Jean Snyman

OAuth 2.0 is a well-known protocol suite whereby customers of a web service can grant third-party applications access to their information (or resources) on said web service, all without handing over their long-term credentials. But what if the resources are encrypted? Should third parties get rights to decrypt them?We propose APEX: an OAuth-grounded suite of protocols which systematically augment delegated authorisation to allow refined third-party access to encrypted resources, while maintaining OAuth’s behaviour for any unencrypted resources. We also provide an implementation of APEX, showing its seamless integration with OAuth.On the formal side, we propose a generalisation of APEX (and OAuth) into a paradigm which we call restricted authorisation delegation (RAD). RAD is a model that lifts formal treatment from protocol to suites; and, it also stipulates the desirable requirements that delegated authorisation schemes should attain (including to enable access over encrypted resources). We also give a formal, cryptographic model that augments existing models in multi-party authorisation, authenticated key exchange and access control.Finally, we use this model to prove that APEX formally attains all the properties of a restricted authorisation delegation (RAD) scheme, and discuss that OAuth 2.0 does not.

We define and formalise a generic cryptographic construction that underpins coupling of companion devices, e.g., biometrics-enabled devices, with main devices (e.g., PCs), in a user-aware manner, mainly for on-demand authentication and secure storage for applications running on the main device. We define the security requirements of such constructions, provide a full instantiation in a protocol-suite and prove its computational as well as Dolev-Yao security. Finally, we implement our protocol suite and one password-manager use-case.