Analysing the security of Google's implementation of OpenID Connect. / Li, Wanpeng; Mitchell, Christopher J.

Detection of Intrusions and Malware, and Vulnerability Assessment - 13th International Conference, DIMVA 2016, Donostia-San Sebastián, Spain, July 7-8, 2016, Proceedings. ed. / Juan Caballero; Urko Zurutuza; Ricardo J Rodriguez. Springer-Verlag, 2016. p. 357-376 (Lecture Notes in Computer Science; Vol. 9721).

Research output: Chapter in Book/Report/Conference proceedingConference contribution

E-pub ahead of print

Standard

Analysing the security of Google's implementation of OpenID Connect. / Li, Wanpeng; Mitchell, Christopher J.

Detection of Intrusions and Malware, and Vulnerability Assessment - 13th International Conference, DIMVA 2016, Donostia-San Sebastián, Spain, July 7-8, 2016, Proceedings. ed. / Juan Caballero; Urko Zurutuza; Ricardo J Rodriguez. Springer-Verlag, 2016. p. 357-376 (Lecture Notes in Computer Science; Vol. 9721).

Research output: Chapter in Book/Report/Conference proceedingConference contribution

Harvard

Li, W & Mitchell, CJ 2016, Analysing the security of Google's implementation of OpenID Connect. in J Caballero, U Zurutuza & RJ Rodriguez (eds), Detection of Intrusions and Malware, and Vulnerability Assessment - 13th International Conference, DIMVA 2016, Donostia-San Sebastián, Spain, July 7-8, 2016, Proceedings. Lecture Notes in Computer Science, vol. 9721, Springer-Verlag, pp. 357-376. https://doi.org/10.1007/978-3-319-40667-1_18

APA

Li, W., & Mitchell, C. J. (2016). Analysing the security of Google's implementation of OpenID Connect. In J. Caballero, U. Zurutuza, & R. J. Rodriguez (Eds.), Detection of Intrusions and Malware, and Vulnerability Assessment - 13th International Conference, DIMVA 2016, Donostia-San Sebastián, Spain, July 7-8, 2016, Proceedings (pp. 357-376). (Lecture Notes in Computer Science; Vol. 9721). Springer-Verlag. https://doi.org/10.1007/978-3-319-40667-1_18

Vancouver

Li W, Mitchell CJ. Analysing the security of Google's implementation of OpenID Connect. In Caballero J, Zurutuza U, Rodriguez RJ, editors, Detection of Intrusions and Malware, and Vulnerability Assessment - 13th International Conference, DIMVA 2016, Donostia-San Sebastián, Spain, July 7-8, 2016, Proceedings. Springer-Verlag. 2016. p. 357-376. (Lecture Notes in Computer Science). https://doi.org/10.1007/978-3-319-40667-1_18

Author

Li, Wanpeng ; Mitchell, Christopher J. / Analysing the security of Google's implementation of OpenID Connect. Detection of Intrusions and Malware, and Vulnerability Assessment - 13th International Conference, DIMVA 2016, Donostia-San Sebastián, Spain, July 7-8, 2016, Proceedings. editor / Juan Caballero ; Urko Zurutuza ; Ricardo J Rodriguez. Springer-Verlag, 2016. pp. 357-376 (Lecture Notes in Computer Science).

