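Junlin He, a PhD student at the School of Cryptology, University of Chinese Academy of Sciences (UCAS), conducts research on privacy-preserving techniques in identity management. He published a research paper titled "ARPSSO: An OIDC-Compatible Privacy-Preserving SSO Scheme Based on RP Anonymization" at the 29th European Symposium on Research in Computer Security (ESORICS 2024). In September 2024, Junlin He attended the ESORICS 2024 international conference, where he presented this research in a talk delivered entirely in English.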
Abstract: OpenID Connect (OIDC) is one of the most widely used single sign-on (SSO) protocols today. However, like all other popular SSO protocols, it does not take user privacy into account, which means that Identity Providers (IdPs) and colluding Relying Parties (RPs) may carve a user’s behavior through protocol interaction easily. Many studies have attempted to address these privacy issues, but none of them support the most commonly adopted OIDC code flow very well because of their insufficient consideration of the IdP-to-RP authentication, which is the key mechanism to enhance the security of OIDC. In this paper, we propose a privacy-preserving SSO scheme named ARPSSO that may be adapted to OIDC code flow very well. We first realize RP anonymous authentication by issuing anonymous credentials to the RP, thus preventing the user’s login behavior from being tracked by the IdP. We also design a two-party secure computation scheme based on anonymous credentials, which implements user identity mix-up and thus prevents the user identity from being linked by colluding RPs. In addition, we introduce a user-imperceptible trusted in-browser data forwarding mechanism to ensure that the entire SSO process is transparent to the user, allowing users to seamlessly use conventional authentication mechanisms and standard browsers for a great user experience. The security analysis shows that ARPSSO achieves the privacy goals without compromising the intrinsic security properties of the OIDC protocol. Performance evaluation on the prototype implementation shows that ARPSSO may work with acceptable overhead compared to original SSO systems.
Paper information: Junlin He, Lingguang Lei, Yuewu Wang, Pingjian Wang and Jiwu Jing: "ARPSSO: An OIDC-Compatible Privacy-Preserving SSO Scheme Based on RP Anonymization," in European Symposium on Research in Computer Security (ESORICS 2024), ISBN: 978-3-031-70890-9. (CCF-B)