VOAuth: A solution to protect OAuth against phishing

Abstract: The OAuth protocol is designed for authorization: it enables users to grant third-party applications access to their resources stored at a server. However, OAuth cannot prevent counterfeiting of the Authorization Server, so phishing attacks are commonly encountered. Although version 2.0 of OAuth is widely used in web authorization services, the counterfeiting problem remains unsolved. In this paper, VOAuth (Validation OAuth) is proposed as a novel solution to this problem; it introduces a Validation System and optimizes the OAuth processes. The Validation System, which includes a Validation Gateway and a Validation Client, can guarantee the authenticity of the Authorization Server by taking tripartite consultation and one-time pad into account; users are thus protected from phishing because passwords will not be stored or submitted for a long time. To prove that VOAuth can effectively avoid phishing attacks, especially counterfeiting of the Authorization Server, countermeasures against phishing threat models and formal verification of VOAuth are shown with Alloy Analyzer. Finally, VOAuth is implemented in an actual mobile Internet application and has been online for more than two years with over 15 million users. So far, no leakage of user privacy data has occurred and no phished account has been reported, which provides further evidence of the effectiveness of VOAuth.
