Infrastructure for secure medical image sharing between distributed PACS and DI-r systems.

Kurlakose, Krupa Anna

01 December 2013

Recent developments in information and communication technologies and their incor- poration into the medical domain have opened doors for the enhancement of health care services and thereby increasing the work ow at a reasonable rate. However, to implement such services, current medical system needs to be exible enough to support integration with other systems. This integration should be achieved in a secure manner and the resultant service should be made available to all health professionals and patients. This thesis proposes a new infrastructure for secure medical image sharing between legacy PACS and DI-r. The solution employs OpenID standard for user authentication, OAuth service to grant authorization and IHE XDS-I pro les to store and retrieve medical im- ages and associated meta data. In the proposed infrastructure cooperative agents are employed to provide a user action, patient consent and system policy based access con- trol mechanism to securely share medical images. This allows safe integration of PACS and DI-r systems within a standard EHR system. In addition to this, a behavior-pattern based security policy enhancement feature is added to the system to assist the system security administrator. The resulting secure and interoperable medical imaging systems are easy to expand and maintain. Behavior of the entire system is analysed using general- purpose model driven development tool IBM Rational Rhapsody. The code generation and animation capability of the tool makes it powerful for running e ective simulations. We mainly explore the use of state charts and their interactions with MySQL database to learn the behavior of the system.

Access control

PACS

DI-r

OpenID

OAuth

Electronic Identification Based on OpenID Connect : A Design Proposal / E-legitimation baserad på OpenID Connect : Ett designförslag

Johansson, Tom

January 2017

Electronic identification is used by an individual to prove who he or she is by electronic means and is normally used for logging in to various services. In Sweden there are a number of different solutions that are developed and provided by different parties. In order to promote and coordinate electronic identification for public services, the Swedish E-identification Board was founded in 2011. The Board has developed a technical framework for integration between the Relying Party and the Identity Provider based on the Security Assertion Markup Language V2.0 (SAML) standard. SAML is a quite old standard that has some limitations complicating an electronic identification solution based on it. A newer competing standard is OpenID Connect, which could be a possible candidate as an alternative to SAML. The objective of this thesis is to determine to what extent it is possible to ensure confidentiality, integrity, and accountability in an electronic identification based on OpenID Connect. To achieve this, a number of requirements for electronic identifications were identified and a design proposal based on OpenID Connect was developed together with a proof-of-concept implementation. The design proposal was evaluated against the requirements, with the final result that an electronic identification based on OpenID Connect could meet the requirements. / E-legitimation används av en individ för visa vem han eller hon är på elektronisk väg och används vanligtvis för att logga in på olika tjänster. I Sverige finns ett antal olika lösningar som utvecklas och tillhandahålls av olika parter. För att främja och samordna elektronisk identifiering för offentliga tjänster grundades E-legitimationsnämnden 2011. Nämnden har tagit fram ett tekniskt ramverk för integrationen mellan Förlitande Part och Legitimeringstjänst baserad på Security Assertion Markup Language V2.0 (SAML) standarden. SAML är en relativt gammal standard med vissa begränsningar som komplicerar en e-legitimationslösning baserad på den. En nyare konkurrerande standard är OpenID Connect, vilket kan vara en möjlig kandidat som ett alternativ till SAML. Syftet med detta examensarbete är att undersöka i vilken utsträckning det är möjligt att säkerställa sekretess, integritet och ansvarsskyldighet för en e-legitimation baserad på OpenID Connect. För att uppnå detta, identifierades ett antal krav för e-legitimationer och ett designförslag baserat på OpenID Connect utvecklades tillsammans med en proof-of-concept implementation. Designförslaget utvärderades mot kraven, med det slutliga resultatet att en e-legitimation baserad på OpenID Connect kan uppfylla kraven.

