Your SlideShare is downloading. ×
0
OpenID Security
OpenID Security
OpenID Security
OpenID Security
OpenID Security
OpenID Security
OpenID Security
OpenID Security
OpenID Security
OpenID Security
OpenID Security
OpenID Security
OpenID Security
OpenID Security
OpenID Security
OpenID Security
OpenID Security
OpenID Security
OpenID Security
OpenID Security
OpenID Security
OpenID Security
OpenID Security
OpenID Security
OpenID Security
OpenID Security
OpenID Security
OpenID Security
OpenID Security
OpenID Security
OpenID Security
OpenID Security
OpenID Security
OpenID Security
OpenID Security
OpenID Security
OpenID Security
OpenID Security
OpenID Security
OpenID Security
OpenID Security
OpenID Security
OpenID Security
OpenID Security
OpenID Security
OpenID Security
OpenID Security
OpenID Security
OpenID Security
OpenID Security
OpenID Security
OpenID Security
OpenID Security
OpenID Security
OpenID Security
OpenID Security
OpenID Security
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×
Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

OpenID Security

5,002

Published on

Published in: Technology
1 Comment
3 Likes
Statistics
Notes
  • The corresponding whitepaper - http://www.scribd.com/doc/256482/OpenID-security
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here
No Downloads
Views
Total Views
5,002
On Slideshare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
160
Comments
1
Likes
3
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide

