Formal analysis of Facebook Connect Single Sign-On authentication protocol
暂无分享,去创建一个
We present a formal analysis of the authentication protocol of Facebook Connect, the Single Sign-On service offered by the Facebook Platform which allows Facebook users to login to affiliated sites. Formal specification and verification have been carried out using the specification language HLPSL and AVISPA, a state-of-the-art verification tool for security protocols. AVISPA has revealed two security flaws, one of which (previously unheard of, up to our knowledge) allows an intruder to impersonate a user at a service provider affiliated with Facebook. To address this problem, we propose a modification of the protocol, by adding a message authentication mechanism; this protocol has been verified with AVISPA to be safe from the masquerade attack. Finally, we sketch a JavaScript implementation of the modified protocol.
[1] Sebastian Mödersheim,et al. The AVISPA Tool for the Automated Validation of Internet Security Protocols and Applications , 2005, CAV.
[2] Alessandro Armando,et al. Formal analysis of SAML 2.0 web browser single sign-on: breaking the SAML-based single sign-on for google apps , 2008, FMSE '08.
[3] Benjamín Ramos,et al. Formal Validation of OFEPSP+ with AVISPA , 2009, ARSPA-WITS.