Presentation sso design_security
9,652 views
23 slides
Apr 15, 2012
Slide 1 of 23
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
About This Presentation
OWASP Appsec ASIA, 2011 presentation
Slide Content
Copyright © The OWASP Foundation
Permission is granted to copy, distribute and/or modify this document
under the terms of the OWASP License.
The OWASP Foundation
OWASP
http://www.owasp.org
Architectural Design Patterns
for SSO (Single Sign On) Design
and Use Cases for Financial
Web Applications
Wei Zhang & Marco Morana
OWASP Cincinnati, U.S.A.
Permission is granted to copy, distribute and/or modify this document
under the terms of the OWASP License.
The OWASP Foundation
OWASP
http://www.owasp.org
Architectural Design Patterns
for SSO (Single Sign On) Design
and Use Cases for Financial
Web Applications
Wei Zhang & Marco Morana
OWASP Cincinnati, U.S.A.
OWASP 2
Presentation outline
Description of the challenges for securing SSO architectures in
financial web applications
Multiple systems require integration.
Each system supports stand alone sign on and multiple business units
SSO and federation use cases
Security and functional requirements for SSO
Secure architecture principles
Architectural diagrams
Data flow diagrams
Sequence diagrams
Threat models of SSO architectures
Attack trees and misuse cases
Security risk framework for secure design of SSO architectures
Presentation outline
Description of the challenges for securing SSO architectures in
financial web applications
Multiple systems require integration.
Each system supports stand alone sign on and multiple business units
SSO and federation use cases
Security and functional requirements for SSO
Secure architecture principles
Architectural diagrams
Data flow diagrams
Sequence diagrams
Threat models of SSO architectures
Attack trees and misuse cases
Security risk framework for secure design of SSO architectures
OWASP 3
SSO need for financial web system
Different systems serving different functions
ATM cash withdraw
Branch deposit
Monthly statements
Make a payment with a check
Wire transfer
Different systems have different user information
Personal information
Transaction journal
Statements
Different systems have different products
Saving/checking accounts
Credit card accounts
Mortgage applications or loans
Cash rewards
Mileage rewards
SSO need for financial web system
Different systems serving different functions
ATM cash withdraw
Branch deposit
Monthly statements
Make a payment with a check
Wire transfer
Different systems have different user information
Personal information
Transaction journal
Statements
Different systems have different products
Saving/checking accounts
Credit card accounts
Mortgage applications or loans
Cash rewards
Mileage rewards
OWASP 4
Business value
User friendly is the key
Single view is the goal
Eliminate additional sign on is the approach
Security is the fundation
Business value
User friendly is the key
Single view is the goal
Eliminate additional sign on is the approach
Security is the fundation
OWASP 5
Business use case
User can sign on site A to do function B about
product C
User can sign on site X to do function Y about
product Z.
User should be able to sign on from Site A to
access function B and function Y without
additional authentication.
Site X will not be sunset
Business use case
User can sign on site A to do function B about
product C
User can sign on site X to do function Y about
product Z.
User should be able to sign on from Site A to
access function B and function Y without
additional authentication.
Site X will not be sunset
OWASP 6
Design options
Duplicate function Y on site A and access information on site X
Pros:
Make it possible to sunset site X
Cons:
Introduce duplicated function on two sites
Needs to maintain the function and processing rules on two sites.
Build SSO for user to access function Y on site X
Pros:
No need to maintain two sets of function and processing rules on two sites
Enable the possibility to fully leverage functions on site X
Cons:
Make site A depends on site X
Introduce security complexity:
–Authentication
–Authorization
–Session coordination
–UI
Design options
Duplicate function Y on site A and access information on site X
Pros:
Make it possible to sunset site X
Cons:
Introduce duplicated function on two sites
Needs to maintain the function and processing rules on two sites.
Build SSO for user to access function Y on site X
Pros:
No need to maintain two sets of function and processing rules on two sites
Enable the possibility to fully leverage functions on site X
Cons:
Make site A depends on site X
Introduce security complexity:
–Authentication
–Authorization
–Session coordination
–UI
OWASP 7
SSO – Secure token: use symmetric and public key cryptography
to encrypt the application data, or payload for SSO.
Pros:
Easy to set up and
implement
Supports PKI and
SAML
No dependency on
other system.
