Simple item record

dc.contributor.advisor: Bartnes, Maria
dc.contributor.author: Aaby, Kristin
dc.date.accessioned: 2019-09-11T11:49:43Z
dc.date.created: 2018-06-13
dc.date.issued: 2018
dc.identifier: ntnudaim:18895
dc.identifier.uri: http://hdl.handle.net/11250/2616188
dc.description.abstract: An isolated Identity Management System (IMS) requires a separate unique identifier for each Service Provider (SP). This model is problematic for users because a huge number of digital services use it, and people tend to reuse passwords to cope with the overload of different login systems. Single Sign-On (SSO) identity models, where the IMS provides SSO capability to its users, solve this problem to a large extent. At the same time, SSO introduces new security risks that must be understood in order to apply the correct mitigating measures. This thesis uses ID-porten as a reference to a practical IMS that resembles the generic centralized SSO identity model. A semi-structured interview with one of the SPs that uses ID-porten for authentication focused on general information security in their use of ID-porten, and the interview revealed concern about identity theft. The thesis therefore performs a literature review of the risk of identity theft in centralized and federated SSO identity models. The literature review finds that a risk of identity theft through unauthorized access to a user account exists due to the domino effect, the weakest link, a single layer of authentication, a central point of attack, disseminated identity information, dependence on trust, and naive user trust in the SSO identity model. A more detailed interview was then performed with the Agency for Public Management and eGovernment (Difi), focusing on the risk of identity theft in ID-porten. Altogether, several of the identity theft issues identified for SSO identity models were found to have mitigating measures in ID-porten.
The thesis compares the SSO identity model with the isolated IMS and finds that the domino effect, the weakest link, and naive user trust are present in the isolated IMS as well. In the interview with the SP it was explained that integrity and mutual trust constitute two of the security priorities in ID-porten. In general, these properties are important prerequisites for a secure SSO identity model and protect against unauthorized access to a user account. In ID-porten these properties are obtained through signed data, where SHA-1 is used in the digital signatures that secure messages between the SP and ID-porten. This thesis investigates the security of SHA-1 in digital signatures. SHA-1 was deprecated by NIST in 2011, and a practical collision attack against it was published in 2017; the use of SHA-1 for digital signatures in an SSO identity model is not considered secure. The semi-structured interview with Difi therefore also covered how the hash function is used in their system and which further security mechanisms are used to obtain integrity and mutual trust. Difi explains that additional mechanisms mitigate the risk of using SHA-1: the messages signed with SHA-1 have a short lifetime, are protected against replay attacks with session IDs, and are carried over up-to-date transport security. The thesis also performs a workshop with the SP to study the data flow between the end user, the Identity Provider (IdP), and the SP. The result is a set of diagrams showing which messages are sent, and how, between the entities during authentication, authorization, SSO, and Single Log-Out (SLO). These diagrams were further used when studying the use of SHA-1 in ID-porten.
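The abstract describes three compensating controls around a signed SSO message: the digest algorithm used in the signature (SHA-1 being the weak choice), a short message lifetime, and replay protection keyed on a per-message identifier. The following Python is an added illustration of how a verifying party enforces such a policy; it is not code from the thesis, from ID-porten or from Difi. HMAC over a constructed shared key stands in for the IdP's asymmetric signature so that the block runs with the standard library alone, and every field name, key and timestamp is made up for the example. The point it demonstrates is that the verifier, not the message, decides which digest is acceptable, that the lifetime and validity window are checked before the signature is trusted, and that nothing reaches the replay cache until the signature has passed.

```python
"""Verifier-side policy for signed SSO messages: reject weak digests (SHA-1),
enforce a short lifetime, and detect replays. Added illustration; HMAC stands
in for the IdP's asymmetric signature so this runs with the standard library."""
import hashlib
import hmac
import json
import time
from typing import Dict, Optional, Tuple

# Digests the verifier accepts. SHA-1 is deliberately absent, so a message
# declaring it (or any unknown algorithm) is rejected before verification.
ALLOWED_DIGESTS = {"sha256": hashlib.sha256, "sha384": hashlib.sha384}
MAX_LIFETIME_S = 300   # longest validity window a message may claim
CLOCK_SKEW_S = 30      # tolerated IdP/SP clock drift

# Constructed key standing in for the IdP signing key (assumption).
DEMO_KEY = b"demo-idp-signing-key-not-for-production"


def canonical(payload: Dict) -> bytes:
    """Deterministic serialization so signer and verifier hash identical bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign(payload: Dict, alg: str, key: bytes = DEMO_KEY) -> Dict:
    """Signer side. The signer may pick any hashlib digest, including sha1;
    the verifier's allowlist, not the signer's choice, decides what is accepted."""
    digest = getattr(hashlib, alg)
    sig = hmac.new(key, canonical(payload), digest).hexdigest()
    return {"payload": payload, "alg": alg, "sig": sig}


class ReplayCache:
    """Remembers message IDs only while they could still be replayed, so the
    cache is bounded by the message lifetime rather than growing forever."""

    def __init__(self) -> None:
        self._seen: Dict[str, float] = {}

    def check_and_store(self, msg_id: str, expires_at: float, now: float) -> bool:
        # Drop IDs whose validity window (plus skew) has passed; verify()
        # already rejects such messages as expired before reaching the cache.
        self._seen = {k: v for k, v in self._seen.items() if v + CLOCK_SKEW_S > now}
        if msg_id in self._seen:
            return False
        self._seen[msg_id] = expires_at
        return True


def verify(message: Dict, cache: ReplayCache, now: Optional[float] = None,
           key: bytes = DEMO_KEY) -> Tuple[bool, str]:
    """Returns (accepted, reason). Ordered so nothing unauthenticated is cached."""
    now = time.time() if now is None else now
    alg = message.get("alg")
    digest = ALLOWED_DIGESTS.get(alg)
    if digest is None:
        return False, f"algorithm not allowed: {alg}"
    payload = message.get("payload", {})
    for fld in ("id", "issued_at", "expires_at"):
        if fld not in payload:
            return False, f"missing field: {fld}"
    issued, expires = payload["issued_at"], payload["expires_at"]
    if expires - issued > MAX_LIFETIME_S:
        return False, "lifetime too long"
    if now < issued - CLOCK_SKEW_S:
        return False, "not yet valid"
    if now > expires + CLOCK_SKEW_S:
        return False, "expired"
    expected = hmac.new(key, canonical(payload), digest).hexdigest()
    if not hmac.compare_digest(expected, message.get("sig", "")):
        return False, "bad signature"
    if not cache.check_and_store(payload["id"], expires, now):
        return False, "replayed message id"
    return True, "ok"


def demo() -> Dict[str, Tuple[bool, str]]:
    """Runs the verifier over constructed messages (all values made up)."""
    now = 1_700_000_000.0
    cache = ReplayCache()
    payload = {"id": "msg-1", "issued_at": now, "expires_at": now + 120, "sub": "user-1"}
    good = sign(payload, "sha256")
    weak = sign(payload, "sha1")
    # Relabelling a SHA-1 signature as SHA-256 must fail the signature check.
    relabelled = dict(weak, alg="sha256")
    long_lived = sign(dict(payload, id="msg-2", expires_at=now + 3600), "sha256")
    return {
        "first": verify(good, cache, now),
        "replay": verify(good, cache, now),
        "sha1": verify(weak, ReplayCache(), now),
        "relabelled": verify(relabelled, ReplayCache(), now),
        "long_lived": verify(long_lived, ReplayCache(), now),
        "expired": verify(good, ReplayCache(), now + 200),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:>11}: {result}")
```

Running the block shows the first message accepted and the identical second copy refused as a replay, the SHA-1 message refused on the algorithm alone, and the relabelled message refused because the allowlisted digest no longer matches the signature. In a real deployment the allowlist would hold signature algorithm identifiers (for example the URIs or JOSE names the protocol uses) and the key would be the IdP's public key, but the ordering of the checks and the bounded replay cache carry over unchanged.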
dc.language: eng
dc.publisher: NTNU
dc.subject: Communication Technology, Information Security
dc.title: The Security of Single Sign-On (SSO) in the Norwegian Public Sector
dc.type: Master thesis
dc.source.pagenumber: 87
dc.contributor.department: Norwegian University of Science and Technology, Faculty of Information Technology and Electrical Engineering, Department of Information Security and Communication Technology
dc.date.embargoenddate: 10000-01-01

