EL PASSO: Efficient and Lightweight Privacy-preserving Single Sign On

Abstract Anonymous credentials are a solid foundation for privacy-preserving Single Sign-On (SSO). They enable unlinkable authentication across domains and allow users to prove their identity without revealing more than necessary. Unfortunately, anonymous credentials schemes remain difficult to use and complex to deploy. They require installation and use of complex software at the user side, suffer from poor performance, and do not support security features that are now common, such as two-factor authentication, secret recovery, or support for multiple devices. In contrast, Open ID Connect (OIDC), the de facto standard for SSO is widely deployed and used despite its lack of concern for users’ privacy. We present EL PASSO, a privacy-preserving SSO system based on anonymous credentials that does not trade security for usability, and can be incrementally deployed at scale alongside Open ID Connect with no significant changes to end-user operations. EL PASSO client-side operations leverage a WebAssembly module that can be downloaded on the fly and cached by users’ browsers, requiring no prior software installation or specific hardware. We develop automated procedures for managing cryptographic material, supporting multi-device support, secret recovery, and privacy-preserving two-factor authentication using only the built-in features of common Web browsers. Our implementation using PS Signatures achieves 39x to 180x lower computational cost than previous anonymous credentials schemes, similar or lower sign-on latency than Open ID Connect and is amenable for use on mobile devices.

[1]  Dawn Xiaodong Song,et al.  The Emperor's New Password Manager: Security Analysis of Web-based Password Managers , 2014, USENIX Security Symposium.

[2]  Jan Camenisch,et al.  Design and implementation of the idemix anonymous credential system , 2002, CCS '02.

[3]  Jan Camenisch,et al.  How to win the clonewars: efficient periodic n-times anonymous authentication , 2006, CCS '06.

[4]  Jan Camenisch,et al.  An Efficient System for Non-transferable Anonymous Credentials with Optional Anonymity Revocation , 2001, IACR Cryptol. ePrint Arch..

[5]  Alon Zakai,et al.  Bringing the web up to speed with WebAssembly , 2017, PLDI.

[6]  Feng Hao,et al.  Schnorr Non-interactive Zero-Knowledge Proof , 2017, RFC.

[7]  Harry Halpin NEXTLEAP: Decentralizing Identity with Privacy for Secure Messaging , 2017, ARES.

[8]  Jan Camenisch,et al.  Concepts and languages for privacy-preserving attribute-based authentication , 2013, J. Inf. Secur. Appl..

[9]  Jörg Schwenk,et al.  SoK: Single Sign-On Security — An Evaluation of OpenID Connect , 2017, 2017 IEEE European Symposium on Security and Privacy (EuroS&P).

[10]  Thomas S. Heydt-Benjamin,et al.  Cryptographic Protocols of the Identity Mixer Library , 2009 .

[11]  David Pointcheval,et al.  Short Randomizable Signatures , 2016, CT-RSA.

[12]  Anna Lysyanskaya,et al.  Anonymous credentials light , 2013, IACR Cryptol. ePrint Arch..

[13]  Christian Paquin,et al.  U-Prove Cryptographic Specification V1.1 (Revision 3) , 2013 .

[14]  Bart Jacobs,et al.  IRMA : practical , decentralized and privacy-friendly identity management using smartphones , 2017 .

[15]  Helmut Schneider,et al.  The domino effect of password reuse , 2004, CACM.

[16]  Balachander Krishnamurthy,et al.  Measuring privacy loss and the impact of privacy protection in web browsing , 2007, SOUPS '07.

[17]  Ralf Küsters,et al.  A Comprehensive Formal Security Analysis of OAuth 2.0 , 2016, CCS.

[18]  Christian Paquin,et al.  U-Prove Technology Overview V1.1 (Revision 2) , 2013 .

[19]  Ralf Küsters,et al.  An Extensive Formal Security Analysis of the OpenID Financial-Grade API , 2019, 2019 IEEE Symposium on Security and Privacy (SP).

[20]  Ralf Küsters,et al.  The Web SSO Standard OpenID Connect: In-depth Formal Security Analysis and Security Guidelines , 2017, 2017 IEEE 30th Computer Security Foundations Symposium (CSF).

[21]  Bart De Decker,et al.  A Practical System for Globally Revoking the Unlinkable Pseudonyms of Unknown Users , 2007, ACISP.

[22]  Kirstie Hawkey,et al.  What makes users refuse web single sign-on?: an empirical investigation of OpenID , 2011, SOUPS.

[23]  Melissa Chase,et al.  Algebraic MACs and Keyed-Verification Anonymous Credentials , 2014, CCS.