Cons:
Not a unified solution
Each federated site
has to manage
cryptographic key
SSO – Secure token: use symmetric and public key cryptography
to encrypt the application data, or payload for SSO.
Pros:
Easy to set up and
implement
Supports PKI and
SAML
No dependency on
other system.
Cons:
Not a unified solution
Each federated site
has to manage
cryptographic key
OWASP 8
SSO – Secure token: use symmetric and public key cryptography
to encrypt the application data, or payload for SSO.
Application
Server
Key store
Internet
Site A
Application
Server
Site X
SSO with
encrypted token
Citi
Customer
`
Key store
credential
store
User
information
S
e
c
u
r
e
t
o
k
e
n
f
o
r
S
S
O
S
ig
n
o
n
Decrypt token
and authenticate
SSO – Secure token: use symmetric and public key cryptography
to encrypt the application data, or payload for SSO.
Application
Server
Key store
Internet
Site A
Application
Server
Site X
SSO with
encrypted token
Citi
Customer
`
Key store
credential
store
User
information
S
e
c
u
r
e
t
o
k
e
n
f
o
r
S
S
O
S
ig
n
o
n
Decrypt token
and authenticate
OWASP 9
SSO STS: Central Security Token Service to respond with SAML token to
federated sites upon request.
Pros:
Drives to unified
solution for both
internal and external
communication.
Centralized
cryptographic key
management
approach.
Supports SAML and
SOAP
Cons:
Introduces dependences
on STS for federated
sites
Introduces additional
internet hop for
communication
SSO STS: Central Security Token Service to respond with SAML token to
federated sites upon request.
Pros:
Drives to unified
solution for both
internal and external
communication.
Centralized
cryptographic key
management
approach.
Supports SAML and
SOAP
Cons:
Introduces dependences
on STS for federated
sites
Introduces additional
internet hop for
communication
OWASP 10
SSO STS: Central Security Token Service to respond with SAML token to
federated sites upon request.
Application
Server
Key store
Internet
Site A
Application
Server
Site X
SSO with
SAML token
Citi
Customer
`
Key store
credential
store
User
information
S
A
M
L
t
o
k
e
n
f
o
r
S
S
O
S
ig
n
o
n
STS
Key store
SAML token
Varify SAML
token/authenticate
SSO STS: Central Security Token Service to respond with SAML token to
federated sites upon request.
Application
Server
Key store
Internet
Site A
Application
Server
Site X
SSO with
SAML token
Citi
Customer
`
Key store
credential
store
User
information
S
A
M
L
t
o
k
e
n
f
o
r
S
S
O
S
ig
n
o
n
STS
Key store
SAML token
Varify SAML
token/authenticate
OWASP 11
Design and security consideration
Authentication and authorization
Secure token
STS
Session management: one dies, both die
Session initiation
Session termination
Session recovery
Keep alive
Branding: look and feel of the site
iFrame
Wrapped
Design and security consideration
Authentication and authorization
Secure token
STS
Session management: one dies, both die
Session initiation
Session termination
Session recovery
Keep alive
Branding: look and feel of the site
iFrame
Wrapped
OWASP 12
Potential Security Issues with SSO Design
In-Secure Session Management:
Sessions are not sync: one dies, one left open
Session Replay
Session Riding (CSRF)
Session hijacking
Sessions un-protected iand n clear, cached, logged
Malicious Data Injections:
XSS, SQL Injection
Elevation of Privileges, Bypass of Authentication
Bypass authorizations
Forceful browsing
Potential Security Issues with SSO Design
In-Secure Session Management:
Sessions are not sync: one dies, one left open
Session Replay
Session Riding (CSRF)
Session hijacking
Sessions un-protected iand n clear, cached, logged
Malicious Data Injections:
XSS, SQL Injection
Elevation of Privileges, Bypass of Authentication
Bypass authorizations
Forceful browsing
OWASP
Secure Architecture Design
General Security Design Principles
1.Implement Authentication With Adequate Strength
2.Enforce Least Privilege
