The Scheme of Open Authorization Based on FIDO UAF

doi:10.3969/j.issn.1671-1122.2017.06.006

Abstract

Abstract: OAuth2.0 as open authorization standard,is one of the most popular API access control. While using the traditional authentication has some limitations: authorization server is responsible for issuing the access token as well as managing user’s information; traditional authentication such as username/password is vulnerable to many attacks. This scheme will be based on FIDO UAF architectural identity authentication combined with OAuth2.0 agreement, when a user logs in using biometric identification technology to identity himself, meeting the demand of security, user experience, etc. This paper studies OAuth2.0 and FIDO UAF, then designs authentication scheme and authorization scheme and mix them. We describe the framework and detail process of authentication and authorization.Finally, we give an example of system design to fulfill the new scheme.

Key words: OAuth2.0, FIDO, authorization, biometrics identification

CLC Number:

TP393

LI Lianglei, SHAO Lisong, WANG Chuanyong, LIU Yong. The Scheme of Open Authorization Based on FIDO UAF[J]. 信息网络安全, 2017, 17(6): 35-42.

References

[1] ALOTAIBI A, MAHMMOD A. Enhancing OAuth Services Security by an Authentication Service with Face Recognition[C]//IEEE. Systems Applications and Technology Conference (LISAT), 2015 IEEE Long Island, May 1 ,2015,Farmingdale, NY, USA .New York:IEEE,2015: 1-6.
[2] 吴世梁.基于OAUTH协议的动态口令认证平台设计与实现[D]. 北京：北京邮电大学,2014 .
[3] 魏成坤,刘向东,石兆军. 基于OAuth2.0的认证授权技术研究[J]. 信息网络安全, 2016(9) : 6-11.
[4] 阮杰辉.智能家居平台中认证授权系统的设计与实现[D]. 西安：西安电子科技大学,2014.
[5] 李俊.身份认证技术标准及FIDO介绍[EB/OL]. http://www.docin.com/p-1473275310.html,2015-11-15/2016-6-15.
[6] LINDERMANN D R. DAVIT B, BRAD H. FIDO Technical Glossary[EB/OL].https://fidoalliance.org/specs/fido-uaf-v1.0-ps-20141208/fido-glossary-v1.0-ps-20141208.pdf,2014-12-10/2016-6-15.
[7] LINDERMANN D R. DAVIT B, BRAD H. FIDO Technical Glossary[EB/OL].https://fidoalliance.org/specs/fido-u2f-v1.1-id-20160915/fido-u2f-overview-v1.1-v1.1-id-20160915.html, 2014-12-10/2016-6-15.
[8] ARMANDO A, CARBONE R, COMPAGNA L,et al. An Authentication Flaw in Browser-based Single Sign-on Protocols: Impact and Remediations[J].Computers & Security,2013,33 (4)：41-58.
[9] ARMANDO A, CARBONE R, COMPAGNA L,et al. Formal Analysis of SAML 2.0 Web Browser Single Sign-on: Breaking the Saml-based Single Sign-on for Google Apps[C]//ACM. FMSE '08 Proceedings of the 6th ACM workshop on Formal methods in security engineering ,October 27 , 2008,Alexandria, Virginia, USA. New York: ACM,2008：1-10.
[10] RYCK P D,DESMET L,HEYMAN T,et al.Csfire: Transparent Client-Side Mitigation of Malicious Cross-Domain Requests[C]// ESSoS 2010.Engineering Secure Software and Systems, Second International Symposium, February 3-4, 2010 , Pisa, Italy. Heidelberg：Springer, 2010：18-34.
[11] PAI S,SHARMA Y,KUMAR S,et al.Formal Verification of Oauth 2.0 Using Alloy Framework[C]// IEEE .CSNT '11 Proceedings of the 2011 International Conference on Communication Systems and Network Technologies,June 03 - 05, 2011,Shri Mata Vaishno Devi University, Katra, Jammu,India. New York: IEEE, 2011：655-659.
[12] ALESSANDRI A D ,BESCHI S ,CASCIARO R,et al. The Devil is in the (Implementation) Details:an Empirical Analysis of Oauth SSO Systems[C]//ACM .CCS '12 Proceedings of the 2012 ACM conference on Computer and communications security. New York：ACM, 2012：378-390.
[13] 江伟玉,高能,刘泽艺,等.一种云计算中的多重身份认证与授权方案[J]. 信息网络安全. 2012(8) : 7-10).
[14] 胡可欣.FIDO UAF认证协议的安全性研究[D]. 合肥：中国科学技术大学,2016.
[15] 邱登峰.基于Hadoop可公共审计云存储的设计与实现[D].大连：大连理工大学,2015.
[16] 曹晔.基于校园网的单点登录系统的研究与设计[D].北京：首都经济贸易大学,2009.
[17] 王耀龙.基于FIDO架构在线指纹识别系统客户端的设计与实现[D]. 北京：北京交通大学, 2015.
[18] 林晓锋, 房牧, 李强,等.一种基于指纹识别的Windows系统登录方法设计与实现[J].信息网络安全, 2016(9): 130-133.