Biblio

OAuth 2.0 is one of the most widely used Internet protocols for authorization/single sign-on (SSO) and is also the foundation of the new SSO protocol OpenID Connect. Due to its complexity and its flexibility, it is difficult to comprehensively analyze the security of the OAuth 2.0 standard, yet it is critical to obtain practical security guarantees for OAuth 2.0. In this paper, we present the first computationally sound security analysis of OAuth 2.0. First, we introduce a new primitive, the three-party authenticated secret distribution (3P-ASD for short) protocol, which plays the role of issuing the secret and captures the token issue process of OAuth 2.0. As far as we know, this is the first attempt to formally abstract the authorization technology into a general primitive and then define its security. Then, we present a sufficiently rich three-party security model for OAuth protocols, covering all kinds of authorization flows, providing reasonably strong security guarantees and moreover capturing various web features. To confirm the soundness of our model, we also identify the known attacks against OAuth 2.0 in the model. Furthermore, we prove that two main modes of OAuth 2.0 can achieve our desired security by abstracting the token issue process into a 3P-ASD protocol. Our analysis is not only modular which can reflect the compositional nature of OAuth 2.0, but also fine-grained which can evaluate how the intermediate parameters affect the final security of OAuth 2.0.

White-box cryptography protects cryptographic software in a white-box attack context (WBAC), where the dynamic execution of the cryptographic software is under full control of an adversary. Protecting AES in the white-box setting attracted many scientists and engineers, and several solutions emerged. However, almost all these solutions have been badly broken by various efficient white-box attacks, which target compositions of key-embedding lookup tables. In 2014, Luo, Lai, and You proposed a new WBAC-oriented AES implementation, and claimed that their implementation is secure against both Billet et al.'s attack and De Mulder et al.'s attack. In this study, based on the existing table-composition-targeting cryptanalysis techniques, the authors show that the secret key of the Luo-Lai-You (LLY) implementation can be recovered with a time complexity of about 244. Furthermore, the authors propose a new white-box AES implementation based on table lookups, which is shown to be resistant against the existing table-composition-targeting white-box attacks. The authors, key-embedding tables are obfuscated with large affine mappings, which cannot be cancelled out by table compositions of the existing cryptanalysis techniques. Although their implementation requires twice as much memory as the LLY WBAES to store the tables, its speed is about 63 times of the latter.

A two-server password-based authentication (2PA) protocol is a special kind of authentication primitive that provides additional protection for the user's password. Through a 2PA protocol, a user can distribute his low-entropy password between two authentication servers in the initialization phase and authenticate himself merely via a matching password in the login phase. No single server can learn any information about the user's password, nor impersonate the legitimate user to authenticate to the honest server. In this paper, we first formulate and realize the security definition of two-server password-based authentication in the well-known universal composability (UC) framework, which thus provides desirable properties such as composable security. We show that our construction is suitable for the asymmetric communication model in which one server acts as the front-end server interacting directly with the user and the other stays backstage. Then, we show that our protocol could be easily extended to more complicate password-based cryptographic protocols such as two-server password-authenticated key exchange (2PAKE) and two-server password-authenticated secret sharing (2PASS), which enjoy stronger security guarantees and better efficiency performances in comparison with the existing schemes.