Name Thomas Gross
Topic of his/her doctorate. Browser-based Identity Federation
Category applications
Keywords identification protocols
Ph.D. Supervisor(s) Birgit Pfitzmann, Ahmad-Reza Sadeghi
Year of completion 2009

Given the increasing popularity of Web 2.0 applications, web-based three-party authentication is becoming more and more important. Identity federation meets this need through standardized protocols that authenticate web users across trust domains.

This thesis considers the problem of secure authentication by browser-based identity federation. This special class of identity federation uses only a standard web browser as the client and therefore provides zero-footprint authentication: nothing has to be installed on the user's machine. Instead of a traditional key exchange followed by channel establishment, browser-based identity federation bootstraps mutual authentication from a server-authenticated secure channel combined with a credential issued by a third party. Because this departs from the setting prevalent in security research, it is an interesting research area in its own right. We discuss the most important archetypes and standards of browser-based identity federation. The results of our investigation include vulnerabilities as well as novel security mechanisms, which have improved major standards. We present the first formal model for browser-based protocols built upon the Reactive Simulatability framework, and establish channel authenticity as a new security goal for this area. Through our formal model of the standardized WS-Federation Passive Requestor Profile, we achieve the first rigorous security proof for browser-based identity federation.
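The following is an added example, not part of the thesis abstract and not a model of WS-Federation itself. It sketches the archetype the abstract describes: a browser holds a server-authenticated channel to a service provider (SP), an identity provider (IdP) issues a credential for that SP, and the SP accepts the credential only if it is intact, addressed to it, fresh, and delivered over the channel on which the login began. The IdP's signature is stood in for by an HMAC over a key shared between IdP and SP, the channel is a plain object carrying a session identifier, and the party names, keys and user data are constructed for the example; the binding of the token to the originating channel is this example's illustration of what "channel authenticity" guards against, not the thesis's formal definition.

```python
import hashlib
import hmac
import json
import secrets


def _canonical(obj):
    """Deterministic serialization so IdP and SP authenticate the same bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


class Channel:
    """Models a server-authenticated channel (think TLS): the browser knows which
    server it talks to, the server does not yet know who the user is."""

    def __init__(self, server_name):
        self.server_name = server_name
        self.session_id = secrets.token_hex(8)  # distinguishes concurrent channels


class IdentityProvider:
    def __init__(self, name, key, users):
        self.name = name
        self.key = key      # assumption: key shared with the SP stands in for a signing key
        self.users = users  # user -> password (constructed sample data)

    def issue(self, user, password, audience, request_id, now):
        """Primary authentication of the user, then a token addressed to `audience`."""
        if not hmac.compare_digest(self.users.get(user, ""), password):
            return None
        claims = {
            "iss": self.name, "sub": user, "aud": audience,
            "req": request_id, "iat": now, "exp": now + 300,
        }
        sig = hmac.new(self.key, _canonical(claims), hashlib.sha256).hexdigest()
        return {"claims": claims, "sig": sig}


class ServiceProvider:
    def __init__(self, name, idp_name, key):
        self.name = name
        self.idp_name = idp_name
        self.key = key
        self.pending = {}  # request_id -> session_id of the channel that began the login

    def start_login(self, channel):
        """Step 1: the SP would redirect the browser to the IdP; remember who asked."""
        request_id = secrets.token_hex(8)
        self.pending[request_id] = channel.session_id
        return request_id

    def finish_login(self, channel, token, now):
        """Step 3: the browser posts the IdP token back over its channel to the SP."""
        claims, sig = token["claims"], token["sig"]
        expected = hmac.new(self.key, _canonical(claims), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            return None  # forged or altered token
        if claims["iss"] != self.idp_name or claims["aud"] != self.name:
            return None  # a token addressed to another SP is not accepted here
        if not (claims["iat"] <= now < claims["exp"]):
            return None  # outside validity window
        # Channel binding: the token must arrive on the channel that began the request,
        # and each request id is consumed once, so a captured token cannot be replayed.
        if self.pending.pop(claims["req"], None) != channel.session_id:
            return None
        return claims["sub"]


def run_flow(sp, idp, user, password, now, deliver_on=None):
    """Honest browser: one channel to the SP for both steps unless `deliver_on`
    substitutes a different channel for the final delivery."""
    browser_to_sp = Channel(sp.name)
    request_id = sp.start_login(browser_to_sp)
    token = idp.issue(user, password, sp.name, request_id, now)
    if token is None:
        return None
    return sp.finish_login(deliver_on or browser_to_sp, token, now)


if __name__ == "__main__":
    key = b"constructed-shared-key"
    idp = IdentityProvider("idp.example", key, {"alice": "correct horse"})
    sp = ServiceProvider("sp.example", "idp.example", key)
    print(run_flow(sp, idp, "alice", "correct horse", 1_700_000_000))
    print(run_flow(sp, idp, "alice", "correct horse", 1_700_000_000,
                   deliver_on=Channel("sp.example")))
```

The checks in `finish_login` are the ones an SP in this setting must perform in addition to verifying the credential itself: audience, validity window, and that the credential returns on the channel for which it was requested. Dropping the last check leaves a valid token usable from any channel, which is exactly the gap that a server-authenticated channel alone does not close.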