3.Protect Data In Storage, Transit And Display
4.Enforce Minimal Trust
5.Trace and Log User Actions And Security Events
6.Fail Securely And Gracefully
7.Apply Defense in Depth
8.Apply Security By Default
9.Design For Simplicity, KISS Principle
10.Secure By Design, Development and Deployment
11.Secure As The Weakest Link
12.Avoid Security By Obscurity
13
Secure Architecture Design
General Security Design Principles
1.Implement Authentication With Adequate Strength
2.Enforce Least Privilege
3.Protect Data In Storage, Transit And Display
4.Enforce Minimal Trust
5.Trace and Log User Actions And Security Events
6.Fail Securely And Gracefully
7.Apply Defense in Depth
8.Apply Security By Default
9.Design For Simplicity, KISS Principle
10.Secure By Design, Development and Deployment
11.Secure As The Weakest Link
12.Avoid Security By Obscurity
13
OWASP 14
Security Controls Design Guidelines: Authentication
and Authorization
Authentication, What, Where and How
Mandatory to restrict access to validated users
Strength depends on application risk/data classification
Compliant with regulations/standards
Provide for secure password and account management
Mitigates brute forcing and credentials harvesting
Mitigates Man In The Middle Attacks (MiTM)
Provides for user and host to host authentication
Authorization Most Common Flaws
Flaws in Role Base Access Controls (RBAC)
Flaws allow for horizontal and vertical privilege escalation
and forceful browsing
Security Controls Design Guidelines: Authentication
and Authorization
Authentication, What, Where and How
Mandatory to restrict access to validated users
Strength depends on application risk/data classification
Compliant with regulations/standards
Provide for secure password and account management
Mitigates brute forcing and credentials harvesting
Mitigates Man In The Middle Attacks (MiTM)
Provides for user and host to host authentication
Authorization Most Common Flaws
Flaws in Role Base Access Controls (RBAC)
Flaws allow for horizontal and vertical privilege escalation
and forceful browsing
OWASP 15
Security Controls Design Guidelines: Session
Management
Avoid common session management flaws:
Session cookies and authentication tokens
unprotected (e.g. clear text) between client and server
Missing session invalidation at idle-time out and user
logout
Missing re-issuance of new session token to prevent re-
use for authentication
Un-secure storage in a session store in clear text
Lack of strong random generation of session
cookies/identifiers (e.g. >128 bit)
Lack of coordinated session between application tiers
Security Controls Design Guidelines: Session
Management
Avoid common session management flaws:
Session cookies and authentication tokens
unprotected (e.g. clear text) between client and server
Missing session invalidation at idle-time out and user
logout
Missing re-issuance of new session token to prevent re-
use for authentication
Un-secure storage in a session store in clear text
Lack of strong random generation of session
cookies/identifiers (e.g. >128 bit)
Lack of coordinated session between application tiers
OWASP 16
Security Controls Design Guidelines: Input
Validation
What and where to validate
Type, format, range and length of input data
Wherever data crosses system or trust boundaries
Input and output
Wherever data crosses system or trust boundarie
Client validation vs. server validation
How to validate
Constraint, Reject, Sanitize
Canonical Validation
Encoding
Integrity Checks
Security Controls Design Guidelines: Input
Validation
What and where to validate
Type, format, range and length of input data
Wherever data crosses system or trust boundaries
Input and output
Wherever data crosses system or trust boundarie
Client validation vs. server validation
How to validate
Constraint, Reject, Sanitize
Canonical Validation
Encoding
Integrity Checks
OWASP
Architectural Diagram Of Web Applications
