A Comprehensive Formal Security Analysis of OAuth 2.0
Offered By: Association for Computing Machinery (ACM) via YouTube
Course Description
Overview
Explore a comprehensive formal security analysis of OAuth 2.0 in this 25-minute conference talk presented at CCS 2016, the 23rd ACM Conference on Computer and Communications Security. Delve into the contributions, formal analysis methods, and web application standards discussed by authors Daniel Fett, Ralf Küsters, and Guido Schmitz from the University of Trier. Examine the web model, browser model, and limitations of OAuth 2.0. Investigate various OAuth modes, multiple IdPs, and key security properties including authorization, authentication, and session integrity. Uncover potential attacks, such as the 307 Redirect Attack and IdP Mix-Up Attack, along with their mitigation strategies. Gain insights into the security proof assumptions, network attacker scenarios, and related work in the field of OAuth 2.0 security analysis.
Syllabus
Intro
Our Contributions
Formal Analysis of Web Applications and Standards
Sources
Web Model
Web Browser Model
Limitations
Previous Work
OAuth Modes
Multiple IdPs
Authorization Property
Authentication Property
Session Integrity Property
Attacks: Overview
307 Redirect Attack
IdP Mix-Up Attack in implicit Mode
IdP Mix-Up Attack: Mitigation
Impact
Proof: Assumptions
Session Integrity: Network Attacker
OAuth 2.0: Security Proof
Some Related Work
Taught by
ACM CCS
Related Courses
A Framework for Prototyping Applications Using Multilinear Maps and Matrix Branching ProgramsAssociation for Computing Machinery (ACM) via YouTube Acing the IOC Game - Toward Automatic Discovery and Analysis of Open-Source Cyber Threat Intelligence
Association for Computing Machinery (ACM) via YouTube Call Me Back! Attacks on System Server and System Apps in Android through Synchronous Callback
Association for Computing Machinery (ACM) via YouTube A Secure Sharding Protocol for Open Blockchains
Association for Computing Machinery (ACM) via YouTube A Software Approach to Defeating Side Channels in Last-Level Caches
Association for Computing Machinery (ACM) via YouTube