OpenID Connect

OIDC

Electronic Identification

eID

OpenID Connect

OIDC

E-legitimation

e-leg

Computer Sciences

Datavetenskap (datalogi)

Comparison of Liberty Alliance and OpenID regarding their ability to protect the confidentiality, integrity and availability of the users’ information : a study based on the analysis of resistance to common attacks

de Souza, Jaqueline

January 2010

It is essential to solve the problem due to password fatigue in order to increase the security of the transactions on the Web and secure the users’ account and information. Web Single Sign-On is one of the techniques that have been created to solve these issues. Unfortunately, this method creates new opportunities for hackers. The Liberty Alliance and OpenID are two of the most known Web Single Sign-On frameworks. This work intends to review the strengths and the weaknesses of both regarding their ability to protect the confidentiality, integrity and availability of the users’ information, by studying their aptitude to prevent some of the most dangerous attacks on the web. The analysis of the results shows that Liberty Alliance has created a strong infrastructure in order to mitigate those attacks. Consequently, this framework protects the confidentiality, integrity and availability of the users’ information more efficiently than OpenID. On the other hand, this latter shows significant weaknesses that compromises the confidentiality, integrity and availability of the users’ information.

WebSSO

OpenID

Liberty Alliance

information security

attacks

Computer Sciences

Datavetenskap (datalogi)

Současné trendy služeb na internetu / Contemporary trends of internet services

Fišer, Jan

January 2008

Internet has been a common part of our private and work-related lives for a rather long time, yet it doesn't seem this is going to change. On the contrary - the importance of Internet is steadily growing as well as number of it's users and only few technologies have similar impact on individuals or even whole businesses and industries. But Internet evolves as well and it is not the same that it was 10 years ago. Today, Internet is more than just email or static (business) presentation on the web; it's more an interactive medium and is often associated with so called "Web 2.0". Yet even this concept isn't likely to last forever. That's why I find important to focus on contemporary Internet trends and try to describe some of the most influential ones regarding the future, i.e. social networking, wiki systems and blogs, APIs and mashups, but also Creative Commons licences and possible solution to multiple online identity issue, the OpenID project. Although I'm going to use particular examples of services in order to describe some of the trends, I would like to avoid unnecessary details. I'm going to focus on features the services have in common, not just considering particular service categories, but across the Internet as a whole as well. The aim is to create a survey, evaluation of contemporary Internet services and describe some approaches to solving specific issues related to this environment. Information resources will be mostly technologically oriented servers, blogs and other contemporary trends or particular product related websites. Obviously I'm going to embed my personal experience as well.

A Framework To Implement OpenID Connect Protocol For Federated Identity Management In Enterprises

Rasiwasia, Akshay

January 2017

Federated Identity Management (FIM) and Single-Sign-On (SSO) concepts improve both productivity andsecurity for organizations by assigning the responsibility of user data management and authentication toone single central entity called identity provider, and consequently, the users have to maintain only oneset of credential to access resources at multiple service provider. The implementation of any FIM and SSOprotocol is complex due to the involvement of multiple organizations, sensitive user data, and myriadsecurity issues. There are many instances of faulty implementations that compromised on security forease of implementation due to lack of proper guidance. OpenID Connect (OIDC) is the latest protocolwhich is an open standard, lightweight and platform independent to implement Federated IdentityManagement; it offers several advantages over the legacy protocols and is expected to have widespreaduse. An implementation framework that addresses all the important aspects of the FIM lifecycle isrequired to ensure the proper application of the OIDC protocol at the enterprise level. In this researchwork, an implementation framework was designed for OIDC protocol by incorporating all the importantrequirements from a managerial, technical and security perspective of an enterprise level federatedidentity management. The research work closely follows the design science research process, and theframework was evaluated for its completeness, efficiency, and usability.

FIM

SSO

OpenID Connect

OIDC

Single Sign On

Federated Identity Management

Computer Systems

Datorsystem

Simple, Secure, Selective Delegation in Online Identify Systems

Cutler, Bryant Gordon

14 July 2008

The ability to delegate privileges to others is so important to users of online identity systems that users create ad hoc delegation systems by sharing authentication credentials if no other easy delegation mechanism is available. With the rise of internet-scale relationship-based single sign-on protocols like OpenID, the security risks of password sharing are unacceptable. We therefore propose SimpleAuth, a simple modification to relationship-based authentication protocols that gives users a secure way to selectively delegate subsets of their privileges, making identity systems more flexible and increasing user security. We also present a proof-of-concept implementation of the SimpleAuth pattern using the sSRP authentication protocol to demonstrate the generality of our technique.

