000000290 001__ 290
000000290 005__ 20131121123419.0
000000290 037__ $$aLERSSE-THESIS-2013-001
000000290 100__ $$aSan-Tsai Sun
000000290 245__ $$aTowards Improving the Usability and Security of Web Single Sign-On Systems
000000290 260__ $$c2013-11-20
000000290 300__ $$a216
000000290 520__ $$aOpenID and OAuth are open and lightweight web single sign-on (SSO) protocols that have been adopted by high-profile identity providers (IdPs), such as Facebook, Google, Microsoft, and Yahoo, and millions of relying party (RP) websites. However, the average users' perceptions of web SSO and the systems' security guarantees are still poorly understood. Aimed at filling these knowledge gaps, we conducted several studies to further the understanding and improvements of the usability and security of these two mainstream web SSO solutions. First, through several in-lab user studies, we investigated users' perceptions and concerns when using web SSO for authentication. We found that our participants had several misconceptions and concerns that impeded their adoption. This ranged from their inadequate mental models of web SSO, to their concerns about personal data exposure, and a reduction in their perceived web SSO value due to the employment of password management practices. Informed by our findings, we offered a web SSO technology acceptance model, and suggested design improvements. Second, we performed a systematic analysis of the OpenID 2.0 protocol using both formal model checking and an empirical evaluation of 132 popular RP websites. The formal analysis identified three weaknesses in the protocol, and based on the attack traces from the model checking engine, six exploits and a semiautomated vulnerability assessment tool were designed to evaluate how prevalent those weaknesses are in the real-world implementations. Two practical countermeasures were proposed and evaluated to strengthen the uncovered weaknesses in the protocol. Third, we examined the OAuth 2.0 implementations of three major IdPs and 96 popular  RP websites. By analyzing browser-relayed messages during SSO, our study uncovered several vulnerabilities that allow an attacker to gain unauthorized access to the victim user's profile and social graph on IdPs, and impersonate the victim on RP websites. We investigated the fundamental causes of these vulnerabilities, and proposed several simple and practical design improvements that can be adopted gradually by individual sites. In addition, we proposed and evaluated an approach for websites to prevent SQL injection attacks, and a user-centric access-control scheme that leverages the OpenID and OAuth protocols.
000000290 6531_ $$aissnet
000000290 6531_ $$aWeb Single Sign-On
000000290 6531_ $$aOpenID
000000290 6531_ $$aOAuth
000000290 6531_ $$aUsable Security 
000000290 6531_ $$aAuthentication 
000000290 6531_ $$aSecurity Analysis
000000290 8560_ $$fsantsais@ece.ubc.ca
000000290 8564_ $$uhttp://lersse-dl.ece.ubc.ca/record/290/files/ubc_2014_spring_sun_santsai.pdf
000000290 8564_ $$uhttp://lersse-dl.ece.ubc.ca/record/290/files/ubc_2014_spring_sun_santsai.pdf?subformat=pdfa$$xpdfa
000000290 909C4 $$pSan-Tsai Sun, "Towards Improving the Usability and Security of Web Single Sign-On Systems," PhD dissertation, Department of Electrical and Computer Engineering, THE UNIVERSITY OF BRITISH COLUMBIA, November, 2013, pp.216
000000290 980__ $$aTHESIS