Modular Security Analysis of OAuth 2.0 in the Three-Party Setting

OAuth 2.0 is one of the most widely used Internet protocols for authorization/single sign-on (SSO) and is also the foundation of the new SSO protocol OpenID Connect. Because of its complexity and flexibility, the OAuth 2.0 standard is difficult to analyze comprehensively, yet obtaining practical security guarantees for it is critical. In this paper, we present the first computationally sound security analysis of OAuth 2.0. First, we introduce a new primitive, the three-party authenticated secret distribution (3P-ASD for short) protocol, which plays the role of issuing the secret and captures the token issue process of OAuth 2.0. As far as we know, this is the first attempt to formally abstract the authorization technology into a general primitive and then define its security. Then, we present a sufficiently rich three-party security model for OAuth protocols that covers all kinds of authorization flows, provides reasonably strong security guarantees, and captures various web features. To confirm the soundness of our model, we also identify the known attacks against OAuth 2.0 in the model. Furthermore, we prove that two main modes of OAuth 2.0 can achieve our desired security by abstracting the token issue process into a 3P-ASD protocol. Our analysis is not only modular, reflecting the compositional nature of OAuth 2.0, but also fine-grained, evaluating how the intermediate parameters affect the final security of OAuth 2.0.
