Talk: Identity X.0 – Securing the Insecure

René Pfeiffer / October 10, 2011 / Conference

Identities are important. You might already know this, but in times of heavily meshed web applications, with users moving between different web sites, keeping track of a client’s identity can be difficult. Moreover, it’s not just about identities but also about transporting account and user attributes between various applications by means of various protocols and standards. You might remember Microsoft Wallet/Passport, which is now Windows Live ID. OpenID defines an open standard for authenticating a user by means of a decentralized architecture. OAuth is another open standard; it handles (delegated) authorization and is widely used by small and large organizations such as Yahoo! and Twitter.

So where’s the security? How resilient are these protocols against attacks? Khash Kiani will address these questions in his presentation titled Identity X.0 – Securing the Insecure. His talk focuses on some of these emerging user-centric identity technologies and their key security implications. Scenarios of how insecure implementations of these protocols can be abused maliciously will be discussed as well. You will gain insight into the characteristics of some of these attack vectors, illustrated with real-world examples, with a focus on secure application implementation and countermeasures against attacks. The OpenID and OAuth protocol specifications will be introduced briefly, setting the foundation for the attack vectors and countermeasures that follow. The majority of the presentation will be spent on attacks and remediation techniques. Khash will cover real-world examples of insecure implementations by presenting user stories, code snippets and design flaws.

The intended target audience is anyone whose applications or systems have to deal with identities. You get extra points if you can explain why this does not apply to you, your organisation or at least one process of a typical day at work.

About René Pfeiffer

System administrator, lecturer, hacker, security consultant, technical writer and DeepSec organisation team member. Has done some particle physics, too. Prefers encrypted messages for the sake of admiring the mathematical algorithms at work.