Skip to main content
SpringerLink
Log in

A Framework for Formal Analysis of Privacy on SSO Protocols

  • Conference paper
  • First Online:
Book cover Security and Privacy in Communication Networks (SecureComm 2017)

Abstract

Single Sign-on (SSO) protocols, which allow a website to authenticate its users via accounts registered with another website, are forming the basis of user identity management in contemporary websites. Given the critical role they are playing in safeguarding the privacy-sensitive web services and user data, SSO protocols deserve a rigorous formal verification. In this work, we provide a framework facilitating formal modeling of SSO protocols and analysis of their privacy property. Our framework incorporates a formal model of the web infrastructure (e.g., network and browsers), a set of attacker models (e.g., malicious IDP) and a formalization of the privacy property with respect to SSO protocols. Our analysis has identified a new type of attack that allows malicious participants to learn which websites the victim users have logged in to.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 109.00
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 143.00
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Notes

  1. 1.

    For simple reference to the same information in different figures, we use the following format ((k), line \( x_j \)) to represent the step k in Fig. 3, line \(x_j\) in Fig. 5 (when \(x_j\) is a \( q_j \)) or Fig. 6 (when \(x_j\) is a \(p_j\)).

References

  1. Wang, R., Chen, S., Wang, X.: Signing me onto your accounts through Facebook and Google: a traffic-guided security study of commercially deployed single-sign-on web services. In: IEEE S&P (2012)

    Google Scholar 

  2. Fett, D., Küsters, R., Schmitz, G.: An expressive model for the web infrastructure: definition and application to the BrowserID SSO system. In: IEEE S&P (2014)

    Google Scholar 

  3. Fett, D., Küsters, R., Schmitz, G.: Analyzing the BrowserID SSO system with primary identity providers using an expressive model of the web. In: ESORICS, pp. 43–65 (2015)

    Chapter  Google Scholar 

  4. Bai, G., Lei, J., Meng, G., Venkatraman, S.S., Saxena, P., Sun, J., Liu, Y., Dong, J.S.: AuthScan: automatic extraction of web authentication protocols from implementations. In: NDSS (2013)

    Google Scholar 

  5. Sun, S.-T., Hawkey, K., Beznosov, K.: Systematically breaking and fixing openid security: formal analysis, semi-automated empirical evaluation, and practical countermeasures. Comput. Secur. 31, 465–483 (2012)

    Article  Google Scholar 

  6. Ye, Q., Bai, G., Wang, K., Dong, J.S.: Formal analysis of a single sign-on protocol implementation for android. In: ICECCS, pp. 90–99 (2015)

    Google Scholar 

  7. Hanna, S., Shinz, E.C.R., Akhawe, D., Boehmz, A., Saxena, P., Song, D.: The emperor’s new API: on the (in)secure usage of new client side primitives. In: W2SP (2010)

    Google Scholar 

  8. Armando, A., Carbone, R., Compagna, L., Cuellar, J., Tobarra, L.: Formal analysis of SAML 2.0 web browser single sign-on: breaking the SAML-based single sign-on for Google apps. In: Workshop on Formal Methods in Security Engineering (2008)

    Google Scholar 

  9. Abadi, M., Fournet, C.: Mobile values, new names, and secure communication. In: POPL, pp. 104–115 (2001)

    Article  Google Scholar 

  10. Blanchet, B.: An efficient cryptographic protocol verifier based on prolog rules. In: CSFW, pp. 82–96 (2001)

    Google Scholar 

  11. Delaune, S., Kremer, S., Ryan, M.: Verifying privacy-type properties of electronic voting protocols. J. Comput. Secur. 17, 435–487 (2009)

    Article  Google Scholar 

  12. Fett, D., Küsters, R., Schmitz, G.: SPRESSO: a secure, privacy-respecting single sign-on system for the web. In: CCS, pp. 1358–1369 (2015)

    Google Scholar 

  13. Dolev, D., Yao, A.C.C.: On the security of public key protocols. IEEE Trans. Inf. Theory 29, 198–207 (1983)

    Article  MathSciNet  Google Scholar 

  14. Jackson, D.: In: Tools and Algorithms for the Construction and Analysis of Systems: 8th International Conference, TACAS, p. 20 (2002)

    Google Scholar 

  15. Kerschbaum, F.: Simple cross-site attack prevention. In: Workshop on Security and Privacy in Communications Networks, pp. 464–472 (2007)

    Google Scholar 

  16. Bai, G., Hao, J., Wu, J., Liu, Y., Liang, Z., Martin, A.: Trustfound: towards a formal foundation for model checking trusted computing platforms. In: FM, pp. 110–126 (2014)

    Google Scholar 

  17. Hao, J., Liu, Y., Cai, W., Bai, G., Sun, J.: vTRUST: a formal modeling and verification framework for virtualization systems. In: ICFEM, pp. 329–346 (2013)

    Chapter  Google Scholar 

  18. Akhawe, D., Barth, A., Lam, P.E., Mitchell, J., Song, D.: Towards a formal foundation of web security. In: CSF, pp. 290–304 (2010)

    Google Scholar 

  19. Bansal, C., Bhargavan, K., Delignat-Lavaud, A., Maffei, S.: Keys to the cloud: formal analysis and concrete attacks on encrypted web storage. In: POST, pp. 126–146 (2013)

    Google Scholar 

  20. Bansal, C., Bhargavan, K., Maffeis, S.: Discovering concrete attacks on website authorization by formal analysis. In: CSF, pp. 247–262 (2012)

    Google Scholar 

Download references

Acknowledgment

This research is supported by the National Research Foundation, Singapore (No. NRF2015NCR-NCR003-003).

Author information

Authors and Affiliations

  1. National University of Singapore, Singapore, Singapore

    Kailong Wang, Naipeng Dong & Jin Song Dong

  2. Singapore Institute of Technology, Singapore, Singapore

    Guangdong Bai

  3. Griffith University, Nathan, Australia

    Jin Song Dong

Authors
  1. Kailong Wang
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Guangdong Bai
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Naipeng Dong
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Jin Song Dong
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Guangdong Bai .

Editor information

Editors and Affiliations

  1. Wilfrid Laurier University, Waterloo, Ontario, Canada

    Xiaodong Lin

  2. University of New Brunswick, Fredericton, New Brunswick, Canada

    Ali Ghorbani

  3. University at Buffalo, Buffalo, New York, USA

    Kui Ren

  4. Pennsylvania State University, Philadelphia, Pennsylvania, USA

    Sencun Zhu

  5. Anhui Normal University, Wuhu, China

    Aiqing Zhang

Rights and permissions

Reprints and permissions

Copyright information

© 2018 ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Wang, K., Bai, G., Dong, N., Dong, J.S. (2018). A Framework for Formal Analysis of Privacy on SSO Protocols. In: Lin, X., Ghorbani, A., Ren, K., Zhu, S., Zhang, A. (eds) Security and Privacy in Communication Networks. SecureComm 2017. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 238. Springer, Cham. https://doi.org/10.1007/978-3-319-78813-5_41

Download citation

  • DOI: https://doi.org/10.1007/978-3-319-78813-5_41

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-78812-8

  • Online ISBN: 978-3-319-78813-5

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation