Single sign-on (SSO) allows a user to maintain only the credential at the identity provider (IdP), to login to numerous RPs. However, SSO introduces extra privacy threats, compared with traditional authentication mechanisms, as (a) the IdP could track all RPs which a user is visiting, and (b) collusive RPs could learn a user's online profile by linking his identities across these RPs. This paper proposes a privacypreserving SSO system, called UPPRESSO, to protect a user's login activities against both the curious IdP and collusive RPs. We analyze the identity dilemma between the security requirements and these privacy concerns, and convert the SSO privacy problems into an identity transformation challenge. In each login instance, an ephemeral pseudo-identity (denoted as PID_RP ) of the RP, is firstly negotiated between the user and the RP. PID_RP is sent to the IdP and designated in the identity token, so the IdP is not aware of the visited RP. Meanwhile, PID_RP is used by the IdP to transform the permanent user identity ID_U into an ephemeral user pseudo-identity (denoted as PID_U ) in the identity token. On receiving the identity token, the RP transforms PID_U into a permanent account (denoted as Acct) of the user, by an ephemeral trapdoor in the negotiation. Given a user, the account at each RP is unique and different from ID_U, so collusive RPs cannot link his identities across these RPs. We build the UPPRESSO prototype on top of MITREid Connect, an open-source implementation of OIDC. The extensive evaluation shows that UPPRESSO fulfills the requirements of both security and privacy and introduces reasonable overheads.
翻译:单一符号( SSO) 允许用户仅保留身份提供者( IdP) 的身份证明( IdP), 以登录多个 RP 。 然而, SSO 引入了额外的隐私威胁, 与传统认证机制相比, 因为 (a) IdP 可以跟踪用户访问的所有 RP, 并且 (b) 串通性 RP 可以通过在这些 RP 中连接他的身份来学习用户的在线配置。 本文提议了一个名为 UPBPSO 的隐私保存 SSO 系统, 以保护用户的登录活动, 防止好奇的 IdPP 和 串联 RP 。 我们分析安全要求与这些用户之间的身份困境, 我们无法将SOSO的隐私问题转换成身份转换挑战。 在每次日志中, 用户的默认伪身份证明( PID_ RPD ) 和 RP 的公开身份证明账户由用户之间首先谈判。