Cryptology ePrint Archive: Report 2005/127
Browser Model for Security Analysis of Browser-Based Protocols
Thomas Groß and Birgit Pfitzmann and Ahmad-Reza Sadeghi
Abstract: Currently, many industrial initiatives focus on web-based applications. In this context an important requirement is that the user should only rely on a standard web browser. Hence the underlying security services also rely solely on a browser for interaction with the user.
Browser-based identity federation is a prominent example of such
a protocol. Unfortunately, very little is still known about the security of browser-based protocols, and they seem at least as error-prone as standard security protocols. In particular, standard web browsers have limited cryptographic capabilities and thus new protocols are used. Furthermore, these protocols require certain care by the user in person, which must be modeled. In addition, browsers, unlike normal protocol principals, cannot be assumed to do nothing but execute the given security protocol.
In this paper, we lay the theoretical basis for the rigorous analysis and security proofs of browser-based security protocols. We formally model web browsers, secure browser channels, and the security-relevant browsing behavior of a user as automata. As a first rigorous security proof of a browser-based protocol we prove the security of password-based user authentication in our model. This is not only the most common stand-alone type of browser authentication, but also a fundamental building block for more complex protocols like identity federation.
Category / Keywords: foundations / identification protocols web browser
Date: received 2 May 2005
Contact author: tgr at zurich ibm com
Available formats: PDF | BibTeX Citation
Note: Formal browser-model in the Pfitzmann/Waidner model for reactive systems, developed for rigorous security proofs of browser-based protocols, such as in the prominent area of identity federation.
Version: 20050502:182156 (All versions of this report)
Discussion forum: Show discussion | Start new discussion
[ Cryptology ePrint archive ]