Research Article
A Framework for Formal Analysis of Privacy on SSO Protocols
@INPROCEEDINGS{10.1007/978-3-319-78813-5_41, author={Kailong Wang and Guangdong Bai and Naipeng Dong and Jin Dong}, title={A Framework for Formal Analysis of Privacy on SSO Protocols}, proceedings={Security and Privacy in Communication Networks. 13th International Conference, SecureComm 2017, Niagara Falls, ON, Canada, October 22--25, 2017, Proceedings}, proceedings_a={SECURECOMM}, year={2018}, month={4}, keywords={Single Sign-on Privacy Formal verification framework}, doi={10.1007/978-3-319-78813-5_41} }
- Kailong Wang
Guangdong Bai
Naipeng Dong
Jin Dong
Year: 2018
A Framework for Formal Analysis of Privacy on SSO Protocols
SECURECOMM
Springer
DOI: 10.1007/978-3-319-78813-5_41
Abstract
Single Sign-on (SSO) protocols, which allow a website to authenticate its users via accounts registered with another website, are forming the basis of user identity management in contemporary websites. Given the critical role they are playing in safeguarding the privacy-sensitive web services and user data, SSO protocols deserve a rigorous formal verification. In this work, we provide a framework facilitating formal modeling of SSO protocols and analysis of their privacy property. Our framework incorporates a formal model of the web infrastructure (e.g., network and browsers), a set of attacker models (e.g., malicious IDP) and a formalization of the privacy property with respect to SSO protocols. Our analysis has identified a new type of attack that allows malicious participants to learn which websites the victim users have logged in to.