| 开放授权协议OAuth2.0的安全性形式化分析 |
| |
| 引用本文: | 王焕孝,顾纯祥,郑永辉. 开放授权协议OAuth2.0的安全性形式化分析[J]. 信息工程大学学报, 2014, 15(2): 141-147 |
| |
| 作者姓名: | 王焕孝 顾纯祥 郑永辉 |
| |
| 作者单位: | 数学工程与先进计算国家重点实验室 |
| |
| 基金项目: | 国家自然科学基金资助项目(61072047);河南省科技创新杰出青年基金资助项目(134100510002) |
| |
| 摘 要: | 开放授权协议OAuth是云上一个新的开放标准,解决了用户多账号通用和资源共享的问题.文章针对OAuth2.0的协议规范,利用Alice-Bob标记语言和HLPSL协议高级语言对其进行了形式化描述,并借助基于状态空间搜索的安全协议分析工具,分别讨论了通信三方在使用和未使用HTTPS加密的情况下协议的安全性,对于不安全的情况得到了相应的攻击路径.另外,在实际的网络环境中观察分析了OAuth2.0的相应实现,对国内访问量前100名的网站做了统计,发现其中可以作为OAuth2.0协议服务端的网站有63.6%存在安全漏洞,可以作为客户端的网站有90.2%存在安全漏洞,实验结果对规范网络安全环境有重要的作用和意义.
|
| 关 键 词: | 云计算 OAuth2 0 形式化分析 攻击路径 |
Formal Security Analysis of OAuth2.0 Authorization Protocol |
| |
| WANG Huan-xiao;GU Chun-xiang;ZHENG Yong-hui. Formal Security Analysis of OAuth2.0 Authorization Protocol[J]. , 2014, 15(2): 141-147 |
| |
| Authors: | WANG Huan-xiao GU Chun-xiang ZHENG Yong-hui |
| |
| Affiliation: | WANG Huan-xiao;GU Chun-xiang;ZHENG Yong-hui;State Key Laboratory of Mathematical Engineering and Advanced Computing; |
| |
| Abstract: | OAuth is a new open standard in cloud computing; it solves the problems of multiple accounts and resource sharing. This paper focuses on the protocol specification of OAuth2.0, formally describes the OAuth2.0 protocol using the Alice Bob markup language and HLPSL protocol high level languages, and with security protocol analysis tools based on State Space Search, it discusses respectively the security of the protocol in tripartite communication with and without HTTPS encryption. For the unsafe case, the corresponding attack paths are given. In addition, the implementation of OAuth2.0 in the actual network environment is observed and analyzed. Statistics is also made about the websites with top one hundred domestic visit quantity, thus reaching a conclusion that the implementation of OAuth2.0 protocol has insecurity and irregularities, because 63.6% server websites and 90.2% client websites based on OAuth 2.0 protocol suffer security vulnerabilities. |
| |
| Keywords: | cloud computing OAuth2.0 formal analysis attack paths |
| 本文献已被 CNKI 维普 等数据库收录! |
| 点击此处可从《信息工程大学学报》浏览原始摘要信息 |
|
点击此处可从《信息工程大学学报》下载免费的PDF全文 |
|
