基于数字证书与OAuth2.0的IDP改进模型

随着云计算技术的快速发展和各种云端应用的开展,云环境中用户身份认证和授权管理成为云安全的关键问题之一。OAuth 2.0规范草案较好解决了云环境下的用户授权问题,提出了四种授权类型。本文在OAuth 2.0规范基础上,针对应用比较广泛的Authorization Code模式提出了基于数字证书的IDP改进模型。论文最后讨论了改进模型的优势。     

基于OAuth2.0 的认证授权技术

开放平台的核心问题是用户验证和授权问题,OAuth是目前国际通用的授权方式,它的特点是不需要用户在第三方应用输入用户名及密码,就可以申请访问该用户的受保护资源。OAuth最新版本是OAuth2.0,其认证与授权的流程更简单、更安全。研究了OAuth2.0的工作原理,分析了刷新访问令牌的工作流程,并给出了OAuth2.0服务器端的设计方案和具体的应用实例。     

Machine learning approach to vulnerability detection in OAuth 2.0 authentication and authorization flow

Technologies for integrating enterprise web applications have improved rapidly over the years. The OAuth framework provides authentication and authorization using the users’ profile and credentials in an existing identity provider. This makes it possible for attackers to exploit any vulnerability arising from exchange of data with the provider. Vulnerability in OAuth authorization flow allows an attacker to alter the normal flow sequence of the OAuth protocol. In this paper, a machine learning-based approach was applied in the detection of potential vulnerability in the OAuth authentication and authorization flow by analyzing the relationship between changes in the OAuth parameters and the final output. This research models the OAuth protocol as a supervised learning problem where seven classification models were developed, tuned and evaluated. Exploratory Data Analytics (EDA) techniques were applied in the extraction and analysis of specific OAuth features so that each output class could be evaluated to determine the effect of the identified OAuth features. The models developed in this research were trained, tuned and tested. A performance accuracy above 90% was attained for detection of vulnerabilities in the OAuth authentication and authorization flow. Comparison with known vulnerability resulted in a 54% match.

     

Integration of the OAuth and Web Service family security standards

There are more and more scenarios requiring the transparent integration of heterogeneous security services in order to facilitate application development, simplify deployment and provide a seamless user experience. One of the most common use cases occurs when resources make use of OAuth to provide a simple and flexible way to authorize clients in order to access protected resources. But different OAuth implementations normally use distinct types of authorization grant and access tokens. This heterogeneity can be tackled by leveraging on WS-Trust, which is especially intended to offer integration mechanisms among services that implement WS-^∗ specifications. By integrating these mechanisms it is possible to reduce the complexity supported by the OAuth Authorization Server (AS), so easing the interoperability through the delegation of the issuance and validation processes. This work also proposes a solution to cover the needs of WS-Trust clients which intend to use OAuth resources.     

基于OAuth2.0的资源共享机制RSBO

共享资源重要的问题就是安全,本文针对目前主流的资源共享机制存的安全问题,如身份认证授权安全问题、用户信息泄露等问题,同时当资源在不同用户不同平台间进行共享时,用户需对资源进行分散重复存储等,造成冗余存储及空间浪费.本文针这些问题,提出了一种基于OAuth2.0协议的资源共享机制RSBO(Resource Sharing based OAuth2.0)并对其进行阐述,RSBO利用OAuth2.0协议认证授权的访问令牌原理,为共享资源创建资源令牌,该机制解决了用户信息泄露及冗余存储等问题,一次授权,实现多用户跨平台的资源共享.     

