UPPRESSO: Untraceable and Unlinkable Privacy-PREserving Single Sign-On Services

Single sign-on (SSO) allows a user to maintain only the credential at the identity provider (IdP), to login to numerous RPs. However, SSO introduces extra privacy threats, compared with traditional authentication mechanisms, as (a) the IdP could track all RPs which a user is visiting, and (b) collusive RPs could learn a user's online profile by linking his identities across these RPs. This paper proposes a privacypreserving SSO system, called UPPRESSO, to protect a user's login activities against both the curious IdP and collusive RPs. We analyze the identity dilemma between the security requirements and these privacy concerns, and convert the SSO privacy problems into an identity transformation challenge. In each login instance, an ephemeral pseudo-identity (denoted as PID_RP ) of the RP, is firstly negotiated between the user and the RP. PID_RP is sent to the IdP and designated in the identity token, so the IdP is not aware of the visited RP. Meanwhile, PID_RP is used by the IdP to transform the permanent user identity ID_U into an ephemeral user pseudo-identity (denoted as PID_U ) in the identity token. On receiving the identity token, the RP transforms PID_U into a permanent account (denoted as Acct) of the user, by an ephemeral trapdoor in the negotiation. Given a user, the account at each RP is unique and different from ID_U, so collusive RPs cannot link his identities across these RPs. We build the UPPRESSO prototype on top of MITREid Connect, an open-source implementation of OIDC. The extensive evaluation shows that UPPRESSO fulfills the requirements of both security and privacy and introduces reasonable overheads.