BibTeX

@inproceedings{8c1c08eb4a5840508ce1e53e43999637,
title = "Analysing the security of Google's implementation of OpenID Connect",
abstract = "Many millions of users routinely use their Google accounts to log in to relying party (RP) websites supporting the Google OpenID Connect service. OpenID Connect, a newly standardised single-sign-on protocol, builds an identity layer on top of the OAuth 2.0 protocol, which has itself been widely adopted to support identity management services. It adds identity management functionality to the OAuth 2.0 system and allows an RP to obtain assurances regarding the authenticity of an end user. A number of authors have analysed the security of the OAuth 2.0 protocol, but whether OpenID Connect is secure in practice remains an open question. We report on a large-scale practical study of Google's implementation of OpenID Connect, involving forensic examination of 103 RP websites which support its use for sign-in. Our study reveals serious vulnerabilities of a number of types, all of which allow an attacker to log in to an RP website as a victim user. Further examination suggests that these vulnerabilities are caused by a combination of Google's design of its OpenID Connect service and RP developers making design decisions which sacrifice security for simplicity of implementation. We also give practical recommendations for both RPs and OPs to help improve the security of real world OpenID Connect systems.",
author = "Wanpeng Li and Mitchell, {Christopher J}",
year = "2016",
month = "6",
day = "12",
doi = "10.1007/978-3-319-40667-1_18",
language = "English",
isbn = "978-3-319-40666-4",
series = "Lecture Notes in Computer Science",
publisher = "Springer-Verlag",
pages = "357--376",
editor = "Juan Caballero and Urko Zurutuza and Rodriguez, {Ricardo J}",
booktitle = "Detection of Intrusions and Malware, and Vulnerability Assessment - 13th International Conference, DIMVA 2016, Donostia-San Sebasti{\'a}n, Spain, July 7-8, 2016, Proceedings",

}

RIS

TY - GEN

T1 - Analysing the security of Google's implementation of OpenID Connect

AU - Li, Wanpeng

AU - Mitchell, Christopher J

PY - 2016/6/12

Y1 - 2016/6/12

N2 - Many millions of users routinely use their Google accounts to log in to relying party (RP) websites supporting the Google OpenID Connect service. OpenID Connect, a newly standardised single-sign-on protocol, builds an identity layer on top of the OAuth 2.0 protocol, which has itself been widely adopted to support identity management services. It adds identity management functionality to the OAuth 2.0 system and allows an RP to obtain assurances regarding the authenticity of an end user. A number of authors have analysed the security of the OAuth 2.0 protocol, but whether OpenID Connect is secure in practice remains an open question. We report on a large-scale practical study of Google's implementation of OpenID Connect, involving forensic examination of 103 RP websites which support its use for sign-in. Our study reveals serious vulnerabilities of a number of types, all of which allow an attacker to log in to an RP website as a victim user. Further examination suggests that these vulnerabilities are caused by a combination of Google's design of its OpenID Connect service and RP developers making design decisions which sacrifice security for simplicity of implementation. We also give practical recommendations for both RPs and OPs to help improve the security of real world OpenID Connect systems.

AB - Many millions of users routinely use their Google accounts to log in to relying party (RP) websites supporting the Google OpenID Connect service. OpenID Connect, a newly standardised single-sign-on protocol, builds an identity layer on top of the OAuth 2.0 protocol, which has itself been widely adopted to support identity management services. It adds identity management functionality to the OAuth 2.0 system and allows an RP to obtain assurances regarding the authenticity of an end user. A number of authors have analysed the security of the OAuth 2.0 protocol, but whether OpenID Connect is secure in practice remains an open question. We report on a large-scale practical study of Google's implementation of OpenID Connect, involving forensic examination of 103 RP websites which support its use for sign-in. Our study reveals serious vulnerabilities of a number of types, all of which allow an attacker to log in to an RP website as a victim user. Further examination suggests that these vulnerabilities are caused by a combination of Google's design of its OpenID Connect service and RP developers making design decisions which sacrifice security for simplicity of implementation. We also give practical recommendations for both RPs and OPs to help improve the security of real world OpenID Connect systems.

U2 - 10.1007/978-3-319-40667-1_18

DO - 10.1007/978-3-319-40667-1_18

M3 - Conference contribution

SN - 978-3-319-40666-4

T3 - Lecture Notes in Computer Science

SP - 357

EP - 376

BT - Detection of Intrusions and Malware, and Vulnerability Assessment - 13th International Conference, DIMVA 2016, Donostia-San Sebastián, Spain, July 7-8, 2016, Proceedings

A2 - Caballero, Juan

A2 - Zurutuza, Urko

A2 - Rodriguez, Ricardo J

PB - Springer-Verlag

ER -