LI Jian-jun,GUO Wei-qing,XU Duan-qing

DOI: https://doi.org/10.3969/j.issn.1000-7024.2006.15.056

2006-01-01

Abstract:Authentication is the core and the first gateway to computer security system. With mentality of middleware and the tokencard authentication system, the improved project of GINA and extensional technology on Windows are introduced and a more flexible mecha- nism for the two-factor authentication module is provided. With the virtual tokencard technology, the Tokencard make the multi-role logon authentication possible and it proves to be more flexible and reliable.

Liang Kou,Yiqi Shi,Liguo Zhang,Duo Liu,Qing Yang

DOI: https://doi.org/10.32604/cmc.2019.03760

2019-01-01

Abstract:With the development of computer hardware technology and network technology, the Internet of Things as the extension and expansion of traditional computing network has played an increasingly important role in all professions and trades and has had a tremendous impact on people lifestyle. The information perception of the Internet of Things plays a key role as a link between the computer world and the real world. However, there are potential security threats in the Perceptual Layer Network applied for information perception because Perceptual Layer Network consists of a large number of sensor nodes with weak computing power, limited power supply, and open communication links. We proposed a novel lightweight authentication protocol based on password, smart card and biometric identification that achieves mutual authentication among User, GWN and sensor node. Biometric identification can increase the non-repudiation feature that increases security. After security analysis and logical proof, the proposed protocol is proven to have a higher reliability and practicality.

Rong Fan,Dao-jing He,Xue-zeng Pan,Ling-di Ping

DOI: https://doi.org/10.1631/jzus.c1000377

2011-01-01

Abstract:Wireless sensor networks (WSNs) are vulnerable to security attacks due to their deployment and resource constraints. Considering that most large-scale WSNs follow a two-tiered architecture, we propose an efficient and denial-of-service (DoS)-resistant user authentication scheme for two-tiered WSNs. The proposed approach reduces the computational load, since it performs only simple operations, such as exclusive-OR and a one-way hash function. This feature is more suitable for the resource-limited sensor nodes and mobile devices. And it is unnecessary for master nodes to forward login request messages to the base station, or maintain a long user list. In addition, pseudonym identity is introduced to preserve user anonymity. Through clever design, our proposed scheme can prevent smart card breaches. Finally, security and performance analysis demonstrates the effectiveness and robustness of the proposed scheme.

Rong Fan,Lingdi Ping,JianQing Fu,Xuezeng Pan

DOI: https://doi.org/10.1109/PACCS.2010.5626600

2010-01-01

Abstract:As wireless sensor networks (WSNs) are susceptible to attacks and sensor nodes have limited resources, designing a secure and efficient user authentication protocol for WSNs is a difficult task. Considering that most future large-scale WSNs follow a two-tiered architecture, we propose an efficient and Denial-of-Service resistant user authentication scheme for two-tiered WSNs, which imposes very light computational load and requires simple operations such as one-way hash function and exclusive-OR operations. In addition, there is a growing requirement for preserving user anonymity recently. Thus we introduce pseudonym identity for each user which is concealed in login messages. And through clever design, our proposed scheme can prevent from smart card breach. Moreover, the security analysis on this scheme demonstrates that our proposed scheme enjoys security attributes such as preventing the various kinds of attacks and user anonymity. Finally, performance analysis shows that our proposed scheme is simple and efficient.

Hao Kong,Li Lu,Jiadi Yu,Yingying Chen,Xiangyu Xu,Feilong Tang,Yi-Chao Chen

DOI: https://doi.org/10.1145/3466772.3467032

2021-01-01

Abstract:ABSTRACTWith the increasing integration of humans and the cyber world, user authentication becomes critical to support various emerging application scenarios requiring security guarantees. Existing works utilize Channel State Information (CSI) of WiFi signals to capture single human activities for non-intrusive and device-free user authentication, but multi-user authentication remains a challenging task. In this paper, we present a multi-user authentication system, MultiAuth, which can authenticate multiple users with a single commodity WiFi device. The key idea is to profile multipath components of WiFi signals induced by multiple users, and construct individual CSI from the multipath components to solely characterize each user for user authentication. Specifically, we propose a MUltipath Time-of-Arrival measurement algorithm (MUTA) to profile multipath components of WiFi signals in high resolution. Then, after aggregating and separating the multipath components related to users, MultiAuth constructs individual CSI based on the multipath components to solely characterize each user. To identify users, MultiAuth further extracts user behavior profiles based on the individual CSI of each user through time-frequency analysis, and leverages a dual-task neural network for robust user authentication. Extensive experiments involving 3 simultaneously present users demonstrate that MultiAuth is accurate and reliable for multi-user authentication with 87.6% average accuracy and 8.8% average false accept rate.

