Abstract
In many of the single sign-on (SSO) specifications that support multitiered authentication, it is not mandatory to include the authentication context in a signed response. This can be exploited by adversaries to launch a new kind of attack specific to SSO systems. In this paper, we propose the Weakest Link Attack, a kind of parallel session attack feasible in the above settings. Our attack enables adversaries to succeed at all levels of authentication associated with the victim user by breaking only the weakest one. We present a detailed case study of our attack on web SSO as specified in Security Assertion Markup Language (SAML) V2.0, an OASIS standard released in March 2005. We also suggest the corresponding repair at the end of the paper.
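The abstract's point is that a relying party which accepts a signed SAML response without insisting that the authentication context travel inside the signed part cannot tell at which level the user actually authenticated. The following Python is an added example (not code from the paper or from any SAML implementation) of the structural check a service provider can apply on the receiving side: the AuthnContextClassRef must sit inside the signed Assertion, the Signature Reference must cover that Assertion, and the presented class must be at least as strong as the level the resource requires. The AuthnContext class URIs are real SAML 2.0 identifiers; the strength ordering in AUTHN_STRENGTH, the sample responses and the `_a1` ID are constructed for the example. Cryptographic verification of the XML signature is assumed to be done beforehand by the deployment's XML-DSig library; this block only inspects where the context lives relative to what was signed.

```python
import xml.etree.ElementTree as ET
from typing import Optional, Tuple

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed (assumed) strength ordering, weakest first. The URIs themselves
# are standard SAML 2.0 AuthnContext class identifiers.
AUTHN_STRENGTH = {
    "urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified": 0,
    "urn:oasis:names:tc:SAML:2.0:ac:classes:Password": 1,
    "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport": 2,
    "urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient": 3,
    "urn:oasis:names:tc:SAML:2.0:ac:classes:Smartcard": 4,
    "urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI": 5,
}

PASSWORD = "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"
PPT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
SMARTCARD = "urn:oasis:names:tc:SAML:2.0:ac:classes:Smartcard"


def check_authn_context(response_xml: str, required_class: str) -> Tuple[bool, str]:
    """Accept only if the signed Assertion itself carries an AuthnContextClassRef
    at least as strong as required_class. Returns (accepted, reason)."""
    root = ET.fromstring(response_xml)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return False, "no Assertion in Response"

    # The signature must be a child of the Assertion and its Reference must
    # point at this Assertion's ID; otherwise the context is not covered.
    sig = assertion.find("ds:Signature", NS)
    if sig is None:
        return False, "Assertion is not signed"
    ref = sig.find("ds:SignedInfo/ds:Reference", NS)
    if ref is None or ref.get("URI") != "#" + (assertion.get("ID") or ""):
        return False, "Signature Reference does not cover the Assertion"

    # Read the context only from inside the signed Assertion, never from
    # unsigned parts of the Response.
    ctx = assertion.find(
        "saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", NS)
    presented = (ctx.text or "").strip() if ctx is not None else ""
    if not presented:
        return False, "signed Assertion carries no AuthnContextClassRef"
    if presented not in AUTHN_STRENGTH or required_class not in AUTHN_STRENGTH:
        return False, "unknown AuthnContext class: " + presented
    if AUTHN_STRENGTH[presented] < AUTHN_STRENGTH[required_class]:
        return False, presented + " is weaker than required " + required_class
    return True, presented


def sample_response(authn_class: Optional[str], signed: bool = True) -> str:
    """Constructed sample Response; the ds:SignatureValue is a placeholder."""
    ctx = ("<saml:AuthnContext><saml:AuthnContextClassRef>%s"
           "</saml:AuthnContextClassRef></saml:AuthnContext>" % authn_class
           if authn_class else "")
    sig = ('<ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo>'
           "<ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>"
           if signed else "")
    return (
        '<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" xmlns:ds="%s">'
        '<saml:Assertion ID="_a1">%s<saml:Subject><saml:NameID>alice</saml:NameID>'
        "</saml:Subject><saml:AuthnStatement>%s</saml:AuthnStatement>"
        "</saml:Assertion></samlp:Response>"
        % (NS["samlp"], NS["saml"], NS["ds"], sig, ctx)
    )


if __name__ == "__main__":
    for label, resp in [
        ("smartcard, signed", sample_response(SMARTCARD)),
        ("password only", sample_response(PASSWORD)),
        ("context omitted", sample_response(None)),
        ("unsigned", sample_response(SMARTCARD, signed=False)),
    ]:
        print(label, "->", check_authn_context(resp, PPT))
```

The case the abstract describes is the third one: a response whose signed assertion says nothing about how the user authenticated. A relying party that treats such an assertion as good for its highest tier is exactly the weakest link; refusing it, and refusing any context that arrives outside the signed Assertion, is the check a service provider should make regardless of what the specification leaves optional.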
© 2006 Springer-Verlag Berlin Heidelberg
Cite this paper
Chan, YY. (2006). Weakest Link Attack on Single Sign-On and Its Case in SAML V2.0 Web SSO. In: Gavrilova, M., et al. Computational Science and Its Applications - ICCSA 2006. ICCSA 2006. Lecture Notes in Computer Science, vol 3982. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11751595_54
DOI: https://doi.org/10.1007/11751595_54
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-34075-1
Online ISBN: 978-3-540-34076-8