Vulnerability Detection in Intelligent Environments Authenticated by the OAuth 2.0 Protocol over HTTP/HTTPS

PDF (702 KB), pp. 1-13


Author(s)

Gilson da Silva Francisco (1), Anderson Aparecido Alves da Silva (2, *), Marcelo Teixeira de Azevedo (3), Eduardo Takeo Ueda (1), Adilson Eduardo Guelfi (4), Jose Jesus Perez Alcazar (5)

1. IPT, Instituto de Pesquisas Tecnológicas, SP, Brazil

2. IPT, USP, SENAC, UNIP, SP, Brazil

3. USP, Universidade de Sao Paulo, SP, Brazil

4. UNOESTE, Universidade do Oeste Paulista, SP, Brazil

5. USP, Universidade de Sao Paulo, SP, Brazil

* Corresponding author.

DOI: https://doi.org/10.5815/ijcnis.2024.02.01

Received: 8 Mar. 2023 / Revised: 19 Oct. 2023 / Accepted: 13 Dec. 2023 / Published: 8 Apr. 2024

Index Terms

Internet of Things (IoT), Smart Environments, FIWARE, OAuth 2.0, HTTP, HTTPS

Abstract

OAuth 2.0 is an open protocol for securely authorizing users across the web. However, many of the protections defined by the standard are optional in its various modes of use. Using OAuth 2.0 therefore does not guarantee security by itself, and some of the deployment options in the specification can lead to insecure configurations. FIWARE is an open platform for developing Internet applications of the future, created by the international entity Future Internet Public-Private Partnership [1,2]. FIWARE was designed to provide a broad set of APIs to stimulate the development of new businesses in the context of the European Union. The platform can be understood as a modular structure covering a broad spectrum of applications, including IoT, big data, smart device management, security, open data, and virtualization. Regarding security, the exchange of messages between its components is protected by the OAuth 2.0 protocol. The objective of the present work is to build a system that detects and analyzes OAuth 2.0 vulnerabilities when the protocol runs over HTTP/HTTPS in an on-premise development environment focused on IoT device management, and thereby to help developers deploy these environments securely. Using the proposed system, vulnerabilities were found in FIWARE components in HTTP/HTTPS environments. Based on this evidence, mitigations were proposed following the mandatory recommendations of the IETF.

Cite This Paper

Gilson da Silva Francisco, Anderson Aparecido Alves da Silva, Marcelo Teixeira de Azevedo, Eduardo Takeo Ueda, Adilson Eduardo Guelfi, Jose Jesus Perez Alcazar, "Vulnerability Detection in Intelligent Environments Authenticated by the OAuth 2.0 Protocol over HTTP/HTTPS", International Journal of Computer Network and Information Security (IJCNIS), Vol. 16, No. 2, pp. 1-13, 2024. DOI: 10.5815/ijcnis.2024.02.01