SPP: An anti-phishing single password protocol

Most users have multiple accounts on the Internet where each account is protected by a password. To avoid the headache in remembering and managing a long list of different and unrelated passwords, most users simply use the same password for multiple accounts. Unfortunately, the predominant HTTP basic authentication protocol (even over SSL) makes this common practice remarkably dangerous: an attacker can effectively steal users’ passwords for high-security servers (such as an online banking website) by setting up a malicious server or breaking into a low-security server (such as a high-school alumni website). Furthermore, the HTTP basic authentication protocol is vulnerable to phishing attacks because a client needs to reveal his password to the server that the client wants to login.In this paper, we propose a protocol that allows a client to securely use a single password across multiple servers, and also prevents phishing attacks. Our protocol achieves client authentication without the client revealing his password to the server at any point. Therefore, a compromised server cannot steal a client’s password and replay it to another server.Our protocol is simple, secure, efficient and user-friendly. In terms of simplicity, it only involves three messages. In terms of security, the protocol is secure against the attacks that have been discovered so far including the ones that are difficult to defend, such as the malicious server attacks described above and the recent phishing attacks. Essentially our protocol is an anti-phishing password protocol. In terms of efficiency, each run of our protocol only involves a total of four computations of a one-way hash function. In terms of usability, the protocol requires a user to remember only one password consisting of eight (or more) random characters, and this password can be used for all of his accounts.     

Phishing in an academic community: A study of user susceptibility and behavior

Abstract

We present an observational study on the relationship between demographic factors and phishing susceptibility at the University of Maryland, Baltimore County (UMBC). In spring 2018, we delivered phishing attacks to 450 randomly selected students on three different days (1,350 students total) to examine user click rates and demographics among UMBC’s undergraduates. Participants were initially unaware of the study. We deployed the billing problem, contest winner, and expiration date phishing tactics. Experiment 1 impersonated banking authorities; Experiment 2 enticed users with monetary rewards; and Experiment 3 threatened users with account cancelation. We found correlations resulting in lowered susceptibility based on college affiliation, academic year progression, cyber training, involvement in cyber clubs or cyber scholarship programs, time spent on the computer, and age demographics. We found no significant correlation between gender and susceptibility. Contrary to our expectations, we observed a reverse correlation between phishing awareness and student resistance to clicking. Students who identified themselves as understanding the definition of phishing had a higher susceptibility rate than did their peers who were merely aware of phishing attacks, with both groups having a higher susceptibility rate than those with no knowledge whatsoever. Approximately 70% of survey respondents who opened a phishing email clicked on it, with 60% of student having clicked overall.     

基于令牌认证方案的改进研究与实践

就前后端分离的软件开发模式而言,保护后端数据接口不被非法调用是十分重要的。令牌作为获取保护资源的凭证,需要提供过期时间,否则认证功能就失去了意义。针对活跃用户,需要在有效时间内提供自动登录功能,可以提升使用体验。本文研究了OAuth(Open Authorization,一种开放的授权标准)的认证机制,并在ASP.NET Web API框架基础上,实现身份认证方案,当访问令牌过期后,增加令牌刷新机制,既能够改善用户体验,也能够有效保护数据接口。该方案具有通用性,适用于前后端分离的软件开发。通过测试,表明了该方案具有有效性和可行性。     

Single password authentication

Users frequently reuse their passwords when authenticating to various online services. Combined with the use of weak passwords or honeypot/phishing attacks, this brings high risks to the security of the user’s account information. In this paper, we propose several protocols that can allow a user to use a single password to authenticate to multiple services securely. All our constructions provably protect the user from dictionary attacks on the password, and cross-site impersonation or honeypot attacks by the online service providers.     

Phish Block: A Blockchain Framework for Phish Detection in Cloud

The data in the cloud is protected by various mechanisms to ensure security aspects and user’s privacy. But, deceptive attacks like phishing might obtain the user’s data and use it for malicious purposes. In Spite of much technological advancement, phishing acts as the first step in a series of attacks. With technological advancements, availability and access to the phishing kits has improved drastically, thus making it an ideal tool for the hackers to execute the attacks. The phishing cases indicate use of foreign characters to disguise the original Uniform Resource Locator (URL), typosquatting the popular domain names, using reserved characters for re directions and multi-chain phishing. Such phishing URLs can be stored as a part of the document and uploaded in the cloud, providing a nudge to hackers in cloud storage. The cloud servers are becoming the trusted tool for executing these attacks. The prevailing software for blacklisting phishing URLs lacks the security for multi-level phishing and expects security from the client’s end (browser). At the same time, the avalanche effect and immutability of block-chain proves to be a strong source of security. Considering these trends in technology, a block-chain based filtering implementation for preserving the integrity of user data stored in the cloud is proposed. The proposed Phish Block detects the homographic phishing URLs with accuracy of 91% which assures the security in cloud storage.     

