Gesellschaft für Informatik e.V.

Lecture Notes in Informatics

Sicherheit 2014 -- Sicherheit, Schutz und Zuverlässigkeit P-228, 65-78 (2014).

Gesellschaft für Informatik, Bonn

Copyright © Gesellschaft für Informatik, Bonn


On the security of Holder-of-Key single sign-on

Andreas Mayer, Vladislav Mladenov and Jörg Schwenk


Web Single Sign-On (SSO) is a valuable target for attackers because a single initial authentication grants access to multiple resources, so the security of Web SSO is crucial. In this context, the SAML-based Holder-of-Key (HoK) SSO Profile is a cryptographically strong authentication protocol that is used in highly critical scenarios. We show that HoK is susceptible to a previously published attack by Armando et al. [ACC+11] that combines logical flaws with cross-site scripting. To close this vulnerability, we propose an enhancement of HoK that we call HoK+, and we have implemented HoK+ in the popular open-source framework SimpleSAMLphp.


ISBN 978-3-88579-622-0

Last changed 15.04.2014 18:32:19