Proving a WS-federation passive requestor profile with a browser model

Abstract

Web-based services are an important business area. For usability and cost-effectiveness these services require users to rely only on standard browsers. A representative class of such applications, currently in the focus of many industrial players, is Federated Identity Managent (FIM). In this context we are facing challenging probls: on the one hand, the security of the existing FIM protocols (including Microsoft Passport, OASIS SAML, and Liberty) is not yet based on rigorous proofs and has been challenged by several analyses. On the other hand, the existing formal security models and proof methods cannot be applied to browser-based protocols in a straightforward manner since they only consider protocol-aware principals: they assume that the involved principals behave according to the specification of the security protocol unless they are corrupted. Web browsers, in contrast, have predefined features and are unaware of the protocol they are involved in.Based on a generic framework for security proofs of browser-based protocols, we model an important FIM protocol, the WS-Federation Passive Requestor Interop profile. We rigorously prove that the protocol provides authenticity and secure channel establishment in a realistic trust scenario. This constitutes the first rigorous security proof for a browser-based identity federation protocol.