References

[1] FI-PPP. FI-PPP: Future Internet Public-Private Partnership. 2019. Available at: <https://ec.europa.eu/digital-single-market/en/future-internet-public-private-partnership>.
[2] PONOMAREV, K.; NISSENBAUM, O. Attribute-based encryption with authentication provider in FIWARE platform. In: IEEE. 2018 Dynamics of Systems, Mechanisms and Machines (Dynamics). [S.l.], 2018. p. 1–5.
[3] ELRAWY, M. F.; AWAD, A. I.; HAMED, H. F. Intrusion detection systems for IoT-based smart environments: a survey. Journal of Cloud Computing, Springer, v. 7, n. 1, p. 1–20, 2018.
[4] ULLO, S. L.; SINHA, G. R. Advances in smart environment monitoring systems using IoT and sensors. Sensors, Multidisciplinary Digital Publishing Institute, v. 20, n. 11, p. 3113, 2020.
[5] SETHI, P.; SARANGI, S. R. Internet of Things: architectures, protocols, and applications. Journal of Electrical and Computer Engineering, Hindawi, v. 2017, 2017.
[6] KARIE, N. M. et al. A review of security standards and frameworks for IoT-based smart environments. IEEE Access, IEEE, 2021.
[7] SIRIWARDENA, P. Advanced API security: OAuth 2.0 and beyond. [S.l.]: Springer, 2020.
[8] OFOEDA, J.; BOATENG, R.; EFFAH, J. Application programming interface (API) research: A review of the past to inform the future. International Journal of Enterprise Information Systems (IJEIS), IGI Global, v. 15, n. 3, p. 76–95, 2019.
[9] GMBH, T. O. B. P. Open Banking Project. 2020. Available at: <https://www.openbankingproject.com>.
[10] CRUZ-PIRIS, L.; RIVERA, D.; VEGA-BARBAS, M. Methodology for massive configuration of OAuth 2.0 tokens in large IoT scenarios. In: IEEE. 2020 16th International Conference on Intelligent Environments (IE). [S.l.], 2020. p. 5–12.
[11] EMERSON, S. et al. An OAuth based authentication mechanism for IoT networks. In: IEEE. 2015 International Conference on Information and Communication Technology Convergence (ICTC). [S.l.], 2015. p. 1072–1074.
[12] OH, S.-R.; KIM, Y.-G. AFaaS: Authorization framework as a service for Internet of Things based on interoperable OAuth. International Journal of Distributed Sensor Networks, SAGE Publications Sage UK: London, England, v. 16, n. 2, p. 1550147720906388, 2020.
[13] RASYID, M. U. H. A.; MUBARROK, M. H.; HASIM, J. A. N. Implementation of environmental monitoring based on Kaa IoT platform. Bulletin of Electrical Engineering and Informatics, v. 9, n. 6, p. 2578–2587, 2020.
[14] FERRY, N. et al. ENACT: Development, operation, and quality assurance of trustworthy smart IoT systems. In: SPRINGER. International Workshop on Software Engineering Aspects of Continuous Development and New Paradigms of Software Production and Deployment. [S.l.], 2018. p. 112–127.
[15] BADII, C. et al. Smart city IoT platform respecting GDPR privacy and security aspects. IEEE Access, IEEE, v. 8, p. 23601–23623, 2020.
[16] SALHOFER, P.; JOANNEUM, F. Evaluating the FIWARE platform: A case-study on implementing smart application with FIWARE. In: Proceedings of the 51st Hawaii International Conference on System Sciences. [S.l.: s.n.], 2018. v. 9, p. 5797–5805.
[17] ALONSO, Á. et al. An identity framework for providing access to FIWARE OAuth 2.0-based services according to the eIDAS European regulation. IEEE Access, IEEE, v. 7, p. 88435–88449, 2019.
[18] CABRINI, F. H. et al. Enabling the industrial Internet of Things to cloud continuum in a real city environment. Sensors, MDPI, v. 21, n. 22, p. 7707, 2021.
[19] CABRINI, F. H. et al. Helix multi-layered: a context broker federation for an efficient cloud-to-things continuum. Annals of Telecommunications, Springer, p. 1–13, 2022.
[20] JUNIOR, N. F. et al. Performance evaluation of publish-subscribe systems in IoT using energy-efficient and context-aware secure messages. Journal of Cloud Computing, SpringerOpen, v. 11, n. 1, p. 1–17, 2022.
