Abstract
To guarantee the security of the OAuth 2.0 protocol and to prevent threats that arise during implementation, such as token leakage, phishing attacks and man-in-the-middle attacks, the original protocol framework is optimized. A trust mechanism (a trust channel) is established between the Authorization Server and the Resource Server, trust information is synchronized between them, and a "security node" (security endpoint) is introduced in the Authorization Server to strengthen security checks and improve the security of the system. The Scyther tool is used to perform a formal security analysis of OAuth 2.0, which confirms that the protocol is exposed to token leakage and related threats; the same formal verification is then applied to the new model. Formal analysis before and after the optimization, together with comparison in real application scenarios, shows that the proposed model effectively resists token leakage, phishing attacks, man-in-the-middle attacks and other forms of token theft, and improves the security of the protocol.
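The following is an added illustration, not code from the paper and not its scheme (this record gives no protocol details). It shows the threat class the abstract names, a leaked bearer token replayed at the resource server, beside one generic hardening in the same spirit as the described AS/RS trust relationship. The assumptions are all mine: a symmetric trust key shared between AS and RS stands in for the trust mechanism; the RS-side checks (issuer MAC, expiry, proof of possession, nonce) stand in for the unspecified security-node checks; the token format follows the OAuth MAC-token style, where a per-token key is derived from the trust key rather than looked up; every name, key and value is constructed for the example. Scyther models are symbolic, so this is concrete code rather than a Scyther model.

```python
"""Added example: a leaked OAuth 2.0 bearer token is replayable, a MAC-bound token
checked through an AS/RS trust key is not. Illustrative only; not the paper's scheme."""
import base64
import hashlib
import hmac
import json
import secrets


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _mac(key: bytes, *parts: str) -> bytes:
    return hmac.new(key, "|".join(parts).encode(), hashlib.sha256).digest()


class AuthorizationServer:
    """Issues tokens. trust_key is assumed (my assumption) to be shared with the RS
    out of band; how that trust relationship is established is not modelled."""

    def __init__(self, trust_key: bytes) -> None:
        self.trust_key = trust_key
        self.bearer_tokens = {}  # opaque bearer token -> claims (plain OAuth 2.0)

    def issue_bearer(self, client_id: str, scope: str) -> str:
        # Plain bearer token: opaque string, and whoever holds it is accepted.
        token = secrets.token_urlsafe(24)
        self.bearer_tokens[token] = {"client_id": client_id, "scope": scope}
        return token

    def issue_mac_token(self, client_id: str, scope: str, now: int, ttl: int = 300):
        # Token body is integrity-protected with the trust key. A per-token MAC key is
        # derived from the same trust key, so the RS can recompute it without a lookup;
        # the MAC key goes only to the client, inside the (TLS-protected) token response.
        claims = {"client_id": client_id, "scope": scope, "exp": now + ttl}
        body = _b64(json.dumps(claims, sort_keys=True).encode())
        token = body + "." + _b64(_mac(self.trust_key, "tag", body))
        mac_key = _mac(self.trust_key, "key", body)
        return token, mac_key


def sign_request(token: str, mac_key: bytes, resource: str, nonce: str) -> dict:
    """Client side: prove possession of mac_key for this specific request."""
    return {"token": token, "resource": resource, "nonce": nonce,
            "proof": _b64(_mac(mac_key, token, resource, nonce))}


class ResourceServer:
    def __init__(self, trust_key: bytes, bearer_introspection: dict) -> None:
        self.trust_key = trust_key                    # synchronized from the AS
        self.bearer_introspection = bearer_introspection
        self.seen_nonces = set()

    def accept_bearer(self, token: str) -> bool:
        # Bearer semantics: possession of the string is the whole check.
        return token in self.bearer_introspection

    def accept_mac(self, req: dict, now: int) -> bool:
        parts = req["token"].split(".")
        if len(parts) != 2:
            return False
        body, tag = parts
        if not hmac.compare_digest(_mac(self.trust_key, "tag", body), _unb64(tag)):
            return False  # not issued by the trusted AS (or tampered)
        if now >= json.loads(_unb64(body))["exp"]:
            return False  # expired
        mac_key = _mac(self.trust_key, "key", body)
        expected = _mac(mac_key, req["token"], req["resource"], req["nonce"])
        if not hmac.compare_digest(expected, _unb64(req["proof"])):
            return False  # presenter holds the token string but not the MAC key
        if req["nonce"] in self.seen_nonces:
            return False  # replay of a captured, validly signed request
        self.seen_nonces.add(req["nonce"])
        return True


def leaked_bearer_token_is_replayable() -> bool:
    """A token string leaked to an attacker (phishing page, proxy log) is enough."""
    trust_key = secrets.token_bytes(32)
    auth = AuthorizationServer(trust_key)
    rs = ResourceServer(trust_key, auth.bearer_tokens)
    leaked = auth.issue_bearer("legit-client", "read")
    return rs.accept_bearer(leaked)  # attacker presents the leaked string as-is


def leaked_mac_token_is_replayable():
    """Same leak against the bound token. Returns (legitimate request accepted,
    token-only forgery accepted, replay of a captured signed request accepted)."""
    trust_key = secrets.token_bytes(32)
    auth = AuthorizationServer(trust_key)
    rs = ResourceServer(trust_key, auth.bearer_tokens)
    now = 1_700_000_000  # constructed fixed clock
    token, mac_key = auth.issue_mac_token("legit-client", "read", now)
    legit = sign_request(token, mac_key, "/photos", "n1")
    captured = dict(legit)                                   # seen on the wire
    forged = sign_request(token, b"guess", "/photos", "n2")  # has token, not mac_key
    return (rs.accept_mac(legit, now), rs.accept_mac(forged, now),
            rs.accept_mac(captured, now))


if __name__ == "__main__":
    print("bearer replay accepted:", leaked_bearer_token_is_replayable())
    print("MAC token (legit, forged, replayed):", leaked_mac_token_is_replayable())
```

The bearer path accepts the leaked string outright, which is the token-leakage threat the abstract cites. The bound path fails a holder of the bare token at the proof check and a holder of a captured request at the nonce check; both checks run entirely on the RS with key material it already shares with the AS, which is the property a trust mechanism between the two servers buys. An attacker who captures the whole token response (token plus MAC key) is outside what this binding defends against.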
Authors
WEI Cheng-kun (魏成坤), LIU Xiang-dong (刘向东), SHI Zhao-jun (石兆军)
Institute 706, Second Academy of China Aerospace Science and Industry Corporation, Beijing 100854, China
Source
Computer Engineering and Design (《计算机工程与设计》)
Peking University Core Journal (北大核心)
2016, No. 11, pp. 2949-2955 (7 pages)