论文信息 - Why Protocols Fail to Transition to Mobile Domains

Why Protocols Fail to Transition to Mobile Domains

Applying protocols to new settings for which they were not originally designed can result in failures and vulnerabilities. This problem becomes particularly severe when security protocols are concerned. As more and more novel technologies such as IoT are being put into practical use, the study of the above mentioned problems gains an increasing importance. This paper investigates the issues which arise when transitioning the OAuth protocol to the mobile phone setting. First, we informally discuss the issues arising during such transitioning. Then, we revist the formal analysis of the OAuth protocol presented by Fett et al. at ACM CCS 2017 [1], pinpointing the issues that may lead to vulnerabilities in the mobile scenario.

Josh Talkington | Ram Dantu | Kirill Morozov

[1] Srinivas Devadas,et al. Controlled physical random functions , 2002, 18th Annual Computer Security Applications Conference, 2002. Proceedings..

[2] Dick Hardt,et al. The OAuth 2.0 Authorization Framework , 2012, RFC.

[3] Roy T. Fielding,et al. Hypertext Transfer Protocol - HTTP/1.0 , 1996, RFC.

[4] Yuan Tian,et al. OAuth Demystified for Mobile Application Developers , 2014, CCS.

[5] Kai Chen,et al. Unleashing the Walking Dead: Understanding Cross-App Remote Infections on Mobile WebViews , 2017, CCS.

[6] John Bradley,et al. Proof Key for Code Exchange by OAuth Public Clients , 2015, RFC.

[7] R. Pappu,et al. Physical One-Way Functions , 2002, Science.

[8] Ralf Küsters,et al. A Comprehensive Formal Security Analysis of OAuth 2.0 , 2016, CCS.

[9] John Bradley,et al. OAuth 2.0 for Native Apps , 2017, RFC.

[10] Josh Talkington,et al. Verifying OAuth Implementations Through Encrypted Network Analysis , 2019, SACMAT.