Abstract
The concept of federated identity management is increasingly being adopted in order to bring Service Providers closer to customers. Users are given an enriched experience while carrying out business on the Web, at reduced overhead and with improved customer service. The idea of maintaining a single profile and gaining access to multiple services has been well accepted by customers. However, the payoff of compromising just one set of credentials to gain access to multiple services has also made Federated Identity Management of high interest to malicious users. In this paper, we analyze the structure of a generic Federated Identity Management System and explore the .NET Passport framework in depth. We examine the security mechanisms currently adopted by .NET Passport and identify potential security weaknesses. We then propose new approaches to enhance the security services in .NET Passport by using Secure Cookies. Our approaches are transparent to, and compatible with, the current .NET Passport server. Finally, we demonstrate feasibility by implementing our ideas in a real system.
© 2005 IFIP International Federation for Information Processing
Cite this paper
Park, J.S., Krishnan, H.S. (2005). Trusted Identity and Session Management Using Secure Cookies. In: Jajodia, S., Wijesekera, D. (eds) Data and Applications Security XIX. DBSec 2005. Lecture Notes in Computer Science, vol 3654. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11535706_23
DOI: https://doi.org/10.1007/11535706_23
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-28138-2
Online ISBN: 978-3-540-31937-5
eBook Packages: Computer Science (R0)