
Security Analysis of Web-based Identity Federation


Presentation Transcript


  1. Security Analysis of Web-based Identity Federation Apurva Kumar IBM Research – India

  2. Context

  3. Challenges

  4. Two contrasting styles

  5. Motivation for Hybrid Approach

  6. Overview of Hybrid Approach

  7. Overview of Hybrid Approach. Forward chaining using BAN logic. Idealization: the protocol spec is turned into BAN formulae. Correspondence about session and token parameters. Retain only those messages that require possession of keys that are not public. Ignore terms that represent neither secrets nor nonces. Simplified spec: a general protocol model in Alloy and an Alloy model incorporating the results of the BAN analysis are checked against the goal spec by the Alloy Analyzer, which produces a counter example when a goal fails.

  8. Inference Rules: BAN Operators. Believes (|≡), Sees (◁), Says (|~), Controls (|⇒). Rules: Message Origin, Nonce Verification, Jurisdiction.
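
As an added illustration of the forward chaining the slides describe (example code written for this page, not from the talk or from IBM Research), the following Python encodes a small fragment of BAN logic as nested tuples and applies the message-origin, nonce-verification and jurisdiction rules named on slide 8 to a constructed, idealized single sign-on exchange. The principal names SP and IDP, the key K, the nonce N and the predicate `authenticated` are all assumptions made for the example; the two structural rules (freshness of a compound, belief in a component) are the standard BAN rules needed to connect the three named ones.

```python
"""Forward chaining over a small fragment of BAN logic (added example).

Formulas are nested tuples; `derive` applies the rules once, `closure`
iterates to a fixpoint. All principal, key and nonce names are constructed
for this example and are not from the presentation.
"""

def believes(p, f):  return ("believes", p, f)      # P |≡ F
def sees(p, m):      return ("sees", p, m)          # P ◁ M
def said(p, f):      return ("said", p, f)          # P |~ F
def controls(p, f):  return ("controls", p, f)      # P |⇒ F
def fresh(f):        return ("fresh", f)            # #(F)
def enc(x, k):       return ("enc", x, k)           # {X}_K
def pair(*xs):       return ("pair",) + xs          # (X, Y, ...)
def shared_key(k, p, q):                            # P <-K-> Q (symmetric)
    return ("shared_key", k, frozenset((p, q)))

def components(x):
    """Sub-terms a principal can project out of a compound message."""
    return x[1:] if x[0] == "pair" else (x,)

def derive(facts):
    """One pass: every formula obtainable from `facts` by a single rule."""
    out = set()
    for fact in facts:
        if fact[0] != "believes":
            continue
        _, p, f = fact
        if f[0] == "shared_key" and p in f[2]:
            # Message origin: P |≡ P<-K->Q, P ◁ {X}_K  ⊢  P |≡ Q |~ X
            k = f[1]
            for q in f[2] - {p}:
                for s in facts:
                    if s[0] == "sees" and s[1] == p and s[2][0] == "enc" and s[2][2] == k:
                        out.add(believes(p, said(q, s[2][1])))
        elif f[0] == "said":
            _, q, x = f
            # Freshness of a compound: P |≡ #(N)  ⊢  P |≡ #(N, T)
            if any(believes(p, fresh(c)) in facts for c in components(x)):
                out.add(believes(p, fresh(x)))
            # Nonce verification: P |≡ #(X), P |≡ Q |~ X  ⊢  P |≡ Q |≡ X
            if believes(p, fresh(x)) in facts:
                out.add(believes(p, believes(q, x)))
        elif f[0] == "believes":
            _, q, x = f
            # Belief in a conjunction implies belief in each component.
            for c in components(x):
                out.add(believes(p, believes(q, c)))
            # Jurisdiction: P |≡ Q |⇒ X, P |≡ Q |≡ X  ⊢  P |≡ X
            if believes(p, controls(q, x)) in facts:
                out.add(believes(p, x))
    return out

def closure(facts):
    """Iterate `derive` to a fixpoint and return every derivable formula."""
    facts = set(facts)
    while True:
        new = derive(facts) - facts
        if not new:
            return facts
        facts |= new

# Constructed idealized SSO exchange: the service provider SP shares key K
# with the identity provider IDP, issued nonce N, and receives an encrypted
# assertion carrying N together with the statement T "alice is authenticated".
SP, IDP, K, N = "SP", "IDP", "K_sp_idp", "N_sp"
T = ("authenticated", "alice")

ASSUMPTIONS = {
    believes(SP, shared_key(K, SP, IDP)),
    believes(SP, fresh(N)),
    believes(SP, controls(IDP, T)),   # SP trusts IDP on who is authenticated
}
WITH_NONCE = ASSUMPTIONS | {sees(SP, enc(pair(N, T), K))}
REPLAYED = ASSUMPTIONS | {sees(SP, enc(T, K))}   # same assertion, nonce missing

def sp_accepts(facts):
    """True when forward chaining reaches the goal SP |≡ T."""
    return believes(SP, T) in closure(facts)

if __name__ == "__main__":
    print("with nonce:", sp_accepts(WITH_NONCE))   # True
    print("replayed:  ", sp_accepts(REPLAYED))     # False
```

The second scenario is the kind of gap the hybrid approach is meant to surface: without a fresh nonce bound to the token, chaining stops at "SP believes IDP once said T", so the goal belief is never derived and the simplified spec handed to the Alloy model would carry no freshness guarantee for that message.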

  9. New Inference Rules: rules to associate actions with users.

  10. Goals for Web Protocols

  11. Alloy Based Web Protocol Model

  12. The Single Sign-On Workflow

  13. The Account Linking Workflow

  14. Attack on Account Linking Workflow

  15. Conclusions
