Title | Modular Security Analysis of OAuth 2.0 in the Three-Party Setting |
Publication Type | Conference Paper |
Year of Publication | 2020 |
Authors | Li, Xinyu, Xu, Jing, Zhang, Zhenfeng, Lan, Xiao, Wang, Yuchen |
Conference Name | 2020 IEEE European Symposium on Security and Privacy (EuroS P) |
Keywords | Authorization, compositionality, cryptographic protocols, oAuth, Predictive Metrics, provable security, pubcrawl, Resiliency, security model |
Abstract | OAuth 2.0 is one of the most widely used Internet protocols for authorization/single sign-on (SSO) and is also the foundation of the new SSO protocol OpenID Connect. Due to its complexity and its flexibility, it is difficult to comprehensively analyze the security of the OAuth 2.0 standard, yet it is critical to obtain practical security guarantees for OAuth 2.0. In this paper, we present the first computationally sound security analysis of OAuth 2.0. First, we introduce a new primitive, the three-party authenticated secret distribution (3P-ASD for short) protocol, which plays the role of issuing the secret and captures the token issue process of OAuth 2.0. As far as we know, this is the first attempt to formally abstract the authorization technology into a general primitive and then define its security. Then, we present a sufficiently rich three-party security model for OAuth protocols, covering all kinds of authorization flows, providing reasonably strong security guarantees and moreover capturing various web features. To confirm the soundness of our model, we also identify the known attacks against OAuth 2.0 in the model. Furthermore, we prove that two main modes of OAuth 2.0 can achieve our desired security by abstracting the token issue process into a 3P-ASD protocol. Our analysis is not only modular which can reflect the compositional nature of OAuth 2.0, but also fine-grained which can evaluate how the intermediate parameters affect the final security of OAuth 2.0. |
DOI | 10.1109/EuroSP48549.2020.00025 |
Citation Key | li_modular_2020 |