Paper 2011/526

Universally Composable Security Analysis of OAuth v2.0

Suresh Chari, Charanjit Jutla, and Arnab Roy

Abstract

This paper defines an ideal functionality for delegation of web access to a third-party where the authentication mechanism is password-based. We give a universally-composable (UC) realization of this ideal functionality assuming the availability of an SSL-like ideal functionality. We also show that this implementation can be further refined to give a browser based implementation whenever the browser supports https redirection. This implementation matches the 'Authorization Code' mode of the OAuth Version 2.0 Internet draft proposal, with the additional requirement that the third-party along with the Authorization Server must support an SSL-like functionality. From the universally-composable perspective, our ideal functionality definition is novel in the respect that it does not require the three parties to decide on a session identifier in advance, which is usually assumed in a UC setting. This allows us to realize the ideal functionality without any wrapper code, and thus exactly matching the desired protocol in the OAuth standard.

Note: Minor edit on page 2.

Metadata
Available format(s)
PDF PS
Publication info
Published elsewhere. Unknown where it was published
Keywords
OAuthUCSSLTLSDelegationPassword-based Key Exchange
Contact author(s)
csjutla @ us ibm com
History
2011-09-26: received
Short URL
https://ia.cr/2011/526
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2011/526,
      author = {Suresh Chari and Charanjit Jutla and Arnab Roy},
      title = {Universally Composable Security Analysis of {OAuth} v2.0},
      howpublished = {Cryptology {ePrint} Archive, Paper 2011/526},
      year = {2011},
      url = {https://eprint.iacr.org/2011/526}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.