Based on our proven expertise in single sign-on and OpenID Connect, our team was selected to perform an open penetration test of DENIC ID, an implementation of ID4me.
The scope of the penetration test was to evaluate typical single sign-on weaknesses and the impact of novel features implemented in DENIC ID on the security of this login system.

DENIC ID

DENIC ID is the first widely-deployed implementation of ID4me (https://id4me.org/documents/), a novel protocol for federated identity management. It is based on well-established standards such as OpenID Connect and the Domain Name System (DNS). In contrast to other single sign-on schemes, ID4me divides the duties of the identity provider between two separate entities: an identity agent and an identity authority. The identity agent provides registration services and manages user data. The identity authority is responsible for user authentication and authorization.

[Figure: ID4me login flow]

(Picture taken from the official ID4me technical overview)

In the scope of our penetration test was the ID4me login process, which works as follows:

  • The user starts the login process with the relying party by providing his ID4me identifier.
  • The relying party queries the DNS for the user's identifier to acquire the responsible identity agent and identity authority.
  • The relying party redirects the user to the identity authority.
  • After successful user authentication, the relying party is provided with an access token.
  • The access token can be used to receive additional user information from the identity agent.
  • If the access token is valid, the relying party receives all claims which it is authorized to access.

Identified Weaknesses

During our penetration test, we identified one weakness classified as High and five weaknesses classified as Medium. Of course, the most interesting finding was the highest-ranked weakness which targeted the identity agent and its access token handling. This access token is a JSON Web Token (JWT) issued and validly signed by the identity authority. The identity agent verifies the signature of the JWT.

However, we uncovered that the identity agent is vulnerable to so-called signature exclusion attacks, because it processed requests whose JWT carried no signature at all. This could allow an attacker to access arbitrary user information by manipulating JWT-based access tokens. We verified that the identity agent accepted manipulated JWTs and delivered information about the user specified in the JWT.
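To make the finding concrete, the following is an added example written for this post; it is not code from DENIC ID or from the report. It contrasts a verifier with the defect described above (the signature is only checked when one is present) with a hardened verifier that treats the signature as mandatory. It assumes HS256 with a constructed shared key standing in for the identity authority's signing key; the page does not name the algorithm the real deployment uses, and the same checks apply unchanged to an asymmetric algorithm.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key. Assumption: HS256 stands in for whatever algorithm the
# identity authority really signs with.
AUTHORITY_KEY = b"demo-identity-authority-key"
EXPECTED_ALG = "HS256"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _encode_part(obj: dict) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def issue_token(claims: dict) -> str:
    """Issue a properly signed JWT, as the identity authority would (constructed)."""
    header = _encode_part({"alg": EXPECTED_ALG, "typ": "JWT"})
    payload = _encode_part(claims)
    sig = hmac.new(AUTHORITY_KEY, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def unsigned_token(claims: dict) -> str:
    """Test vector for the finding: a well-formed header and payload with an empty
    signature segment. A correct verifier must reject this."""
    header = _encode_part({"alg": EXPECTED_ALG, "typ": "JWT"})
    return f"{header}.{_encode_part(claims)}."


def vulnerable_verify(token: str):
    """Mirrors the defect in the report: the signature is verified only when one is
    present, so a token with a missing or empty signature passes unchecked."""
    parts = token.split(".")
    header, payload = parts[0], parts[1]
    signature = parts[2] if len(parts) > 2 else ""
    if signature:  # the bug: no signature means no check
        expected = hmac.new(AUTHORITY_KEY, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(signature)):
            return None
    return json.loads(_b64url_decode(payload))


def hardened_verify(token: str):
    """Signature is mandatory: exactly three non-empty segments, alg pinned to the
    expected value, constant-time comparison. Returns the claims or None."""
    parts = token.split(".")
    if len(parts) != 3 or not all(parts):
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:  # covers bad base64 and bad JSON
        return None
    # Pinning alg also rejects "none" and algorithm-confusion headers.
    if not isinstance(header, dict) or header.get("alg") != EXPECTED_ALG:
        return None
    expected = hmac.new(AUTHORITY_KEY, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    return json.loads(_b64url_decode(payload_b64))


if __name__ == "__main__":
    good = issue_token({"sub": "alice.example", "scope": "openid"})
    bad = unsigned_token({"sub": "victim.example"})
    print("vulnerable accepts unsigned token:", vulnerable_verify(bad) is not None)
    print("hardened accepts unsigned token:  ", hardened_verify(bad) is not None)
    print("hardened accepts valid token:     ", hardened_verify(good) is not None)
```

The decisive difference is in the shape check: a verifier that reasons "if there is a signature, verify it" has inverted the requirement. The hardened version fails closed on any token that does not have all three segments, and it pins the algorithm before touching the signature, so the header cannot steer which check runs.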

The full report can be found here: DENIC ID Penetration Test Report

It contains all the detected vulnerabilities, our recommendations, and further security evaluations we performed during our penetration test.

More Security Transparency with Open Penetration Tests

We want to thank the DENIC - and especially the DENIC ID lead Marcos Sanz - for the excellent cooperation during the whole penetration test. We highlight the fast and transparent handling of the detected security vulnerabilities, and the openness to implementing all the proposed security recommendations.

Further Information

Do you think the penetration test described above sounds interesting and would you like to conduct penetration tests yourself? Please take a look at our career page and see if there is an interesting job offer for you.


Our Experts Develop the Optimal Solution for You

Single Sign-On – OpenID Connect – OAuth

Are you faced with the decision of how to best protect your single sign-on and IAM systems? Or are you already using OpenID Connect and wondering if your implementation is secure?

We will be glad to advise you; contact us for a no-obligation initial consultation. We are at your side with the following services and solutions:

IT Security Consulting  |  Training   |  Penetration Tests

Don't hesitate and find your way to secure single sign-on with us. We look forward to supporting you with your projects.


Your Contact for Authentication and Single Sign-On

Dr. Christian Mainka
christian.mainka@hackmanit.de