Based on the proven expertise in the areas of Single Sign-On and OpenID Connect, our team has been selected to perform an open penetration test of the DENIC ID - an implementation of ID4me.
The scope of the penetration test was to evaluate typical Single Sign-On weaknesses and the impact of novel features implemented in DENIC ID on the security of this login system.
DENIC ID is the first widely-deployed implementation of ID4me (https://id4me.org/documents/) - a novel protocol for federated identity management. It is based on well-established standards such as OpenID Connect and Domain Name System (DNS). In contrast to other Single Sign-On schemes, ID4me divides the duties of the identity provider into two separated entities: an identity agent and an identity authority. The identity agent provides registration services and manages user data. The identity authority is responsible for user authentication and authorization.
(Picture taken from the official ID4me technical overview)
In the scope of our penetration test was the ID4me login process, which works as follows:
- The user starts the login process with the relying party by providing his ID4me identifier.
- The relying party queries the DNS for the user's identifier to acquire the responsible identity agent and identity authority.
- The relying party redirects the user to the identity authority.
- After successful user authentication, the relying party is provided with an access token.
- The access token can be used to receive additional user information from the identity agent.
- If the access token is valid, the relying party receives all claims which it is authorized to access.
During our penetration test, we identified one weakness classified as High and five weaknesses classified as Medium. Of course, the most interesting finding was the highest-ranked weakness which targeted the identity agent and its access token handling. This access token is a JSON Web Token (JWT) issued and validly signed by the identity authority. The identity agent verifies the signature of the JWT.
However, we uncovered that the identity agent is vulnerable to so-called signature exclusion attacks as it processed requests with missing JWT signatures. This could allow an attacker to access arbitrary user information, by manipulating JWT-based access tokens. We verified that the identity agent accepted manipulated JWTs and delivered information about the user specified by the JWT.
The full report can be found here: DENIC ID Penetration Test Report
More Security Transparency with Open Penetration Tests
We want to thank the DENIC - and especially the DENIC ID lead Marcos Sanz - for the excellent cooperation during the whole penetration test. We highlight the fast and transparent handling of the detected security vulnerabilities, and the openness to implementing all the proposed security recommendations.