17
Architectural Diagram Of Web Applications
17
OWASP
Data flow diagram-Online Banking Application
18
User/
Browser
HTTPs
Request
HTTPs
Responses
D
M
Z
(
U
s
e
r
/W
e
b
S
e
r
v
e
r
B
o
u
n
d
a
r
y
)
Message
XML/JMS
Web Server
Application
Server
Application
Calls (.do)
Messaging
Bus
Authentication
Credential
Store
R
e
s
t
r
i
c
t
e
d
N
e
t
w
o
r
k
(
A
p
p
&
D
B
S
e
r
v
e
r
/
F
in
a
n
c
ia
l
S
e
r
v
e
r
B
o
u
n
d
a
r
y
)
Application
Responses
Auth Data
Service
Message
Response
SQL Query Call/
JDBC
I
n
t
e
r
n
a
l
(
W
e
b
S
e
r
v
e
r
/
A
p
p
&
D
B
S
e
r
v
e
r
B
o
u
n
d
a
r
y
)
Financial
Transaction
Processing
MainFrame
Financial
Transactions (ACH, wires
external transfer)
MFA RBA/
Fraud
Detection
XML/HTTPS
XML/HTTPS
Data flow diagram-Online Banking Application
18
User/
Browser
HTTPs
Request
HTTPs
Responses
D
M
Z
(
U
s
e
r
/W
e
b
S
e
r
v
e
r
B
o
u
n
d
a
r
y
)
Message
XML/JMS
Web Server
Application
Server
Application
Calls (.do)
Messaging
Bus
Authentication
Credential
Store
R
e
s
t
r
i
c
t
e
d
N
e
t
w
o
r
k
(
A
p
p
&
D
B
S
e
r
v
e
r
/
F
in
a
n
c
ia
l
S
e
r
v
e
r
B
o
u
n
d
a
r
y
)
Application
Responses
Auth Data
Service
Message
Response
SQL Query Call/
JDBC
I
n
t
e
r
n
a
l
(
W
e
b
S
e
r
v
e
r
/
A
p
p
&
D
B
S
e
r
v
e
r
B
o
u
n
d
a
r
y
)
Financial
Transaction
Processing
MainFrame
Financial
Transactions (ACH, wires
external transfer)
MFA RBA/
Fraud
Detection
XML/HTTPS
XML/HTTPS
OWASP
Sequence diagram of SAML SSO
19
Sequence diagram of SAML SSO
19
OWASP
Threat Modeling Web Applications
20
From Improving Web Application Security: Threats and Countermeasures http://msdn.microsoft.com/en-us/library/ms994921.aspx
Threat Modeling Web Applications
20
From Improving Web Application Security: Threats and Countermeasures http://msdn.microsoft.com/en-us/library/ms994921.aspx
OWASP
Attack Trees-Online Banking Applications
21Analyzing the Security of Internet Banking Authentication Mechanisms :
http://www.itgi.org/Template.cfm?Section=Home&CONTENTID=35743&TEMPLATE=/ContentManagement/ContentDisplay.cfm
Attack Trees-Online Banking Applications
21Analyzing the Security of Internet Banking Authentication Mechanisms :
http://www.itgi.org/Template.cfm?Section=Home&CONTENTID=35743&TEMPLATE=/ContentManagement/ContentDisplay.cfm
OWASP
Use and Misuse Case of Authentication
22
User
Hacker/Malicious User
Brure Force
Authentication
Enter Username and
password
Validate Password
Minimum Length and
Complexity
Application/Server
Includes
Mitigates
User Authentication
Includes
Includes
Includes
Mitigates
Threatens
Show Generic Error
Message
Includes
Includes
Lock Account After N.
Failed Login Attempts
Harverst (e.g. guess)
Valid User Accounts
Dictionary Attack
Mitigates
Mitigates
From OWASP Security Testing Guide
https://www.owasp.org/index.php/Testing_Guide_Introduction#Security_Requirements_Test_Derivation
Use and Misuse Case of Authentication
22
User
Hacker/Malicious User
Brure Force
Authentication
Enter Username and
password
Validate Password
Minimum Length and
Complexity
Application/Server
Includes
Mitigates
User Authentication
Includes
Includes
Includes
Mitigates
Threatens
Show Generic Error
Message
Includes
Includes
Lock Account After N.
Failed Login Attempts
Harverst (e.g. guess)
Valid User Accounts
Dictionary Attack
Mitigates
Mitigates
From OWASP Security Testing Guide
https://www.owasp.org/index.php/Testing_Guide_Introduction#Security_Requirements_Test_Derivation
OWASP
Security risk framework for secure design of
SSO architectures
23
Threat
Agents
Misuses and
Attack Vectors
Security
Weaknesses
Security Controls/
Countermeasures
Technical
Impacts
Business
Impacts
Users,
Customers/
Employees
User logs out from one
application and forget to
log out to another
application that SSOs
into it
Inherent weaknesses in
synchronizing sessions
among applications
Single Logout Among
Applications, Keep-Alives
Loss of
sensitive/confident
ial data
Reputation loss.
