Conference paper
On the security of Holder-of-Key single sign-on
Document type
Text/Conference Paper
Additional information
Date
2014
Publisher
Gesellschaft für Informatik e.V.
Abstract
Web Single Sign-On (SSO) is a valuable point of attack because it provides access to multiple resources once a user has initially authenticated. Therefore, the security of Web SSO is crucial. In this context, the SAML-based Holder-of-Key (HoK) SSO Profile is a cryptographically strong authentication protocol that is used in highly critical scenarios. We show that HoK is susceptible to a previously published attack by Armando et al. [ACC+11] that combines logical flaws with cross-site scripting. To fix this vulnerability, we propose to enhance HoK and call our novel approach HoK+. We have implemented HoK+ in the popular open source framework SimpleSAMLphp.
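The abstract calls HoK "cryptographically strong" without saying what the profile checks. The following is an added example, not code from the paper, from SimpleSAMLphp or from HoK+: it shows the one check that separates the SAML Holder-of-Key profile from plain bearer SSO, namely that the service provider accepts an assertion only if the X.509 certificate carried in its SubjectConfirmation (Method `urn:oasis:names:tc:SAML:2.0:cm:holder-of-key`) matches the TLS client certificate of the browser that delivered it. The assertion XML and the "certificate" byte strings are constructed placeholders; XML-signature verification of the assertion is assumed to have happened before this step and is not shown, and neither the attack by Armando et al. nor the HoK+ hardening is modelled, since the page gives no details of either.

```python
"""Holder-of-Key (HoK) subject-confirmation check at a SAML service provider.

Added example (not from the paper or SimpleSAMLphp). The certificates are
constructed placeholder bytes, so the comparison is done on SHA-256
fingerprints of the raw DER rather than by parsing ASN.1.
"""
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET
from typing import Optional

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HOK_METHOD = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"
BEARER_METHOD = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Constructed placeholders standing in for DER-encoded client certificates.
ALICE_CERT_DER = b"constructed-der-for-alice-browser-cert"
MALLORY_CERT_DER = b"constructed-der-for-mallory-browser-cert"


def make_assertion(method: str, cert_der: Optional[bytes]) -> str:
    """Build a minimal, unsigned assertion for 'alice' (constructed sample input).

    For HoK the IdP places the user's certificate in
    SubjectConfirmationData/ds:KeyInfo; a bearer assertion carries no key.
    """
    key_info = ""
    if cert_der is not None:
        key_info = (
            "<ds:KeyInfo><ds:X509Data><ds:X509Certificate>"
            + base64.b64encode(cert_der).decode("ascii")
            + "</ds:X509Certificate></ds:X509Data></ds:KeyInfo>"
        )
    return (
        '<saml:Assertion xmlns:saml="{saml}" xmlns:ds="{ds}" ID="_a1">'
        "<saml:Subject><saml:NameID>alice</saml:NameID>"
        '<saml:SubjectConfirmation Method="{m}">'
        "<saml:SubjectConfirmationData>{ki}</saml:SubjectConfirmationData>"
        "</saml:SubjectConfirmation></saml:Subject></saml:Assertion>"
    ).format(saml=NS["saml"], ds=NS["ds"], m=method, ki=key_info)


def fingerprint(der: bytes) -> str:
    return hashlib.sha256(der).hexdigest()


def confirm_holder_of_key(assertion_xml: str, tls_client_cert_der: Optional[bytes]) -> bool:
    """Accept the assertion only if it is HoK-confirmed by the presented TLS cert.

    Rejects: no client certificate on the TLS connection, bearer-only
    confirmations (an SP configured for HoK must not silently fall back),
    HoK confirmations without a certificate, and certificate mismatches.
    """
    if tls_client_cert_der is None:
        return False
    presented = fingerprint(tls_client_cert_der)
    root = ET.fromstring(assertion_xml)
    for sc in root.findall("saml:Subject/saml:SubjectConfirmation", NS):
        if sc.get("Method") != HOK_METHOD:
            continue  # bearer or other methods never satisfy a HoK SP
        certs = sc.findall(
            "saml:SubjectConfirmationData/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS
        )
        for cert in certs:
            bound = fingerprint(base64.b64decode((cert.text or "").strip()))
            # Constant-time compare of the fingerprints.
            if hmac.compare_digest(bound, presented):
                return True
    return False


if __name__ == "__main__":
    hok = make_assertion(HOK_METHOD, ALICE_CERT_DER)
    print("alice over alice's TLS cert:  ", confirm_holder_of_key(hok, ALICE_CERT_DER))
    print("stolen assertion, mallory cert:", confirm_holder_of_key(hok, MALLORY_CERT_DER))
    print("bearer assertion at HoK SP:    ",
          confirm_holder_of_key(make_assertion(BEARER_METHOD, None), ALICE_CERT_DER))
```

The point of the check is that an assertion leaked to a third party (for instance through the kind of cross-site scripting the abstract mentions) is useless to that party unless it can also present the bound certificate's private key on its own TLS connection; the stolen-assertion case above therefore fails even though the assertion itself is valid.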