Hao Kong,Li Lu,Jiadi Yu,Yingying Chen,Xiangyu Xu,Feng Lyu

DOI: https://doi.org/10.1109/tnet.2023.3237686

2023-01-01

Abstract:User authentication nowadays has become an important support for not only security guarantees but also emerging novel applications. Although WiFi signal-based user authentication has achieved initial success, it works in single-user scenarios while multi-user authentication remains a challenging task. In this paper, we present MultiAuth, a multi-user authentication system that can authenticate multiple users with a single pair of commodity WiFi devices. The basic idea is to profile multipath components of WiFi signals, and leverage the multipath components to characterize each user individually for multi-user authentication. MultiAuth first profiles multipath components of WiFi signals through a proposed MUltipath Time-of-Arrival estimation algorithm (MUTA). Then, after matching corresponding multipath components to each user in complex multi-user scenarios, MultiAuth constructs individual CSI based on the multipath components to characterize each user individually. An AoA-based approach is exploited to further separate individual CSI constructed by the users with same ToA. To identify users through their activities, MultiAuth extracts user behavior profiles based on the individual CSI, and leverages a dual-task neural network for robust user authentication. Extensive experiments involving 3 simultaneously present users demonstrate that MultiAuth is effective in multi-user authentication with 86.2% average accuracy and 9.5% average false accept rate.

Hui Wang,Yuanyuan Zhang,Juanru Li,Dawu Gu

DOI: https://doi.org/10.1145/2991079.2991105

2016-01-01

Abstract:Websites and mobile applications today increasingly utilize OAuth for authorization and authentication. Major companies such as Facebook, Google and Twitter all provide OAuth services. The usage of OAuth for authorization is well documented and has been studied by many researchers. However, little work has been done to specify or analyze the usage of OAuth for authentication. Given that many developers have employed OAuth for authentication on multiple platforms, we believe it is imperative to conduct a study to understand how developers customize OAuth for authentication on different platforms. In this paper, we analyze how popular applications on the Web, Android and iOS platform authenticate users with OAuth. Our approach is to dissect the traffic from an attacker's perspective to recover the authentication mechanisms employed by the apps and identify exploitable vulnerabilities. The results show that OAuth-based authentication mechanisms employed by these applications lack sufficient verification and suffer from many vulnerabilities. Closer examination reveals that developers have different tendencies to authenticate users with OAuth on different platforms, and 32.9%, 47.1% and 41.6% of the analyzed mechanisms on the three platforms are vulnerable. We then categorize the root causes of these vulnerabilities and make practical recommendations for developers to help design and implement robust authentication mechanisms with OAuth.

Wanpeng Li,Chris J Mitchell,Thomas Chen

DOI: https://doi.org/10.48550/arXiv.1801.07983

2018-01-24

Abstract:Many millions of users routinely use their Google, Facebook and Microsoft accounts to log in to websites supporting OAuth 2.0 and/or OpenID Connect-based single sign on. The security of OAuth 2.0 and OpenID Connect is therefore of critical importance, and it has been widely examined both in theory and in practice. Unfortunately, as these studies have shown, real-world implementations of both schemes are often vulnerable to attack, and in particular to cross-site request forgery (CSRF) attacks. In this paper we propose a new technique which can be used to mitigate CSRF attacks against both OAuth 2.0 and OpenID Connect.

