Proceedings on Privacy Enhancing Technologies ; 2021 (2):70–87 Zhiyi Zhang, Michał Król, Alberto Sonnino, Lixia Zhang, and Etienne Rivière EL PASSO: Efficient and Lightweight Privacy-preserving Single Sign On Abstract: Anonymous credentials are a solid founda- 1 Introduction tion for privacy-preserving Single Sign-On (SSO). They enable unlinkable authentication across domains and al- Single Sign-On (SSO) is an answer to the complexity low users to prove their identity without revealing more and fragility of using individual passwords on the web, than necessary. Unfortunately, anonymous credentials i.e., leading to reuse and leaks [1]. SSO enables the use schemes remain difficult to use and complex to deploy. of a unique identity provided by an Identity Provider They require installation and use of complex software at (IdP). Users authenticate themselves to services (called the user side, suffer from poor performance, and do not Relying Parties–RP) with tokens provided by their IdP. support security features that are now common, such SSO improves overall web security [2] and enables the as two-factor authentication, secret recovery, or sup- generalization of good security practices such as the use port for multiple devices. In contrast, Open ID Con- of 2-factor authentication (2FA) [3]. nect (OIDC), the de facto standard for SSO is widely deployed and used despite its lack of concern for users’ Limitations of OpenID Connect. OpenID Connect privacy. We present EL PASSO, a privacy-preserving (OIDC) is a dominant SSO solution used by over a mil- SSO system based on anonymous credentials that does lion websites in 2020 [4]. Major web players such as not trade security for usability, and can be incrementally Google or Facebook play the role of IdPs, offering so- deployed at scale alongside Open ID Connect with no called social login features to RPs previously registered significant changes to end-user operations. EL PASSO with their services. However, while facilitating identity client-side operations leverage a WebAssembly mod- management, the wide adoption of OIDC raises con- ule that can be downloaded on the fly and cached by cerns on users’ privacy [5, 6]. These concerns are direct users’ browsers, requiring no prior software installation consequences of the synchronous and coupled mode of or specific hardware. We develop automated procedures operation of OIDC, illustrated in Figure 1. Each login for managing cryptographic material, supporting multi- request to an RP requires first an interaction between device support, secret recovery, and privacy-preserving the user and the IdP for authentication and then an- two-factor authentication using only the built-in fea- other interaction between the RP and the IdP to vali- tures of common Web browsers. Our implementation date credentials. An IdP is, therefore, aware of its users’ using PS Signatures achieves 39x to 180x lower com- every sign-on attempt and can infer private information putational cost than previous anonymous credentials from the nature of visited websites [7]. Similarly, RPs schemes, similar or lower sign-on latency than Open ID learn users’ identifiers at IdPs systematically, enabling Connect and is amenable for use on mobile devices. to aggregate identity elements shared to different RPs and violate purpose limitation (e.g., as defined in the Keywords: Single Sign-On, Privacy EU GDPR [8]). OIDC extensions have been proposed to DOI 10.2478/popets-2021-0018 Received 2020-08-31; revised 2020-12-15; accepted 2020-12-16. OpenID Connect (OIDC) EL PASSO IdP RP IdP RP 1 RP 2 token generator Zhiyi Zhang: UCLA, CA, USA. E-mail: [email protected] Michał Król: City, University of London, United Kingdom. E-mail: [email protected] derives Alberto Sonnino: Facebook Calibra and University College User User London, United Kingdom. E-mail: [email protected] Synchronous Privacy-breaking Lixia Zhang: UCLA, CA, USA. E-mail: [email protected] Etienne Rivière: ICTEAM, UCLouvain, Belgium. E-mail: Asynchronous Identity token [email protected] Fig. 1. Sign-on in OIDC and in EL PASSO. EL PASSO: Efficient and Lightweight Privacy-preserving Single Sign On 71 increase users’ privacy but only partially address these integrated system for privacy-preserving SSO that does problems, as they either still leak users’ global identifiers not compromise performance or ease of use in favor of to the RPs [9] or do not prevent the IdP from logging security. visited websites [10]. We note, finally, that in addition Contributions. We present the design, security anal- to privacy concerns, the synchronicity in OIDC impacts ysis, and evaluation of EL PASSO, a practical privacy- availability: Users simply cannot connect to an RP if preserving SSO system, illustrated in Figure 1. their IdP is offline. This requirement of high availabil- EL PASSO is asynchronous and offers unlinkable ity can prevent small organizations (e.g., digital rights authentication and the strong privacy guarantees of NGOs) from offering an alternative to tech giants’ IdPs