OpenID & OAuth:
security considerations

Arjan Scherpenisse, Mediamatic Lab
arjan@mediamatic.nl

February 2009

Agenda

• OpenID
  • Protocol overview
  • Security issues
• OAuth
  • Protocol overview
  • Security issues
• Concluding remarks

OpenID

• Single-signon (SSO) solution
• Consumers and providers
• Consumer (Relying partiy) displays logon box ("login with your OpenID")
• Providers (Identity Provider) provides identity verification
• Identity host provides identity information (http://arjan.scherpenisse.name)

Protocol flow

Security: OpenID URL sanity check

• Trick the server into downloading stuff
• Access "private" urls
• Non-http protocols
• Blacklist of known spammers / anonymous providers

Security issues: Crypto

• Crypto: Diffie-Helman is used, but is prone to man-in-the-middle attacks
• Spec advises using HTTPS for every step of the logon flow
• Why is DH then still used?

Security: RP to IdP redirect

• Redirect is performed by the Relying Party
• Phishing!
• One of the issues not yet solved in OpenID

Security: Identity provider trust

• Its all about trust: Your Identity Provider knows which sites you log in to

Security: IdP to RP redirect

• Prone to replay attacks
• "nonce"s provide some kind of solution, but is not perfect

Security: misc

• The "remember me" and "trust forever" options of the IdP have issues
• Can cause cross-site forgery requests
• (e.g., a malicious RP can guess which other sites you have an openid on, and can "under the hood" log you in to those sites)

OAuth

• Let applications do stuff on your behalf
• Dont share your password with 3rd parties
• Designed to work over non-secure connections (http)
• Based on shared secrets and data integrity

OAuth security considerations

• ckey / csec are assigned outside the protocol
• Once shared secrets are established, requests can be considered secure
• nonce is the only weakness: does not protect agains "active" hackers
• Request body is not signed (for non-application/x-www-form-urlencoded)

Concluding remarks

• OpenID is not so bad as it seems
• You have only one gate to secure
• If you're using HTTPS, you have to use it all the time (sniffing / cookie stealing)
• OAuth is the de-facto standard for auth delegation, and secure