You are looking at a specific version 20050502:182156 of this paper. See the latest version.

Paper 2005/127

Browser Model for Security Analysis of Browser-Based Protocols

Thomas Groß and Birgit Pfitzmann and Ahmad-Reza Sadeghi

Abstract

Currently, many industrial initiatives focus on web-based applications. In this context an important requirement is that the user should only rely on a standard web browser. Hence the underlying security services also rely solely on a browser for interaction with the user. Browser-based identity federation is a prominent example of such a protocol. Unfortunately, very little is still known about the security of browser-based protocols, and they seem at least as error-prone as standard security protocols. In particular, standard web browsers have limited cryptographic capabilities and thus new protocols are used. Furthermore, these protocols require certain care by the user in person, which must be modeled. In addition, browsers, unlike normal protocol principals, cannot be assumed to do nothing but execute the given security protocol. In this paper, we lay the theoretical basis for the rigorous analysis and security proofs of browser-based security protocols. We formally model web browsers, secure browser channels, and the security-relevant browsing behavior of a user as automata. As a first rigorous security proof of a browser-based protocol we prove the security of password-based user authentication in our model. This is not only the most common stand-alone type of browser authentication, but also a fundamental building block for more complex protocols like identity federation.

Note: Formal browser-model in the Pfitzmann/Waidner model for reactive systems, developed for rigorous security proofs of browser-based protocols, such as in the prominent area of identity federation.

Metadata
Available format(s)
PDF
Category
Foundations
Publication info
Published elsewhere. Unknown where it was published
Keywords
identification protocols web browser
Contact author(s)
tgr @ zurich ibm com
History
2005-05-02: received
Short URL
https://ia.cr/2005/127
License
Creative Commons Attribution
CC BY
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.