2016 | Original Paper | Book chapter

A Survey of Security Analysis in Federated Identity Management

Authors: Sean Simpson, Thomas Groß

Published in: Privacy and Identity Management. Facing up to Next Steps

Publisher: Springer International Publishing

Abstract

We conduct a systematic survey of security analysis in Federated Identity Management (FIM). We use a categorisation system based on the Malicious and Accidental Fault Tolerance framework (MAFTIA) to categorise security incidents in FIM. Once security incidents are categorised, we can paint a picture of the landscape of problems that have been studied in FIM. We outline the security incidents that are occurring across FIM protocols and present the solutions to those incidents that others have proposed.

Metadata
Title
A Survey of Security Analysis in Federated Identity Management
Authors
Sean Simpson
Thomas Groß
Copyright year
2016
DOI
https://doi.org/10.1007/978-3-319-55783-0_16