identity

security

delegation

SimpleAuth

SimplePermissions

OpenID

OAuth

identity systems

internet

online

authentication

selective delegation

Computer Sciences

Decentralized Authentication in OpenStack Nova : Integration of OpenID

Khan, Rasib Hassan

January 2011

The evolution of cloud computing is driving the next generation of internet services. OpenStack is one of the largest open-source cloud computing middleware development communities. Currently, OpenStack supports platform specific signatures and tokens for user authentication. In this thesis, we aim to introduce a platform independent, flexible,and decentralized authentication mechanism in OpenStack. We selected OpenID as an open-source authentication platform. It allows a decentralized framework for user authentication. OpenID has its own advantages for web services, which include improvements in usability and seamless SSO experience for the users. This thesis presents the OpenID-Authentication-as-a-Service APIs in OpenStack for front-end GUI servers, and performs the authentication in the back-end at a single Policy Decision Point. The design was implemented in OpenStack, allowing users to use their OpenID Identifiers from standard OpenID providers and log into the Dashboard/Django- Nova graphical interface of OpenStack. / Utvecklingen av molndatabearbetning är drivande nästa generation av Internet-tjänster. OpenStack är en av de största öppen källkod mellanprogramvara datormoln utveckling samhällen. För närvarande stöder ITplattform specifika signaturer och pollett som för användarautentisering. I denna avhandling vill vi införa en plattformsoberoende, flexibel och decentraliserad autentiseringsmekanism i OpenStack. Vi valde OpenID som en öppen källkod autentisering plattform. Det möjliggör en decentraliserad ram för användarautentisering. OpenID har sina fördelar för webbtjänster, som omfattar förbättringar i användbarhet och sömlös SSO-upplevelse för användarna. Denna avhandling presenterar de OpenID-Autentisering-as-a-Service APIer i OpenStack för front-end GUI servrar och utför autentisering i back-end i ett enda politiskt beslut punkt. Designen genomfördes i OpenStack, så att användarna kan använda sina OpenID kännetecken från standarden OpenID leverantörer och logga in på Dashboard / Django-Nova grafiskt gränssnitt av OpenStack.

Authentication

EC2API

OpenID

OpenStack Nova

OSAPI

Security

Engineering and Technology

Teknik och teknologier

Choosing authentication protocol for digital signatures : A comparison between SAML and OIDC / Val av autentisieringsprotokoll för digitala signaturer

Kågström, Pontus

January 2023

More and more companies are working toward digitizing their workflow and this has increased the necessity of digital signatures.An important part of digital signatures is the authentication process which is heavily regulated for Swedish government agencies by DIGG, DIGG only allows the use of Security Assertion Mark-up Language(SAML) for authentication but are looking into also allowing OpenID Connect(OIDC) and together with Swedish OIDC working group produce a specification.This thesis is looking into this preliminary specification and exploring if OIDC can do everything that SAML can do in regards of digital signatures, and if the inclusion of OIDC would render SAML obsolete.This is explored by implementing OIDC in twoday's services that follow DIGG's specifications to see if there are needs that OpenID Connect cannot meet.From the restriction in the thesis there was nothing that SAML could do that OIDC could not do, On the contrary their are features in OIDC that SAML could not match.The inclussion of OIDC would not make SAML obsolete unless customers use-cases evolve to include the features that SAML could not match.

Software Engineering

Programvaruteknik

Undersökning av webbsidors säkerhet vid användning avFacebook Login : Vidareutveckling och analys av OAuthGuard

