Smartphone-based authorization system
Advisor: Dr. Wenjun Zeng - Professor
Presenter: Yilihamujiang, Ailiyasijiang
Zhou, Guanlong
Al-Sinani, H. S. (2011). Integrating OAuth with Information Card Systems. In Proceedings of IAS '11: 7th International Conference on Information Assurance and Security, Malacca, Malaysia, 5-8 December 2011. IEEE.
Abstract
The scheme bridging OAuth and the Information Card System (CardSpace) (the scheme from the mid-term presentation)
The drawbacks of OAuth/OpenID and Information Card System
The scheme in Smartphone-based authorization system
The implementation - http://sng.mizzou1.com
The Snap & Go App on Android System
Red words are our contribution
In the Mid-term presentation:
A scheme bridging OAuth and the Information Card System (CardSpace) was presented.
Why does the paper use this scheme?
To mitigate identity-oriented attacks, a number of identity systems (e.g. CardSpace, OAuth, OpenID, etc.) have been proposed.
An identity provider in such systems supplies a user agent with a security token that can be consumed by a relying party.
Whilst one RP might support an Information Card system, another might only support OAuth.
To make these systems available to the largest possible group of users, interoperability between such systems is needed.
How CardSpace w/ OAuth works
1. Access resource
2. Policy: “I would like a SAML 1.1 token, containing First Name, Surname, issued by *any*”
3. UI filters cards that can satisfy policy
4. User picks a card
5. Token is requested
6. Token is created
7. Token is presented
[Diagram labels: Relying Party, Identity Provider, OAuthCard; copied, check, hold & modified]
The drawbacks of OAuth/Open-ID and Information Card System
1. The Information Card System requires different extensions installed on different browsers.
2. The Information Card System has been abandoned. Microsoft announced that Windows CardSpace 2.0 will not be shipped.
3. Users still need to enter a username and password when logging in using OAuth / Open-ID (on public computers, or when they have not logged in).
NOT CONVENIENT, NOT SAFE
Our scheme: Snap & Go
• The user has some cards on their smartphone (the real information behind the cards is saved on the Identity Provider Server).
• The user logs in to the “Snap & Go” app on their smartphone.
• The user uses the app to scan the QR code on the website.
• The user is logged in to their account successfully.
How “Snap & Go” works?
Policy: “I would like some information, containing First Name, Surname, issued by snap&go”
1. Access resource
2. Token is requested
2.2. Login Snap&Go using any Android device
3. Access token is presented
4. Scan the QR code on the page
5. User picks a card
6. Information presented
[Diagram labels: Relying Party, Identity Provider]
What’s on where?
In the App (on the smartphone)
• All the cards that contain the user’s information
On the Identity Provider Server
• User account information (username & password)
• All the cards that contain the user’s information
• APIs (relying parties’ information and keys)
• The relation between one authorized card and one relying party
On the Relying Party Server
• API key to connect to the Identity Provider Server (IPS)
• QR-code generator
• The token obtained from the IPS
• The user’s information obtained from the IPS
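The flow and the storage split described above, as an added sketch that is not the Snap & Go implementation. The class and method names, the sample keys and card, the random single-use token, its lifetime and the binding of a token to the relying party that requested it are assumptions the slides do not state; the app login is assumed to have happened before authorize() is called.

```python
import secrets, time
TOKEN_TTL = 120  # seconds; assumed lifetime, the slides do not give one

class IdentityProvider:
    """Holds cards, relying-party API keys and the card-to-RP relation."""
    def __init__(self, clock=time.time):
        self.clock = clock  # injectable so expiry can be exercised
        self.api_keys = {}  # API key -> relying party name
        self.cards = {}     # (username, card id) -> card fields
        self.tokens = {}    # token -> {"rp", "expires", "card"}

    def _rp_for(self, api_key):
        if api_key not in self.api_keys:
            raise PermissionError("unknown relying party API key")
        return self.api_keys[api_key]

    def request_token(self, api_key):
        """RP requests a token, which it then renders as the QR code."""
        token = secrets.token_urlsafe(32)  # unguessable, carries no user data
        self.tokens[token] = {"rp": self._rp_for(api_key),
                              "expires": self.clock() + TOKEN_TTL, "card": None}
        return token

    def authorize(self, username, card_id, token):
        """The logged-in app scanned the QR code and the user picked a card."""
        entry = self.tokens.get(token)
        card = self.cards.get((username, card_id))
        if not entry or not card or entry["card"] or self.clock() > entry["expires"]:
            return False
        entry["card"] = card
        return True

    def fetch_info(self, api_key, token):
        """RP redeems the token: requesting RP only, once, before expiry."""
        entry = self.tokens.get(token)
        if not entry or entry["rp"] != self._rp_for(api_key) or not entry["card"]:
            return None
        del self.tokens[token]
        return entry["card"] if self.clock() <= entry["expires"] else None

def demo():
    idp = IdentityProvider()
    idp.api_keys = {"key-A-constructed": "rp-a", "key-B-constructed": "rp-b"}
    idp.cards[("alice", "card1")] = {"First Name": "Alice", "Surname": "Example"}
    token = idp.request_token("key-A-constructed")
    ok = idp.authorize("alice", "card1", token)
    other = idp.fetch_info("key-B-constructed", token)   # wrong relying party
    info = idp.fetch_info("key-A-constructed", token)
    replay = idp.fetch_info("key-A-constructed", token)  # already redeemed
    return ok, other, info, replay
```

Because the QR code is shown on a screen anyone nearby can photograph, the token in it should be worthless on its own: here it only becomes useful after an authenticated app binds a card to it, and only to the relying party that requested it.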
How to use “Snap & Go”?
• Download the Snap n Go app from our website: sng.mizzou1.com
• Install the app
• Register in the app
• Log in. The account username and password will be saved on the Identity Provider Server.
• Choose Enter Passcode (Create New Card)
• Enter the information and save it as a card. The information card will be saved on the server as well as on the phone.
• We can see, edit or create cards under my account
• Open a relying party website that requires login. For example: http://sng.mizzou1.com/
• Choose the Scan QRcode button
• Use the camera on the phone to scan the QR code on the computer screen
• Choose one card that you want to use
• Login succeeded
• Card information is received by the Relying Party Server.
Thank You!
Smartphone-based authorization system
Zhou, Guanlong – Web & Database Developer
Yilihamujiang, Ailiyasijiang – App Developer