Using External IdPs on OpenStack: A Security Analysis of OpenID Connect, Facebook Connect, and OpenStack Authentication

The installation and configuration of cloud environments has become increasingly automated and therefore simpler. For instance, solutions such as RedHat RDO and Mirantis Fuel facilitate the deployment of popular compute clouds like OpenStack. Despite these advances in usability, effort is still required to create and manage multiple users, which matters most when the cloud handles sensitive information, a common situation for private clouds. To alleviate this burden, many clouds have adopted federated Single Sign-On (SSO) mechanisms that authenticate their users more transparently. In this work we analyze the practical security of an OpenStack IaaS cloud combined with either OpenID Connect (using Google as the IdP) or Facebook Connect (using Facebook as the IdP). The analysis criteria comprise the ability to provide data encryption, the risks involved in relying on an external IdP, and improper access control. We identify potential issues with these solutions and propose approaches to fix them.
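The two criteria "risks of an external IdP" and "improper access control" come down to what the cloud checks before it trusts a token minted by Google and maps it to a local OpenStack identity. The following block is an added illustration, not code from the paper or from OpenStack Keystone: it performs the Relying Party claim checks of OpenID Connect Core (issuer, audience, expiry, nonce) on a Google-style ID token and then applies a local policy that only admits verified e-mail addresses from an allow-listed Google hosted domain (the `hd` claim). Signature verification against the IdP's JWKS is assumed to have been done by a JWT library beforehand; the client ID, nonce, domains, project names and the sample token are constructed for the example.

```python
import base64
import json

# Issuer values Google uses in the "iss" claim of its ID tokens.
GOOGLE_ISSUERS = {"https://accounts.google.com", "accounts.google.com"}


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url JWT segment, restoring the stripped padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_id_token_payload(id_token: str) -> dict:
    """Return the claims of a compact JWS. The signature is NOT checked here;
    this example assumes a JWT library already verified it against the JWKS."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def validate_id_token_claims(claims: dict, client_id: str, expected_nonce, now: int,
                             skew: int = 60) -> list:
    """Relying Party checks from OIDC Core 3.1.3.7. Returns the names of the
    failed checks; an empty list means the token is acceptable."""
    failures = []
    if claims.get("iss") not in GOOGLE_ISSUERS:
        failures.append("iss")
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if client_id not in aud_list:
        failures.append("aud")
    # With several audiences the authorized party must be this client.
    if isinstance(aud, list) and len(aud) > 1 and claims.get("azp") != client_id:
        failures.append("azp")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now > exp + skew:
        failures.append("exp")
    iat = claims.get("iat")
    if not isinstance(iat, (int, float)) or iat > now + skew:
        failures.append("iat")
    # The nonce binds the token to the login request and stops token replay.
    if expected_nonce is not None and claims.get("nonce") != expected_nonce:
        failures.append("nonce")
    return failures


def map_to_local_identity(claims: dict, allowed_hosted_domains: set, domain_to_project: dict):
    """Local policy applied before the cloud's own mapping: only verified
    e-mails from an allow-listed hosted domain become local users. Returns
    (user_id, project) or None when the external identity must be rejected.
    Using a domain allow-list is this example's policy choice, not the paper's."""
    if claims.get("email_verified") is not True:
        return None
    email = claims.get("email", "")
    hd = claims.get("hd")
    # Require the hd claim and the e-mail domain to agree; trusting the e-mail
    # string alone would admit any Google account with a look-alike address.
    if hd not in allowed_hosted_domains or not email.endswith("@" + hd):
        return None
    # "sub" is the stable subject identifier; e-mail addresses can change.
    return (claims["sub"], domain_to_project[hd])


def build_unsigned_sample_token(claims: dict) -> str:
    """Constructed sample token with a placeholder signature (example only)."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.placeholder-signature"


# Constructed sample values; the client ID and nonce are not real.
SAMPLE_NOW = 1_700_000_000
SAMPLE_CLIENT_ID = "cloud-rp-client-id"
SAMPLE_NONCE = "n-0S6_WzA2Mj"
SAMPLE_CLAIMS = {
    "iss": "https://accounts.google.com",
    "aud": SAMPLE_CLIENT_ID,
    "sub": "10769150350006150715113082367",
    "email": "alice@example.edu",
    "email_verified": True,
    "hd": "example.edu",
    "nonce": SAMPLE_NONCE,
    "iat": SAMPLE_NOW - 10,
    "exp": SAMPLE_NOW + 3600,
}


def demo():
    """Run the full check on the constructed token: (failures, identity)."""
    token = build_unsigned_sample_token(SAMPLE_CLAIMS)
    claims = decode_id_token_payload(token)
    failures = validate_id_token_claims(claims, SAMPLE_CLIENT_ID, SAMPLE_NONCE, SAMPLE_NOW)
    identity = map_to_local_identity(claims, {"example.edu"}, {"example.edu": "students"})
    return failures, identity


if __name__ == "__main__":
    print(demo())
```

The claim checks are the part a JWT library will typically not do for you beyond signature and expiry: a token issued for a different client (`aud`), or one without the expected `nonce`, verifies correctly yet must not log anyone in. The hosted-domain rule is what turns "any Google account" into "accounts of this organisation", which is the boundary that decides whether an external IdP grants broader access than intended.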