Cryptography and Security

Swarag Sharma,Jevitha Kp

DOI: https://doi.org/10.1109/i-PACT58649.2023.10434479

2023-12-08

Abstract:Many users all over the world routinely use open authentication and authorization providers based on OAuth 2.0 framework such as Google, Facebook etc. to sign in to third-party websites (relying party). The authentication (OpenID connect) and authorization (OAuth) protocol based on OAuth 2.0 framework enables the relying party application to authenticate its users and gain access to their protected resources without storing any of the sensitive user credentials such as usernames and passwords. Hence, the implementation of these protocols by the relying parties and identity providers play an important role in security of the user information and their privacy. The risk of attacks on improper implementation of these protocols can cause unauthorized access to the user accounts. In this work, we focused on testing the OAuth implementations done by the relying parties. For the secure implementation of OAuth 2.0 we found that following parameters must be present while generating OAuth request: client_id, state, response_type, redirect_uri and scope. We have analyzed our work with around 75 websites that were using Google as an identity provider to provide access to its users. Out of 75 relying parties, 30% were found vulnerable to CSRF attack due to missing state parameter, 13% used implicit flow which reveals id_token or access_token in the OAuth URL and 2% had secret parameters in OAuth URL. We developed a browser extension which successfully identify and alert its user on these issues.

Computer Science

Hui Wang,Yuanyuan Zhang,Juanru Li,Hui Liu,Wenbo Yang,Bodong Li,Dawu Gu

DOI: https://doi.org/10.1145/2818000.2818024

2015-01-01

Abstract:Enforcing security on various implementations of OAuth in Android apps should consider a wide range of issues comprehensively. OAuth implementations in Android apps differ from the recommended specification due to the provider and platform factors, and the varied implementations often become vulnerable. Current vulnerability assessments on these OAuth implementations are ad hoc and lack a systematic manner. As a result, insecure OAuth implementations are still widely used and the situation is far from optimistic in many mobile app ecosystems. To address this problem, we propose a systematic vulnerability assessment framework for OAuth implementations on Android platform. Different from traditional OAuth security analyses that are experiential with a restrictive three-party model, our proposed framework utilizes an systematic security assessing methodology that adopts a five-party, three-stage model to detect typical vulnerabilities of popular OAuth implementations in Android apps. Based on this framework, a comprehensive investigation on vulnerable OAuth implementations is conducted at the level of an entire mobile app ecosystem. The investigation studies the Chinese mainland mobile app markets (e.g., Baidu App Store, Tencent, Anzhi) that covers 15 mainstream OAuth service providers. Top 100 relevant relying party apps (RP apps) are thoroughly assessed to detect vulnerable OAuth implementations, and we further perform an empirical study of over 4,000 apps to validate how frequently developers misuse the OAuth protocol. The results demonstrate that 86.2% of the apps incorporating OAuth services are vulnerable, and this ratio of Chinese mainland Android app market is much higher than that (58.7%) of Google Play.

Caimei Wang,Yan Xiong,Wenchao Huang,Huihua Xia,Jianmeng Huang,Cheng Su

DOI: https://doi.org/10.1109/bigcom.2017.50

2017-01-01

Abstract:OAuth dynamic client registration protocol (ODCRP) is designed to implement the dynamic registration process between a third-party site and an authorization server (AS). When a third-party site has completed the registration on an AS, a user can authorize the third-party site by the AS to access the protected resource on a resource server. After the user has completed the authorization, the AS redirects the user to a designated site based on the registration information. However, if an AS was attacked by an attacker after completed the register, the attacker may modify or forge registration information, then a user may be redirected to a malicious site.To solve the problem above, we propose a verified secure protocol model of OAuth dynamic client registration (VSPM ODCR) which can be used to ensure the security of the registration information. Our approach is to separate the registration function from the AS by introducing a security registry center. All the sensitive parameters about the registration process will be protected by the security registry center. The protected registration information is designed to be verifiable. That is, at the time of authorization, the AS provides the registration information of the third-party site to be verified by the user. As a result, the AS attacked by an attacker can not complete the authorization function without the help of the security registration center. To prove the reliability of the model, we give an abstract formal description of the model, and a formal definition of the security properties needed to be satisfied. At last, we verify the authenticity property and the integrity of the registration information about two concrete configurations in model by ProVerif.

