Formal Analysis of Information Card Federated Identity-Management Protocol

Information Card (InfoCard) is a usercentric identity management metasystem. It has been accepted as a standard of OASIS Identity Metasystem Interoperability Technical Committee. However, there is currently a lack of security analysis to InfoCard protocol, especially, with formal methods. In this paper, we accommodate such a requirement by analyzing security properties of InfoCard protocol adopting a formal protocol analysis tool. Our analysis result discovers that current InfoCard protocol is vulnerable against the session replay attack. Furthermore, we reveal the importance of two optional elements in InfoCard metasystem, token scope and proof key, and found that InfoCard protocol will be susceptible to manin- the-middle attack and token replay attack if these two optional elements lack.