Once usability becomes secure: German researcher optimizes 'Single Sign-On'

Sep 20, 2012 by Jens Wylkop

Risk increases with comfort: "Single Sign-On" permits users to access all their protected Web resources, replacing repeated sign-ins with passwords. However, attackers also know about the advantages such a single point of attack offers to them. Andreas Mayer, who is writing his PhD thesis as an external doctoral candidate at the Chair for Network and Data Security (Prof. Dr. Jörg Schwenk) at Ruhr-Universität Bochum, has now been able to significantly increase the security of this central interface for the simpleSAMLphp framework.

In the past, no protection against targeted Web attacks

The "Single sign-on" system, in short SSO, seems to be a wonderful solution for any user: "Once authenticated, the information and services are immediately available,without repeated inconvenient password input", says Mayer. However, this concept significantly increases the possible damage, which could harm the user through a "single point of attack". The researchers in Bochum recently showed that the single sign-on is not as safe as assumed: They broke 12 of 14 SSO systems that had critical . "In the near future, we expect an increasing number of attacks on browser based SSO solutions such as Facebook Connect, SAML, OpenID and Microsoft Cardspace", explains Mayer. "It is very alarming that none of the currently used SSO protocols, developed during the last twelve years, provides effective protection against targeted attacks".

Highly efficient open source SSO solution

In the past, the many threatening scenarios, such as phishing, man-in-the-middle attacks, cross site scripting or Web , did not negatively affect the increasing popularity of SSO offerings. The "single sign-on, access everywhere" model is too comfortable and the users are too unsuspecting. Andreas Mayer addresses this risk with his own results: He implemented the OASIS-standardized "SAML Holder-of-Key Web Browser SSO Profile" in the popular framework "SimpleSAMLphp". "This profile binds the critical authentication and authorization information – the so-called tokens – cryptographically to the browser of the legitimate user", explains Mayer. "The result is a highly effective, open source solution that is supported by all established browsers".

Andreas Mayer works at Adolf Würth GmbH & Co. KG and works in his free time at his doctoral thesis at the Chair for Network and of the RUB.

Explore further: First steps towards "Experimental Literature 2.0"

More information: SimpleSAMLphp-Framework for download: www.simplesamlphp.org

add to favorites email to friend print save as pdf

Related Stories

Cloud computing: Gaps in the 'cloud'

Oct 24, 2011

Researchers from Ruhr-University Bochum have found a massive security gap at Amazon Cloud Services. Using different methods of attack (signature wrapping and cross site scripting) they tested the system which was deemed "safe". ...

German watchdog warns of Internet Explorer breach

Sep 18, 2012

(AP)—The German government agency overseeing IT safety is warning of a security breach in Microsoft's Internet Explorer and recommending people use other browsers until the problem is fixed. ...

The safe way to use one Internet password

Feb 25, 2010

(PhysOrg.com) -- A little-used Internet authentication system from the 1980s could provide the answer for enabling web users to securely log in only once per Internet session, a Queensland University of Technology researcher ...

Researchers find way to measure effect of Wi-Fi attacks

Sep 12, 2011

Researchers from North Carolina State University have developed a way to measure how badly a Wi-Fi network would be disrupted by different types of attacks – a valuable tool for developing new security technologies.

Recommended for you

First steps towards "Experimental Literature 2.0"

3 minutes ago

As part of a student's thesis, the Laboratory of Digital Humanities at EPFL has developed an application that aims at rearranging literary works by changing their chapter order. "The human simulation" a saga ...

User comments : 0

More news stories

TCS, Mitsubishi to create new Japan IT services firm

India's biggest outsourcing firm Tata Consultancy Services (TCS) and Japan's Mitsubishi Corp said Monday they are teaming up to create a Japanese software services provider with annual revenues of $600 million.

Finnish inventor rethinks design of the axe

(Phys.org) —Finnish inventor Heikki Kärnä is the man behind the Vipukirves Leveraxe, which is a precision tool for splitting firewood. He designed the tool to make the job easier and more efficient, with ...

Atom probe assisted dating of oldest piece of earth

(Phys.org) —It's a scientific axiom: big claims require extra-solid evidence. So there were skeptics in 2001 when University of Wisconsin-Madison geoscience professor John Valley dated an ancient crystal ...