Smartphone-based authorization system

Post on 29-Mar-2015


Advisor: Dr. Wenjun Zeng - Professor

Presenters: Yilihamujiang, Ailiyasijiang; Zhou, Guanlong

Al-Sinani, H. S. (2011). Integrating OAuth with Information Card Systems. In Proceedings of IAS '11: 7th International Conference on Information Assurance and Security, Malacca, Malaysia, 5-8 December 2011. IEEE.

Abstract

• The scheme integrating OAuth with the Information Card System (CardSpace) (the scheme in the mid-term presentation)
• The drawbacks of OAuth/OpenID and the Information Card System
• The scheme in the smartphone-based authorization system
• The implementation: http://sng.mizzou1.com
• The Snap & Go app on the Android system

Red words are our contribution

In the mid-term presentation:

A scheme integrating OAuth with the Information Card System (CardSpace) was presented.

Why does the paper try to use this scheme?

• To mitigate identity-oriented attacks, a number of identity systems (e.g. CardSpace, OAuth, OpenID, etc.) have been proposed.
• An identity provider in such systems supplies a user agent with a security token that can be consumed by a relying party.
• Whilst one RP might support an Information Card system, another might only support OAuth.
• To make these systems available to the largest possible group of users, interoperability between such systems is needed.

How CardSpace w/ OAuth works

1. Access resource
2. Policy: “I would like a SAML 1.1 token, containing First Name, Surname, issued by *any*”
3. UI filters cards that can satisfy policy
4. User picks a card
5. Token is requested
6. Token is created
7. Token is presented

Diagram labels: Relying Party; Identity Provider; OAuthCard; copied; check; hold & modified

The drawbacks of OAuth/OpenID and Information Card System

1. The Information Card System requires different extensions installed on the different browsers.
2. The Information Card System has been abandoned. Microsoft announced that Windows CardSpace 2.0 will not be shipped.
3. Users still need to enter a username and password when logging in using OAuth/OpenID (on public computers, or when they have not logged in).

NOT CONVENIENT, NOT SAFE

Our scheme: Snap & Go

• The user has some cards on their smartphone (the real information behind the cards is saved on the Identity Provider Server).
• The user logs in to the “Snap & Go” app on the smartphone.
• The user uses the app to scan the QR code on the website.
• The user is logged in to their account successfully.

How “Snap & Go” works

Policy: “I would like some information, containing First Name, Surname, issued by snap&go”

1. Access resource
2. Log in to Snap&Go using any Android device
2. Token is requested
3. Access token is presented
4. Scan the QR code on the page
5. User picks a card
6. Information presented

Diagram labels: Relying Party; Identity Provider

What’s on where?

In the app (on the smartphone)

• All the cards that contain the user’s information

On the Identity Provider Server

• User account information (username & password)
• All the cards that contain the user’s information
• APIs (relying parties’ information and keys)
• The relation between one authorized card and one relying party

On the Relying Party Server

• API key to connect to the Identity Provider Server (IPS)
• QR-code generator
• The token obtained from the IPS
• The user’s information obtained from the IPS
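
The token flow and storage layout described above, modeled in Python as an added example (it is not the Snap & Go implementation). The class and method names, the token lifetime, single-use redemption and the binding of each token to the relying party that requested it are assumptions, not details given on the slides.

```python
import hmac, secrets, time

class IdentityProvider:  # hypothetical in-memory model of the Identity Provider Server (IPS)
    def __init__(self):
        self.cards, self.api_keys = {}, {}  # (username, card name) -> fields; RP id -> API key
        self.tokens = {}                    # token -> {"rp", "expires", "card"}

    def _check_rp(self, rp_id, api_key):
        expected = self.api_keys.get(rp_id, "")
        if not expected or not hmac.compare_digest(expected.encode(), api_key.encode()):
            raise PermissionError("unknown relying party or bad API key")

    def _live(self, token):
        entry = self.tokens.get(token)
        if entry is None or time.time() > entry["expires"]:
            raise PermissionError("unknown or expired token")
        return entry

    def request_token(self, rp_id, api_key, ttl=120):  # ttl in seconds is an assumed value
        """The relying party asks for a token and encodes it in the QR code it displays."""
        self._check_rp(rp_id, api_key)
        token = secrets.token_urlsafe(32)
        self.tokens[token] = {"rp": rp_id, "expires": time.time() + ttl, "card": None}
        return token

    def authorize(self, username, token, card_name):
        """The app scanned the QR code and the user picked a card (app login assumed done)."""
        entry = self._live(token)
        if entry["card"] is not None:
            raise PermissionError("token already bound to a card")
        entry["card"] = self.cards[(username, card_name)]  # card <-> relying party relation

    def fetch_card(self, rp_id, api_key, token):
        """The relying party polls with its token; None means the QR code is not scanned yet."""
        self._check_rp(rp_id, api_key)
        entry = self._live(token)
        if entry["rp"] != rp_id:
            raise PermissionError("token was issued to a different relying party")
        if entry["card"] is not None:
            del self.tokens[token]  # single use: a replayed token is rejected
        return entry["card"]

def demo():  # constructed relying party, user and card
    ips = IdentityProvider()
    key = ips.api_keys["rp.example"] = secrets.token_hex(16)
    ips.cards[("alice", "work")] = {"First Name": "Alice", "Surname": "Example"}
    token = ips.request_token("rp.example", key)
    ips.authorize("alice", token, "work")
    return ips.fetch_card("rp.example", key, token)
```

The token shown in the QR code carries no user data; the relying party only receives the card fields after the Identity Provider has checked its API key and matched the token to it.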

How to use “Snap & Go”?

1. Download the Snap n Go app from our website: sng.mizzou1.com
2. Install the app.
3. Register in the app.
4. Log in. The account username and password will be saved on the Identity Provider Server.
5. Choose Enter Passcode (Create New Card).
6. Enter the information and save it as a card. The information card will be saved on the server as well as on the phone.
7. We can see, edit or create cards under my account.
8. Open a relying party website that requires login. For example: http://sng.mizzou1.com/
9. Choose the Scan QRcode button.
10. Use the camera on the phone to scan the QR code on the computer screen.
11. Choose one card that you want to use.
12. Login succeeds.
13. The card information is received by the Relying Party Server.

Thank You!

Smartphone-based authorization system

Zhou, Guanlong – Web & Database Developer
Yilihamujiang, Ailiyasijiang – App Developer
