Security Validation of Information Card Protocol with AVISPA
Information Card (InfoCard), an OASIS standard, is a federated identity management metasystem based on visual cards. Users can collect information cards issued by various identity providers, such as web portals, governments, or companies, and use these cards to log on to various relying parties. The InfoCard protocol is the foundation of the InfoCard system, and its security properties should undergo rigorous analysis. However, there is currently a lack of security analysis of the InfoCard protocol, especially with formal methods. In this paper, we analyze the security properties of the InfoCard protocol using the formal protocol analysis tool AVISPA. Our analysis discovers that the current InfoCard protocol is vulnerable to a replay attack, in which an intruder can intercept a message in one session and replay it in another session. We further propose a countermeasure to effectively prevent such an attack. Our security analysis provides better guidance for correctly implementing and using the InfoCard protocol.
Information card; Security; Formal; AVISPA
Juan Wang, Hongxin Hu
Computer School, Wuhan University, Wuhan, China; Laboratory of Security Engineering for Future Computing, Arizona State University, Tempe, AZ, USA
International conference
Chengdu
English
856-860
2010-12-17 (date first posted online on the Wanfang platform; does not represent the paper's publication date)