Auflistung nach Autor:in "Mladenov, Vladislav"
1 - 5 von 5
Treffer pro Seite
Sortieroptionen
- KonferenzbeitragAutomatic recognition, processing and attacking of single sign-on protocols with burp suite(Open Identity Summit 2015, 2015) Mainka, Christian; Mladenov, Vladislav; Guenther, Tim; Schwenk, JörgSAML, Mozilla BrowserID, OpenID, OpenID Connect, Facebook Connect, Microsoft Account, OAuth - today's web applications are supporting a large set of Single Sign-On (SSO) solutions. Some of them have common properties and behavior, others are completely different. This paper will give an overview of modern SSO protocols. We classify them into two groups and show how to distinguish them from each other. We provide EsPReSSO, an open source Burpsuite plugin that identifies SSO protocols automatically in a browser's HTTP traffic and helps penetration testers and security auditors to manipulate SSO flows easily.
- KonferenzbeitragFuturetrust - future trust services for trustworthy global transactions(2016) Hühnlein, Detlef; Frosch, Tilman; Schwenk, Joerg; Piswanger, Carl-Markus; Sel, Marc; Hühnlein, Tina; Wich, Tobias; Nemmert, Daniel; Lottes, René; Somorovsky, Juraj; Mladenov, Vladislav; Condovici, Cristina; Leitold, Herbert; Stalla-Bourdillon, Sophie; Tsakalakis, Niko; Eichholz, Jan; Kamm, Frank-Michael; Kühne, Andreas; Wabisch, Damian; Dean, Roger; Shamah, Jon; Kapanadze, Mikheil; Ponte, Nuno; Martins, Jose; Portela, Renato; Karabat, Çağatay; Stojičić, Snežana; Nedeljkovic, Slobodan; Bouckaert, Vincent; Defays, Alexandre; Anderson, Bruce; Jonas, Michael; Hermanns, Christina; Schubert, Thomas; Wegener, Dirk; Sazonov, AlexanderAgainst the background of the regulation 2014/910/EU [EU1] on electronic identification (eID) and trusted services for electronic transactions in the internal market (eIDAS), the FutureTrust project, which is funded within the EU Framework Programme for Research and Innovation (Horizon 2020) under Grant Agreement No. 700542, aims at supporting the practical implementation of the regulation in Europe and beyond. For this purpose, the FutureTrust project will address the need for globally interoperable solutions through basic research with respect to the foundations of trust and trustworthiness, actively support the standardisation process in relevant areas, and provide Open Source software components and trustworthy services which will ease the use of eID and electronic signature technology in real world applications. The FutureTrust project will extend the existing European Trust Service Status List (TSL) infrastructure towards a “Global Trust List”, develop a comprehensive Open Source Validation Service as well as a scalable Preservation Service for electronic signatures and seals. Furthermore it will provide components for the eID-based application for qualified certificates across borders, and for the trustworthy creation of remote signatures and seals in a mobile environment. The present contribution provides an overview of the FutureTrust project and invites further stakeholders to actively participate as associated partners and contribute to the development of future trust services for trustworthy global transactions.
- KonferenzbeitragOn the security of Hölder-of-key single sign-on(Sicherheit 2014 – Sicherheit, Schutz und Zuverlässigkeit, 2014) Mayer, Andreas; Mladenov, Vladislav; Schwenk, JörgWeb Single Sign-On (SSO) is a valuable point of attack because it provides access to multiple resources once a user has initially authenticated. Therefore, the security of Web SSO is crucial. In this context, the SAML-based Holder-of-Key (HoK) SSO Profile is a cryptographically strong authentication protocol that is used in highly critical scenarios. We show that HoK is susceptible to a previously published attack by Armando et al. [ACC+11] that combines logical flaws with cross-site scripting. To fix this vulnerability, we propose to enhance HoK and call our novel approach HoK+. We have implemented HoK+ in the popular open source framework SimpleSAMLphp.
- TextdokumentSecurity Analysis of XAdES Validation in the CEF Digital Signature Services (DSS)(Open Identity Summit 2019, 2019) Engelbertz, Nils; Mladenov, Vladislav; Somorovsky, Juraj; Herring, David; Erinola, Nurullah; Schwenk, JörgWithin the European Union (EU), the eIDAS regulation sets legal boundaries for crossborder acceptance of Trust Services (TSs) such as Electronic Signatures. To facilitate compliant implementations, an open source software library to create and validate signed documents is provided by the eSignature building block of the Connecting Europe Facility (CEF). We systematically evaluated the validation logic of this library with regards to XML-based attacks. The discovered vulnerabilities allowed us to read server files and bypass XML Advanced Electronic Signature (XAdES) protections. The seriousness of the vulnerabilities shows that there is an urgent need for security best-practice documents and automatic security evaluation tools to support the development of security-relevant implementations.
- KonferenzbeitragStrengthening Web Authentication through TLS - Beyond TLS Client Certificates(Open Identity Summit 2014, 2014) Mayer, Andreas; Mladenov, Vladislav; Schwenk, Jörg; Feldmann, Florian; Meyer, ChristopherEven though novel identification techniques like Single Sign-On (SSO) are on the rise, stealing the credentials used for the authentication is still possible. This situation can only be changed if we make novel use of the single cryptographic functionality a web browser offers, namely TLS. Although the use of client certificates for initial login has a long history, only two approaches to integrate TLS in the session cookie mechanism have been proposed so far: Origin Bound Client Certificates in [DCBW12], and the Strong Locked Same Origin Policy (SLSOP) in [KSTW07]. In this paper, we propose a third method based on the TLS-unique API proposed in RFC 5929 [AWZ10]: A single TLS session is uniquely identified through each of the two Finished messages exchanged during the TLS handshake, and RFC 5929 proposes to make the first Finished message available to higher layer protocols through a novel browser API. We show how this API can be used to strengthen all commonly used types of authentication, ranging from simple password based authentication and SSO to session cookie binding.