ACE Seminar: Real-world security analyses of OAuth 2.0 and OpenID Connect

Speaker: Prof Chris Mitchell

Date/Time: 01-Oct-2015, 15:00 UTC

Venue: Birkbeck B30



In the last few years, Internet Single Sign-On (SSO) has gone from being a topic of research and speculation to a practical reality. Many users worldwide employ Internet SSO services, in particular those supported by Facebook and Google. These services rely on OAuth 2.0 and OpenID Connect (itself based on OAuth 2.0). Whilst theoretical analyses of these systems have been conducted, less is known about how secure they are in practice (particularly OpenID Connect, given how recently its specifications were published). In this talk I will report on a series of serious vulnerabilities discovered by my PhD student Wanpeng Li in real-world implementations of both systems. I will then go on to consider why these vulnerabilities have arisen and what can be done to address the identified problems.


Chris Mitchell received his BSc (1975) and PhD (1979) degrees in Mathematics from Westfield College, University of London. Prior to his appointment in 1990 as Professor of Computer Science at Royal Holloway, he was a Project Manager in the Networks and Communications Laboratory of HP Labs in Bristol, which he joined in 1985. Between 1979 and 1985 he was at Racal-Comsec Ltd (Salisbury, UK), latterly as Chief Mathematician. Soon after joining Royal Holloway in 1990 he co-founded the Information Security Group, and also played a leading role in launching the MSc in Information Security in 1992. His research interests mainly relate to information security and applications of cryptography. He has played an active role in a large number of international collaborative research projects. For 25 years he has been convenor of Technical Panel 2 of BSI IST/33, dealing with security mechanisms and providing input to ISO/IEC JTC1/SC27, on which he has served as a UK Expert since 1992. He has edited over twenty international security standards and, in recognition of his contributions to international standards, in 2011 he received the prestigious IEC 1906 award. He has published around 250 research papers. He is co-editor-in-chief of Designs, Codes and Cryptography, section editor for Section D (Security in Computer Systems and Networks) of The Computer Journal, and a senior editor of IEEE Communications Letters. He was a member of Microsoft's Trustworthy Computing Academic Advisory Board between 2003 and 2014, he served as a member of the DoCoMo Euro-Labs Advisory Board between 2005 and 2009, and he continues to act as a consultant on a variety of topics in information security.

