| Presentation | 2024-01-25 [Encouragement Talk] Access Control Method to Prevent Session Token Abuse on OpenID Connect Junki Yuasa, Taisho Sasada, Yuzo Taenaka, Youki Kadobayashi, |
|---|---|
| PDF Download Page |  PDF download Page Link |
| Abstract(in Japanese) | (See Japanese page) |
| Abstract(in English) | In recent years, the adoption of Single Sign-On (SSO) has been increasing in web services to reduce the burden of user account management. In web services that use OpenID Connect, a primary SSO protocol, users are authenticated using ID tokens issued by Identity Providers (IdPs), and session tokens are often used for authorizing requests post-authentication to identify sessions. However, attackers obtaining session tokens can conduct impersonation attacks, compromising the authenticity of users. This study proposes an access control mechanism to address the issue of impersonation using session tokens. The proposed mechanism monitors and verifies requests using session tokens on the server side of web services, ensuring appropriate access control based on the results of authenticity verification even after authentication. Specifically, upon completion of authentication, a temporary private key is generated to prove the user's identity. For post-authentication requests, the user sends messages signed with this private key, enabling the server to confirm that the requests are coming from the correct user. To address the issue of attackers creating valid signatures using stolen private keys when user devices are compromised, the mechanism employs password-less authentication technology, such as FIDO, for high-confidentiality operations post-authentication. This involves requesting gestures like fingerprint authentication to verify the identity of the correct user. |
| Keyword(in Japanese) | (See Japanese page) |
| Keyword(in English) | Access Control / User Authenticity / Single Sign-On / OpenID Connect / FIDO / Session Hijacking |
| Paper # | NS2023-162 |
| Date of Issue | 2024-01-18 (NS) |
| Conference Information | |
| Committee | NS |
|---|---|
| Conference Date | 2024/1/25(2days) |
| Place (in Japanese) | (See Japanese page) |
| Place (in English) | Higashisenda Campus, HiroshimaUniversity + Online |
| Topics (in Japanese) | (See Japanese page) |
| Topics (in English) | Network software (Software architecture, Middleware), Network application, SOA/SDP, NGN/IMS/API, Distributed control/Dynamic routing, Grid, NFV, IoT, Network/System reliability, Network/System evaluation, etc. |
| Chair | Tetsuya Oishi(NTT) |
| Vice Chair | Takumi Miyoshi(Shibaura Inst. of Tech.) |
| Secretary | Takumi Miyoshi(NTT) |
| Assistant | Hiroshi Yamamoto(NTT) |
| Paper Information | |
| Registration To | Technical Committee on Network Systems |
|---|---|
| Language | JPN |
| Title (in Japanese) | (See Japanese page) |
| Sub Title (in Japanese) | (See Japanese page) |
| Title (in English) | [Encouragement Talk] Access Control Method to Prevent Session Token Abuse on OpenID Connect |
| Sub Title (in English) | |
| Keyword(1) | Access Control |
| Keyword(2) | User Authenticity |
| Keyword(3) | Single Sign-On |
| Keyword(4) | OpenID Connect |
| Keyword(5) | FIDO |
| Keyword(6) | Session Hijacking |
| 1st Author's Name | Junki Yuasa |
| 1st Author's Affiliation | Nara Institute of Science and Technology(NAIST) |
| 2nd Author's Name | Taisho Sasada |
| 2nd Author's Affiliation | Nara Institute of Science and Technology(NAIST) |
| 3rd Author's Name | Yuzo Taenaka |
| 3rd Author's Affiliation | Nara Institute of Science and Technology(NAIST) |
| 4th Author's Name | Youki Kadobayashi |
| 4th Author's Affiliation | Nara Institute of Science and Technology(NAIST) |
| Date | 2024-01-25 |
| Paper # | NS2023-162 |
| Volume (vol) | vol.123 |
| Number (no) | NS-367 |
| Page | pp.pp.19-24(NS), |
| #Pages | 6 |
| Date of Issue | 2024-01-18 (NS) |