DOI: 10.1145/3605760.3623767 (research article, open access)

Rethinking Single Sign-On: A Reliable and Privacy-Preserving Alternative with Verifiable Credentials

Published: 26 November 2023

Abstract

    Single sign-on (SSO) has provided convenience to users in the web domain as it can authorize a user to access various resource providers (RPs) using the identity provider (IdP)'s unified authentication portal. However, SSO also faces security problems including IdP single-point failure and the privacy associated with identity linkage. In this paper, we present the initial design of an alternative SSO solution called VC-SSO to address the security and privacy problems while preserving SSO's usability. VC-SSO leverages the recently emerged decentralized identifier (DID) and verifiable credential (VC) framework in that a user only needs to authenticate with the IdP once to obtain a VC and then may generate multiple verifiable presentations (VPs) from the VC to access different RPs. This is based on the design that each RP has established a smart contract with the IdP specifying the service agreement and the VP schema for user authorization. We hope the proposed VC-SSO design marks the first step toward a future SSO system that provides strong reliability and privacy to users under adversarial conditions.
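The abstract describes the core mechanic of VC-SSO: one authentication with the IdP yields a VC, from which the user derives a separate VP for each RP, and each RP checks the VP against the VP schema it agreed with the IdP. The following Python block is an added illustration of that flow and is not code from the paper. It uses salted hash commitments (the selective-disclosure idea behind SD-JWT) so that a single issuer-signed credential can be presented with different claim subsets to different RPs, and a per-RP schema dictionary stands in for the on-chain service agreement. The DIDs, claim names and the `IDP_KEY` are constructed; the HMAC "proof" is a stand-in for the IdP's public-key signature, which an RP would really verify with a key resolved from the IdP's DID document. The last function is a caveat check: hash-based disclosure hides undisclosed attributes, but the issuer's signature is the same in every derived VP and is therefore a correlation handle for colluding RPs, so this mechanism alone does not give the unlinkability the abstract aims for (the page does not state how the paper addresses this).

```python
import hashlib
import hmac
import json
import os

# Constructed stand-in for the IdP's signing key. A real VC carries a
# public-key signature that the RP verifies with a key resolved from the
# IdP's DID document; HMAC is used here only so the example is stdlib-only.
IDP_KEY = b"constructed-idp-key"


def _digest(salt: str, name: str, value) -> str:
    """Salted commitment to one claim: SHA-256 over salt, name and JSON value."""
    data = json.dumps([salt, name, value], sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()


def _sign(payload: dict) -> str:
    """Deterministic 'signature' over a canonical JSON encoding (see IDP_KEY note)."""
    canonical = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(IDP_KEY, canonical, hashlib.sha256).hexdigest()


def issue_credential(issuer_did: str, subject_did: str, claims: dict) -> dict:
    """IdP step: commit to every claim with a fresh random salt and sign only
    the sorted list of commitments, so the holder can later reveal any subset.
    Returns the VC together with the per-claim (salt, value) disclosures."""
    salts = {name: os.urandom(16).hex() for name in claims}
    signed = {
        "issuer": issuer_did,
        "subject": subject_did,
        "digests": sorted(_digest(salts[n], n, v) for n, v in claims.items()),
    }
    vc = {"signed": signed, "proof": _sign(signed)}
    disclosures = {name: (salts[name], claims[name]) for name in claims}
    return {"vc": vc, "disclosures": disclosures}


def derive_presentation(holder: dict, vp_schema: dict) -> dict:
    """Holder step: build a VP for one RP. Only the claims that RP's schema
    requires are attached; every other claim stays hidden behind its digest."""
    required = set(vp_schema["required_claims"])
    missing = required - set(holder["disclosures"])
    if missing:
        raise ValueError(f"credential lacks claims {sorted(missing)}")
    return {
        "vc": holder["vc"],
        "audience": vp_schema["rp"],
        "disclosed": {n: holder["disclosures"][n] for n in required},
    }


def verify_presentation(vp: dict, vp_schema: dict, trusted_issuer: str) -> dict:
    """RP step: check the audience, the issuer's proof over the digest list,
    and that each disclosed (salt, value) pair re-hashes to a signed digest.
    Returns the verified claims, or raises ValueError on any failure."""
    if vp["audience"] != vp_schema["rp"]:
        raise ValueError("presentation is for a different RP")
    signed = vp["vc"]["signed"]
    if signed["issuer"] != trusted_issuer:
        raise ValueError("untrusted issuer")
    if not hmac.compare_digest(_sign(signed), vp["vc"]["proof"]):
        raise ValueError("issuer proof does not verify")
    digests = set(signed["digests"])
    verified = {}
    for name in vp_schema["required_claims"]:
        if name not in vp["disclosed"]:
            raise ValueError(f"required claim {name!r} not disclosed")
        salt, value = vp["disclosed"][name]
        if _digest(salt, name, value) not in digests:
            raise ValueError(f"claim {name!r} is not covered by the issuer proof")
        verified[name] = value
    return verified


def linkable(vp_a: dict, vp_b: dict) -> bool:
    """Caveat: two VPs derived from the same VC carry the same issuer proof,
    so two colluding RPs can link them even though the disclosed claim sets
    differ. Hash-based disclosure hides values, not this correlation handle."""
    return vp_a["vc"]["proof"] == vp_b["vc"]["proof"]


if __name__ == "__main__":
    # Constructed walkthrough: one VC, two RPs with different VP schemas.
    holder = issue_credential("did:example:idp", "did:example:alice",
                              {"name": "Alice", "age_over_18": True, "email": "alice@example.com"})
    shop = {"rp": "did:example:shop", "required_claims": ["age_over_18"]}
    forum = {"rp": "did:example:forum", "required_claims": ["email"]}
    vp_shop = derive_presentation(holder, shop)
    vp_forum = derive_presentation(holder, forum)
    print("shop sees:", verify_presentation(vp_shop, shop, "did:example:idp"))
    print("forum sees:", verify_presentation(vp_forum, forum, "did:example:idp"))
    print("linkable by colluding RPs:", linkable(vp_shop, vp_forum))
```

The RP never learns claims outside its schema, a VP replayed to a different RP fails the audience check, and a modified disclosed value no longer re-hashes to a signed digest. The `linkable` result is the point to keep in mind when reading the abstract's privacy goal: breaking the linkage between presentations needs something beyond plain selective disclosure, such as per-RP pseudonymous identifiers or a zero-knowledge proof of the credential's signature.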


Published In
MTD '23: Proceedings of the 10th ACM Workshop on Moving Target Defense
November 2023
42 pages
ISBN: 9798400702563
DOI: 10.1145/3605760
Program Chairs: Ning Zhang, Qi Li
This work is licensed under a Creative Commons Attribution International 4.0 License.

Publisher

Association for Computing Machinery, New York, NY, United States

Author Tags

authentication, privacy, single sign-on, verifiable credential

Funding Sources

The US National Science Foundation

Conference

CCS '23

Acceptance Rates

Overall Acceptance Rate 40 of 92 submissions, 43%