Audit based privacy preservation for the OpenID authentication protocol

Philip J. Riesch, Xiaojiang Du

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

6 Scopus citations

Abstract

This paper studies a privacy vulnerability within OpenID, a distributed single sign on protocol. An OpenID system consists of three components: User Agent (UA); Relying Party - A web application that a UA would like to authenticate with using their unique identifier; and Identity Provider - A web server that provides a globally unique identifier for the UA and validates the identity of UAs on behalf of Relying Parties. The privacy vulnerability has been identified in the existing literature. However, no effective solution has been proposed to date. In this paper, we present an effective scheme to mitigate this vulnerability. In order for OpenID to gain wider acceptance, this vulnerability must be addressed with a solution that is convenient to the users of single sign on. We propose a method for mitigating this vulnerability by creating vertical levels of trust between constituents of an OpenID network through expanding the role of OpenID Identity Providers to include auditing OpenID Relying Parties for privacy vulnerabilities. In addition, Identity Providers may keep records of audits that identify Relying Parties that do not protect the privacy of OpenID users. The primary issue with this privacy vulnerability is that it is completely transparent - it occurs without the user ever being aware that it is happening. We cannot force Relying Parties to guarantee the privacy of OpenID users, nor would we like to burden individual users with browser level solutions that are often overly technical and difficult to understand. We have designed an audit solution at the level of the Identity Provider, which can accurately inform users when Relying Parties may be sharing information with third parties, therefore giving OpenID users the ability to make a conscious choice to share that information. We have performed real network experiments to validate our scheme, and the experimental results show that our scheme is effective.

Original language: English
Title of host publication: 2012 IEEE International Conference on Technologies for Homeland Security, HST 2012
Pages: 348-352
Number of pages: 5
State: Published - 2012
Event: 2012 12th IEEE International Conference on Technologies for Homeland Security, HST 2012 - Waltham, MA, United States
Duration: 13 Nov 2012 to 15 Nov 2012

Publication series

Name: 2012 IEEE International Conference on Technologies for Homeland Security, HST 2012

Conference

Conference: 2012 12th IEEE International Conference on Technologies for Homeland Security, HST 2012
Country/Territory: United States
City: Waltham, MA
Period: 13/11/12 to 15/11/12

Keywords

  • OpenID
  • authentication
  • distributed systems
  • privacy
  • security
