International Research Journal of Engineering and Technology (IRJET)
e-ISSN: 2395-0056 | p-ISSN: 2395-0072
Volume: 11 Issue: 03 | Mar 2024
www.irjet.net

Improved the authentication technology on Single Sign-On Protocol "OpenID Connect" to avoid session hijacking attacks

Ibrahim Alahmad 1, Mouhamad Ayman Naal 2, Mahmoud Shaar 3
1 Graduate student (PhD), Department of Computer Engineering, Faculty of Electrical and Electronic Engineering, University of Aleppo, Syria
2 Professor, Department of Computer Engineering, Faculty of Electrical and Electronic Engineering, University of Aleppo, Syria
3 Lecturer, Department of Computer Engineering, Faculty of Electrical and Electronic Engineering, University of Aleppo, Syria
Abstract - Millions of users routinely use Google or Facebook to log in to websites that support the OpenID Connect single sign-on protocol, so the security of this protocol is of critical importance. As previous studies have shown, systems using OpenID Connect are vulnerable to attack, and the users of these systems are typically unaware of the issues and are therefore at risk of attacks that may lead to unauthorized access to their accounts.

In this paper, a large-scale practical study of the single sign-on protocol "OpenID Connect" was carried out by analyzing the stages of the protocol's operation. A group of attacks developed to compromise the protocol was also described, the session attack was applied to the protocol, and a new method was then proposed to prevent the session attack in the first stage of the protocol by adding a two-factor authentication step that uses a One Time Password to protect session tokens.

Key Words: Single Sign-On, One Time Password, One Time Pad, OpenID Connect, identity provider.

1. INTRODUCTION
Single sign-on is a method of access control that requires the user to log in once and, after a successful login, grants access to multiple resources and services without requiring the user to log in again. The SSO approach therefore lets users authenticate only once and then enjoy convenient, secure access to other applications [1]. The OpenID Connect protocol is the most recent of the single sign-on protocols. It was released in 2014 and is supported by many large companies [2].

2. RESEARCH OBJECTIVES
This research aims to provide a comprehensive and detailed analytical study of the OpenID Connect single sign-on protocol and of the stages of its operation, together with a study of the malicious attacks that have been developed to uncover security vulnerabilities in this protocol. Session attacks are also applied to the protocol and the results of the attack are observed. The research then presents a method to protect the protocol from the session attack by using an OTP.

3. OPENID CONNECT
The OpenID Connect protocol was built on OAuth 2.0 to enable user authentication: it allows users to authenticate to service providers using existing accounts at an identity provider. It also adds a new feature, the stage of discovery, dynamic registration, and automatic trust establishment between the service provider (relying party, RP) and the identity provider (IdP), through which the service provider can automatically discover the identity provider responsible for issuing the identity. Figure (1) shows the general working principle of OIDC [3].

Figure (1) The general principle of OpenID Connect

The user begins by requesting the service from the service provider (RP) (A). The service provider then retrieves some information (URLs) from the identity provider; this is called the discovery phase (B). It then registers with the identity provider (IdP) (C), after which the user is redirected to the identity provider to authenticate (D). The identity provider then issues an id_token to the service provider, which verifies its signature and claims and, if they are valid, provides the service to the user (E).
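The flow in steps (A) to (E) above, as an added example that is not code from the paper: a toy identity provider and relying party exchange messages in memory, so the example runs offline. The hostnames `idp.example` and `rp.example`, the functions `run_flow` and `session_swap_rejected`, and the use of HS256 keyed with the client_secret are all assumptions made for the example; real identity providers sign id_tokens with asymmetric keys published at the `jwks_uri` listed in the discovery document. The example also goes one step past the figure: the RP binds each login to a browser session with `state` and `nonce`, and `session_swap_rejected` shows that a code and state obtained from the attacker's own login cannot be planted into a victim's session.

```python
# Toy OpenID Connect authorization-code flow covering steps (A)-(E) of Figure 1.
# Added example, not code from the paper. HS256 keyed with the client_secret keeps it
# offline (assumption); real IdPs sign id_tokens with RS256/ES256 keys from jwks_uri.
import base64, hashlib, hmac, json, secrets, time

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def jwt_sign_hs256(claims: dict, key: bytes) -> str:
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"

def verify_id_token(token: str, key: bytes, issuer: str, client_id: str, nonce: str) -> dict:
    """RP-side id_token checks: alg, signature, iss, aud, exp and the per-login nonce."""
    header_b64, body_b64, sig_b64 = token.split(".")
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")            # refuse alg=none or a downgraded alg
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body_b64))
    if claims.get("iss") != issuer or claims.get("aud") != client_id:
        raise ValueError("token not from our issuer or not issued to us")
    if claims.get("exp", 0) <= time.time():
        raise ValueError("expired")
    if not hmac.compare_digest(str(claims.get("nonce", "")), nonce):
        raise ValueError("nonce mismatch: token not bound to this login attempt")
    return claims

class IdentityProvider:
    def __init__(self, issuer: str):
        self.issuer, self.clients, self.codes = issuer, {}, {}
    def discovery(self) -> dict:                                               # (B)
        return {"issuer": self.issuer, "authorization_endpoint": self.issuer + "/authorize",
                "token_endpoint": self.issuer + "/token", "registration_endpoint": self.issuer + "/register"}
    def register(self, redirect_uri: str) -> dict:                             # (C)
        client_id, secret = "rp-" + secrets.token_hex(4), secrets.token_bytes(32)
        self.clients[client_id] = {"redirect_uri": redirect_uri, "secret": secret}
        return {"client_id": client_id, "client_secret": secret}
    def authorize(self, client_id: str, redirect_uri: str, state: str, nonce: str, user: str) -> dict:
        if self.clients[client_id]["redirect_uri"] != redirect_uri:          # (D)
            raise ValueError("redirect_uri mismatch")
        code = secrets.token_urlsafe(16)                  # `user` is assumed authenticated here
        self.codes[code] = {"client_id": client_id, "sub": user, "nonce": nonce}
        return {"code": code, "state": state}             # carried back to the RP by the browser
    def token(self, client_id: str, client_secret: bytes, code: str) -> dict:
        client = self.clients[client_id]
        if not hmac.compare_digest(client["secret"], client_secret):
            raise ValueError("bad client credentials")
        grant = self.codes.pop(code)                      # single-use code
        if grant["client_id"] != client_id:
            raise ValueError("code issued to another client")
        now = int(time.time())
        claims = {"iss": self.issuer, "sub": grant["sub"], "aud": client_id,
                  "iat": now, "exp": now + 300, "nonce": grant["nonce"]}
        return {"id_token": jwt_sign_hs256(claims, client["secret"])}

class RelyingParty:
    def __init__(self, idp: IdentityProvider, redirect_uri: str):
        self.idp, self.redirect_uri, self.sessions = idp, redirect_uri, {}
        self.cfg = idp.discovery()                                             # (B)
        reg = idp.register(redirect_uri)                                       # (C)
        self.client_id, self.client_secret = reg["client_id"], reg["client_secret"]
    def start_login(self) -> tuple:                                            # (A)
        sid = secrets.token_urlsafe(16)                   # session cookie value
        self.sessions[sid] = {"state": secrets.token_urlsafe(16), "nonce": secrets.token_urlsafe(16)}
        return sid, self.sessions[sid]["state"], self.sessions[sid]["nonce"]
    def callback(self, sid: str, code: str, state: str) -> dict:               # (E)
        sess = self.sessions[sid]
        if not hmac.compare_digest(state, sess["state"]):
            raise ValueError("state mismatch: response not bound to this browser session")
        tok = self.idp.token(self.client_id, self.client_secret, code)
        claims = verify_id_token(tok["id_token"], self.client_secret,
                                 self.cfg["issuer"], self.client_id, sess["nonce"])
        sess["sub"] = claims["sub"]                       # session is now logged in as sub
        return claims

def run_flow(user: str = "alice") -> str:
    # Honest end-to-end login; returns the subject the RP session ends up bound to.
    idp = IdentityProvider("https://idp.example")
    rp = RelyingParty(idp, "https://rp.example/cb")
    sid, state, nonce = rp.start_login()
    resp = idp.authorize(rp.client_id, rp.redirect_uri, state, nonce, user)    # (D)
    return rp.callback(sid, resp["code"], resp["state"])["sub"]

def session_swap_rejected() -> bool:
    # Attacker finishes their own login, then plants that code/state into the victim's session.
    idp = IdentityProvider("https://idp.example")
    rp = RelyingParty(idp, "https://rp.example/cb")
    victim_sid, _, _ = rp.start_login()
    _, att_state, att_nonce = rp.start_login()
    resp = idp.authorize(rp.client_id, rp.redirect_uri, att_state, att_nonce, "attacker")
    try:
        rp.callback(victim_sid, resp["code"], resp["state"])
        return False                                      # victim would be logged in as the attacker
    except ValueError:
        return True                                       # state/nonce binding stops the swap
```

Calling `run_flow()` returns `"alice"`, the subject the relying party's session is bound to after step (E); `session_swap_rejected()` returns `True` because the planted response fails the `state` check, and even if an attacker could also forge `state`, the `nonce` inside the signed id_token would not match the victim's session. Both checks are the RP's responsibility and are exactly what is missing when a session attack of the kind the paper studies succeeds.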
© 2024, IRJET | Impact Factor value: 8.226 | ISO 9001:2008 Certified Journal | Page 112