RE: [id-cloud] Gap Analysis Use Case 21: Mobile Customers' Identity Authentication Using a Cloud Provider

["Nguyen, Dominique V" <dominique.v.nguyen@bankofamerica.com>]

This discussion thread is to start an on-list discussion on the Gap

 Analysis of individual use cases. Use case numbers refer to the use

 cases as described in the 'OASIS Identity in the Cloud TC Use Cases'

 Version 1.0, Working Draft 02, 15 December 2011, which is available at

 http://www.oasis-open.org/committees/document.php?document_id=44915&wg_abbrev=id-cloud

 

 

The information below describes the current state. You are invited to

 respond on-list to this thread with any comments, insights, additions, etc.

All input will be gathered from the list and consolidated into the

 next revision of the Gap Analysis document.

---

 

Use Case 21: Mobile Customers' Identity Authentication Using a Cloud Provider

 

Short description:

Feature the need to have a standard secure authentication in order to use Cloud service

to authenticate mobile users

 

Relevant applicable standards:

- SAML

- OAuth

- XSPA

- WS-Trust

- PMRM

 

OAuth v 1.0a Gap summary:

 

This standard provides no security mechanism to protect the confidentiality and integrity of the information passed between User to Service Provider

and Service Provider to Consumer.  Thus it exposes the id exchange information to eavesdrop and information theft by Man-in-the-Middle and Man-in-the

Browser attacks.  The protocol relies on SSL/TLS to provide security for information exchanged in motion.  However, if mutual authentication is not

enforced in the SSL/TLS handshake connection, SSL/TLS is also subject to eavesdrop and information theft by Man-in-the-Middle and Man-in-the

Browser attacks. 

.

Terms used in OAuth and detailed gaps:

 

* Service Provider: A web application that allows access via OAuth

* User: Individual who has account with Service Provider

* Consumer: A website or application that uses OAuth to access the Service Provider on behalf of the User

* Consumer Key: A value used by the Consumer to identify itself to the Service Provider

* Consumer Secret: A secret used b the Consumer to establish ownership of the Consumer Key

* Request Token: A value used by the Consumer to obtain authorization from the User, and exchanged for an Access Token

* Access Token: A value used by the Consumer to gain access to the Protected Resources on behalf of the User, instead of using the User’s Service Provider credential

* Token Secret: A secret used by the Consumer to establish ownership of a given Token

 

Standard / Protocol	Credentials & Token Exchange	Plaintext signature	Confidentiality of Requests	Spoofing by Counterfeit Servers	Plaintext Storage of Credentials	Secrecy of the Consumer Secret	Scoping of Access Requests	Cross-Site Request Forgery	Automatic Processing of Repeat Authorization
OAuth 1.0a	No mechanism to protect Tokens & secrets from eavesdroppers when transmitted from Service Provider to Customer	No attempt to protect User credentials from eavesdroppers or man-in-he-middle attacks.  This method is intended to be used in conjunction with a transport-layer security mechanism such as TLS or SSL	Only provides mechanism for verifying the integrity of requests, not confidentiality of the request, eavesdroppers will have full access to request content	No attempt to verify the authenticity of the Service Provider. 3rd party can intercept the Consumer’s request and returning misleading or incorrect responses	Consumer Secret and Token Secret are stored in plaintext form for Service Provider to compute the signatures used in the non-plaintext methods	This is a single factor secret and can be downloaded by attacker	By itself, OAuth does not provide any method for scoping the access rights granted to a Consumer would either has access to Protected Resources or it doesn’t.	CSRF  web-based attacks on OAuth approvals allow an attacker to obtain authorization to OAuth Protected Resources without the consent of the User	An attacker can use the stolen Consumer Key and Secret to redirect the User to the Service Provider with an authorization request.  The Service Provider will then grant access to the User’s data without the User’s explicit approval

 

Regards,

Dominique

---------------------------------------------------------------------

To unsubscribe, e-mail: id-cloud-unsubscribe@lists.oasis-open.org

For additional commands, e-mail: id-cloud-help@lists.oasis-open.org

 

---

This message w/attachments (message) is intended solely for the use of the intended recipient(s) and may contain information that is privileged, confidential or proprietary. If you are not an intended recipient, please notify the sender, and then please delete and destroy all copies and attachments, and be advised that any review or dissemination of, or the taking of any action in reliance on, the information contained in or attached to this message is prohibited.
Unless specifically indicated, this message is not an offer to sell or a solicitation of any investment products or other financial product or service, an official confirmation of any transaction, or an official statement of Sender. Subject to applicable law, Sender may intercept, monitor, review and retain e-communications (EC) traveling through its networks/systems and may produce any such EC to regulators, law enforcement, in litigation and as required by law.
The laws of the country of each sender/recipient may impact the handling of EC, and EC may be archived, supervised and produced in countries other than the country in which you are located. This message cannot be guaranteed to be secure or free of errors or viruses.

References to "Sender" are references to any subsidiary of Bank of America Corporation. Securities and Insurance Products: * Are Not FDIC Insured * Are Not Bank Guaranteed * May Lose Value * Are Not a Bank Deposit * Are Not a Condition to Any Banking Service or Activity * Are Not Insured by Any Federal Government Agency. Attachments that are part of this EC may have additional important disclosures and disclaimers, which you should read. This message is subject to terms available at the following link:
http://www.bankofamerica.com/emaildisclaimer. By messaging with Sender you consent to the foregoing.