[24]  Dan Boneh,et al.  Password Managers: Attacks and Defenses , 2014, USENIX Security Symposium.

[25]  Aleksandr Ometov,et al.  Multi-Factor Authentication: A Survey , 2018, Cryptogr..

[26]  C. P. Schnorr,et al.  Efficient Identification and Signatures for Smart Cards (Abstract) , 1989, EUROCRYPT.

[27]  David Pointcheval,et al.  Divisible e-cash made practical , 2015, IET Inf. Secur..

[28]  David Pointcheval,et al.  Reassessing Security of Randomizable Signatures , 2018, IACR Cryptol. ePrint Arch..

[29]  Ernest F. Brickell,et al.  Direct anonymous attestation , 2004, CCS '04.

[30]  Emin Gün Sirer,et al.  Peer-to-Peer Authentication with a Distributed Single Sign-On Service , 2004, IPTPS.

[31]  Ralf Küsters,et al.  SPRESSO: A Secure, Privacy-Respecting Single Sign-On System for the Web , 2015, CCS.

[32]  Liqun Chen,et al.  On the Design and Implementation of an Efficient DAA Scheme , 2010, IACR Cryptol. ePrint Arch..

[33]  Dong Hoon Lee,et al.  Aggregating CL-Signatures Revisited: Extended Functionality and Better Efficiency , 2013, Financial Cryptography.

[34]  Ruti Gafni,et al.  To Social Login or not Login? Exploring Factors Affecting the Decision , 2014 .

[35]  Jason Goode The importance of identity security , 2012 .

[36]  Jörg Schwenk,et al.  Do Not Trust Me: Using Malicious IdPs for Analyzing and Attacking Single Sign-on , 2014, 2016 IEEE European Symposium on Security and Privacy (EuroS&P).

[37]  William Denniss,et al.  OAuth 2.0 Token Binding , 2018 .

[38]  Jeremy Clark,et al.  Tapas: design, implementation, and usability evaluation of a password manager , 2012, ACSAC '12.

[39]  Dick Hardt,et al.  The OAuth 2.0 Authorization Framework , 2012, RFC.

[40]  John Hughes,et al.  Security Assertion Markup Language (SAML) 2.0 Technical Overview , 2004 .

[41]  Chris Kanich,et al.  The Long "Taile" of Typosquatting Domain Names , 2014, USENIX Security Symposium.

[42]  Scott Ruoti,et al.  Confused Johnny: when automatic encryption leads to confusion and mistakes , 2013, SOUPS.

[43]  CamenischJan,et al.  Concepts and languages for privacy-preserving attribute-based authentication , 2014, WISA 2014.

[44]  Sean W. Smith,et al.  Blacklistable anonymous credentials: blocking misbehaving users without ttps , 2007, CCS '07.

[45]  Drummond Reed,et al.  OpenID 2.0: a platform for user-centric identity management , 2006, DIM '06.

[46]  Michael Jones,et al.  OAuth 2.0 Mix-Up Mitigation , 2016 .

[47]  Shipeng Li,et al.  ThresPassport - A Distributed Single Sign-On Service , 2005, ICIC.

[48]  Peter Druschel,et al.  Oblivion: Mitigating Privacy Leaks by Controlling the Discoverability of Online Information , 2015, ACNS.

[49]  Georg Fuchsbauer,et al.  Anonymous attestation with user-controlled linkability , 2013, International Journal of Information Security.

[50]  George Danezis,et al.  UnlimitID: Privacy-Preserving Federated Identity Management using Algebraic MACs , 2016, WPES@CCS.

[51]  Jan Camenisch,et al.  Signature Schemes and Anonymous Credentials from Bilinear Maps , 2004, CRYPTO.

[52]  Michael Backes,et al.  PRIMA: Privacy-Preserving Identity and Access Management at Internet-Scale , 2016, 2018 IEEE International Conference on Communications (ICC).

[53]  J. Doug Tygar,et al.  Why Johnny Can't Encrypt: A Usability Evaluation of PGP 5.0 , 1999, USENIX Security Symposium.

[54]  Hovav Shacham,et al.  Short Signatures from the Weil Pairing , 2001, J. Cryptol..

[55]  Ian Goldberg,et al.  Formalizing Anonymous Blacklisting Systems , 2011, 2011 IEEE Symposium on Security and Privacy.

[56]  Christian Huitema,et al.  Considerations on Internet Consolidation and the Internet Architecture , 2019 .

[57]  Kenneth G. Paterson,et al.  Pairings for Cryptographers , 2008, IACR Cryptol. ePrint Arch..