Transcript

  1. Single Sign-On for the Internet: A Security Story [email_address] [email_address] BlackHat USA, Las Vegas 2007
  2. <ul><li>The Good, The Bad, The Ugly </li></ul>
  3. <ul><li>The Ugly </li></ul>
  4. How do you manage your 169 Web 2.0 accounts today?
  5. Does your “SSO” consist of A login (e.g. johndoe) + 2 passwords (one insecure for web 2.0 sites and one secure for banking sites) ?
  6. Attack #1 a. Fail a user’s login b. Observe the user try every single combination of their username and password, including the secure password..
  7. BlackHat Advice #1 Change your bank password (we man-in-the-middle’d your secure “SSO” last night)
  8. Observation #1 Complexity breeds insecurity
  9. One login to rule them all… … a story about reducing complexity
  10. <ul><li>Proves that a user owns a URL </li></ul>You get to choose who manages your identity e.g. http://john.doe.name/ or http://john.myopenid.com/
  11. Answers the who? question (authentication) are you john.doe.name? Does NOT answer the what? (authorization) is john.doe.name allowed to access this page?
  12. <ul><li>History </li></ul><ul><li>Specifications </li></ul><ul><li>Industry Support </li></ul>
  13. How? (demo)
  14. How? (man-in-the-middle secure demo)
  15.  
  16.  
  17.  
  18.  
  19. That was easy!
  20. Oh. Never mind.
  21. <ul><li>The Bad </li></ul>
  22. Let’s start at the beginning
  23.  
  24. Attack #2 – Which one are you? http://nsa.gov:1/, http://nsa.gov:2/, … https://192.168.1.15/internal/auth?ip=1.1.1.1 http://localhost:8080/ http://www.youtube.com/largemovie.flv http://www.tarpit.com/cgi-bin/hang.pl file:///dev/null
  25. Observation #2 Flexibility and security do not get along (or, why it’s important to be less flexible and more paranoid)
  26. Everybody loves crypto “ associate mode”
  27. Why is crypto required? to protect request & response URLs
  28. Shared symmetric key is generated using Diffie-Hellman
  29. Attack #3 - Diffie-Hellman is vulnerable to man-in-the-middle attacks! So what’s the point of using DH in the first place? The spec suggests running DH over https to improve protocol security
  30. Observation #3 Home brewed crypto is a no no (or, why you should stick to https)
  31. Where are you going?
  32. This way! No, that way! Location: http://www.myopenid.com/server? openid.assoc_handle =%7BHMAC-SHA1%7D%7B4..& openid.identity =http://eugene.tsyrklevich.name/& openid.mode =checkid_setup& openid.return_to =http://www.jyte.com/finish& openid.trust_root =http://www.jyte.com/
  33. Attack #4a Phishing with malicious RPs
  34. Attack #4b Phishing with malicious URL hosts
  35. Change your bank password BlackHat Advice #2 (we phish’ed your first attempt)
  36. Observation # 4 Phishers 1 – OpenID 0 (or, why Johnny will never learn to read URLs)
  37. Let me in!
  38. <ul><li>Once signed in, you will no longer need to re-enter your password for other OpenID enabled sites </li></ul>Convenient, eh?
  39. <ul><li>In other words… </li></ul><ul><li>your identity provider receives and processes ALL your login requests on your behalf </li></ul>… privacy, anyone?
  40. Observation #5 OpenID makes privacy difficult (or, why some paranoid users might want to use one OpenID login per site)
  41. Not another redirect!
  42. <ul><li>Location: http://www.BADsite.com/finish_auth.php? </li></ul><ul><li>openid.assoc_handle =%7BHMAC-HA1%7D%7B47bb..& </li></ul><ul><li>openid.identity =http://eugene.tsyrklevich.name/& </li></ul><ul><li>openid.mode =id_res& </li></ul><ul><li>openid.return_to =http://www.jyte.com/& </li></ul><ul><li>openid.sig =vbUyND6n39Ss8IkpKl19RT83O%2F4%3D& </li></ul><ul><li>openid.signed =mode%2Cidentity%2Creturn_to& </li></ul>Attack #6a – Phishing (again!)
  43. <ul><li>Location: http://www.somesite.com/finish_auth.php? </li></ul><ul><li>openid.assoc_handle =%7BHMAC-SHA1%7D%7B47b..& </li></ul><ul><li>openid.identity =http://eugene.tsyrklevich.name/& </li></ul><ul><li>openid.mode =id_res& </li></ul><ul><li>openid.return_to =http://www.jyte.com/& </li></ul><ul><li>openid.sig =vbUyND6n39Ss8IkpKl19RT83O%2F4%3D& </li></ul><ul><li>openid.signed =mode%2Cidentity%2Creturn_to& </li></ul>Attack #6b – Replay attack nonce=wVso75KH
  44. Problems with Nonces a. Not part of the OpenID spec (v1) b. Do not actually protect against active attackers!
  45. Observation #6 Nonces are nonsense (or, why you must be drinking absolut kool-aid if you believe nonces will protect you against an active attacker)
  46. I am secure once I am logged in though, right?
  47. Attack #7 Cross-site request forgery <html><body> <iframe id=&quot; login &quot; src=&quot; http://bank.com/login?openid_url=john.doe.name &quot; width=&quot; 0 &quot; height=&quot; 0 &quot; ></iframe> <iframe id=“ transfer &quot; src=&quot; http://bank.com/transfer_money?amount=100&to=attacker &quot; width=&quot; 0 &quot; height=&quot; 0 &quot; ></iframe> </body></html>
  48. Observation #7 OpenID robs you of control (or IdP, not RP, makes the security decisions)
  49. Change your bank password BlackHat Advice #3 Actually don’t bother… ...all your OpenID are belong to us.
  50. <ul><li>The Good </li></ul>
  51. Is it really all that bad?! <ul><li>No! </li></ul><ul><li>OpenID can make your logins far more secure than they are today! </li></ul>
  52. How?! <ul><li>Only one service to secure so we can afford to use </li></ul><ul><li>Client-side certificates </li></ul><ul><li>SecurID </li></ul><ul><li>Smartcards </li></ul>
  53.  
  54. Observation #8 <ul><li>There is only 1 front </li></ul><ul><li>door with OpenID </li></ul><ul><li>(or, how I got over my privacy </li></ul><ul><li>and learnt to love OpenID) </li></ul>
  55. Lessons Learnt <ul><li>Complexity breeds insecurity </li></ul><ul><li>Flexibility and security do not get along </li></ul><ul><li>Home brewed crypto is a no no </li></ul><ul><li>Phishers 1 – OpenID 0 </li></ul><ul><li>OpenID makes privacy difficult </li></ul><ul><li>Nonces are nonsense </li></ul><ul><li>OpenID robs you of control </li></ul><ul><li>There is only 1 front door with OpenID </li></ul>
  56. Is OpenID doomed? <ul><li>Absolutely not </li></ul><ul><li>It’s a great system </li></ul><ul><li>solving a very real problem </li></ul>But its security and privacy concerns need further thought
  57. Thanks! [email_address] [email_address] Try it today. http://www.openid.net/ http://www.freeyourid.com/

×