运用SPIN对开放授权协议OAuth 2.0的分析与验证

OAuth 2.0协议是一种开放授权协议,主要用于解决用户账号关联与资源共享问题。但是,其弱安全性导致各网络公司海量用户信息泄露,且OAuth 2.0传输数据采用的https通道效率低下,成为黑客攻击对象。提出采用http通道传输OAuth 2.0协议数据,基于Promale语言及Dolev-Yao攻击者模型对OAuth 2.0协议建模,运用SPIN进行模型检测。形式化分析结果表明,采用公钥加密体系对OAuth 2.0协议进行加密不安全。上述建模方法对类似的授权协议形式化分析有重要借鉴意义。     

Why Johnny can't surf (safely)? Attacks and defenses for web users

In their seminal article “Why Johnny Can't Encrypt” [Whitten A, Tygar JD. Why Johnny can't encrypt: a usability case study of PGP 5.0. In: Proceedings of the eighth USENIX security symposium; August 1999.], Whitten and Tygar showed that usability weaknesses of encryption software may result in failure to protect users, in spite of good cryptography. A similar situation happens, on a huge scale, on the Web: the widely deployed SSL/TLS protocols provide good cryptography, yet there is a growing amount of successful attacks on web users, causing massive damages. In this article, we focus on password theft via fake websites, to which we refer as phishing. We believe that phishing is currently the most severe threat facing web users.We begin with a brief review of SSL/TLS. Many sensitive sites do not use SSL/TLS, or use it incorrectly (e.g. to encrypt password, filled into an unprotected login form); we explain why.Even if sites use SSL/TLS (correctly), this may not be enough to prevent phishing – at least, using the basic security and identification indicators of most browsers (URL, padlock and HTTPS). We discuss basic and advanced indicators, and their usability problems. We review recent usability studies, whose results are rather alarming, and put in question the ability of users to avoid phishing sites based on security and identification indicators.     

An authorization system for digital libraries

Digital Libraries (DLs) introduce several challenging requirements with respect to the formulation, specification, and enforcement of adequate data protection policies. Unlike conventional database environments, a DL environment typically is characterized by a dynamic subject population, often making accesses from remote locations, and by an extraordinarily large amount of multimedia information, stored in a variety of formats. Moreover, in a DL environment, access policies are often specified based on subject qualifications and characteristics, rather than subject identity. Traditional authorization models are not adequate to meet access control requirements of DLs. In this paper, we present a Digital Library Authorization System (DLAS). DLAS employs a content-based authorization model, called a Digital Library Authorization Model (DLAM) which was proposed in previous work [1]. Edited by Y. Yesha. Received: 21 December 2000 / Accepted: 6 March 2002 Published online: 14 May 2002     

A game design framework for avoiding phishing attacks

Game based education is becoming more and more popular. This is because game based education provides an opportunity for learning in a natural environment. Phishing is an online identity theft, which attempts to steal sensitive information such as username, password, and online banking details from its victims. To prevent this, phishing awareness needs to be considered. This research aims to develop a game design framework, which enhances user avoidance behaviour through motivation to protect users from phishing attacks. In order to do this, a theoretical model derived from Technology Thread Avoidance Theory (TTAT) was developed and used in the game design framework (Liang & Xue, 2010). A survey study was undertaken with 150 regular computer users to elicit feedback through a questionnaire. The study findings revealed that perceived threat, safeguard effectiveness, safeguard cost, self-efficacy, perceived severity, and perceived susceptibility elements should be addressed in the game design framework for computer users to avoid phishing attacks. Furthermore, we argue that this game design framework can be used not only for preventing phishing attacks but also for preventing other malicious IT attacks such as viruses, malware, botnets and spyware.     

