• Title/Summary/Keyword: OAuth Vulnerability

Search Result 3, Processing Time 0.016 seconds

Secure User Authority Authentication Method in the Open Authorization (Open Authorization에서의 안전한 사용자 권한 인증 방법에 관한 연구)

  • Chae, Cheol-Joo;Lee, June-Hwan;Cho, Han-Jin
    • Journal of Digital Convergence
    • /
    • v.12 no.8
    • /
    • pp.289-294
    • /
    • 2014
  • Recently, the various web service and applications are provided to the user. As to these service, because of providing the service to the authenticated user, the user undergoes the inconvenience of performing the authentication with the service especially every time. The OAuth(Open Authorization) protocol which acquires the access privilege in which 3rd Party application is limited on the web service in order to resolve this inconvenience appeared. This OAuth protocol provides the service which is convenient and flexible to the user but has the security vulnerability about the authorization acquisition. Therefore, we propose the method that analyze the security vulnerability which it can be generated in the OAuth 2.0 protocol and secure user authority authentication method.

Utilization of Cloud and Biometrics to improve Vulnerability of OAuth Framework (OAuth 프레임워크의 취약점 개선을 위한 클라우드 및 생체인증 기술 활용 방안)

  • Park, Jin-Seong;Lee, Chang-Hoon
    • Proceedings of the Korea Information Processing Society Conference
    • /
    • 2018.10a
    • /
    • pp.292-295
    • /
    • 2018
  • Open API의 사용이 대중화되면서 대형 포털사이트 및 대형 소셜 네트워크 서비스에 입력한 개인정보를 바탕으로 사용자들이 원하는 서비스를 제공하는 외부 서비스(Third-party application)의 수가 계속 증가하고 있다. 이러한 외부 서비스들이 정보 제공자에게 개인정보를 요청할 때, 외부 서비스가 권한 부여를 받은 정당한 요청을 하는지 여부를 확인하기 위해 OAuth 인증 프레임워크를 사용한다. 그러나 외부 서비스가 유효한 요청을 하고 있음을 판단하기 위해 사용하는 엑세스 토큰을 탈취하면 이를 이용하여 로그인 과정을 우회할 수 있으며, 개인정보 또한 쉽게 취득 가능하다. 본 논문에서는 이러한 취약점을 해결하기 위해 OAuth 인증 프레임워크에 2차적인 인증과정을 추가하여 엑세스 토큰의 탈취를 방지하여 사용자의 계정정보와 개인정보를 보호하는 프레임워크를 제시한다.

A Study on Vulnerability Prevention Mechanism Due to Logout Problem Using OAuth (OAuth를 이용한 로그아웃 문제로 인한 취약점 방지 기법에 대한 연구)

  • Kim, Jinouk;Park, Jungsoo;Nguyen-Vu, Long;Jung, Souhwan
    • Journal of the Korea Institute of Information Security & Cryptology
    • /
    • v.27 no.1
    • /
    • pp.5-14
    • /
    • 2017
  • Many web services which use OAuth Protocol offer users to log in using their personal profile information given by resource servers. This method reduces the inconvenience of the users to register for new membership. However, at the time a user finishes using OAuth client web service, even if he logs out of the client web service, the resource server remained in the login state may cause the problem of leaking personal information. In this paper, we propose a solution to mitigate the threat by providing an additional security behavior check: when a user requests to log out of the Web Client service, he or she can make decision whether or not to log out of the resource server via confirmation notification regarding the state of the resource server. By utilizing the proposed method, users who log in through the OAuth Protocol in the public PC environment like department stores, libraries, printing companies, etc. can prevent the leakage of personal information issues that may arise from forgetting to check the other OAuth related services. To verify our study, we implement a Client Web Service that uses OAuth 2.0 protocol and integrate it with our security behavior check. The result shows that with this additional function, users will have a better security when dealing with resource authorization in OAuth 2.0 implementation.