[21] JUNIOR, N. F. et al. Lightweight and secure publish-subscribe system for cloud-connected ultra low power IoT devices. Journal of Communication and Information Systems, v. 36, n. 1, p. 100–113, 2021.
[22] AL-MASRI, E. et al. Investigating messaging protocols for the Internet of Things (IoT). IEEE Access, IEEE, v. 8, p. 94880–94911, 2020.
[23] USLU, B. Ç.; OKAY, E.; DURSUN, E. Analysis of factors affecting IoT-based smart hospital design. Journal of Cloud Computing, SpringerOpen, v. 9, n. 1, p. 1–23, 2020.
[24] JUNIOR, N. F. et al. IoT6Sec: reliability model for Internet of Things security focused on anomalous measurements identification with energy analysis. Wireless Networks, Springer, v. 25, n. 4, p. 1533–1556, 2019.
[25] GÖÇER, B. D.; BAHTIYAR, Ş. An authorization framework with OAuth for fintech servers. In: IEEE. 2019 4th International Conference on Computer Science and Engineering (UBMK). [S.l.], 2019. p. 536–541.
[26] ACADEMY, F. Keyrock Identity Management. 2021. Available at: <https://fiwareacademy.readthedocs.io/en/latest/security/keyrock/index.html>.
[27] FETT, D.; KÜSTERS, R.; SCHMITZ, G. A comprehensive formal security analysis of OAuth 2.0. In: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security. [S.l.: s.n.], 2016. p. 1204–1215.
[28] SILVA, A. et al. Energy-efficient node position identification through payoff matrix and variability analysis. Telecommunication Systems, Springer, v. 65, p. 459–477, 2017.
[29] JUNIOR, N. F. et al. Privacy-preserving cloud-connected IoT data using context-aware and end-to-end secure messages. Procedia Computer Science, Elsevier, v. 191, p. 25–32, 2021.
[30] SILVA, A. et al. Grouping detection and forecasting security controls using unrestricted cooperative bargains. Computer Communications, Elsevier, v. 146, p. 155–173, 2019.
[31] CABRINI, F. H. et al. Helix Sandbox: An open platform to fast prototype smart environments applications. In: IEEE. 2019 IEEE 1st Sustainable Cities Latin America Conference (SCLA). [S.l.], 2019. p. 1–6.
[32] HARDT, D. RFC 6749: The OAuth 2.0 authorization framework. Internet Engineering Task Force (IETF), v. 10, n. 10.17487, 2017.
[33] DENNISS, W.; BRADLEY, J. RFC 8252: OAuth 2.0 for native apps. Internet Engineering Task Force (IETF), 2017.
[34] SHERNAN, E. et al. More guidelines than rules: CSRF vulnerabilities from noncompliant OAuth 2.0 implementations. In: SPRINGER. International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment. [S.l.], 2015. p. 239–260.
[35] ACADEMY, F. FIWARE Academy Docs. 2021. Available at: <https://fiware-academy.readthedocs.io/en/latest/>.
[36] ACADEMY, F. PEP-Proxy Wilma. 2021. Available at: <https://fiware-pep-proxy.readthedocs.io/en/latest/>.
[37] LODDERSTEDT, T.; MCGLOIN, M.; HUNT, P. OAuth 2.0 threat model and security considerations. [S.l.], 2013.
[38] ACADEMY, F. OASIS eXtensible Access Control Markup Language (XACML). 2021. Available at: <http://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-os-en.html>.
[39] LODDERSTEDT, T. et al. OAuth 2.0 security best current practice. IETF Web Authorization Protocol, Tech. Rep. draft-ietf-oauth-security-topics-16, 2020.
[40] SELHAUSEN, K. zu; FETT, D. OAuth 2.0 authorization server issuer identifier in authorization response. IETF Web Authorization Protocol, Tech. Rep. draft-ietf-oauth-security-topics-16, 2021.
[41] LI, W.; MITCHELL, C. J.; CHEN, T. Your code is my code: Exploiting a common weakness in OAuth 2.0 implementations. In: SPRINGER. Cambridge International Workshop on Security Protocols. [S.l.], 2018. p. 24–41.
[42] YANG, R. et al. Model-based security testing: An empirical study on OAuth 2.0 implementations. In: Proceedings of the 11th ACM on Asia Conference on Computer and Communications Security. [S.l.: s.n.], 2016. p. 651–662.
[43] DEVESA, J. et al. An efficient security solution for dealing with shortened URL analysis. In: WOSIS. [S.l.: s.n.], 2011. p. 70–79.