干旱区生态环境知识资源中心

Information Card (InfoCard) is a user-centric identity management metasystem. It has been accepted as a standard of OASIS Identity Metasystem Interoperability Technical Committee. However, there is currently a lack of security analysis to InfoCard protocol, especially, with formal methods. In this paper, we accommodate such a requirement by analyzing security properties of InfoCard protocol adopting a formal protocol analysis tool. Our analysis result discovers that current InfoCard protocol is vulnerable against the session replay attack. Furthermore, we reveal the importance of two optional elements in InfoCard metasystem, token scope and proof key, and found that InfoCard protocol will be susceptible to man-in-the-middle attack and token replay attack if these two optional elements lack.