IMPERSONATION METHOD ON AUTHORIZATION SERVER USING CLIENT-INITIATED BACK-CHANNEL AUTHENTICATION PROTOCOL

Rizky Januar Akbar, Nurul Fajrin Ariyani, Adistya Azhar, Andika Andra

Abstract

Several applications provide an impersonation ("login as") feature for system administrators who hold special privileges. Development and maintenance teams with administrator rights can use it to reproduce errors or bugs and to check specific application features under a particular user's login session. Besides its benefits, the feature carries a security vulnerability that allows administrators to abuse these rights: they can access users' private data or perform activities inside the system without the account or resource owner's consent.

This research proposes an impersonation method on an authorization server using the Client-Initiated Back-channel Authentication (CIBA) protocol. The method prevents impersonation without the account or resource owner's consent: before the administrator impersonates a user, the application requests the user's authentication and permission through an authentication device possessed by the resource owner. Because consent is collected on the authentication device, impersonation is always preceded by the user's consent, and no direct interaction between the administrator and the resource owner is needed to prove the user's identity. The results show that the CIBA protocol can complement the impersonation method and can run on an authorization server that uses the OAuth 2.0 and OpenID Connect 1.0 protocols. System testing was done by adopting the FAPI CIBA conformance tests.
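The consent step the abstract describes can be made concrete with a small model of the CIBA poll flow. The following Python sketch is an added illustration, not code from the paper or from the authors' server: the administrator's client calls the backchannel authentication endpoint and receives only an `auth_req_id`; the resource owner sees the pending request on their own device and approves or denies it; the token endpoint answers `authorization_pending`, `slow_down`, `expired_token` or `access_denied` until consent exists, and only then issues a token. The `urn:openid:params:grant-type:ciba` grant type and the error codes come from the OpenID CIBA specification; the class and method names, the injectable clock, the sample user and administrator identifiers, and the `act` sub-claim recording who acts on whose behalf (shape borrowed from RFC 8693) are assumptions of this example.

```python
"""Toy authorization server: administrator impersonation gated by CIBA consent.
Constructed example (not the paper's implementation), CIBA poll mode."""
import secrets
import time
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, Optional

# Grant type registered by the OpenID CIBA Core specification.
CIBA_GRANT = "urn:openid:params:grant-type:ciba"


class Decision(Enum):
    PENDING = "pending"
    APPROVED = "approved"
    DENIED = "denied"


@dataclass
class AuthRequest:
    user: str              # resource owner whose account would be impersonated
    admin: str             # administrator (client) asking to impersonate
    scope: str
    binding_message: str   # human-readable text shown on the owner's device
    expires_at: float
    last_poll: Optional[float] = None
    decision: Decision = Decision.PENDING


class AuthorizationServer:
    def __init__(self, clock: Callable[[], float] = time.time,
                 expires_in: int = 120, interval: int = 5) -> None:
        self.clock = clock            # injectable so expiry can be tested offline
        self.expires_in = expires_in
        self.interval = interval
        self.requests: Dict[str, AuthRequest] = {}
        self.tokens: Dict[str, dict] = {}   # issued token -> introspection record

    # CIBA backchannel authentication endpoint, called by the admin's client.
    def backchannel_authenticate(self, admin: str, login_hint: str,
                                 scope: str, binding_message: str) -> dict:
        auth_req_id = secrets.token_urlsafe(32)
        self.requests[auth_req_id] = AuthRequest(
            user=login_hint, admin=admin, scope=scope,
            binding_message=binding_message,
            expires_at=self.clock() + self.expires_in)
        # No token is issued here, only a handle to poll with.
        return {"auth_req_id": auth_req_id,
                "expires_in": self.expires_in, "interval": self.interval}

    # What the resource owner's authentication device lists for approval.
    def pending_for_device(self, user: str) -> list:
        return [(rid, r.admin, r.scope, r.binding_message)
                for rid, r in self.requests.items()
                if r.user == user and r.decision is Decision.PENDING]

    # The owner's decision, taken on their own device.
    def device_decide(self, auth_req_id: str, user: str, approve: bool) -> None:
        r = self.requests[auth_req_id]
        if r.user != user:                      # only the owner may consent
            raise PermissionError("request belongs to another user")
        r.decision = Decision.APPROVED if approve else Decision.DENIED

    # Token endpoint, polled by the admin's client with the auth_req_id.
    def token(self, grant_type: str, auth_req_id: str) -> dict:
        if grant_type != CIBA_GRANT:
            return {"error": "unsupported_grant_type"}
        r = self.requests.get(auth_req_id)
        if r is None:
            return {"error": "invalid_grant"}
        now = self.clock()
        if now > r.expires_at:
            del self.requests[auth_req_id]
            return {"error": "expired_token"}
        if r.last_poll is not None and now - r.last_poll < self.interval:
            return {"error": "slow_down"}      # client polls faster than interval
        r.last_poll = now
        if r.decision is Decision.PENDING:
            return {"error": "authorization_pending"}
        del self.requests[auth_req_id]          # auth_req_id is single-use
        if r.decision is Decision.DENIED:
            return {"error": "access_denied"}
        access_token = secrets.token_urlsafe(32)
        # Record both the impersonated subject and the acting administrator so
        # audit logs can tell the two apart (RFC 8693 "act" shape, an assumption).
        self.tokens[access_token] = {"sub": r.user, "act": {"sub": r.admin},
                                     "scope": r.scope}
        return {"access_token": access_token, "token_type": "Bearer",
                "scope": r.scope}


if __name__ == "__main__":
    now = [1_000.0]                              # constructed clock
    srv = AuthorizationServer(clock=lambda: now[0])
    req = srv.backchannel_authenticate("admin-7", "alice", "openid profile",
                                       "Administrator admin-7 asks to log in as you")
    print(srv.token(CIBA_GRANT, req["auth_req_id"]))   # authorization_pending
    for rid, admin, scope, msg in srv.pending_for_device("alice"):
        print("device shows:", msg)
        srv.device_decide(rid, "alice", approve=True)
    now[0] += req["interval"]
    tok = srv.token(CIBA_GRANT, req["auth_req_id"])
    print(srv.tokens[tok["access_token"]])   # {'sub': 'alice', 'act': {'sub': 'admin-7'}, ...}
```

The point of the model is where the decision lives: the administrator's client never holds anything that can be turned into a session until `device_decide` has run for the matching owner, and the issued token carries both identities so that a later audit can distinguish the owner's own activity from an impersonated session.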




DOI: http://dx.doi.org/10.12962/j24068535.v19i1.a1022
