{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,20]],"date-time":"2026-03-20T16:03:41Z","timestamp":1774022621529,"version":"3.50.1"},"publisher-location":"Cham","reference-count":36,"publisher":"Springer International Publishing","isbn-type":[{"value":"9783319113784","type":"print"},{"value":"9783319113791","type":"electronic"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2014]]},"DOI":"10.1007\/978-3-319-11379-1_14","type":"book-chapter","created":{"date-parts":[[2014,8,20]],"date-time":"2014-08-20T03:14:54Z","timestamp":1408504494000},"page":"276-298","source":"Crossref","is-referenced-by-count":15,"title":["Protecting Web-Based Single Sign-on Protocols against Relying Party Impersonation Attacks through a Dedicated Bi-directional Authenticated Secure Channel"],"prefix":"10.1007","author":[{"given":"Yinzhi","family":"Cao","sequence":"first","affiliation":[]},{"given":"Yan","family":"Shoshitaishvili","sequence":"additional","affiliation":[]},{"given":"Kevin","family":"Borgolte","sequence":"additional","affiliation":[]},{"given":"Christopher","family":"Kruegel","sequence":"additional","affiliation":[]},{"given":"Giovanni","family":"Vigna","sequence":"additional","affiliation":[]},{"given":"Yan","family":"Chen","sequence":"additional","affiliation":[]}],"member":"297","reference":[{"key":"14_CR1","unstructured":"Getting started with the facebook sdk for php, \n                    \n                      https:\/\/developers.facebook.com\/docs\/php\/gettingstarted\/"},{"key":"14_CR2","unstructured":"JanRain Engage, \n                    \n                      http:\/\/janrain.com\/products\/engage\/"},{"key":"14_CR3","unstructured":"JavaScript Cryptography Toolkit, \n                    \n                      http:\/\/ats.oka.nu\/titaniumcore\/js\/crypto\/readme.txt"},{"key":"14_CR4","unstructured":"LocalConnection, \n                    \n                      http:\/\/help.adobe.com\/en_US\/FlashPlatform\/reference\/actionscript\/3\/flash\/net\/LocalConnection.html"},{"key":"14_CR5","unstructured":"OpenID, \n                    \n                      http:\/\/openid.net\/"},{"key":"14_CR6","unstructured":"ProVerif: Cryptographic protocol verifier in the formal model, \n                    \n                      http:\/\/prosecco.gforge.inria.fr\/personal\/bblanche\/proverif\/"},{"key":"14_CR7","unstructured":"Sandbox mode of facebook application, \n                    \n                      https:\/\/developers.facebook.com\/docs\/ApplicationSecurity\/"},{"key":"14_CR8","unstructured":"Secure electronic transaction, \n                    \n                      http:\/\/goo.gl\/2SpMbF"},{"key":"14_CR9","unstructured":"Security assertion markup language, \n                    \n                      http:\/\/en.wikipedia.org\/wiki\/Security_Assertion_Markup_Language"},{"key":"14_CR10","unstructured":"The Stanford Javascript Crypto Library, \n                    \n                      http:\/\/crypto.stanford.edu\/sjcl\/"},{"key":"14_CR11","doi-asserted-by":"crossref","unstructured":"Akhawe, D., Barth, A., Lam, P.E., Mitchell, J.C., Song, D.: Towards a formal foundation of web security. In: CSF (2010)","DOI":"10.1109\/CSF.2010.27"},{"key":"14_CR12","doi-asserted-by":"crossref","unstructured":"Armando, A., Carbone, R., Compagna, L., Cuellar, J., Tobarra, L.: Formal analysis of saml 2.0 web browser single sign-on: Breaking the saml-based single sign-on for google apps. In: FMSE: The ACM Workshop on Formal Methods in Security Engineering (2008)","DOI":"10.1145\/1456396.1456397"},{"key":"14_CR13","unstructured":"Bai, G., Lei, J., Meng, G., Venkatraman, S.S., Saxena, P., Sun, J., Liu, Y., Dong, J.S.: AUTHSCAN: Automatic Extraction of Web Authentication Protocols from Implementations. In: NDSS (2013)"},{"key":"14_CR14","doi-asserted-by":"crossref","unstructured":"Barth, A., Jackson, C., Mitchell, J.C.: Securing frame communication in browsers. In: USENIX Security Symposium (2008)","DOI":"10.1145\/1516046.1516066"},{"key":"14_CR15","unstructured":"Bhargavan, K., Delignat-Lavaud, A., Maffeis, S.: Language-based defenses against untrusted browser origins. In: USENIX Security Symposium (2013)"},{"key":"14_CR16","unstructured":"Blanchet, B.: An efficient cryptographic protocol verifier based on prolog rules. In: CSFW (2001)"},{"key":"14_CR17","doi-asserted-by":"crossref","unstructured":"Cao, Y., Rastogi, V., Li, Z., Chen, Y., Moshchuk, A.: Redefining web browser principals with a configurable origin policy. In: DSN (2013)","DOI":"10.1109\/DSN.2013.6575317"},{"key":"14_CR18","doi-asserted-by":"crossref","unstructured":"Dolev, D., Yao, A.C.: On the security of public key protocols. Tech. rep., Stanford, CA, USA (1981)","DOI":"10.1109\/SFCS.1981.32"},{"key":"14_CR19","unstructured":"Facebook. Facebook connect, \n                    \n                      