The Security of Single Sign-On (SSO) in the Norwegian Public Sector
MetadataShow full item record
An isolated Identity Management System (IMS) requires a separate unique identifier for eachspecific Service Provider (SP). This model occurs to be problematic for users as there are a hugenumber of digital services utilize it, and the tendency is that people reuse passwords to copewith the overload of different login systems. This problem can be more or less solved in SingleSign-On (SSO) identity models, where the IMS provides SSO capability to its users. At thesame time, the SSO introduce new security risks that are important to have knowledge aboutin order to perform correct mitigating measures. This thesis uses ID-porten as a reference toa practical Identity Management System (IMS) which is similar to the generic centralized SSOidentity model. The focus of the semi-structured interview with one of the SPs utilizing ID-porten for authenticationwas general information security in their use of ID-porten. The SSO introduce new securityrisks, and the concern for identity theft was revealed in the interview. The thesis performs aliterature review on the potential risk of identity theft in centralized and federated SSO identitymodels. The findings from the literature review are that there exists a risk of identity theftthrough unauthorized access to a user account due to the domino effect, weakest link, singlelayer of authentication, central point of attack, disseminated identity information, dependabilityto trust, and naive user trust in the SSO identity model. Further, a more detailed interviewwas performed with The Agency for Public Management and eGovernment (Difi) with the focuson the risk of identity theft in ID-porten. Altogether, several of the security issues regardingidentity theft in SSO identity models where found to have mitigation measures in ID-porten.The thesis compares the SSO identity model with the isolated IMS, and the problem with thedomino effect, weakest link, and naive user trust are present in the isolated IMS as well. Further, the interview with the SP it was explained that integrity and mutual trust constitutetwo of the security priorities in ID-porten. Generally, these properties are important prerequisitesfor a secure SSO identity model and prevent against potential unauthorized access to one of theuser accounts. In ID-porten these properties are obtained through signed data, where SHA-1 isused in digital signatures for message security between the SP and ID-porten. In this thesis, thesecurity of SHA-1 in digital signatures is investigated. SHA-1 was deprecated by NIST in 2011and exposed to a practical collision attack in 2017. The use of SHA-1 for digital signature inSSO identity model is not considered to be secure. Furthermore, in the semi-structured interviewperformed with Difi, the focus was also to see how the hash function is used in their system,in addition, to gain knowledge about eventual further security mechanisms used to obtain thesecurity priorities integrity and mutual trust. Difi explains that further security mechanisms forproviding integrity and mutual trust are performed in order to mitigate the risk of using SHA-1. The messages using SHA-1 has a short lifetime, in addition to that the messages are protectedagainst replay attack with session IDs and using updated transport security. The thesis performs a workshop with the SP to study the data flow propagating between the enduser, Identity Provider (IdP), and SP. The result of this are diagrams showing what messagesare sent, and how they are sent between the entities during authentication, authorization, SSO,and Single Log-Out (SLO). These diagrams were further used when studying the use of SHA-1in ID-porten.