Towards automated formal security analysis of SAML V2.0 Web Browser SSO standard -- the POST/Artifact use case
Abstract: Single Sign-On (SSO) protocols streamline user authentication by providing a unified login for multiple online services, improving both usability and security. One of the most widely used SSO protocol frameworks, the Security Assertion Markup Language V2.0 (SAML) Web SSO Profile, has been in use for more than two decades, primarily in government, education and enterprise environments. Despite its mission-critical nature, only certain deployments and configurations of the Web SSO Profile have been formally analyzed. This paper attempts to bridge this gap by performing a comprehensive formal security analysis of the SAML V2.0 SP-initiated SSO use case with the POST and Artifact bindings. Rather than focusing on a specific deployment and configuration, we closely follow the specification with the goal of capturing many of the different deployments the standard allows. Modeling and analysis are performed with the Tamarin prover, a state-of-the-art tool for automated verification of security protocols in the symbolic model of cryptography. Technically, we build a meta-model of the use case and instantiate it as eight different protocol variants. Using the Tamarin prover, we formally verify a number of critical security properties for those protocol variants, while identifying certain drawbacks and potential vulnerabilities.
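The use case named in the abstract, as an added example that is not part of the paper or its Tamarin models: a single-process Python walk-through of SP-initiated SAML V2.0 Web SSO in which the HTTP-POST binding carries the AuthnRequest to the IdP and the HTTP-Artifact binding carries the Response back, with the IdP dereferencing each artifact at most once over the back channel and the SP applying the receiver-side checks the SAML Core and Profiles specifications require (InResponseTo against an outstanding request, Destination and Recipient against its own ACS endpoint, Audience, the NotOnOrAfter window, and the artifact's SourceID). It is a concrete simulation rather than a symbolic model. XML Signature is stood in for by an HMAC under a shared key, and the entity IDs, URLs, principal and key are constructed for illustration.

```python
# Added example, not from the paper or its Tamarin models: SP-initiated SAML V2.0
# Web SSO with the HTTP-POST binding for the AuthnRequest and the HTTP-Artifact
# binding for the Response. XML Signature is stood in for by an HMAC over canonical
# JSON; entity IDs, URLs, the principal and the key are constructed for illustration.
import base64, hashlib, hmac, json, secrets

IDP_ID = "https://idp.example.org"      # constructed IdP entityID
SP_ID = "https://sp.example.com"        # constructed SP entityID
ACS_URL = SP_ID + "/acs"                # SP AssertionConsumerService endpoint
ARTIFACT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
LIFETIME = 300                          # assertion validity window, seconds


def _sign(key, msg):
    # Stand-in for an enveloped XML Signature: HMAC-SHA256 over canonical JSON.
    blob = json.dumps(msg, sort_keys=True).encode()
    return blob, hmac.new(key, blob, hashlib.sha256).hexdigest()


def _make_artifact(issuer, endpoint_index=0):
    # SAML 2.0 type 0x0004 artifact: TypeCode | EndpointIndex | SourceID | MessageHandle
    source_id = hashlib.sha1(issuer.encode()).digest()
    raw = b"\x00\x04" + endpoint_index.to_bytes(2, "big") + source_id + secrets.token_bytes(20)
    return base64.b64encode(raw).decode()


class IdP:
    def __init__(self, key):
        self.key = key
        self.artifacts = {}   # artifact -> signed Response, removed on first resolve

    def handle_authn_request(self, req, principal, now):
        # Authenticates the user, then binds the Response to the POSTed AuthnRequest.
        response = {
            "ID": "_" + secrets.token_hex(16), "Issuer": IDP_ID,
            "InResponseTo": req["ID"], "Destination": req["AssertionConsumerServiceURL"],
            "Assertion": {
                "Subject": principal, "Audience": req["Issuer"],
                "SubjectConfirmation": {"Recipient": req["AssertionConsumerServiceURL"],
                                        "InResponseTo": req["ID"], "NotOnOrAfter": now + LIFETIME},
            },
        }
        artifact = _make_artifact(IDP_ID)
        self.artifacts[artifact] = _sign(self.key, response)
        return artifact       # carried through the browser as the SAMLart parameter

    def resolve_artifact(self, artifact):
        # Back-channel ArtifactResolve: an artifact dereferences at most once.
        return self.artifacts.pop(artifact, None)


class SP:
    def __init__(self, key):
        self.key = key
        self.pending = {}     # outstanding AuthnRequest IDs -> issue time

    def start_sso(self, now):
        req = {"ID": "_" + secrets.token_hex(16), "Issuer": SP_ID, "Destination": IDP_ID + "/sso",
               "AssertionConsumerServiceURL": ACS_URL, "ProtocolBinding": ARTIFACT_BINDING}
        self.pending[req["ID"]] = now
        return req            # the browser POSTs this to the IdP

    def consume_artifact(self, artifact, idp, now):
        # ACS processing for the Artifact binding: resolve, verify, then check the bindings.
        raw = base64.b64decode(artifact)
        if raw[:2] != b"\x00\x04" or raw[4:24] != hashlib.sha1(IDP_ID.encode()).digest():
            return False, "artifact SourceID does not name the expected IdP"
        resolved = idp.resolve_artifact(artifact)
        if resolved is None:
            return False, "unknown or already-resolved artifact"
        blob, sig = resolved
        if not hmac.compare_digest(sig, hmac.new(self.key, blob, hashlib.sha256).hexdigest()):
            return False, "signature check failed"
        resp = json.loads(blob)
        assertion, conf = resp["Assertion"], resp["Assertion"]["SubjectConfirmation"]
        req_id = resp["InResponseTo"]
        if self.pending.pop(req_id, None) is None or conf["InResponseTo"] != req_id:
            return False, "Response not bound to an outstanding AuthnRequest"
        if resp["Issuer"] != IDP_ID:
            return False, "unexpected Issuer"
        if resp["Destination"] != ACS_URL or conf["Recipient"] != ACS_URL:
            return False, "Destination/Recipient mismatch"
        if assertion["Audience"] != SP_ID:
            return False, "assertion not intended for this SP"
        if now >= conf["NotOnOrAfter"]:
            return False, "assertion expired"
        return True, assertion["Subject"]


def run_flow(case="honest", now=1_700_000_000):
    # Drives one login; the non-honest cases show which check rejects the message.
    key = b"shared-idp-sp-key-for-illustration"   # constructed; real deployments use XML Signature
    idp, sp = IdP(key), SP(key)
    req = sp.start_sso(now)
    artifact = idp.handle_authn_request(req, "alice@example.com", now)
    if case == "replay":                          # the same artifact presented twice
        sp.consume_artifact(artifact, idp, now)
        sp.pending[req["ID"]] = now               # even a forgetful SP is protected by the IdP
        return sp.consume_artifact(artifact, idp, now)
    if case == "unsolicited":                     # SP has no matching outstanding request
        sp.pending.clear()
    if case == "expired":
        now += LIFETIME
    return sp.consume_artifact(artifact, idp, now)
```

`run_flow()` returns `(True, "alice@example.com")` for the honest run; `run_flow("replay")`, `run_flow("unsolicited")` and `run_flow("expired")` each return `(False, reason)` naming the check that rejected the message. The IdP-side one-time artifact table is what makes the replay case fail even after the SP has lost track of which request it already answered, which is the point of resolving the Response over the back channel rather than receiving it through the browser.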