SPRESSO : A Secure, Privacy-Respecting Single Sign-On System for the Web

Fett, Daniel and Küsters, Ralf and Schmitz, Guido (2015) SPRESSO : A Secure, Privacy-Respecting Single Sign-On System for the Web. In: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security - CCS '15 :. ACM, New York, pp. 1358-1369. ISBN 9781450338325

Full text not available from this repository.

Abstract

Single sign-on (SSO) systems, such as OpenID and OAuth, allow web sites, so-called relying parties (RPs), to delegate user authentication to identity providers (IdPs), such as Facebook or Google. These systems are very popular, as they provide a convenient means for users to log in at RPs and move much of the burden of user authentication from RPs to IdPs. There is, however, a downside to current systems, as they do not respect users' privacy: IdPs learn at which RP a user logs in. With one exception, namely Mozilla's BrowserID system (a.k.a. Mozilla Persona), current SSO systems were not even designed with user privacy in mind. Unfortunately, recently discovered attacks, which exploit design flaws of BrowserID, show that BrowserID does not provide user privacy either. In this paper, we therefore propose the first privacy-respecting SSO system for the web, called SPRESSO (for Secure Privacy-REspecting Single Sign-On). The system is easy to use, decentralized, and platform independent. It is based solely on standard HTML5 and web features and uses no browser extensions, plug-ins, or other executables. Existing SSO systems and the numerous attacks on such systems illustrate that the design of secure SSO systems is highly non-trivial. We therefore also carry out a formal analysis of SPRESSO based on an expressive model of the web in order to formally prove that SPRESSO enjoys strong authentication and privacy properties.

Item Type:
Contribution in Book/Report/Proceedings
ID Code:
213507
Deposited By:
Deposited On:
30 Jan 2024 09:50
Refereed?:
Yes
Published?:
Published
Last Modified:
16 Jul 2024 05:24