Optimization Method for OAuth2.0 Protocol

doi:10.3969/j.issn.1671-1122.2016.09.002

Abstract

Abstract:

To improve the security of protocol OAuth2.0, we optimize the protocol by introducing a security point and an synchronization mechanism based on the basic OAuth2.0 protocol. OAuth protocol for the current more popular authorization protocol, has experienced two versions of OAuth2.0 and OAuth1.0 is still in constant optimization. We proposed a new authorization process based on authorization code. Firstly, we studied the basic OAuth2.0 protocol. To prevent the security threats in information disclosure, we present a detailed model, in which a security node is introduced in the authorization server to check the security of authorization request, and a synchronization mechanism is introduced between the authorization server and the resource server to synchronize the information between the servers, then, we describes the new authorization model and the framework for realization of this protocol. Finally, we gave an example of system design to fulfill the new protocol model.

Key words: OAuth2.0, security, authorization, security point, authorization code

CLC Number:

TP309

Chengkun WEI, Xiangdong LIU, Zhaojun SHI. Optimization Method for OAuth2.0 Protocol[J]. Netinfo Security, 2016, 16(9): 6-11.

Figures/Tables 12

References 12

[1]	Cloud Security Alliance. The Treacherous Twelve. [EB/OL]. , 2016-04-02.
[2]	HARDT D. The OAuth2.0 Authorization Framework. [EB/OL]. , 2013-2-1.
[3]	YAN Haixing, FANG Huixing, KUKA C, et al.Verification for OAuth Using ASLan++[C]// IEEE.High Assurance Systems Engineering (HASE), 2015 IEEE 16th International Symposium on, January 8-10, 2015, Florida, USA. USA: IEEE, 2015:76-84.
[4]	PAI S, SHARMA Y, KUMAR S, et al.Formal verification of OAuth 2.0 Using Alloy Framework[C]// Communication Systems and Network Technologies (CSNT), June 3-5,2011, Katra, Jammu, India. NewYork: IEEE, 2011: 655-659.
[5]	BANSAL C, BHARGAVAN K, MAFFEIS S.Discovering Concrete Attacks on Website Authorization by Formal Analysis[C] //IEEE.2012 IEEE 25th Computer Security Foundations Symposium ,Cambridge, MA, 2012:247-262.
[6]	BURANASAKSEE U, PORKAEW K, SUPASITTHIMETHEE U.Supasitthimethee. AccAuth: Accounting system for OAuth protocol[C]//IEEE.2014 Fifth International Conference onApplications of Digital Information and Web Technologies (ICADIWT), Bangalore, 2014:8-13.
[7]	E Torroglosa-García, AD Pérez-Morales, P Martinez-Julia, et al. Integration of the OAuth and Web Service Family Security Standards[J].Computer Networks the International Journal of Computer & Telecommunications Networking , 2013, 57(10) : 2233-2249.
[8]	张平,陈长松,胡红钢. 基于分组密码的认证加密工作模式[J]. 信息网络安全,2014(11):8-17.
[9]	ALOTAIBI A, MAHMMOD A.Enhancing OAuth services security by an authentication service with face recognition[C] //IEEE.Systems. Applications and Technology Conference (LISAT), 2015 IEEE Long Island, Farmingdale, NY, 2015: 1-6.
[10]	仇各各,汪学明,张言胜. 基于HECC的WSN身份认证协议研究[J]. 信息网络安全,2015(12):54-58.
[11]	HARDT D. The OAuth2.0 Authorization Framework [EB/OL]. , 2012.
[12]	赵洋,陈阳,熊虎,等. 云环境下一种可撤销授权的数据拥有性证明方案[J]. 信息网络安全,2015(8):1-7.

[1]	Jianwei LIU, Yiran HAN, Bin LIU, Beiyuan YU. Research on 5G Network Slicing Security Model [J]. Netinfo Security, 2020, 20(4): 1-11.
[2]	Zhizhou FU, Liming WANG, Ding TANG, Shuguang ZHANG. HBase Secondary Ciphertext Indexing Method Based on Homomorphic Encryption [J]. Netinfo Security, 2020, 20(4): 55-64.
[3]	Zhiyan ZHAO, Xiaomo JI. Research on the Intelligent Fusion Model of Network Security Situation Awareness [J]. Netinfo Security, 2020, 20(4): 87-93.
[4]	Ning LI, Bochao LI. Token-based UTM Architecture for Mobile Internet [J]. Netinfo Security, 2020, 20(3): 18-28.
[5]	Xinglong ZHANG, Yuting LI, Qingfeng CHENG, Lulu GUO. A Browser Security Model for Preventing TLS Protocol Downgrade Attacks [J]. Netinfo Security, 2020, 20(3): 65-74.
[6]	Yi ZHANG, Hongyan LIU, Hequn XIAN, Chengliang TIAN. A Cloud Storage Encrypted Data Deduplication Method Based on Authorization Records [J]. Netinfo Security, 2020, 20(3): 75-82.
[7]	Shuilin LI, Guobang ZHU, Chunling FAN, Guangyong CHEN. Research on a New Scoring Algorithm of Testing and Evaluation for Classified Cybersecurity Protection [J]. Netinfo Security, 2020, 20(2): 1-6.
[8]	Xiao WANG, Jun ZHAO, Jianbiao ZHANG. Research on Dynamic Monitoring Mechanism for Virtual Machine Based on Trusted Software Base [J]. Netinfo Security, 2020, 20(2): 7-13.
[9]	Weimin LANG, Han ZHANG, Yifeng ZHAO, Jinfang YAO. A Blockchain-based Behavior Regulation and Activities Management Scheme for Internet of Things [J]. Netinfo Security, 2020, 20(2): 22-29.
[10]	Mengmeng YAO, Li TANG, Yongxing LING, Weidong XIAO. Formal Analysis of Security Protocol Based on Strand Space [J]. Netinfo Security, 2020, 20(2): 30-36.
[11]	Lu YU, Senlin LUO. A Method of Internal Intrusion Detection of Database in RBAC Mode [J]. Netinfo Security, 2020, 20(2): 83-90.
[12]	Tao JING, Wei WAN. Research on a P2P Network Communication Behavior Analytical Method for Status Migration Attribute-oriented [J]. Netinfo Security, 2020, 20(1): 16-25.
[13]	Die HU, Dongtang MA, Ming GONG, Zhao MA. A Physical Layer Security Authentication Method Based on PUF [J]. Netinfo Security, 2020, 20(1): 61-66.
[14]	Chonghua WANG, Jun LI, Xuehong CHEN. Research on Industrial Internet Platform Security Protection [J]. Netinfo Security, 2019, 19(9): 6-10.
[15]	Guogang ZHENG. Implementation Methods and Technical Measures for Security Inspection of Important Information Systems [J]. Netinfo Security, 2019, 19(9): 16-20.