be broken by the researchers from Ruhr-Universität Bochum.

Single Sign-On (SSO) can be compared to a well guarded door, which protects sensitive company data: Once you have passed this door, you can access all data. Many industry SSO systems are built on the basis of the Assertion Markup Language (SAML). Identity information is stored in a SAML message, protected by a digital signature. Researchers from Bochum were able to circumvent this protection completely in 12 out of 14 SAML systems.

"With novel XML Signature Wrapping techniques we were able to circumvent these digital signatures completely", says Prof. Jörg Schwenk from Ruhr-Universität. "Thus we could impersonate any user, even system administrators." Amongst the 12 affected systems were the SaaS Cloud provider Salesforce, the IBM Datapower security gateway, Onelogin (could e.g. be used as an optional module in Joomla, Wordpress, SugarCRM, or Drupal) and OpenSAML (used e.g. in Shibboleth, and SuisseID, and OpenSAML).

"After we found the attacks, we immediately informed the affected companies, and proposed ways to mitigate the attacks", states security expert and external PhD student Andreas Mayer (Adolf Würth GmbH & Co. KG). "Through the close cooperation with the responsible security teams, the vulnerabilities are now fixed", Juraj Somorovsky adds.

Explore further: Modeling the ripples of health care information

More information: On August 10th, 2012 Juraj Somorovsky presented the results at the 21st USENIX Security Symposium in Bellevue, Washington. www.nds.rub.de/research/publications/BreakingSAML

add to favorites email to friend print save as pdf

Related Stories

Cloud computing: Gaps in the 'cloud'

Oct 24, 2011

Researchers from Ruhr-University Bochum have found a massive security gap at Amazon Cloud Services. Using different methods of attack (signature wrapping and cross site scripting) they tested the system which was deemed "safe". ...

German researchers break W3C XML encryption standard

Oct 19, 2011

Standards are supposed to guarantee security, especially in the WWW. The World Wide Web Consortium (W3C) is the main force behind standards like HTML, XML, and XML Encryption. But implementing a W3C standard does not mean ...

The Web: Tools that manage app access

Sep 21, 2005

Oracle Corp. last week debuted new software that can be used to help grant -- or deny -- users access to information on PCs, and industry insiders told UPI's The Web the company's moves could provide momentum for a promising ...

Security gurus see even harsher browser attacks for '07

Jan 31, 2007

Another year, another round of sneaky online attacks. IBM security experts anticipate 2007 will see more sophisticated profit-motivated cyber attacks, including more focus on Web browsers as well as advances in image-based ...

Recommended for you

Forging a photo is easy, but how do you spot a fake?

Nov 21, 2014

Faking photographs is not a new phenomenon. The Cottingley Fairies seemed convincing to some in 1917, just as the images recently broadcast on Russian television, purporting to be satellite images showin ...

Algorithm, not live committee, performs author ranking

Nov 21, 2014

Thousands of authors' works enter the public domain each year, but only a small number of them end up being widely available. So how to choose the ones taking center-stage? And how well can a machine-learning ...

User comments : 0

Please sign in to add a comment. Registration is free, and takes less than a minute. Read more

Click here to reset your password.
Sign in to get notified via email when new comments are made.