DOI QR코드

DOI QR Code

Open Authorization에서의 안전한 사용자 권한 인증 방법에 관한 연구

Secure User Authority Authentication Method in the Open Authorization

  • 채철주 (한국과학기술정보연구원 R&D시스템개발실) ;
  • 이준환 (극동대학교 스마트모바일학과) ;
  • 조한진 (극동대학교 스마트모바일학과)
  • Chae, Cheol-Joo (Dept. of R&D System Development, Korea Institute of Science and Technology Information) ;
  • Lee, June-Hwan (Dept. of Smart Mobile, Far East University) ;
  • Cho, Han-Jin (Dept. of Smart Mobile, Far East University)
  • 투고 : 2014.06.10
  • 심사 : 2014.08.20
  • 발행 : 2014.08.28

초록

최근 다양한 웹 서비스와 어플리케이션들이 사용자에게 제공되고 있다. 이러한 서비스들은 인증된 사용자에 한해서 서비스를 제공하기 때문에 사용자는 매번 서비스 별로 인증을 수행해야 하는 불편함을 겪고 있다. 이러한 불편함을 해결하기 위해 3rd Party 어플리케이션이 웹 서비스에 대하여 제한된 접근 권한을 얻을 수 있게 해주는 OAuth(Open Authorization) 프로토콜이 등장하게 되었다. 이러한 OAuth 프로토콜은 사용자에게 편리하고 유연한 서비스를 제공하지만 권한 획득에 대한 보안 취약점을 가지고 있다. 그러므로 본 논문에서는 OAuth 2.0 프로토콜에서 발생할 수 있는 보안 취약점을 분석하고 이러한 보안 취약점을 보완한 방안을 제시한다.

Recently, the various web service and applications are provided to the user. As to these service, because of providing the service to the authenticated user, the user undergoes the inconvenience of performing the authentication with the service especially every time. The OAuth(Open Authorization) protocol which acquires the access privilege in which 3rd Party application is limited on the web service in order to resolve this inconvenience appeared. This OAuth protocol provides the service which is convenient and flexible to the user but has the security vulnerability about the authorization acquisition. Therefore, we propose the method that analyze the security vulnerability which it can be generated in the OAuth 2.0 protocol and secure user authority authentication method.

키워드

참고문헌

  1. Seon-Joo Kim, An Efficient Access Control Mechanism for Application Software using the OAuth in the SaaS Cloud System, Graduate School of PaiChai University, 2013.
  2. Jeong-Kyung Moon, A Delegator for Authentication Management System using OAuth in Cloud Computing Environment, Graduate School of Kongju National University, 2013.
  3. Myung Hyun Han, Research on the extended OAuth protocol for real-name authentication, Graduate of School of Information Technology Chung-Ang University, 2013.
  4. E. Hammer-Lahav, The Oauth 1.0 Protocol. Internet Engineering Task Force(IETF) RFC 5849, 2010.
  5. Mohamed Shehab, Said Marouf, Recommendation Models for Open Authorization. IEEE transactions on dependable and secure computing, Vol. 9, No. 4, 583-595, 2012. https://doi.org/10.1109/TDSC.2012.34
  6. D. Hardt, The OAuth 2.0 Authorization Framework. Internet Engineering Task Force(IETF) RFC 6749, 2012.
  7. M. Jones, The OAuth 2.0 Authorization Framework: Bear Token Usage. Internet Engineering Task Force(IETF) RFC 6750, 2012.
  8. M. Noureddine, R. Bashroush, A Provisioning Model towards OAuth 2.0 Performance Optimization. Proceedings of the 2011 10th IEEE International Conference On Cybernetic Intelligent Systems, pp. 76-80, 2011.
  9. Sooyoung Lee, Jonguk Kim, Sukin Kang, Manpyo Hong, Improving the Security of OAuth Client using Obfuscation Techniques, Proceedings of the 2013 KSII Conference, Vol. 14, No. 1, pp. 159-60, 2013.
  10. Young Gon Jung, Sanf Rea Lee, Gi Hun JANG, Heung Youl YOUM, Security Problems for Secure OAuth authentication protocol, Proceesings of the 2011 KICS Conference, pp. 952-953, 2011.
  11. Feng Yang, Sathiamoorthy Manoharan, A security analysis of the OAuth protocol. In Proc. Of Communications, Computers and Signal Processing, pp. 271-276, 2013