Journal article

Validity Analysis of an Improved OAuth Authorization Mechanism (一种改进的OAuth授权机制有效性分析)

Cited by: 1
Abstract: The emergence of domestic open platforms such as Weibo, WeChat and Baidu has brought third-party authentication and authorization login into wide use across many fields, so the OAuth (Open Authorization) protocol, the standard protocol for authentication and authorization on open platforms, has attracted close attention. Many studies show that OAuth 2.0, the version now widely deployed on these platforms, is vulnerable to phishing, man-in-the-middle and CSRF attacks in concrete implementations. To resist phishing, the most common attack on the network, this paper proposes an improvement to the OAuth 2.0 authorization mechanism that prevents an attacker from masquerading as the authorization server, and proves the security and effectiveness of the improved mechanism. The work provides a reference for improving the security of the OAuth 2.0 protocol.
Authors: Ou Haiwen (欧海文) 1,2; Fu Yongliang (付永亮) 2; Yu Yu (于芋) 1; Hu Xinyue (胡馨月) 1. (1 Beijing Electronic Science and Technology Institute, Beijing 100071, China; 2 Xidian University, Xi'an 710071, Shaanxi, China)
Source: Computer Applications and Software (计算机应用与软件), 2017, No. 12, pp. 196-201 (6 pages)
Keywords: OAuth 2.0; authorization mechanism; validity analysis; phishing attack
About the authors: Ou Haiwen, professor; main research area: cryptographic coding and its applications. Fu Yongliang, master's student. Yu Yu, master's student. Hu Xinyue, master's student.
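The abstract names the three implementation-level attacks on OAuth 2.0 (phishing via a spoofed authorization server, man-in-the-middle, CSRF) but does not reproduce the paper's countermeasure. As an added example, not the paper's mechanism and not code from this page, the following Python sketch shows the client-side checks a relying party can apply in the standard OAuth 2.0 authorization-code flow against exactly those attacks: pinning the authorization endpoint so the user is never sent to a look-alike server, binding the callback to a single-use `state` value (RFC 6749 section 10.12, the CSRF defence), and verifying the `iss` parameter of the authorization response (RFC 9207) so a response minted by a masquerading authorization server is rejected. The hostnames, client identifier and dict-based session store are assumptions.

```python
"""Client-side checks for an OAuth 2.0 authorization-code flow.

Added example (not the paper's scheme). Hypothetical values:
  issuer                 https://auth.example.com      (RFC 8414 issuer)
  authorization endpoint https://auth.example.com/oauth/authorize
  registered redirect    https://app.example.com/callback
"""
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

EXPECTED_ISSUER = "https://auth.example.com"           # assumption
AUTHZ_ENDPOINT = "https://auth.example.com/oauth/authorize"  # assumption
CLIENT_ID = "demo-client"                                # assumption
REDIRECT_URI = "https://app.example.com/callback"        # assumption


def build_authorization_request(session: dict) -> str:
    """Build the redirect to the authorization server.

    A fresh random 'state' is stored in the caller's session so the
    later callback can be bound to this browser (CSRF defence) and the
    expected issuer is recorded for the RFC 9207 check.
    """
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    session["oauth_issuer"] = EXPECTED_ISSUER
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "profile",
        "state": state,
    }
    return AUTHZ_ENDPOINT + "?" + urlencode(params)


def check_authorization_endpoint(url: str) -> bool:
    """Only ever send the user to the pinned authorization endpoint.

    A phishing page that substitutes a look-alike server such as
    https://auth.example.com.attacker.tld/... fails the host comparison;
    a plain-http endpoint (MITM exposure) fails the scheme check.
    """
    p, e = urlparse(url), urlparse(AUTHZ_ENDPOINT)
    return p.scheme == "https" and p.netloc == e.netloc and p.path == e.path


def validate_callback(callback_url: str, session: dict) -> dict:
    """Validate the authorization response delivered to the redirect URI.

    Returns {'ok': True, 'code': ...} on success, otherwise
    {'ok': False, 'reason': ...}. The stored state is consumed on first
    use, so a replayed callback is rejected even with a correct value.
    """
    p, r = urlparse(callback_url), urlparse(REDIRECT_URI)
    if (p.scheme, p.netloc, p.path) != (r.scheme, r.netloc, r.path):
        return {"ok": False, "reason": "unexpected redirect target"}
    q = parse_qs(p.query)

    # state must be present exactly once and equal the single-use stored value
    expected_state = session.pop("oauth_state", None)
    got_state = q.get("state", [])
    if expected_state is None or len(got_state) != 1 or not hmac.compare_digest(
        got_state[0].encode(), expected_state.encode()
    ):
        return {"ok": False, "reason": "state mismatch (CSRF or replay)"}

    # RFC 9207: the authorization server names itself in the response; a
    # response produced by a masquerading server carries the wrong issuer
    got_iss = q.get("iss", [])
    if len(got_iss) != 1 or got_iss[0] != session.get("oauth_issuer"):
        return {"ok": False, "reason": "issuer mismatch (spoofed authorization server)"}

    if "error" in q:
        return {"ok": False, "reason": "authorization server error: " + q["error"][0]}
    code = q.get("code", [])
    if len(code) != 1:
        return {"ok": False, "reason": "missing or duplicated code"}
    return {"ok": True, "code": code[0]}
```

The `iss` check only helps against a spoofed server if the authorization server actually emits the parameter and the client rejects its absence, which is why the code treats a missing `iss` as a failure rather than falling back to the old behaviour. In a real deployment the session dict would be the server-side session of the browser that started the flow, and the authorization code would next be exchanged at the pinned token endpoint over TLS.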