http:\/\/goo.gl\/ZUyBXF"},{"key":"14_CR20","unstructured":"Gro, T.: Security Analysis of the SAML Single Sign-on Browser\/Artifact Profile. In: ACSAC (2003)"},{"key":"14_CR21","unstructured":"Hanna, S., Shin, R., Akhawe, D., Saxena, P., Boehm, A., Song, D.: The emperor\u2019s new APIs: On the (in)secure usage of new client-side primitives. In: W2SP (2010)"},{"key":"14_CR22","doi-asserted-by":"crossref","unstructured":"Hansen, S.M., Skriver, J., Nielson, H.R.: Using static analysis to validate the saml single sign-on protocol. In: WITS: The Workshop on Issues in the Theory of Security (2005)","DOI":"10.1145\/1045405.1045409"},{"key":"14_CR23","unstructured":"Miculan, M., Urban, C.: Formal Analysis of Facebook Connect Single Sign-On Authentication Protocol. In: SOFSEM (2011)"},{"key":"14_CR24","doi-asserted-by":"crossref","unstructured":"Pai, S., Sharma, Y., Kumar, S., Pai, R.M., Singh, S.: Formal verification of oauth 2.0 using alloy framework. In: CSNT: The International Conference on Communication Systems and Network Technologies (2011)","DOI":"10.1109\/CSNT.2011.141"},{"issue":"6","key":"14_CR25","doi-asserted-by":"publisher","first-page":"38","DOI":"10.1109\/MIC.2003.1250582","volume":"7","author":"B. Pfitzmann","year":"2003","unstructured":"Pfitzmann, B., Waidner, M.: Analysis of liberty single-sign-on with enabled clients. IEEE Internet Computing\u00a07(6), 38\u201344 (2003)","journal-title":"IEEE Internet Computing"},{"key":"14_CR26","doi-asserted-by":"crossref","unstructured":"Singh, K., Moshchuk, A., Wang, H., Lee, W.: On the Incoherencies in Web Browser Access Control Policies. In: SP: IEEE Symposium on Security and Privacy (2010)","DOI":"10.1109\/SP.2010.35"},{"key":"14_CR27","unstructured":"Son, S., Shmatikov, V.: The Postman Always Rings Twice: Attacking and Defending postMessage in HTML5 Websites. In: NDSS (2013)"},{"key":"14_CR28","doi-asserted-by":"crossref","unstructured":"Sun, S.-T., Beznosov, K.: The devil is in the (implementation) details: An empirical analysis of oauth sso systems. In: CCS (2012)","DOI":"10.1145\/2382196.2382238"},{"key":"14_CR29","doi-asserted-by":"crossref","unstructured":"Sun, S.-T., Hawkey, K., Beznosov, K.: OpenIDemail enabled browser: towards fixing the broken web single sign-on triangle. In: DIM (2010)","DOI":"10.1145\/1866855.1866868"},{"key":"14_CR30","doi-asserted-by":"crossref","unstructured":"Sun, S.-T., Pospisil, E., Muslukhov, I., Dindar, N., Hawkey, K., Beznosov, K.: What makes users refuse web single sign-on?: An empirical investigation of openid. In: SOUPS (2011)","DOI":"10.1145\/2078827.2078833"},{"key":"14_CR31","doi-asserted-by":"crossref","unstructured":"Tassanaviboon, A., Gong, G.: Oauth and abe based authorization in semi-trusted cloud computing: aauth. In: DataCloud-SC: The International Workshop on Data Intensive Computing in the Clouds (2011)","DOI":"10.1145\/2087522.2087531"},{"key":"14_CR32","doi-asserted-by":"crossref","unstructured":"Urue\u00f1a, M., Mu\u00f1oz, A., Larrabeiti, D.: Analysis of privacy vulnerabilities in single sign-on mechanisms for multimedia websites. Multimedia Tools and Applications (2012)","DOI":"10.1007\/s11042-012-1155-4"},{"key":"14_CR33","doi-asserted-by":"crossref","unstructured":"Wang, R., Chen, S., Wang, X.: Signing me onto your accounts through facebook and google: A traffic-guided security study of commercially deployed single-sign-on web services. In: IEEE Symposium on Security and Privacy (2012)","DOI":"10.1109\/SP.2012.30"},{"key":"14_CR34","unstructured":"Wang, R., Zhou, Y., Chen, S., Qadeer, S., Evans, D., Gurevich, Y.: Explicating sdks: Uncovering assumptions underlying secure authentication and authorization. In: USENIX Security Symposium (2013)"},{"key":"14_CR35","unstructured":"Xing, L., Chen, Y., Wang, X., Chen, S.: InteGuard: Toward Automatic Protection of Third-party web service integrations. In: NDSS (2013)"},{"key":"14_CR36","unstructured":"Yang, E.Z., Stefan, D., Mitchell, J., Mazieres, D., Marchenko, P., Karp, B.: Toward principled browser security. In: HotOS (2013)"}],"container-title":["Lecture Notes in Computer Science","Research in Attacks, Intrusions and Defenses"],"original-title":[],"link":[{"URL":"http:\/\/link.springer.com\/content\/pdf\/10.1007\/978-3-319-11379-1_14","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2019,5,27]],"date-time":"2019-05-27T16:44:43Z","timestamp":1558975483000},"score":1,"resource":{"primary":{"URL":"http:\/\/link.springer.com\/10.1007\/978-3-319-11379-1_14"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2014]]},"ISBN":["9783319113784","9783319113791"],"references-count":36,"URL":"https:\/\/doi.org\/10.1007\/978-3-319-11379-1_14","relation":{},"ISSN":["0302-9743","1611-3349"],"issn-type":[{"value":"0302-9743","type":"print"},{"value":"1611-3349","type":"electronic"}],"subject":[],"published":{"date-parts":[[2014]]}}}