• Share
  • Email
  • Embed
  • Like
  • Save
  • Private Content
Making OpenID mobile and privacy-friendly
 

Making OpenID mobile and privacy-friendly

on

  • 99 views

OpenID is a widely used single sign-on standard that allows users to access different services using the same authentication. However, its usage poses a number of issues regarding privacy and ...

OpenID is a widely used single sign-on standard that allows users to access different services using the same authentication. However, its usage poses a number of issues regarding privacy and security.
This paper evaluates the OpenID standard and introduces three mobile strategies, two of which are validated using a prototype implementation. Significant privacy and trust improvements are attained through the use of an identity management architecture that leverages the properties of a tamperproof module. Furthermore, our approach makes OpenID more suitable for omnipresent mobile use. We remain interoperable with the OpenID standard and no modifications to the mobile platform are required.

Statistics

Views

Total Views
99
Views on SlideShare
99
Embed Views
0

Actions

Likes
0
Downloads
3
Comments
0

0 Embeds 0

No embeds

Accessibility

Categories

Upload Details

Uploaded via as Adobe PDF

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

    Making OpenID mobile and privacy-friendly Making OpenID mobile and privacy-friendly Presentation Transcript

    • Making OpenID mobile and privacy-friendly ECUMICT Ghent, March 27th 2014 Faysal Boukayoua MSEC, KU Leuven
    • Overview • Introduction • OpenID o What is it? o How does it work? • MSEC’s IdM architecture • OpenID shortcomings • Approach • Implementation • Evaluation
    • The advent of today’s Web • A myriad of services • Countless logins • Unreliable user information I’m a banana
    • The emergence of Web single sign-on • OpenID • SAML-based setups o Shibboleth o Belgian eGov Login • Proprietary infrastructures o Google o Facebook o Twitter Identity provider Service providers User
    • OpenID: what is it? • Single sign-on standard • Origins: blogosphere, 2005 • 2007: version 2.0 • 2009: > 1 billion OpenID-enabled accounts • Many identity providers: Google, Yahoo, Paypal, AOL, Wordpress,…
    • OpenID: how does it work? User User’s browser Identity provider (IdP) Service provider 1. Request resource 5. Prompt for authentication 6. Authenticate 4. Redirect to IdP 7. Assert attributes and redirect 8. Return resource 2. Prompt for IdP URI 3. Provide IdP URI IdP discovery step
    • MSEC’s IdM architecture • Tamper-resistant module is mediator between o identity providers o service providers • Access to attributes controlled by o external authorities: certificates o user: personalized policies on the card SPi IdPX
    • OpenID shortcomings: trust Before OpenID With OpenID Hi, I’m a banana. Trust me, this is a banana Identity provider Okay. Come on in. Service provider Service provider User I’m a banana. Pass it on. User Okay Okay. Come on in.
    • OpenID vs. IdM architecture OpenID IdM architecture Interoperability Must modify workstation? Typically not Yes Based on a standard? Yes No Security Credentials Passwords: weak ECDH: strong Prone to theft by malware Protected by tamper- resistant card Prone to phishing by SP • Feedback about URI • Certificate checks Communication security Data authentication not required (MITM attacks) Secure, authenticated channels Identity provider Centralised: high-value attack target Decentralised Transaction monitoring, linking, profiling Mediation by card Privacy Can impersonate user Mediation by card Anonimity level towards service provider Global user ID (URI) • Identifiabile • Pseudonymous • (Accountably) anonymous Selective attribute disclosure? Typically not Yes User consent? Typically not Yes
    • Approach: current trends and opportunities More mobility & more computers Smartphones omnipresent Mobile Internet adoption
    • Approach: a mobile identity provider IdPX IdPY IdPZ User Mobile identity provider OpenID service provider
    • 7. Retrieve attributes from secure element Approach: protocol flow User User’s browser Service provider 1. Request resource 4. Redirect to IdP 7. Assert attributes and redirect 8. Return resource 2. Prompt for IdP URI 3. Provide IdP URI Mobile IdP 5. Show feedback and ask for consent 6. Give consent and enter PIN
    • Implementation Mobile device • Acer Liquid Glow E330 • Android 4.0.4 • I-Jetty webserver • Secure element middleware Secure element • Giesecke & Devrient Mobile Security Card 1.0 • Java Card 2.2.2 • MSEC’s IdM architecture Service provider
    • Evaluation • Better privacy • Better security • Better interoperability • Mobile IdP is personal server… o Network anonymity important! o Tor • Hidden service (*.onion pseudo top-level domain) • Tor2web proxy to get a non-Tor URI
    • Q&A