Wanpeng Li,Chris J Mitchell,Thomas Chen

DOI: https://doi.org/10.48550/arXiv.1901.08960

2019-01-25

Abstract:Millions of users routinely use Google to log in to websites supporting OAuth 2.0 or OpenID Connect; the security of OAuth 2.0 and OpenID Connect is therefore of critical importance. As revealed in previous studies, in practice RPs often implement OAuth 2.0 incorrectly, and so many real-world OAuth 2.0 and OpenID Connect systems are vulnerable to attack. However, users of such flawed systems are typically unaware of these issues, and so are at risk of attacks which could result in unauthorised access to the victim user's account at an RP. In order to address this threat, we have developed OAuthGuard, an OAuth 2.0 and OpenID Connect vulnerability scanner and protector, that works with RPs using Google OAuth 2.0 and OpenID Connect services. It protects user security and privacy even when RPs do not implement OAuth 2.0 or OpenID Connect correctly. We used OAuthGuard to survey the 1000 top-ranked websites supporting Google sign-in for the possible presence of five OAuth 2.0 or OpenID Connect security and privacy vulnerabilities, of which one has not previously been described in the literature. Of the 137 sites in our study that employ Google Sign-in, 69 were found to suffer from at least one serious vulnerability. OAuthGuard was able to protect user security and privacy for 56 of these 69 RPs, and for the other 13 was able to warn users that they were using an insecure implementation.

Cryptography and Security

Xu Liao,Li Zhang,Stephen C. F. Chan

DOI: https://doi.org/10.1007/978-3-540-31979-5_15

2005-01-01

Abstract:One of the shortcomings of the Role-Based Access Control model (RBAC), used in Workflow Management Systems (WfMS), is that it cannot grant permissions to users dynamically while business processes are being executed., We propose a Take-Oriented Access Control (TOAC) model based on RBAC to remedy this problem. In TOAC, permissions are associated with tasks as well as roles. Users can get permissions through tasks that they carry out in certain processes. And when they are out of processes, permissions can be granted by the roles that they are associated with. Moreover, to facilitate delegation in WfMS, we present a task delegation model which is aim at TOAC.

Jiang Lifeng,Zhao Baohua

DOI: https://doi.org/10.3321/j.issn:1002-8331.2006.18.071

2006-01-01

Abstract:In the face of more and more problems of security of application information system,this paper analyses the disadvantage and shortage of traditional authentication authorization system.It promotes the whole structure of authentication authorization system based on the Java Authentication Authorization Service framework and model of Role-Based Access Control and its realization process are given.Some relative key techniques including the design of authentication module and authorization module are emphasized.

Ao Zhang,Xiaoying Bai

DOI: https://doi.org/10.1007/978-981-15-2777-7_22

2019-01-01

Abstract:With the development of digital society, the number of Internet platforms increases rapidly and a huge amount of personal information is stored online. It is convenient for users to log in to all platforms with a common account. Third-party authorization protocols like OAuth 2.0 allow the delegation of access control to dedicated service providers. However, OAuth protocol follows the centralized approach to manage authorization and authentication information, which relies on a centralized party and makes it a target under attack. In practice, it is vulnerable to attacks like replay attack, cross-site request forgery (CSRF) attack, and so on. Also, the centralized party cannot provide customized access control for other platforms. To solve these problems, the paper proposes a consortium blockchain architecture and designs protocols for account management and distributed consensus. The paper discusses the potentials of the proposed approach to effectively address certain vulnerabilities in current OAuth-like authorization and authentication services with tolerable performance.

Xiong Li,Jianwei Niu,Kim-Kwang Raymond Choo

DOI: https://doi.org/10.1007/978-3-319-62024-4_3

2017-01-01

Abstract:As a typical application of Internet of Things (IoT), wireless sensor networks (WSNs) have been widely used in many fields, such as remote healthcare, to gather data of monitoring area. However, due to open nature of wireless channel and limited computing and storage resource of sensor node, how to guarantee the sensitive sensed data are only be accessed by valid user becomes an important issue. Many user authentication protocols for WSNs have been proposed to address this issue, however, previous work more or less have their own weaknesses. Recently, Gope and Hwang proposed a lightweight anonymity authentication for WSNs, and they claimed that their protocol is secure against most attacks. However, our analysis indicates that their protocol still has some design and security flaws. To address the security issue for WSNs, a user authentication protocol with privacy protection for WSNs has been proposed. The analysis and comparisons results show that the proposed protocol is a robust and security one for WSNs.

