CS 4401 (A11): Software Security Engineering
Project 3: Encryption-based Protocols

Pairs Permitted: If you are working with a partner, let Professor Guttman know (so we can configure Turnin and grading on the staff end).

DUE Friday, Sept 23, start of class via web-turnin.

You work for a startup that is developing a new platform for location-aware social-network applications. Concerned by the media attacks on social-network providers who fail to protect privacy, your company decides to rely on other companies to manage user passwords and profile data.

In particular, you've heard about two protocols, OpenID and OAuth, that authorize users across sites without requiring password sharing. You need to understand these protocols and determine whether they fit your needs.

You'll need to gather information to determine how the protocols work. For instance, for OAuth, consider Wikipedia, the OAuth guide at Hueniverse, and the IETF site, which has both version 1 and draft version 2 materials.


  1. For each of the OpenID and OAuth protocols, provide a brief (sentence or two) description of what the protocol is designed to do.

  2. For each of the OpenID and OAuth protocols, provide a concrete list of confidentiality, authorization, and integrity guarantees that these protocols are designed to provide. Each guarantee should be a single, concise English sentence such as "No user should have multiple active sessions at any one time".

  3. For each of the OpenID and OAuth protocols, provide a brief description of what each datum in the protocol is designed to achieve. Each description should be a single, concise English phrase such as "Establishes the identity of the server".

  4. Briefly, in a sentence or two, say why HTTPS is an important ingredient in making this protocol work. For each of the messages of the protocol, summarize in a sentence which cryptographic techniques (such as digital signatures, encryption, or message authentication codes) are used to allow it to achieve its purpose in the protocol.

  5. Your startup considered these protocols as a way to mitigate its responsibility for protecting user passwords. Does using either or both of these protocols achieve this goal? Does the responsibility shift somewhere else? Briefly explain your reasoning as if you were reporting back to the rest of the development team (i.e., be technical and concrete, but don't assume the reader knows either protocol).

  6. A recent case study described flaws in Twitter's implementation of OAuth. Did your answers to questions 2 and 3 cover the Twitter flaw? If so, where? If not, where should it have been? Positive and negative answers are equally points-worthy. The goal is for you to reflect on your summaries of the protocols, not to have you patch them retroactively to be able to say "yes" to a question.

What to submit

Submit your answers in a plain text file with column width no more than 80 characters per line (standard for editors--we just don't want long wrapping lines).

At the end, include a list of the sources you ultimately used for understanding the two protocols (don't list everything you found, just the ones that you used the most).

Put the names of all students who worked on the answers at the top of the file. If you worked as a pair, include a brief statement of how you collaborated on this (i.e., both read both protocols, each focused on one, one wrote it up, etc.).


In grading this assignment, we will be looking for:
