Model Driven Security Analysis of IDaaS Protocols

  • Apurva Kumar
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7084)


Offloading user management functions like authentication and authorization to identity providers is a key enabler for cloud computing based services. Protocols used to provide identity as a service (IDaaS) are the foundation of security for many business transactions on the web and need to be thoroughly analyzed. While analysis of cryptographic protocols has been an active research area over the past three decades, the techniques have not been adapted to analyze security for complex web interactions. In this paper, we identify gaps in the area and propose means to address them. We extend an important belief logic (the so-called BAN logic) used for analyzing security in authentication protocols to support new concepts that are specific to browser based IDaaS protocols. We also address the problem of automating belief based security analysis through a UML based model driven approach which can be easily integrated with existing software engineering tools. We demonstrate benefits of the extended logic and model driven approach by analyzing two of the most commonly used IDaaS protocols.


Security Protocol Analysis Identity Management Model Driven Security Identity as a Service 


  1. 1.
    Burrows, M., Abadi, M., Needham, R.: A Logic of Authentication. ACM Transactions on Computer Systems (TOCS) 8(1), 18–36 (1990)CrossRefzbMATHGoogle Scholar
  2. 2.
    OASIS SAML Specifications. SAML v2.0, Core,
  3. 3.
  4. 4.
    The OAuth 1.0 Protocol. IETF RFC: 5849,
  5. 5.
    Gong, L., Needham, R., Yahalom, R.: Reasoning about Belief in Cryptographic Protocols. In: Proceedings 1990 IEEE Symposium on Research in Security and Privacy (1990)Google Scholar
  6. 6.
    Abadi, M., Tuttle, M.R.: A semantics for a logic of authentication. In: Proceedings of the ACM Symposium of Principles of Distributed Computing (1991)Google Scholar
  7. 7.
    Kessler, V., Wedel, G.: AUTLOG: An advanced logic of authentication. In: Proceedings of Computer Security Foundation Workshop VII, pp. 90–99 (1994)Google Scholar
  8. 8.
    Syverson, P., van Oorschot, P.: On unifying some cryptographic protocol logics. In: Proceedings of the Symposium on Security and Privacy, Oakland, CA, pp. 14–28 (1994)Google Scholar
  9. 9.
    Schumann, J.: Automatic Verification of Cryptographic Protocols with SETHEO. In: McCune, W. (ed.) CADE 1997. LNCS, vol. 1249, pp. 831–836. Springer, Heidelberg (1997)Google Scholar
  10. 10.
    Craigen, D., Saaltink, M.: Using EVES to analyze authentication protocols. Technical Report TR-96-5508-05, ORA Canada (1996)Google Scholar
  11. 11.
    Dolev, D., Yao, A.: On the security of public key protocols. IEEE Trans. Inform. Theory IT-29, 198–208 (1983)MathSciNetCrossRefzbMATHGoogle Scholar
  12. 12.
    Meadows, C.: Applying formal methods to the analysis of a key management protocol. Journal of Computer Security 1, 5–53 (1992)CrossRefGoogle Scholar
  13. 13.
    Lowe, G.: Breaking and Fixing the Needham-Schroeder Public-Key Protocol Using FDR. In: Margaria, T., Steffen, B. (eds.) TACAS 1996. LNCS, vol. 1055, pp. 147–166. Springer, Heidelberg (1996)CrossRefGoogle Scholar
  14. 14.
    Armando, A., et al.: An Optimized Intruder Model for SAT-based Model-Checking of Security Protocols. Elec. Notes in Theoret. Comp. Sci. 125(1) (March 2005)Google Scholar
  15. 15.
    Groß, T.: Security analysis of the SAML single sign-on browser/artifact profile. In: Proceedings of 19th ACSAC 2003, pp 298–307. IEEE Computer Society Press (2003)Google Scholar
  16. 16.
    Hammer-Lahav, E.: Explaining the OAuth Session Fixation Attack,
  17. 17.
    Kumar, A.: Integrated Security Context Management of Web Components and Services in Federated Identity Environments. In: Bouguettaya, A., Krueger, I., Margaria, T. (eds.) ICSOC 2008. LNCS, vol. 5364, pp. 565–571. Springer, Heidelberg (2008)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2011

Authors and Affiliations

  • Apurva Kumar
    • 1
  1. 1.IBM Research - IndiaNew DelhiIndia

Personalised recommendations