OPEN ID Associate Professor, Dr: Trần Minh Triết Presenter: Trần Tiên Tín Võ Văn Mỹ INTRODUCTION • Too many Usernames and Passwords • Someone took your desired Username • User profile is distributed • Account management is difficult • Get bored of filling long forms again and again INTRODUCTION With OpenId, you get to choose who manages your identity INTRODUCTION • “ OpenID (OID) is an open standard and decentralized protocol by the non-profit OpenID Foundation that allows users to be authenticated by certain co-operating sites (known as Relying Parties or RP) using a third party service ” INTRODUCTION HISTORY 02/2014 – OpenID Connect 2009, 2013… 2008 - Yahoo announced initial OpenID 2.0 support, both as a provider and as a relying party, releasing the service by the end of the month In early February, Google, IBM, Microsoft, VeriSign, and Yahoo! joined the OpenID Foundation as corporate board members 2006 - Submitted a proposal to formalize extensions to OpenID 2007 – Computer security company announced support for OpenID in its Identity Initiative products and service 5/2005 - Brad Fitzpatrick creator of popular community website LiveJournal, while working at Six Apart HOW OPENID WORK ? HOW OPENID WORK ? • Site Fetches the HTML of my openID • Finds “ openid.server” • Establishes a shared secret with the provider • Redirects my browser to the provider where I authenticate and allow the openId login • Provider redirects my browser back to the site with an openId response • Site verifies the signature and logs me in PROTOCOLS AND SECURITY • Authentication Uses URL as the Identity of User • OpenID 2.0 uses Yadis • Uses Diffie-Hellman Key Exchange Mechanism at different level • Use Secured Socket Layer • Generate strong MAC keys PROTOCOLS AND SECURITY • Authentication bugs • Phishing • Privacy / Trust Issue • Authentication Hijacking in Unsecured Connection ADVANTAGES • Globally unique & your URL is your Identity • Few usernames and passwords to remember • Many OpenID provider like AOL, yahoo,verisignlabs, myOpenID • Can put OpenID URL on your app also • Profile data are stored at one place only • Control of sharing information • Can easily increase business DEMO REFERENCES • Ansuya Chauhan, OPENID • http://openid.net/ • http://en.wikipedia.org/wiki/OpenID • http:// konstantin.beznosov.net/professional/archives/ 241 • http://www.cnet.com/news/serious-security-fl aw-in-oauth-and-openid-discovered / [...]... unique & your URL is your Identity • Few usernames and passwords to remember • Many OpenID provider like AOL, yahoo,verisignlabs, myOpenID • Can put OpenID URL on your app also • Profile data are stored at one place only • Control of sharing information • Can easily increase business DEMO REFERENCES • Ansuya Chauhan, OPENID • http://openid.net/ • http://en.wikipedia.org/wiki/OpenID • http:// konstantin.beznosov.net/professional/archives/... Chauhan, OPENID • http://openid.net/ • http://en.wikipedia.org/wiki/OpenID • http:// konstantin.beznosov.net/professional/archives/ 241 • http://www.cnet.com/news/serious-security-fl aw-in-oauth-and-openid-discovered / ... Apart HOW OPENID WORK ? HOW OPENID WORK ? • Site Fetches the HTML of my openID • Finds “ openid.server” • Establishes a shared secret with the provider • Redirects my browser to the provider where... again INTRODUCTION With OpenId, you get to choose who manages your identity INTRODUCTION • “ OpenID (OID) is an open standard and decentralized protocol by the non-profit OpenID Foundation that allows... Globally unique & your URL is your Identity • Few usernames and passwords to remember • Many OpenID provider like AOL, yahoo,verisignlabs, myOpenID • Can put OpenID URL on your app also • Profile