Unlawful
compliance fines
Malicious
Users,
Fraudsters
Victim is targeted by
phishing, download of
malware
Social Engineering, Web
Application Vulnerabilities,
XSS
Consumer Education, Data
Filtering, escape all un-
trusted data based on HTML
content
Execute JS on
client, install
malware
Fraud, financial
losses,
reputation
loss/defacements
Malicious
Users,
Fraudsters
Attacker sends malicious
data to the application
Input Validation
Vulnerabilities: XSS, SQL
Injection
Filtering, parameterized API,
ESAPI filtering APIs, white-list
validations
Loss of data, data
alteration, denial
of service/access
Public disclosure
of vulnerability
Reputation
damage
Malicious
Users,
Fraudsters
Attacker target design
flaws in the
SSO/authentication or
session management
functions
Weak Auth and Session
Mgmt Vulnerabilities
Follow Security Requirements
For Secure Password Policies,
Implement Account Locking,
Disable “Auto-logons”
Unauthorized
access to data,
functions
Loss of CIA, legal
and financial
implications
FraudstersAttacker creates forged
HTTP requests and tricks
a victim into submitting
them
Cross Site Request Forgery
Vulnerabilities
Include the unique token in a
hidden field.
Can change data
and functions on
behalf of the user
Loss of CIA,
fraud, denial of
access
Automated
Scripts/
Spam Bots
Attacker uses a bot/script
to attack the application
for denial of service and
harvesting
Insufficient Anti-
Automation protection
Include CAPTCHA, ESAPI
intrusion detection APIs
Can overflow/deny
service to process
spam data,
harvest accounts./
data
Business
Disruptions/losse
s, reputational
damage
Security risk framework for secure design of
SSO architectures
23
Threat
Agents
Misuses and
Attack Vectors
Security
Weaknesses
Security Controls/
Countermeasures
Technical
Impacts
Business
Impacts
Users,
Customers/
Employees
User logs out from one
application and forget to
log out to another
application that SSOs
into it
Inherent weaknesses in
synchronizing sessions
among applications
Single Logout Among
Applications, Keep-Alives
Loss of
sensitive/confident
ial data
Reputation loss.
Unlawful
compliance fines
Malicious
Users,
Fraudsters
Victim is targeted by
phishing, download of
malware
Social Engineering, Web
Application Vulnerabilities,
XSS
Consumer Education, Data
Filtering, escape all un-
trusted data based on HTML
content
Execute JS on
client, install
malware
Fraud, financial
losses,
reputation
loss/defacements
Malicious
Users,
Fraudsters
Attacker sends malicious
data to the application
Input Validation
Vulnerabilities: XSS, SQL
Injection
Filtering, parameterized API,
ESAPI filtering APIs, white-list
validations
Loss of data, data
alteration, denial
of service/access
Public disclosure
of vulnerability
Reputation
damage
Malicious
Users,
Fraudsters
Attacker target design
flaws in the
SSO/authentication or
session management
functions
Weak Auth and Session
Mgmt Vulnerabilities
Follow Security Requirements
For Secure Password Policies,
Implement Account Locking,
Disable “Auto-logons”
Unauthorized
access to data,
functions
Loss of CIA, legal
and financial
implications
FraudstersAttacker creates forged
HTTP requests and tricks
a victim into submitting
them
Cross Site Request Forgery
Vulnerabilities
Include the unique token in a
hidden field.
Can change data
and functions on
behalf of the user
Loss of CIA,
fraud, denial of
access
Automated
Scripts/
Spam Bots
Attacker uses a bot/script
to attack the application
for denial of service and
harvesting
Insufficient Anti-
Automation protection
Include CAPTCHA, ESAPI
intrusion detection APIs
Can overflow/deny
service to process
spam data,
harvest accounts./
data
Business
Disruptions/losse
s, reputational
damage
Categories
DesignDownload
Download Slideshow Get the original presentation fileQuick Actions
Statistics
- Views 9,652
- Slides 23
- Favorites 8
- Age 4979 days
Related Slideshows
1
MGV Residential Design projects for different clients, including a New Mexico Adobe project-1-.pdf
mannyvesa
26 views
16
EUNITED_Advocacy and Public Engagement through Visual Media
GeorgeDiamandis11
31 views
31
DESIGN THINKINGGG PPT 2 TOPIC IDEATION.pptx
HibaZaidi2
24 views
36
DESIGN THINKING CHAPTER 1 PPTT PPT 1.pptx
HibaZaidi2
28 views
112
Hinduism and Its History - PowerPoint Slides.pptx
ConorMcCormack10
24 views
20
Service Attributes of Manufactured Parts.pptx
MustafaEnesKrmac
24 views