NASA NEX & OpenID -- Observations -- Andreas Matheus Secure Dimensions

Post on 26-Dec-2015

TRANSCRIPT

  • Slide 1
  • NASA NEX & OpenID -- Observations -- Andreas Matheus Secure Dimensions
  • Slide 2
  • Does NASA accept OpenID login?
    • Does NASA accept OpenID login and rely on user identity assurance level 0? NO!
    • But what do they do? For NEX (the NASA Earth Exchange) they do the following...
    2012 (c) Secure Dimensions
  • Slide 3
  • Go to the NEX homepage
    • If you go to https://c3.nasa.gov they require you to log in via HTTP BASIC AUTH, using your NEX account (https://c3.nasa.gov => no username/password = no login)
    • If you go to https://c3.nasa.gov/nex then you can choose a login method, e.g. OpenID, as I do not have an account
  • Slide 4
  • NEX Login
    • No, don't have one
    • Yes, do have one
  • Slide 5
  • Sign In with your OpenID
  • Slide 6
  • After Login...
    • Your browser gets redirected back to ?NASA?
    • Looks like a perfect phishing attack to me!
  • Slide 7
  • After accepting the redirect back to NASA
    • Surprise: you arrive at the Create New OpenID User page
  • Slide 8
  • What happens next?
    • You need to fill out the form
    • You will receive an email to confirm
    • Your account creation with NASA is then pending...
  • Slide 9
  • Conclusions from Observation
    • NASA NEX does not allow straight OpenID login!
    • NASA NEX is accepting OpenID login, but only if your identity was checked by NASA before
    • So essentially, NASA has applied their own extra security to lift OpenID identity assurance level 0 to their own level
    • Problem: You will end up with one NEX account for each of your OpenID accounts
    • Not interoperable if each federation service provider uses its own selection of OpenID providers
  • Slide 10
  • This fits the SAML2 / OpenID proposal
    • SAML 2 as the standard for exchanging user assertions and establishing identity assurance through trusted Identity Providers
    • Users from trusted IdPs are directly accepted
    • Users from OpenID IdPs require extra checking
    • Advantage of the SAML2 base vs. the NASA approach:
      • Not each Service Provider must create accounts themselves; trusted Identity Providers would do that
      • Guarantee to the user that once accredited at the SAML2 / OpenID IdP, the account would work with all Service Providers and not only NEX from NASA
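Slide 6 notes that the redirect back to "?NASA?" after the OpenID login is indistinguishable, from the user's seat, from a phishing redirect. The control the OpenID 2.0 protocol gives the OpenID Provider here is the realm check (spec section 9.2): before sending the user anywhere, the OP verifies that the relying party's return_to URL lies inside the realm it advertised, and shows the user that realm on the consent page. The following is an added example of that check, not code from the slides or from NASA; the realm "https://*.nasa.gov/nex" and the return_to URLs are constructed values (only the host c3.nasa.gov appears in the deck).

```python
from urllib.parse import urlsplit

# Default ports used when a URL omits one (OpenID 2.0 section 9.2 compares ports).
DEFAULT_PORTS = {"http": 80, "https": 443}


def return_to_matches_realm(return_to: str, realm: str) -> bool:
    """OpenID 2.0 realm matching, as an OpenID Provider applies it to a request
    before redirecting the user back to the relying party."""
    rt, rl = urlsplit(return_to), urlsplit(realm)

    # A realm must not carry a fragment; scheme must match and be http(s).
    if rl.fragment or rt.scheme != rl.scheme or rl.scheme not in DEFAULT_PORTS:
        return False

    # Ports must match, filling in the scheme's default when absent.
    try:
        rt_port = rt.port or DEFAULT_PORTS[rt.scheme]
        rl_port = rl.port or DEFAULT_PORTS[rl.scheme]
    except ValueError:          # malformed port component
        return False
    if rt_port != rl_port:
        return False

    rt_host = (rt.hostname or "").lower()
    rl_host = (rl.hostname or "").lower()
    if rl_host.startswith("*."):
        # Wildcard realm: the return_to host must end with the part after '*',
        # so "c3.nasa.gov" matches "*.nasa.gov" while "nasa.gov.attacker.example" does not.
        suffix = rl_host[1:]                # e.g. ".nasa.gov"
        if suffix.count(".") < 2:           # refuse over-broad realms such as "*.gov"
            return False
        if not rt_host.endswith(suffix):
            return False
    elif rt_host != rl_host:
        return False

    # The return_to path must equal the realm path or be a sub-directory of it,
    # so a realm of "/nex" does not cover "/nexus".
    rl_path = rl.path or "/"
    rt_path = rt.path or "/"
    prefix = rl_path if rl_path.endswith("/") else rl_path + "/"
    return rt_path == rl_path or rt_path.startswith(prefix)


def redirect_target_for_consent(params: dict):
    """Given the openid.* parameters of an authentication request, return the realm
    to display on the consent page, or None when the request must be refused.
    Per the spec, a request without openid.realm uses return_to as its realm."""
    return_to = params.get("openid.return_to")
    if not return_to:
        return None
    realm = params.get("openid.realm", return_to)
    return realm if return_to_matches_realm(return_to, realm) else None


if __name__ == "__main__":
    # Constructed request resembling the NEX flow on slides 5 and 6.
    request = {"openid.return_to": "https://c3.nasa.gov/nex/openid/return",
               "openid.realm": "https://*.nasa.gov/nex"}
    print("show user:", redirect_target_for_consent(request))
```

The value of this check is what the user on slide 6 cannot do by eye: a return_to on a look-alike host, a different scheme or port, or a path outside the realm is rejected before any redirect happens, and the consent screen names the realm rather than an arbitrary URL.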
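Slides 9 and 10 contrast two ways of lifting an OpenID identity from assurance level 0 to the level a service requires: NEX vetting each OpenID locally (one NEX account per OpenID), versus a trusted SAML2 IdP vetting the person once so every service provider that trusts the IdP accepts the assertion directly. The following is an added model of that policy decision, not code from the slides or from NASA; the three-step assurance scale, the issuer URLs and the assumption that the federation IdP links a person's several OpenIDs to one subject are all constructed for the example.

```python
from dataclasses import dataclass, field

# Hypothetical assurance scale; the slides only name "level 0" for plain OpenID.
LOA_NONE, LOA_LOW, LOA_HIGH = 0, 1, 2

ACCEPT, PENDING = "accept", "pending-vetting"


@dataclass(frozen=True)
class Assertion:
    issuer: str   # IdP or OpenID provider that authenticated the user
    subject: str  # identifier the issuer asserts for the user
    loa: int      # assurance level the issuer claims for that identity


@dataclass
class ServiceProvider:
    name: str
    required_loa: int
    # issuer -> highest assurance level this SP is willing to believe from it
    trusted_idps: dict = field(default_factory=dict)
    # (issuer, subject) pairs this SP has vetted itself (the NEX-style workaround)
    vetted: set = field(default_factory=set)
    pending: set = field(default_factory=set)

    def decide(self, a: Assertion) -> str:
        # An assertion is only as strong as the SP's trust in its issuer.
        effective_loa = min(a.loa, self.trusted_idps.get(a.issuer, LOA_NONE))
        if effective_loa >= self.required_loa:
            return ACCEPT
        key = (a.issuer, a.subject)
        if key in self.vetted:
            return ACCEPT          # identity already lifted by the SP's own check
        self.pending.add(key)      # e.g. the "Create New OpenID User" form on slide 7
        return PENDING

    def confirm_vetting(self, issuer: str, subject: str) -> None:
        """Local identity check completed (slide 8: form filled, email confirmed)."""
        self.pending.discard((issuer, subject))
        self.vetted.add((issuer, subject))


def nex_style_scenario() -> dict:
    """One SP vets OpenID users itself: each OpenID of the same person is a separate account."""
    nex = ServiceProvider("NEX", required_loa=LOA_HIGH)
    first = Assertion("https://openid-a.example/", "alice-a", LOA_NONE)   # constructed
    second = Assertion("https://openid-b.example/", "alice-b", LOA_NONE)  # constructed
    out = {"first_visit": nex.decide(first)}
    nex.confirm_vetting(first.issuer, first.subject)
    out["after_vetting"] = nex.decide(first)
    out["other_openid"] = nex.decide(second)
    out["accounts_for_alice"] = len(nex.vetted | nex.pending)
    return out


def federation_scenario() -> dict:
    """A trusted SAML2 IdP vets the person once; every SP trusting it accepts directly."""
    idp = "https://idp.federation.example/"  # constructed
    sps = [ServiceProvider(n, required_loa=LOA_HIGH, trusted_idps={idp: LOA_HIGH})
           for n in ("NEX", "SP-2")]
    # Assumption: the IdP has linked Alice's OpenIDs to one accredited subject.
    alice = Assertion(idp, "alice@federation", LOA_HIGH)
    decisions = {sp.name: sp.decide(alice) for sp in sps}
    decisions["local_vetting_records"] = sum(len(sp.vetted | sp.pending) for sp in sps)
    return decisions


if __name__ == "__main__":
    print("NEX-style:", nex_style_scenario())
    print("federation:", federation_scenario())
```

Running both scenarios reproduces the two slide-9 findings in one place: the local-vetting model accepts an OpenID only after the SP's own check and leaves Alice with two NEX records for two OpenIDs, while the federation model yields zero per-service vetting records and an accept at every SP that trusts the IdP.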