This thesis is based on five previous scientific papers that were published in international security conferences. An overview of these publications is given below.
The first main contribution presented in this thesis, the generic web model, was introduced in the first publication [FKS14] and extended throughout the subsequent publications. In the thesis at hand, we provide a new in-depth explanation of the web model. The second main contribution, the case studies on OAuth 2.0 and OpenID Connect, was developed in the last two publications [FKS16; FKS17]. The case studies on BrowserID and SPRESSO (see below) are not part of this thesis.
This thesis improves on these publications in two aspects: First, we extend the Web Infra- structure Model by adding models for WebRTC and WebSockets. Second, we show how code injection can be used in the AS Mix-Up Attack to break authorization in the OAuth authoriza- tion code grant even if client secrets are used. Additionally, the Across-AS State Reuse Attack is now featured as a separate attack, and the terminology throughout the thesis was adapted to follow the official terminologies in the OAuth and OpenID Connect specifications more closely.
An Expressive Model for the Web Infrastructure: Definition and Application to the BrowserID SSO System [FKS14]
In this paper, we presented the first version of our formal web model. We employed the model to study the security of the single sign-on system Mozilla BrowserID (also known as Mozilla Persona) which was the first web SSO to claim a certain kind of privacy property: IdPs do not learn at which RPs their users log in.5
During our security analysis of the secondary IdP mode of BrowserID, we discovered a number of severe attacks on BrowserID. For example, we found attacks that allowed an attacker to authenticate as any Google Mail or Yahoo user. We notified Mozilla of our findings and were awarded a Mozilla Security Bug Bounty.
5
Since the secondary IdP mode of BrowserID, by design, does not provide privacy, we did not study the privacy properties of BrowserID in this paper.
With defenses against these attacks in place, we were able to prove that BrowserID provides authentication and session integrity for authentication. This marks the first time that these properties were proven for an SSO system of the complexity of BrowserID in a comprehensive web model.
Analyzing the BrowserID SSO System with Primary Identity Providers Using an Expressive Model of the Web [FKS15a]
In the second publication, we complemented our prior analysis of BrowserID by studying the security of the primary IdP mode and we analyzed the privacy properties of Brow- serID.
Using our model, we found a new attack on session integrity and developed a fix against this attack. We were then able to show authentication and session integrity properties for the fixed protocol. For the analysis, we extended the formal web model by adding the sessionStorage API and user identities (see Section2.10).
Regarding privacy, we found a set of attacks that break the privacy promise of BrowserID completely. We were able to trace the roots of the problem to an oversight by the developers: The mere presence of a certain iframe enabled us to detect whether a user is logged in at a specific RP or not. Since there was no way to fix the problem without a major redesign of the whole system, we decided to address this in our next publication.
SPRESSO: A Secure, Privacy-Respecting Single Sign-On System for the Web
[FKS15b]
To demonstrate that the privacy property of BrowserID can actually be fulfilled, we designed SPRESSO as a decentralized and federated SSO system where identity providers cannot learn at which web sites their users log in. Using our model, we first completed the design of SPRESSO on paper and proved its privacy, authentication, and session integrity properties before actually implementing the system.
For the privacy analysis, we had to modify parts of our formal model in order to be able to show indistinguishability properties between traces. In particular, we removed instances of nondeterminism in certain places, e.g., regarding the order of handling of network messages. For an accurate privacy analysis, we added the Referer header to the browser model.
A Comprehensive Formal Security Analysis of OAuth 2.0 [FKS16]
In the next step, we studied the security of OAuth 2.0. This is the first paper in which we not only analyzed authentication properties, but also authorization properties (both including session integrity).
Although OAuth 2.0 had been analyzed numerous times before (see Section 1.4), we found new attacks on OAuth, as described above. The OAuth Working Group acknowledged the
attacks and we are actively involved in standardization efforts for respective mitigations (see Chapter 5for details).
In order to prove the effectiveness of our mitigations against the leakage of sensitive tokens, we added Referrer Policies to the model (see Section 3.3.3for details).
The Web SSO Standard OpenID Connect: In-Depth Formal Security Analysis and Security Guidelines [FKS17]
After our successful analysis of OAuth 2.0, we turned our attention to OpenID Connect. As outlined above, OpenID Connect is based on OAuth 2.0, but introduces a well-defined scheme for authentication and new features like discovery and registration.
We demonstrated that the attacks found in the previous publication also apply to OpenID Connect. With fixes against these attacks in place, we were able to prove authentication, authorization, and session integrity properties for OpenID Connect.
We also introduced generic models for HTTPS web servers which helped to keep the models for OpenID Connect simpler and clearer.