Hedmark, Alice

January 2019

Single Sign-On (SSO) är en autentiseringsprocess som tillåter en utvecklare att delegera autentiseringsansvaret till en dedikerad tjänst. OAuth 2.0 är ett auktoriseringsramverk som ofta står som grund för ett autentiseringslager som i sin tur möjliggör SSO. En identitetsleverantör är tjänsten som står för hantering av användaruppgifterna och autentiseringen, två vanliga identitetsleverantörer är Google och Facebook som i sin tur implementerar SSO med hjälp utav autentiseringslagren OpenID Connect respektive Facebooks egna autentiseringslager. Det har visat sig att många klienter som ska utnyttja SSO med OAuth 2.0 implementerar det fel så att säkerhetsbrister uppstår, studier har utförts med förslag till lösningar men många bristande implementationer fortsätter produceras och existera. Att skapa diverse verktyg för att främja säkerhet i dessa sammanhang är en metod där OAuthGuard utvecklats med visionen att även kunna skydda användaren, direkt från en webbläsare. OAuthGuard har även tidigare använts för att analysera säkerheten med Google SSO och visat att 50% av undersökta klienter har brister, men motsvarande studie eller verktyg saknas för Facebook SSO. Denna studie gjorde en motsvarande undersökning för Facebook SSO-klienter med en vidareutvecklad version av OAuthGuard och fann att de lider av brister med liknande trend som tidigare studies resultat mot Google-SSO-klienter, men att färre Facebook- SSO-klienter har brister i jämförelse. Vid vidareutvecklingen av OAuthGuard upptäcktes ett antal svårigheter och framtiden för denna typ av verktyg behöver vidare analyseras. Vidare analys behöver även göras för att bedöma om Facebook-SSO kan vara att föredra över Google-SSO ur säkerhetsperspektiv samt vidare utforskande av nya säkerhetsfrämjande metoder behöver utföras. / Single Sign-On (SSO) is an authentication process that allows a developer to delegate the authentication responsibility to a dedicated service. OAuth 2.0 is an authorization framework that often serves as a base for authentication layers to be built upon that in turn allows for SSO. An identity provider is the service that is responsible for handling user credentials and the authentication, two common identity providers are Google and Facebook that implement SSO with the authentication layers OpenID Connect respectively Facebooks own authentication layer. It has been shown that many clients using OAuth 2.0 as base for SSO make faulty implementations leading to security issues, a number of studies has proposed solutions to these issues but faulty implementations are continually being made. To create various tools to promote security in these contexts is a method where OAuthGuard has been developed with the vision to also directly protect the common website user directly from the browser. OAuthGuard has been used in an earlier study to analyze the security of clients using Google SSO and discovered that 50% of the analyzed clients had flaws, no comparable study has been done for clients using Facebook SSO, which is the second largest third party log in variant. This study made a comparable investigation for Facebook SSO clients with a further developed version of OAuthGuard and found that these clients suffer from flaws with a similar trend as the previous study with Google-SSO clients, although fewer Facebook-SSO clients suffer from these flaws. When further developing OAuthGuard a dumber of difficulties was discovered and the future of these kind of tools needs to be investigated. Further analysis needs to be done to assess if Facebook-SSO should be recommended over Google-SSO from a security perspective and also further exploration of new methods to promote security needs to be done.

Web browser extensions

OpenID Connect

OIDC

OAuth2.0

Single Sign-On

SSO

Security

Facebook

Social login.

Webbläsartillägg

OpenID Connect

OIDC

OAuth 2.0

Single

Sign-On

SSO

Säkerhet

Facebook

Social login.

Software Engineering

Programvaruteknik

Characterizing the Third-Party Authentication Landscape : A Longitudinal Study of how Identity Providers are Used in Modern Websites / Longitudinella mätningar av användandet av tredjepartsautentisering på moderna hemsidor

Josefsson Ågren, Fredrik, Järpehult, Oscar

January 2021

Third-party authentication services are becoming more common since it eases the login procedure by not forcing users to create a new login for every website thatuses authentication. Even though it simplifies the login procedure the users still have to be conscious about what data is being shared between the identity provider (IDP) and the relying party (RP). This thesis presents a tool for collecting data about third-party authentication that outperforms previously made tools with regards to accuracy, precision and recall. The developed tool was used to collect information about third-party authentication on a set of websites. The collected data revealed that third-party login services offered by Facebook and Google are most common and that Twitters login service is significantly less common. Twitter's login service shares the most data about the users to the RPs and often gives the RPs permissions to perform write actions on the users Twitter account.  In addition to our large-scale automatic data collection, three manual data collections were performed and compared to previously made manual data collections from a nine-year period. The longitudinal comparison showed that over the nine-year period the login services offered by Facebook and Google have been dominant.It is clear that less information about the users are being shared today compared to earlier years for Apple, Facebook and Google. The Twitter login service is the only IDP that have not changed their permission policies. This could be the reason why the usage of the Twitter login service on websites have decreased.  The results presented in this thesis helps provide a better understanding of what personal information is exchanged by IDPs which can guide users to make well educated decisions on the web.

Third Party Authentication

Authentication

Third-party Single Sign On

OpenID

OpenID connect

Oauth

TLS

Web Security

Identity Provider

Relying Party

IDP

RP

Longitudinal Analysis

Web Crawler

Selenium

Google

Facebook

Twitter

Apple

Information Systems