Abstract
SAML plays an important role in authentication and authorization scenarios. Its security has received much attention, and critical vulnerabilities have been found in major SAML applications, including XML signature wrapping (XSW) vulnerabilities and SAML assertion eavesdropping vulnerabilities. The countermeasures available so far cannot address both kinds of problem at once, and they always require large changes to the server modules.
In this paper we propose to break this stalemate with a fresh approach to SAML. A key cause of both XSW and SAML assertion eavesdropping is that a SAML assertion can be verified independently of the environment in which it is used. We therefore present an improved version of SAML, environment-bound SAML, in which assertions are bound to their environment so that they can defeat XSW and assertion eavesdropping, while the deployment overhead stays tiny. To ensure the integrity of this binding, we present the Master-Slave signature (MSS) scheme as a replacement for the original signature scheme. We implement our scheme in OpenSAML and give a performance evaluation of that implementation.
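The two failure modes named in the abstract can be shown on a toy model of a SAML response. The following is an added example, not the paper's code, not OpenSAML and not the MSS scheme: an HMAC over the serialised element stands in for XMLDSig, plain `ET.tostring` stands in for canonicalisation, the `env` byte string stands in for whatever channel or recipient information a deployment binds assertions to, and all XML, keys and names are constructed here. The vulnerable verifier checks the signature over the element that the `Reference` points at but then consumes the first `Assertion` it finds, which is the disagreement XSW exploits; the hardened verifier consumes only the element whose signature verified, refuses extra assertions, and folds its own environment token into the signature check so that an eavesdropped assertion presented from a different environment fails.

```python
"""Toy XML Signature Wrapping (XSW) and environment binding on a SAML-style response.
Added example: not the paper's code, not OpenSAML. HMAC stands in for XMLDSig,
ET.tostring stands in for C14N, and `env` stands in for channel/recipient data."""
import hashlib
import hmac
import xml.etree.ElementTree as ET

IDP_KEY = b"constructed-idp-key"   # constructed; stands in for the IdP signing key


def c14n(elem):
    # Toy canonicalisation: serialise just this element (no real C14N).
    return ET.tostring(elem, encoding="utf-8")


def sign(elem, env=b""):
    # The signature covers the assertion plus the environment it is bound to.
    return hmac.new(IDP_KEY, c14n(elem) + env, hashlib.sha256).hexdigest()


def issue_response(name_id, assertion_id="_a1", env=b""):
    """IdP side: one signed Assertion, with a Reference pointing at it by ID."""
    resp = ET.Element("Response")
    a = ET.SubElement(resp, "Assertion", ID=assertion_id)
    ET.SubElement(a, "NameID").text = name_id
    sig = ET.SubElement(resp, "Signature")
    ET.SubElement(sig, "Reference", URI="#" + assertion_id)
    ET.SubElement(sig, "SignatureValue").text = sign(a, env)
    return ET.tostring(resp, encoding="unicode")


def wrap(response_xml, attacker_name_id):
    """Attacker side (XSW): keep the signed assertion intact but move it under a new,
    unsigned assertion that a naive consumer will read first."""
    root = ET.fromstring(response_xml)
    original = root.find("Assertion")
    root.remove(original)
    evil = ET.Element("Assertion", ID="_evil")
    ET.SubElement(evil, "NameID").text = attacker_name_id
    ET.SubElement(evil, "Extensions").append(original)   # signature still resolves here
    root.insert(0, evil)
    return ET.tostring(root, encoding="unicode")


def _resolve(root, uri):
    # Same-document reference (#id) resolved by scanning every element for an ID
    # attribute, wherever it sits in the tree.
    wanted = uri.lstrip("#")
    return next((e for e in root.iter() if e.get("ID") == wanted), None)


def _signature_ok(root, signed, env):
    expected = root.find("Signature").findtext("SignatureValue")
    return hmac.compare_digest(sign(signed, env), expected)


def verify_vulnerable(response_xml):
    """Signature is checked over the referenced element, but the NameID is read from
    the first Assertion in the document: two different elements under XSW."""
    root = ET.fromstring(response_xml)
    signed = _resolve(root, root.find("Signature/Reference").get("URI"))
    if signed is None or not _signature_ok(root, signed, b""):
        raise ValueError("bad signature")
    return root.find("Assertion").findtext("NameID")


def verify_hardened(response_xml, env):
    """Consume only the element that verified, allow exactly one Assertion as a direct
    child of Response, and bind the check to the verifier's own environment token."""
    root = ET.fromstring(response_xml)
    assertions = list(root.iter("Assertion"))
    if len(assertions) != 1 or assertions[0] not in list(root):
        raise ValueError("unexpected assertion structure")
    signed = _resolve(root, root.find("Signature/Reference").get("URI"))
    if signed is not assertions[0] or not _signature_ok(root, signed, env):
        raise ValueError("bad signature or wrong environment")
    return signed.findtext("NameID")


def accepts(verifier, *args):
    # True if the verifier accepts the response, False if it rejects it.
    try:
        verifier(*args)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    legit = issue_response("alice")
    print("vulnerable, legit  :", verify_vulnerable(legit))
    print("vulnerable, wrapped:", verify_vulnerable(wrap(legit, "admin")))
    bound = issue_response("alice", env=b"sp-session-1")
    print("hardened, same env :", verify_hardened(bound, b"sp-session-1"))
    print("hardened, replayed :", accepts(verify_hardened, bound, b"attacker-session"))
    print("hardened, wrapped  :", accepts(verify_hardened, wrap(bound, "admin"), b"sp-session-1"))
```

The wrapped document passes `verify_vulnerable` with the attacker's NameID even though only the original assertion carries a valid signature, because the resolver follows the `Reference` to the relocated element while the consumer reads a different one. `verify_hardened` rejects the same document on structure alone, and rejects an unmodified but eavesdropped response presented from another environment because the token that went into the signature no longer matches; a real deployment would replace the HMAC with a public-key signature and the toy `env` with a binding the SP can actually attest to.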
Acknowledgements
This work was partially supported by a National Key Basic Research Project of China (2011CB302400), the “Strategic Priority Research Program” of the Chinese Academy of Sciences, Grant No. XDA06010701, and No. XX17201200048 of State Grid Corporation of China. We would like to thank all anonymous reviewers for helping us make this paper better.
Copyright information
© 2014 Springer International Publishing Switzerland
About this paper
Cite this paper
Chen, K., Lin, D., Yan, L., Sun, X. (2014). Environment-Bound SAML Assertions: A Fresh Approach to Enhance the Security of SAML Assertions. In: Lin, D., Xu, S., Yung, M. (eds) Information Security and Cryptology. Inscrypt 2013. Lecture Notes in Computer Science(), vol 8567. Springer, Cham. https://doi.org/10.1007/978-3-319-12087-4_23
DOI: https://doi.org/10.1007/978-3-319-12087-4_23
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-12086-7
Online ISBN: 978-3-319-12087-4