Once usability becomes secure: German researcher optimizes 'Single Sign-On'

Sep 20, 2012 by Jens Wylkop

Risk increases with comfort: "Single Sign-On" permits users to access all their protected Web resources, replacing repeated sign-ins with passwords. However, attackers also know about the advantages such a single point of attack offers to them. Andreas Mayer, who is writing his PhD thesis as an external doctoral candidate at the Chair for Network and Data Security (Prof. Dr. Jörg Schwenk) at Ruhr-Universität Bochum, has now been able to significantly increase the security of this central interface for the simpleSAMLphp framework.

In the past, no protection against targeted Web attacks

Single sign-on, or SSO for short, seems to be a wonderful solution for any user: "Once authenticated, the information and services are immediately available, without repeated inconvenient password input", says Mayer. However, the concept significantly increases the damage a user can suffer, because it creates a "single point of attack". The researchers in Bochum recently showed that single sign-on is not as safe as assumed: They broke 12 of 14 SSO systems that had critical . "In the near future, we expect an increasing number of attacks on browser based SSO solutions such as Facebook Connect, SAML, OpenID and Microsoft Cardspace", explains Mayer. "It is very alarming that none of the currently used SSO protocols, developed during the last twelve years, provides effective protection against targeted attacks".

Highly efficient open source SSO solution

In the past, the many threatening scenarios, such as phishing, man-in-the-middle attacks, cross site scripting or Web , did not negatively affect the increasing popularity of SSO offerings. The "single sign-on, access everywhere" model is too comfortable and the users are too unsuspecting. Andreas Mayer addresses this risk with his own results: He implemented the OASIS-standardized "SAML Holder-of-Key Web Browser SSO Profile" in the popular framework "SimpleSAMLphp". "This profile binds the critical authentication and authorization information – the so-called tokens – cryptographically to the browser of the legitimate user", explains Mayer. "The result is a highly effective, open source solution that is supported by all established browsers".
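The binding described above, as an added example that is not from the article or from SimpleSAMLphp: in the OASIS Holder-of-Key profile the assertion carries the user's TLS client certificate, and the service provider accepts the token only over a connection authenticated with that same certificate. The function names and sample certificate bytes are constructed, and the assertion is assumed to have already passed signature verification.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
HOK = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Constructed stand-ins for DER-encoded client certificates (not real certs).
USER_CERT = b"constructed-der-cert-of-legitimate-browser"
OTHER_CERT = b"constructed-der-cert-of-another-client"

def build_assertion(cert_der, method=HOK):
    """Constructed, minimal assertion; a real one is signed by the IdP."""
    b64 = base64.b64encode(cert_der).decode()
    return f"""<saml:Assertion xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}">
  <saml:Subject>
    <saml:NameID>alice@example.org</saml:NameID>
    <saml:SubjectConfirmation Method="{method}">
      <saml:SubjectConfirmationData>
        <ds:KeyInfo><ds:X509Data>
          <ds:X509Certificate>{b64}</ds:X509Certificate>
        </ds:X509Data></ds:KeyInfo>
      </saml:SubjectConfirmationData>
    </saml:SubjectConfirmation>
  </saml:Subject>
</saml:Assertion>"""

def holder_of_key_ok(assertion_xml, tls_client_cert_der):
    """Accept only if the TLS client cert matches a cert bound into the token."""
    if not tls_client_cert_der:            # no client cert on this connection
        return False
    presented = hashlib.sha256(tls_client_cert_der).digest()
    root = ET.fromstring(assertion_xml)    # input assumed signature-verified
    for conf in root.iterfind(".//saml:SubjectConfirmation", NS):
        if conf.get("Method") != HOK:      # bearer tokens are not accepted here
            continue
        for node in conf.iterfind(".//ds:X509Certificate", NS):
            try:
                text = "".join((node.text or "").split())
                bound = base64.b64decode(text, validate=True)
            except ValueError:             # malformed base64: ignore this entry
                continue
            if hmac.compare_digest(hashlib.sha256(bound).digest(), presented):
                return True
    return False
```

A token copied out of the legitimate browser fails this check when replayed from a client that cannot authenticate with the bound certificate's private key.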

Andreas Mayer works at Adolf Würth GmbH & Co. KG and works on his doctoral thesis in his free time at the Chair for Network and Data Security of the RUB.


More information: SimpleSAMLphp-Framework for download: www.simplesamlphp.org
