http://dx.doi.org/10.13089/JKIISC.2021.31.5.941

Measurement of Remediation for Compromised User Account of Web Single Sign-On (SSO)  

Nam, Ji-Hyun (Sungkyunkwan University)
Choi, Hyoung-Kee (Sungkyunkwan University)
Abstract
A Single Sign-On (SSO) service manages a user's account passwords for multiple websites, so a high level of security is required. Users of an SSO service are authenticated through an Identity Provider (IdP) when logging into a website. We present the security requirements an IdP can adopt to minimize the risk to a user whose IdP account has been compromised, and we describe the security threats that arise when these requirements are not satisfied. Through evaluation, we prove that if the IdP does not satisfy the security requirements, the attacker's session cannot be canceled even after the user recognizes the attack.
Keywords
SSO(Single Sign-On); Session Remediation; User Account Protection; Web Security; IdP(Identity Provider);