Featured Research

from universities, journals, and other organizations

Single sign-on for Internet use had major vulnerabilites: Many now fixed

Date:
August 15, 2012
Source:
Ruhr-Universitaet-Bochum
Summary:
Online shopping, cloud computing, online CRM systems: Each day many IT systems require the user to identify himself/herself. Single Sign-On (SSO) systems were introduced to circumvent this problem, and to establish structured Identity Management (IDM) systems in industry: Here the user only has to identify once, all subsequent authentications are done automatically. However, SSO systems based on the industry standard SAML have huge vulnerabilities: Roughly 80 percent of these systems could be broken by the researchers.

Single-sign-on.
Credit: Image courtesy of Ruhr-Universitaet-Bochum

Online shopping, cloud computing, online CRM systems: Each day many IT systems require the user to identify himself/herself. Single Sign-On (SSO) systems were introduced to circumvent this problem, and to establish structured Identity Management (IDM) systems in industry: Here the user only has to identify once, all subsequent authentications are done automatically. However, SSO systems based on the industry standard SAML have huge vulnerabilities: Roughly 80 percent of these systems could be broken by the researchers from Ruhr-Universität Bochum.

Related Articles


Protection through digital signatures

Single Sign-On (SSO) can be compared to a well guarded door, which protects sensitive company data: Once you have passed this door, you can access all data. Many industry SSO systems are built on the basis of the Security Assertion Markup Language (SAML). Identity information is stored in a SAML message, protected by a digital signature. Researchers from Bochum were able to circumvent this protection completely in 12 out of 14 SAML systems.

Security functions circumvented

"With novel XML Signature Wrapping techniques we were able to circumvent these digital signatures completely," says Prof. Jörg Schwenk from Ruhr-Universität. "Thus we could impersonate any user, even system administrators." Amongst the 12 affected systems were the SaaS Cloud provider Salesforce, the IBM Datapower security gateway, Onelogin (could e.g. be used as an optional module in Joomla, Wordpress, SugarCRM, or Drupal) and OpenSAML (used e.g. in Shibboleth, and SuisseID, and OpenSAML).

"After we found the attacks, we immediately informed the affected companies, and proposed ways to mitigate the attacks," states security expert and external PhD student Andreas Mayer (Adolf Würth GmbH & Co. KG). "Through the close cooperation with the responsible security teams, the vulnerabilities are now fixed," Juraj Somorovsky adds.


Story Source:

The above story is based on materials provided by Ruhr-Universitaet-Bochum. Note: Materials may be edited for content and length.


Cite This Page:

Ruhr-Universitaet-Bochum. "Single sign-on for Internet use had major vulnerabilites: Many now fixed." ScienceDaily. ScienceDaily, 15 August 2012. <www.sciencedaily.com/releases/2012/08/120815082713.htm>.
Ruhr-Universitaet-Bochum. (2012, August 15). Single sign-on for Internet use had major vulnerabilites: Many now fixed. ScienceDaily. Retrieved October 31, 2014 from www.sciencedaily.com/releases/2012/08/120815082713.htm
Ruhr-Universitaet-Bochum. "Single sign-on for Internet use had major vulnerabilites: Many now fixed." ScienceDaily. www.sciencedaily.com/releases/2012/08/120815082713.htm (accessed October 31, 2014).

Share This



More Matter & Energy News

Friday, October 31, 2014

Featured Research

from universities, journals, and other organizations


Featured Videos

from AP, Reuters, AFP, and other news services

EU, Russia, Ukraine Seal Breakthrough Gas Accord

EU, Russia, Ukraine Seal Breakthrough Gas Accord

AFP (Oct. 31, 2014) — Russia agrees to resume gas deliveries to war-torn Ukraine through the winter in an EU-brokered, multi-billion dollar deal signed by the three parties in Brussels. Duration: 01:10 Video provided by AFP
Powered by NewsLook.com
Relief After “gas War” Is Averted

Relief After “gas War” Is Averted

Reuters - Business Video Online (Oct. 31, 2014) — A gas war between Russia and Ukraine has been averted. But as Hayley Platt reports a deal was only reached after Kiev's western creditors agreed to partly funding the deal. Video provided by Reuters
Powered by NewsLook.com
Jaguar Land Rover Opens $800 Million Factory in Britain

Jaguar Land Rover Opens $800 Million Factory in Britain

AFP (Oct. 30, 2014) — British luxury car manufacturer Jaguar Land Rover opened a $800 million engine manufacturing centre in western England, creating 1,400 jobs. Duration: 00:45 Video provided by AFP
Powered by NewsLook.com
SkyCruiser Concept Claims to Solve Problem With Flying Cars

SkyCruiser Concept Claims to Solve Problem With Flying Cars

Buzz60 (Oct. 30, 2014) — A start-up company called Krossblade says its SkyCruiser concept flying car solves the problem with most flying car concepts. Mara Montalbano (@maramontalbano) explains. Video provided by Buzz60
Powered by NewsLook.com

Search ScienceDaily

Number of stories in archives: 140,361

Find with keyword(s):
 
Enter a keyword or phrase to search ScienceDaily for related topics and research stories.

Save/Print:
Share:  

Breaking News:

Strange & Offbeat Stories

 

Space & Time

Matter & Energy

Computers & Math

In Other News

... from NewsDaily.com

Science News

Health News

Environment News

Technology News



Save/Print:
Share:  

Free Subscriptions


Get the latest science news with ScienceDaily's free email newsletters, updated daily and weekly. Or view hourly updated newsfeeds in your RSS reader:

Get Social & Mobile


Keep up to date with the latest news from ScienceDaily via social networks and mobile apps:

Have Feedback?


Tell us what you think of ScienceDaily -- we welcome both positive and negative comments. Have any problems using the site? Questions?
Mobile iPhone Android Web
Follow Facebook Twitter Google+
Subscribe RSS Feeds Email Newsletters
Latest Headlines Health & Medicine Mind & Brain Space & Time Matter & Energy Computers & Math Plants & Animals Earth & Climate Fossils & Ruins