Extending OpenID Connect Towards Mission Critical Applications

Abstract

Single Sign-On (SSO) reduces the complexity and eases the burden of managing many accounts by using a single authentication mechanism. Mission-critical applications such as banking demand a highly trusted identity provider to authenticate their users. Existing SSO protocols such as OpenID Connect provide secure SSO, but they are applicable only in consumer-to-social-network scenarios. Owing to stringent security requirements, SSO for banking services necessitates a highly trusted identity provider and a secured private channel for user access. The banking system depends on a dedicated central banking authority that controls monetary policy, and this authority must assume the role of the identity provider. This paper proposes an extension of the OpenID Connect protocol that establishes a central identity provider for bank users, allowing them to access different accounts with a single set of login credentials. The proposed Enhanced OpenID Connect (EOIDC) modifies the authorization code flow of OpenID Connect to build a secure channel from a single trusted identity provider that supports multiple banking services. Moreover, EOIDC tightens the security mechanism with the help of SAT to prevent impersonation attacks based on replay and redirection. Formal security analysis and validation demonstrate the strength of EOIDC against possible attacks such as impersonation, eavesdropping, and brute-force login. The experimental results show that the proposed EOIDC system is efficient in providing a secure SSO protocol for banking services.
