Your SlideShare is downloading. ×
Making OpenID mobile and privacy-friendly
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×

Introducing the official SlideShare app

Stunning, full-screen experience for iPhone and Android

Text the download link to your phone

Standard text messaging rates apply

Making OpenID mobile and privacy-friendly

120
views

Published on

OpenID is a widely used single sign-on standard that allows users to access different services using the same authentication. However, its usage poses a number of issues regarding privacy and …

OpenID is a widely used single sign-on standard that allows users to access different services using the same authentication. However, its usage poses a number of issues regarding privacy and security.
This paper evaluates the OpenID standard and introduces three mobile strategies, two of which are validated using a prototype implementation. Significant privacy and trust improvements are attained through the use of an identity management architecture that leverages the properties of a tamperproof module. Furthermore, our approach makes OpenID more suitable for omnipresent mobile use. We remain interoperable with the OpenID standard and no modifications to the mobile platform are required.

Published in: Technology

0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
120
On Slideshare
0
From Embeds
0
Number of Embeds
2
Actions
Shares
0
Downloads
7
Comments
0
Likes
0
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide

Transcript

  • 1. Making OpenID mobile and privacy-friendly ECUMICT Ghent, March 27th 2014 Faysal Boukayoua MSEC, KU Leuven
  • 2. Overview • Introduction • OpenID o What is it? o How does it work? • MSEC’s IdM architecture • OpenID shortcomings • Approach • Implementation • Evaluation
  • 3. The advent of today’s Web • A myriad of services • Countless logins • Unreliable user information I’m a banana
  • 4. The emergence of Web single sign-on • OpenID • SAML-based setups o Shibboleth o Belgian eGov Login • Proprietary infrastructures o Google o Facebook o Twitter Identity provider Service providers User
  • 5. OpenID: what is it? • Single sign-on standard • Origins: blogosphere, 2005 • 2007: version 2.0 • 2009: > 1 billion OpenID-enabled accounts • Many identity providers: Google, Yahoo, Paypal, AOL, Wordpress,…
  • 6. OpenID: how does it work? User User’s browser Identity provider (IdP) Service provider 1. Request resource 5. Prompt for authentication 6. Authenticate 4. Redirect to IdP 7. Assert attributes and redirect 8. Return resource 2. Prompt for IdP URI 3. Provide IdP URI IdP discovery step
  • 7. MSEC’s IdM architecture • Tamper-resistant module is mediator between o identity providers o service providers • Access to attributes controlled by o external authorities: certificates o user: personalized policies on the card SPi IdPX
  • 8. OpenID shortcomings: trust Before OpenID With OpenID Hi, I’m a banana. Trust me, this is a banana Identity provider Okay. Come on in. Service provider Service provider User I’m a banana. Pass it on. User Okay Okay. Come on in.
  • 9. OpenID vs. IdM architecture OpenID IdM architecture Interoperability Must modify workstation? Typically not Yes Based on a standard? Yes No Security Credentials Passwords: weak ECDH: strong Prone to theft by malware Protected by tamper- resistant card Prone to phishing by SP • Feedback about URI • Certificate checks Communication security Data authentication not required (MITM attacks) Secure, authenticated channels Identity provider Centralised: high-value attack target Decentralised Transaction monitoring, linking, profiling Mediation by card Privacy Can impersonate user Mediation by card Anonimity level towards service provider Global user ID (URI) • Identifiabile • Pseudonymous • (Accountably) anonymous Selective attribute disclosure? Typically not Yes User consent? Typically not Yes
  • 10. Approach: current trends and opportunities More mobility & more computers Smartphones omnipresent Mobile Internet adoption
  • 11. Approach: a mobile identity provider IdPX IdPY IdPZ User Mobile identity provider OpenID service provider
  • 12. 7. Retrieve attributes from secure element Approach: protocol flow User User’s browser Service provider 1. Request resource 4. Redirect to IdP 7. Assert attributes and redirect 8. Return resource 2. Prompt for IdP URI 3. Provide IdP URI Mobile IdP 5. Show feedback and ask for consent 6. Give consent and enter PIN
  • 13. Implementation Mobile device • Acer Liquid Glow E330 • Android 4.0.4 • I-Jetty webserver • Secure element middleware Secure element • Giesecke & Devrient Mobile Security Card 1.0 • Java Card 2.2.2 • MSEC’s IdM architecture Service provider
  • 14. Evaluation • Better privacy • Better security • Better interoperability • Mobile IdP is personal server… o Network anonymity important! o Tor • Hidden service (*.onion pseudo top-level domain) • Tor2web proxy to get a non-Tor URI
  • 15. Q&A