
Automated Risk Assessment and What-if Analysis of OpenID Connect and OAuth 2.0 Deployments

  • Conference paper
Data and Applications Security and Privacy XXXV (DBSec 2021)

Abstract

The introduction of the Payment Service Directive (PSD2) has accelerated the growth of financial services and open banking. Deploying appropriate identity management solutions is crucial. This implies the adoption of secure protocols for authentication and authorization, such as OpenID Connect and OAuth 2.0. The PSD2 also requires the application of the General Data Protection Regulation (GDPR) when transactions involve personal data. In turn, the GDPR mandates a Data Protection Impact Assessment (DPIA) for assessing the risks posed to data subjects’ rights and freedom. This is a time-consuming and challenging task requiring heterogeneous skills, including knowledge of best practices for deploying the protocols, of the security mechanisms adopted by available identity management providers, and the capability to perform a careful what-if analysis of the possible alternatives. To assist users in this task, we propose a methodology based on the formalization of the what-if analysis as an optimization problem that available tools can solve. The formalization is derived from the OAuth 2.0 and OpenID Connect standards, from security best practices to mitigate threats, and through the evaluation of 19 identity management providers to check which of the identified set of features for OAuth/OIDC solutions they support. We apply the methodology to assist controllers in identifying the most appropriate security setup, to drive the process of making financial services compliant with the PSD2.


Notes

  1. https://sites.google.com/fbk.eu/oidc-dpia.

  2. A locally unique and never reassigned identifier within the Issuer for the user, which is intended to be consumed by the Client.


Author information


Correspondence to Salimeh Dashti, Amir Sharif, Roberto Carbone or Silvio Ranise.


Copyright information

© 2021 IFIP International Federation for Information Processing

About this paper


Cite this paper

Dashti, S., Sharif, A., Carbone, R., Ranise, S. (2021). Automated Risk Assessment and What-if Analysis of OpenID Connect and OAuth 2.0 Deployments. In: Barker, K., Ghazinour, K. (eds) Data and Applications Security and Privacy XXXV. DBSec 2021. Lecture Notes in Computer Science(), vol 12840. Springer, Cham. https://doi.org/10.1007/978-3-030-81242-3_19

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-81242-3_19


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-81241-6

  • Online ISBN: 978-3-030-81242-3

  • eBook Packages: Computer Science (R0)
