A framework for formal analysis of privacy on SSO protocols

    Author(s)
    Wang, K
    Bai, G
    Dong, N
    Dong, JS
    Griffith University Author(s)
    Bai, Guangdong
    Dong, Jin-Song
    Year published
    2018
    Abstract
    Single Sign-on (SSO) protocols, which allow a website to authenticate its users via accounts registered with another website, are forming the basis of user identity management in contemporary websites. Given the critical role they are playing in safeguarding the privacy-sensitive web services and user data, SSO protocols deserve a rigorous formal verification. In this work, we provide a framework facilitating formal modeling of SSO protocols and analysis of their privacy property. Our framework incorporates a formal model of the web infrastructure (e.g., network and browsers), a set of attacker models (e.g., malicious IDP) and a formalization of the privacy property with respect to SSO protocols. Our analysis has identified a new type of attack that allows malicious participants to learn which websites the victim users have logged in to.
    Conference Title
    Lecture Notes of the Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering, LNICST
    Volume
    238
    DOI
    https://doi.org/10.1007/978-3-319-78813-5_41
    Subject
    Distributed computing and systems software
    Publication URI
    http://hdl.handle.net/10072/384239
    Collection
    • Conference outputs