San-Tsai Sun

Abstract:Social login is currently used by millions of Facebook users to sign in more than one million supporting websites. The protocol behinds this web-based single sign-on (SSO) scheme is OAuth 2.0, which is also adopted by major service providers such as Google and Microsoft. Several formal methods have been used to analyze the security of the OAuth protocol, but no novel threat is found. To understand and improve the security of OAuth 2.0 SSO systems in the real-world settings, this work investigates potential security threats by examining the implementations of three major identity providers (i.e., Facebook, Microsoft and Google) and about one hundred popular supporting websites listed on Google Top 1,000 Websites. Our analysis and evaluation found several systematic weaknesses that allow an attacker to gain unauthorized access to the victim user’s profile and social graph on the identity providers, as well as impersonating the victim on the supporting website. A further investigation found that those weaknesses are rooted from a set of simplicity features o↵ered by the design of the protocol and IdP implementations. Based on the insights from this analysis, we recommend practical countermeasures to mitigate the uncovered threats.

Computer Science

Jalaluddin Khan,Jian ping Li,Ikram Ali,Shadma Parveen,Ghufran ahmad Khan,Mudassir Khalil,Asif Khan,Amin Ul Haq,Mohammad Shahid

DOI: https://doi.org/10.1109/ICCWAMTIP.2018.8632587

2018-01-01

Abstract:Internet of Things (loT)is the fast-growing emerging technology and it is making our daily life (activities)easier and better. The loT is connecting millions of sensors and heterogeneous devices having different computation, communication, and storage capabilities which are increasing rapidly. The loT network is dissimilar and larger from the conventional network. However, different natures of the connected devices raising security concerns and challenges which affect the importance of loT technology. In this paper, we proposed an authentication scheme based on the OAuth 2.0 protocol to secure access loT network by providing authentication service. An OAuth 2.0 protocol is used to propose authentication mechanism to allow only authorized and authentic users by comparing user information and access tokens in the security manager local database and denies the access to the loT network. It also keeps safe loT network from different types of attacks like impersonation and replays attacks etc.

Jaimandeep Singh,Naveen Kumar Chaudhary

2023-08-03

Abstract:OAuth 2.0 is a popular authorization framework that allows third-party clients such as websites and mobile apps to request limited access to a user's account on another application. The specification classifies clients into different types based on their ability to keep client credentials confidential. It also describes different grant types for obtaining access to the protected resources, with the authorization code and implicit grants being the most commonly used. Each client type and associated grant type have their unique security and usability considerations. In this paper, we propose a new approach for OAuth ecosystem that combines different client and grant types into a unified singular protocol flow for OAuth (USPFO), which can be used by both confidential and public clients. This approach aims to reduce the vulnerabilities associated with implementing and configuring different client types and grant types. Additionally, it provides built-in protections against known OAuth 2.0 vulnerabilities such as client impersonation, token (or code) thefts and replay attacks through integrity, authenticity, and audience binding. The proposed USPFO is largely compatible with existing Internet Engineering Task Force (IETF) Proposed Standard Request for Comments (RFCs), OAuth 2.0 extensions and active internet drafts.

Cryptography and Security,Computers and Society

Yu Zhang,Huimei Lu,Yong Xiang

DOI: https://doi.org/10.3969/j.issn.1001-3695.2017.03.061

2017-01-01

Abstract:Federated identity was applied to achieve single-sign-on for the situation in which users were from different organizations.However,the diversity of resources brought about trouble of management.To solve the problem,this paper selected Shibboleth as a method of federated identity.System in federation provided REST API of their own resources,and released the authorization code which identified the access rights of resource by the attribute publishing policy in Shibboleth,thus it accessed multi-resouce by users from different organazations after unified authentication.Taking online experimental platform based on OpenEdX as an example,it implemented unified authentication and authorization of complex resources.It applied Shibboleth to authenticate users,coupled with REST API and authorization code,and it shared complex resources during several systems.Moreover,it developed some XBlocks on OpenEdX to share data with other systems.