anonymous credentials. The generation of authentica- and counter Internet consolidation [11]. tion material by the IdP is decoupled in time from its State of the Art: Anonymous Credentials. Pre- use by the client to sign on at some RP. It enables min- serving privacy in SSO requires to decouple the gen- imal disclosure of information: Users may share only eration of authentication material by the IdP from its elements necessary for a specific RP or provide authen- use at some RP (i.e., to make it asynchronous), and to ticatable personal properties to an RP, such as being guarantee that the use of authentication material by the above a minimum age or coming from a certain geo- same user across RPs cannot be correlated. graphical area, without sharing their exact age or loca- Anonymous credentials [12–16] have been identified tion. The design of EL PASSO acknowledges the prac- in previous work as the foundational building block for tical consideration that unbreakable anonymity is not enabling privacy-preserving SSO. Anonymous creden- desirable for many online services. EL PASSO offers tials can be generated ahead of authentication time and guardrails to the risk of digital impunity associated stored by the user, allowing to decouple the generation of with minimal disclosure of information, by providing authentication material by an IdP and its use at some optional support for accountability guarantees to RPs RP, i.e., to make it asynchronous. Authentication by about users signing on their services. Users convicted the same user to different RPs is unlinkable, preventing of fraudulent behaviors (e.g., authors of hate speech or correlation of identity information shared with different harassment in an online forum, or publishers of illegal RPs. content) can be eventually identified. This identifica- Several authentication schemes already build on tion obeys a strict cooperation process involving sev- anonymous credentials [17–20]. These works suffer, how- eral authorities, whose number and identity must be ever, from a number of limitations that prevent their announced a priori by RPs using the feature. adoption as drop-in replacements of OIDC for privacy- EL PASSO aims for ease of deployment by RPs and preserving SSO at a large scale. First, they suffer from IdPs, and simplicity for its users. User-side operations poor performance [12, 17] or overheads increasing with are supported by a client module in WebAssembly [25] the number of unlinkable uses and therefore with the received on the fly from the IdP and cached in the user’s number of RPs [14, 15]. Second, they require users to browser. The module automatically manages crypto- pre-install specific software and manage manually cryp- graphic material, storing it using the browser built-in tographic material [18, 21, 22]. The tasks are too com- password manager. As a result, our platform does not plicated for most Web users [23, 24], hindering the de- require prior software installation or specific hardware ployment of those systems at a large scale. Finally, they and exposes user interactions similar to OIDC. lack support for features that are now considered com- EL PASSO provides support for features that are pulsory by many clients and websites relying on SSO: typically expected from non-privacy-preserving SSO. they do not easily allow the user to use multiple devices We develop a double-secret scheme to enable IdP- (e.g., their laptop and their smartphone) or are vulner- backed, multi-device deployments. EL PASSO is robust able in case of the theft of one of these devices, and they against the theft or loss of a device and the secrets it do not support two-factor authentication (2FA), i.e., the contains and exposes simple recovery procedures at the possibility for an RP to require a joint sign-on operation IdP. The usage of device-specific secrets naturally sup- by the same user but from two different devices. ports 2FA without disclosing the user’s phone or email Objective. Our objective in this paper is to bridge address. In addition, we provide guidelines for incremen- the gap between the simplicity, ease of deployment and tal deployment and show how EL PASSO can operate practicality of OIDC, and privacy-preserving SSO based alongside OIDC. on anonymous credentials. We target a complete and EL PASSO: Efficient and Lightweight Privacy-preserving Single Sign On 72 EL PASSO is built using PS signatures [26, 27] and Authentication designed to limit the amount of heavy cryptographic personal authentication only legitimate IdPs users can authenticate operations required for all parties. Our evaluation us- intra-RP linkability prevent creation of Sybils within a domain ing representative user devices and RP and IdP services Privacy Protection hosted on Amazon EC2 indicates that EL PASSO per- formance, costs, and scalability make it amenable for selective attribute disclosure user only discloses necessary attributes large-scale deployments.
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages18 Page
-
File Size-