API Authentication and Authorization Protocols David Lee and Yating Hsu The Ohio State University Feb. 2, 2010 (Dagstuhl Seminar)
Project • Protocol System Fingerprinting [1] G. Shu and D. Lee, “Network Protocol System Fingerprinting - A Formal Approach”, IEEE Infocom 2006 [2] G. Shu and D. Lee, "A Formal Methodology for Network Protocol Fingerprinting", IEEE Trans. on Parallel and Distributed Systems, 2010
Project • Network Malicious Nodes Conviction N. Li and D. Lee, “Network Court Protocol and Malicious Node Conviction”, IEEE ICNP 2007
Project • Protocol Implementation Security Flaw Detection Y. Hsu, G. Shu and D. Lee, “A Model-based Approach to Security Flaw Detection of Network Protocol Implementations”, IEEE ICNP 2008
Project (in progress) • Anonymous Content Delivery (Funded by AT&T)
Project (in progress) • Federated Protocol authentication and authorization (funded by Google)
API Authentication and Authorization
• Valet key for the web
• A photo printing service website prints the user's photos, which are stored at another website.
• Can the user authorize the photo printing website to access the photos without sharing his password?
(Diagram: photo printing website, web album, username/password.)
API Authentication Protocols
• Three-party authentication
• Service Provider: web album
• Consumer: photo printing service website
• User
• A method for the User to grant the Consumer access to the data stored at the Service Provider
• Through the API defined by the Service Provider
• AOL OpenAuth, Yahoo! BBAuth, Flickr API, Amazon Web Services API
• OAuth: an attempt by Google et al. to standardize API authentication protocols
OAuth Workflow • Part I
• User visits the Consumer (photo printing service website) to request a service (order prints)
• Consumer requests a Request Token from the Service Provider
• Service Provider grants the Consumer a Request Token
(Diagram: steps 1-3 among User, Consumer and Service Provider.)
OAuth Workflow • Part II
• Consumer redirects the User to the Service Provider's User Authorization URL with the Request Token
• User signs in at the Service Provider; the Service Provider authenticates the User and asks for his authorization of access by the Consumer
• Service Provider redirects the User back to the Consumer with the Request Token now authorized
(Diagram: steps 4-6 among User, Consumer and Service Provider.)
OAuth Workflow • Part III
• Consumer exchanges the authorized Request Token for an Access Token
• Service Provider grants the Consumer an Access Token
• Consumer uses the Access Token to access the Protected Resources (photos)
(Diagram: steps 7-9 between Consumer and Service Provider.)
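The nine steps above, run end to end by all three principals, as an added example (this is not code from the talk or from the authors' model). It also runs the session fixation attack on OAuth 1.0 that the Goals slide mentions, and shows why the `oauth_verifier` introduced by OAuth 1.0a stops it. Assumptions of mine: the hostnames `prints.example` and `album.example`, the user and consumer names, the sample photo list, and a simplified signature base string (HMAC-SHA1 over the sorted parameters only; RFC 5849 also covers the HTTP method and URL).

```python
import hmac, hashlib, secrets
from urllib.parse import urlencode, parse_qs, urlparse

def sign(consumer_secret, token_secret, params):
    # HMAC-SHA1 over the sorted parameters, keyed "consumer_secret&token_secret".
    # Simplified: the RFC 5849 base string also covers the HTTP method and URL.
    key = f"{consumer_secret}&{token_secret}".encode()
    return hmac.new(key, urlencode(sorted(params.items())).encode(), hashlib.sha1).hexdigest()

class ServiceProvider:  # the web album: signs the user in, issues tokens, serves the photos
    def __init__(self, oauth_1_0a):
        self.oauth_1_0a = oauth_1_0a
        self.consumers = {}       # consumer_key -> (consumer_secret, registered callback URL)
        self.request_tokens = {}  # token -> {"secret", "consumer", "user", "verifier"}
        self.access_tokens = {}   # token -> (secret, consumer_key, user)
        self.photos = {"alice": ["beach.jpg", "cat.jpg"]}   # constructed sample data

    def _verify(self, consumer_key, token_secret, params, signature):
        expected = sign(self.consumers[consumer_key][0], token_secret, params)
        return hmac.compare_digest(expected, signature)

    def request_token(self, consumer_key, signature):          # steps 2-3
        if not self._verify(consumer_key, "", {"oauth_consumer_key": consumer_key}, signature):
            raise PermissionError("bad signature")
        token, secret = secrets.token_hex(8), secrets.token_hex(8)
        self.request_tokens[token] = {"secret": secret, "consumer": consumer_key, "user": None, "verifier": None}
        return token, secret

    def authorize(self, user, token):                          # steps 5-6
        # The signed-in user approves the token; returns the redirect back to the Consumer.
        rec = self.request_tokens[token]
        rec["user"] = user
        params = {"oauth_token": token}
        if self.oauth_1_0a:   # 1.0a: a fresh verifier that travels only in this redirect
            rec["verifier"] = secrets.token_hex(8)
            params["oauth_verifier"] = rec["verifier"]
        return f"{self.consumers[rec['consumer']][1]}?{urlencode(params)}"

    def access_token(self, consumer_key, token, verifier, signature):   # steps 7-8
        rec = self.request_tokens.get(token)
        if rec is None or rec["consumer"] != consumer_key or rec["user"] is None:
            raise PermissionError("token unknown or not authorized")
        params = {"oauth_consumer_key": consumer_key, "oauth_token": token}
        if self.oauth_1_0a:
            if verifier is None or not hmac.compare_digest(verifier, rec["verifier"]):
                raise PermissionError("missing or wrong oauth_verifier")
            params["oauth_verifier"] = verifier
        if not self._verify(consumer_key, rec["secret"], params, signature):
            raise PermissionError("bad signature")
        del self.request_tokens[token]                         # request tokens are one-shot
        at, at_secret = secrets.token_hex(8), secrets.token_hex(8)
        self.access_tokens[at] = (at_secret, consumer_key, rec["user"])
        return at, at_secret

    def photos_for(self, consumer_key, access_token, signature):        # step 9
        at_secret, owner, user = self.access_tokens[access_token]
        params = {"oauth_consumer_key": consumer_key, "oauth_token": access_token}
        if owner != consumer_key or not self._verify(consumer_key, at_secret, params, signature):
            raise PermissionError("bad signature")
        return self.photos[user]

class Consumer:  # the photo printing site; one pending request token per browser session
    CALLBACK = "https://prints.example/callback"   # assumed URL
    def __init__(self, key, secret, sp):
        self.key, self.secret, self.sp, self.sessions = key, secret, sp, {}
        sp.consumers[key] = (secret, self.CALLBACK)            # callback fixed at registration

    def start(self, session):                                  # steps 1-4
        sig = sign(self.secret, "", {"oauth_consumer_key": self.key})
        self.sessions[session] = self.sp.request_token(self.key, sig)   # (token, token_secret)
        return f"https://album.example/authorize?oauth_token={self.sessions[session][0]}"  # assumed URL

    def callback(self, session, url):                          # steps 7-9
        q = parse_qs(urlparse(url).query)
        token, verifier = q["oauth_token"][0], q.get("oauth_verifier", [None])[0]
        pending, pending_secret = self.sessions[session]
        if token != pending:
            raise PermissionError("token does not belong to this session")
        params = {"oauth_consumer_key": self.key, "oauth_token": token}
        if verifier is not None:
            params["oauth_verifier"] = verifier
        sig = sign(self.secret, pending_secret, params)
        at, at_secret = self.sp.access_token(self.key, token, verifier, sig)
        sig = sign(self.secret, at_secret, {"oauth_consumer_key": self.key, "oauth_token": at})
        return self.sp.photos_for(self.key, at, sig)

def honest_run(oauth_1_0a):   # alice orders prints and lets the printer read her album
    sp = ServiceProvider(oauth_1_0a)
    printer = Consumer("printer-key", "printer-secret", sp)
    token = parse_qs(urlparse(printer.start("alice-browser")).query)["oauth_token"][0]
    return printer.callback("alice-browser", sp.authorize("alice", token))   # alice clicks "allow"

def session_fixation(oauth_1_0a):
    # mallory starts the flow, lures alice into authorizing *his* request token, then finishes the
    # flow himself. Returns the photos he obtains, or None when the Service Provider stops him.
    sp = ServiceProvider(oauth_1_0a)
    printer = Consumer("printer-key", "printer-secret", sp)
    token = parse_qs(urlparse(printer.start("mallory-browser")).query)["oauth_token"][0]
    sp.authorize("alice", token)   # alice approves; the redirect (and any verifier) goes to her browser
    forged = f"{Consumer.CALLBACK}?oauth_token={token}"   # mallory knows the token but not the verifier
    try:
        return printer.callback("mallory-browser", forged)
    except PermissionError:
        return None
```

`honest_run(False)` and `honest_run(True)` both return alice's photos. `session_fixation(False)` also returns them: in OAuth 1.0 the callback carries nothing the attacker does not already know, so the Consumer happily binds alice's authorization to mallory's session. `session_fixation(True)` returns `None`, because the 1.0a exchange requires the verifier that only alice's browser received.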
Formal Model of OAuth
• Model OAuth with communicating Extended FSMs
• Each communicating principal is an EFSM
• Service Provider: 4 states, 5 transitions, 3 variables
• Consumer: 5 states, 6 transitions, 3 variables
• User: 3 states, 4 transitions, 2 variables
• Attacker model
• Restricted Dolev-Yao model
• Only injects valid OAuth messages that are executable
• Secure/insecure interfaces (HTTPS/HTTP)
Analysis of Security Properties • Unauthorized access of protected resources • Reachability graph and online minimization • Attacker involvement • Attack traces
Verification Method
• Each step of a normal protocol run is one of A1, A2, …, A12
• The attacker can also take the 12 steps: B1, B2, …, B12
• Represent the attacker's operation by C0, C1, …, C12, where each Ci is a set of sequences of actions from {B1, B2, …, B12} in an arbitrary order
(Diagram: C0 A1 C1 … A12 C12, each attacker set Ci placed between consecutive normal steps.)
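The reachability analysis described in the three slides above (communicating state machines, a restricted attacker who only injects executable messages, a search of the reachability graph for unauthorized access, and an attack trace as the result), as an added example and not the authors' tool: a bounded explicit-state search over an abstract model of the flow. The attacker here may only replay request tokens he has legitimately seen in an authorization URL; the 1.0a verifier is modelled as reaching only the browser that authorized the token. The principal names, the bound of two request tokens and the state encoding are my choices.

```python
from collections import deque
from dataclasses import dataclass, replace

USER, ATTACKER = "alice", "mallory"   # one honest browser session and one attacker session
MAX_TOKENS = 2                         # bound on request tokens issued; keeps the graph finite

@dataclass(frozen=True)
class State:
    tokens: frozenset = frozenset()    # SP side: (token, authorized_by); None until step 5
    sessions: frozenset = frozenset()  # Consumer side: (owner, pending_token, access_user)
    known: frozenset = frozenset()     # token ids the attacker has seen (restricted Dolev-Yao)
    issued: int = 0

def successors(st, oauth_1_0a):
    """All executable transitions from st, as (label, next_state)."""
    # Steps 1-3: a browser session asks the Consumer for service; Consumer obtains a request token.
    for owner in (USER, ATTACKER):
        if st.issued < MAX_TOKENS and not any(s[0] == owner for s in st.sessions):
            t = f"t{st.issued}"
            known = st.known | {t} if owner == ATTACKER else st.known   # the URL shows him t
            yield (f"{owner} starts the flow; Consumer obtains {t}",
                   replace(st, tokens=st.tokens | {(t, None)}, issued=st.issued + 1,
                           sessions=st.sessions | {(owner, t, None)}, known=known))
    # Steps 4-6: the user signs in at the SP and approves whatever token the URL she followed
    # names (her own, or one the attacker sent her). Any 1.0a verifier reaches her browser only.
    for t, by in st.tokens:
        if by is None:
            yield (f"{USER} signs in at the SP and authorizes {t}",
                   replace(st, tokens=(st.tokens - {(t, None)}) | {(t, USER)}))
    # Steps 7-9: a browser returns to the Consumer callback; Consumer exchanges the token.
    for owner, pending, access in st.sessions:
        if access is not None:
            continue
        if owner == USER:   # honest browser only follows the SP redirect, verifier included
            offers = [(t, f"v-{t}" if oauth_1_0a else None) for t, by in st.tokens if by == USER]
        else:               # attacker replays any token he knows; no verifier ever reached him
            offers = [(t, None) for t in st.known]
        for t, verifier in offers:
            authorized = (t, USER) in st.tokens
            if t == pending and authorized and (not oauth_1_0a or verifier == f"v-{t}"):
                yield (f"{owner} returns to the callback with {t}; Consumer gets an access token for {USER}",
                       replace(st, tokens=frozenset(x for x in st.tokens if x[0] != t),
                               sessions=(st.sessions - {(owner, pending, None)}) | {(owner, None, USER)}))

def find_attack(oauth_1_0a):
    """Breadth-first search of the reachability graph for a state in which the attacker's
    session holds an access token for the honest user. Returns (trace or None, states explored)."""
    start = State()
    parent = {start: None}
    queue = deque([start])
    while queue:
        st = queue.popleft()
        if any(o == ATTACKER and a == USER for o, _, a in st.sessions):
            trace = []
            while parent[st] is not None:
                label, st = parent[st]
                trace.append(label)
            return trace[::-1], len(parent)
        for label, nxt in successors(st, oauth_1_0a):
            if nxt not in parent:
                parent[nxt] = (label, st)
                queue.append(nxt)
    return None, len(parent)
```

For OAuth 1.0 the search returns a three-step attack trace (attacker starts the flow, user authorizes the attacker's token, attacker completes the callback), which is the session fixation attack; for OAuth 1.0a no violating state is reachable within the bound, since the Consumer cannot complete the exchange without the verifier. The bound and the abstraction are what make the search a check of this model rather than a proof about the protocol.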
Goals
• Rediscover known security flaws
• The session fixation attack on OAuth 1.0 was found
• OAuth 1.0a was announced to address this attack
• Find unknown security flaws
• Or prove that OAuth 1.0a is secure
General Problems • Multiple Users and Consumers • Protocols • Security Properties • Federated Authentication Protocols • OpenID • Universal Single Sign-in • Roaming Access • ……