Security Analysis of OpenID Connect Protocol with Cryptoverif in the Computational Model
作者: Jinli Zhang , Jintian Lu , Zhongyu Wan , Jing Li , Bo Meng
DOI: 10.1007/978-3-319-49109-7_90
关键词: Protocol (object-oriented programming) 、 OpenID Connect 、 Authorization 、 Authentication 、 Computer science 、 Computer network 、 Computer security 、 Message flow 、 Security analysis 、 Security token 、 Syntax (programming languages)
摘要: OpenID Connect protocol is widely used today, and it one of the newest Single Sign-On protocols in authentication. At present, a lot people are deeply focused on researches security analysis it. In this paper, we aimed at analyzing authentication by getting message term through its flow, then formalizing with Blanchet calculus computational model, finally transforming model into syntax CryptoVerif, generate CryptoVerif inputs form channels Front-end, import mechanized tool to analyze The result shows that has no between End-User Authorization Server, Token Endpoint can’t authenticate Client, while Client can Endpoint.
springer.com
sci-hub.st 参考文章(14)
Alireza Pirayesh Sabzevar, Joao Pedro Sousa, None, Authentication, authorisation and auditing for ubiquitous computing: a survey and vision International Journal of Space-Based and Situated Computing. ,vol. 1, pp. 59- 67 ,(2011) , 10.1504/IJSSC.2011.039107
Xi Sun, ZhengTao Jiang, MeiRong Zhou, Yumin Wang, Versatile identity-based signatures for authentication in multi-user settings International Journal of Grid and Utility Computing. ,vol. 5, pp. 156- 164 ,(2014) , 10.1504/IJGUC.2014.062905
B. Blanchet, A computationally sound mechanized prover for security protocols ieee symposium on security and privacy. pp. 140- 154 ,(2006) , 10.1109/SP.2006.1
Dick Hardt, The OAuth 2.0 Authorization Framework RFC. ,vol. 6749, pp. 1- 76 ,(2012)
Danai Chasaki, Christopher Mansour, Security challenges in the internet of things International Journal of Space-Based and Situated Computing. ,vol. 5, pp. 141- 149 ,(2015) , 10.1504/IJSSC.2015.070945
Prabath Siriwardena, Advanced API Security: Securing APIs with OAuth 2.0, OpenID Connect, JWS, and JWE ,(2014)
Christian Mainka, Florian Feldmann, Vladislav Mladenov, Jörg Schwenk, Julian Krautwald, On the security of modern Single Sign-On Protocols: OpenID Connect 1.0. arXiv: Cryptography and Security. ,(2015)
Xiaoping Che, Stephane Maag, Formally testing the protocol performances International Journal of Space-Based and Situated Computing. ,vol. 5, pp. 76- 88 ,(2015) , 10.1504/IJSSC.2015.069197
Wanpeng Li, Chris J. Mitchell, Analysing the Security of Google's Implementation of OpenID Connect international conference on detection of intrusions and malware and vulnerability assessment. pp. 357- 376 ,(2016) , 10.1007/978-3-319-40667-1_18
Daniel Fett, Ralf Küsters, Guido Schmitz, A Comprehensive Formal Security Analysis of OAuth 2.0 computer and communications security. pp. 1204- 1215 ,(2016) , 10.1145/2976749.2978385