ISHO: improved spotted hyena optimization algorithm for phishing website detection

One of the major challenges in cyber space and Internet of things (IoT) environments is the existence of fake or phishing websites that steal users’ information. A website as a multimedia system provides access to different types of data such as text, image, video, audio. Each type of these data are prune to be used by fishers to perform a phishing attack. In phishing attacks, people are directed to fake pages and their important information is stolen by a thief or phisher. Machine learning and data mining algorithms are the widely used algorithms for classifying websites and detecting phishing attacks. Classification accuracy is highly dependent on the feature selection method employed to choose appropriate features for classification. In this research, an improved spotted hyena optimization algorithm (ISHO algorithm) is proposed to select proper features for classifying phishing websites through support vector machine. The proposed ISHO algorithm outperformed the standard spotted hyena optimization algorithm with better accuracy. In addition, the results indicate the superiority of ISHO algorithm to three other meta-heuristic algorithms including particle swarm optimization, firefly algorithm, and bat algorithm. The proposed algorithm is also compared with a number of classification algorithms proposed before on the same dataset.

     

一种云计算中的多重身份认证与授权方案

OpenID是一种广泛应用于云计算中的去中心化的身份认证技术。OpenID为用户以一个身份在多个云服务中通行提供了一种方式,也解决了因遗失在云提供商处注册的云身份凭证而不能登录的问题。但用户以OpenID身份登录云服务后,却不能访问该用户的云身份拥有的资源,且OpenID技术也没有对请求身份信息的云服务进行认证与细粒度授权。因此文章在OpenID技术和OAuth技术的基础上,设计了一种多重身份认证与授权方案来解决上述同一用户不同身份的资源不可访问问题,以及身份信息等资源访问流程中的细粒度授权问题。     

支持动态授权和文件评价的访问控制机制

针对传统的访问控制方法不支持动态授权和文件评价、且存在恶意再分享隐患,设计了一种支持动态授权和文件评价的访问控制机制(DAFE-AC)。DAFE-AC采用的动态授权机制能够对已授权用户进行实时监控,保证了用户之间的相互监督;采用的文件评价机制可以支持文件解锁阈值的动态更新。基于Hash/索引数据库,DAFE-AC确保了文件在系统中的唯一性。在DAFE-AC中,用户授权值会随着其他用户行为动态变化,且用户可以通过对文件进行评价以消除恶意再分享。     

基于新浪微博开放平台的iPhone地图应用与开发

微博开放平台可在对第三方进行验证与授权后为其提供服务,验证与授权过程是根据OAuth 2.0协议进行的.在使用新浪微博开放平台服务的基础上,结合Xcode开发平台中iPhone地图组件提供的功能,开发出一个展示微博用户活动的地图应用.该应用为分析微博用户所进行的活动提供了重要依据,对研究iPhone地图定位和开放平台有着重要作用.     

Five-tier barrier anti-phishing scheme using hybrid approach

ABSTRACT

Though hoaxing people to make financial benefits is an old idea, phishers have realized that social engineering tools for web attacks are relatively easy to execute and are highly profitable over the Internet. One of the threatening criminal activities is phishing, in which the phishers trap users into revealing their identities and financial information to a fraudulent website. Researchers have proposed a number of anti-phishing techniques based on blacklist, whitelist, and visual similarity, but the major disadvantage with such approaches is that they are slow techniques with high false positive rates. For robust detection of phishing attacks, this article uses fundamentals of heuristic factors and a whitelist. The article proposes a safeguard scheme referred as the five-tier barrier hybrid approach. Input to the five-tier barrier is a uniform resource locator (URL), and output of the application is a status of the page (“Secure Connection” representing a legitimate URL, “Phishing Alert” representing phishing URL, and “Query Page” representing that the webpage needs to be processed further/failure of JSoup connection). In comparison to a blacklist, the five-tier barrier is competent in detecting zero-hour phishing attacks, and it is much faster than visual similarity–based anti-phishing techniques.