Universally Composable Web Security Protocols for Delegation

With the advent of content-mixing applications, or mash-ups, there has been a proliferation of web security protocols for secure delegation, i.e., protocols which allow end-users to delegate to service consumers content which the end-user has stored at other service providers. The OAuth protocol [OAu07] has emerged as the unofficial standard for these protocols and has been widely adopted by many consumers and providers. Until now, these protocols have not been subjected to formal analysis and, as recently shown [OAu09], can be vulnerable to attacks. In this paper, we rigorously analyze OAuth and related protocols using established cryptographic formalisms such as universal composability. We analyze a corrected version of the OAuth protocol, precisely characterize the intended abstract functionality, and formally argue that the corrected OAuth protocol realizes this functionality. This work thus gives formal assurance that the corrected version will indeed make the protocol secure. Using the universal composability framework, we show the robustness of our definitions by using this abstract functionality in a larger protocol, AppStore, which captures the idea of delegated computation or, in general, a server-side data mash-up. Our work is the first to rigorously apply established cryptographic formalisms to the analysis of web security protocols. As part of our proof, to model the common case where the end-user authenticates to the service provider using a username and password, we develop a universally composable proof of pwAKE, a password-based asymmetric key exchange in which one of the parties authenticates with a password and the other is able to authenticate with a public key, a result which is of independent interest.

By: Suresh Chari; Charanjit Jutla

Published in: RC24856 in 2009
