
Formal Security Analysis of OpenID with GBA Protocol

  • Conference paper

Abstract

This paper presents a formal security analysis of the 3GPP-standardized OpenID with Generic Bootstrapping Architecture (GBA) protocol, which allows mobile phone users to log in to OpenID services with credentials derived from their SIM. We used an automatic protocol analyzer to prove the key security properties of the protocol. In addition, we analyzed the robustness of the protocol under several network attacks and different threat models (e.g., a compromised OpenID Provider (OP) or a compromised user entity). The result shows that the protocol satisfies the key security properties under specific security settings and trust assumptions.
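To make the protocol under analysis concrete, the following is an added illustration in Python; it is not part of the paper and is not the authors' ProVerif model. It simulates the GBA leg of OpenID/GBA: the UE bootstraps a master key Ks with the BSF, derives the OP-specific key Ks_NAF, and authenticates to the OP, which acts as a NAF, with HTTP Digest using the B-TID as username and Ks_NAF as password. The AKA run against the USIM is abstracted to a random Ks, the KDF layout follows TS 33.220 Annex B as I recall it and should be treated as an assumption, the Ua protocol identifier octets are placeholders, and all host names and identities are constructed. The two attack switches show what matters under the compromised-OP threat model the abstract mentions: a NAF-specific key obtained from one NAF is useless at another, and a captured Digest response fails a fresh challenge.

```python
"""Illustrative model of the GBA leg of OpenID/GBA (added example, not the paper's code)."""
import base64
import hashlib
import hmac
import os

BSF_DOMAIN = "bsf.example.net"  # constructed: BSF domain carried in the B-TID
IMPI = "user@ims.example.net"   # constructed: subscriber's private identity


def gba_kdf(ks: bytes, rand: bytes, impi: str, naf_id: bytes) -> bytes:
    """Ks_NAF = KDF(Ks, "gba-me", RAND, IMPI, NAF_Id).

    TS 33.220 Annex B defines KDF as HMAC-SHA-256(Ks, S) with
    S = FC || P0 || L0 || P1 || L1 || P2 || L2 || P3 || L3, FC = 0x01 and
    each Li the 16-bit big-endian length of Pi. That layout is assumed here,
    not transcribed from the spec.
    """
    s = bytes([0x01])
    for p in (b"gba-me", rand, impi.encode(), naf_id):
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(ks, s, hashlib.sha256).digest()


def naf_id(fqdn: str, ua_protocol_id: bytes = bytes(5)) -> bytes:
    """NAF_Id = NAF FQDN || Ua security protocol identifier (placeholder octets)."""
    return fqdn.encode() + ua_protocol_id


def b_tid(rand: bytes) -> str:
    """B-TID = base64(RAND)@BSF domain; used as the Digest username."""
    return base64.b64encode(rand).decode() + "@" + BSF_DOMAIN


def _md5hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def digest_response(user, pw, realm, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 Digest response with qop=auth."""
    ha1 = _md5hex(f"{user}:{realm}:{pw}")
    ha2 = _md5hex(f"{method}:{uri}")
    return _md5hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


class BSF:
    """Bootstrapping Server Function: keeps Ks per B-TID, releases only Ks_NAF."""

    def __init__(self):
        self._sessions = {}

    def bootstrap(self, impi):
        """Ub interface. AKA against the USIM is abstracted: Ks (= CK||IK) is
        drawn at random; the UE ends up holding (B-TID, RAND, Ks) as after AKA."""
        rand, ks = os.urandom(16), os.urandom(32)
        tid = b_tid(rand)
        self._sessions[tid] = (rand, impi, ks)
        return tid, rand, ks

    def zn_fetch(self, tid, naf):
        """Zn interface: the NAF presents B-TID and its NAF_Id and gets Ks_NAF back."""
        rand, impi, ks = self._sessions[tid]
        return gba_kdf(ks, rand, impi, naf)


def openid_gba_login(attack=None, op_fqdn="op.example.org"):
    """One Ua authentication of the UE to the OP acting as NAF.

    attack=None      honest run
    attack="replay"  a network attacker replays a captured response to a fresh challenge
    attack="cross"   a compromised NAF other than the OP tries its own Ks_NAF at the OP
    Returns (accepted, key_used_by_client, key_fetched_by_op).
    """
    bsf = BSF()
    tid, rand, ks = bsf.bootstrap(IMPI)
    op_naf = naf_id(op_fqdn)
    realm, uri, nc = "3GPP-bootstrapping@" + op_fqdn, "/openid/auth", "00000001"

    # Client side: derive Ks_NAF for the target NAF and use its base64 as password.
    # In the "cross" case the client is the compromised NAF, which only holds the
    # key derived for its own NAF_Id (key separation per NAF).
    target = op_naf if attack != "cross" else naf_id("other-naf.example.org")
    client_key = gba_kdf(ks, rand, IMPI, target)
    server_nonce, client_nonce = os.urandom(8).hex(), os.urandom(8).hex()
    response = digest_response(tid, base64.b64encode(client_key).decode(),
                               realm, "GET", uri, server_nonce, nc, client_nonce)

    if attack == "replay":
        server_nonce = os.urandom(8).hex()  # OP issued a new challenge; response is stale

    # OP side: fetch Ks_NAF over Zn for the presented B-TID and recompute the response.
    op_key = bsf.zn_fetch(tid, op_naf)
    expected = digest_response(tid, base64.b64encode(op_key).decode(),
                               realm, "GET", uri, server_nonce, nc, client_nonce)
    return hmac.compare_digest(response, expected), client_key, op_key


if __name__ == "__main__":
    for a in (None, "replay", "cross"):
        print(a, openid_gba_login(a)[0])
```

Note that Ks never leaves the UE and the BSF: the OP only ever receives the NAF-specific Ks_NAF over Zn, which is what bounds the damage of a compromised OP in this model. The example does not cover the OpenID redirect flow between the relying party and the OP, which is where the TLS and OpenID-specific assumptions of the analysis come in.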




Copyright information

© 2012 ICST Institute for Computer Science, Social Informatics and Telecommunications Engineering

About this paper

Cite this paper

Ahmed, A.S., Laud, P. (2012). Formal Security Analysis of OpenID with GBA Protocol. In: Prasad, R., Farkas, K., Schmidt, A.U., Lioy, A., Russello, G., Luccio, F.L. (eds) Security and Privacy in Mobile Information and Communication Systems. MobiSec 2011. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 94. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-30244-2_10


  • DOI: https://doi.org/10.1007/978-3-642-30244-2_10

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-30243-5

  • Online ISBN: 978-3-642-30244-2

  • eBook Packages: Computer Science (R0)
