TY - GEN
T1 - Audit based privacy preservation for the OpenID authentication protocol
AU - Riesch, Philip J.
AU - Du, Xiaojiang
PY - 2012
Y1 - 2012
N2 - This paper studies a privacy vulnerability within OpenID, a distributed single sign-on protocol. An OpenID system consists of three components: the User Agent (UA); the Relying Party, a web application that a UA would like to authenticate with using its unique identifier; and the Identity Provider, a web server that provides a globally unique identifier for the UA and validates the identity of UAs on behalf of Relying Parties. The privacy vulnerability has been identified in the existing literature; however, no effective solution has been proposed to date. In this paper, we present an effective scheme to mitigate this vulnerability. In order for OpenID to gain wider acceptance, this vulnerability must be addressed with a solution that is convenient for the users of single sign-on. We propose a method for mitigating this vulnerability by creating vertical levels of trust between the constituents of an OpenID network: the role of OpenID Identity Providers is expanded to include auditing OpenID Relying Parties for privacy vulnerabilities. In addition, Identity Providers may keep records of audits that identify Relying Parties that do not protect the privacy of OpenID users. The primary issue with this privacy vulnerability is that it is completely transparent: it occurs without the user ever being aware that it is happening. We cannot force Relying Parties to guarantee the privacy of OpenID users, nor would we like to burden individual users with browser-level solutions that are often overly technical and difficult to understand. We have designed an audit solution at the level of the Identity Provider, which can accurately inform users when Relying Parties may be sharing information with third parties, therefore giving OpenID users the ability to make a conscious choice about sharing that information. We have performed real network experiments to validate our scheme, and the experimental results show that our scheme is effective.
KW - OpenID
KW - authentication
KW - distributed systems
KW - privacy
KW - security
UR - http://www.scopus.com/inward/record.url?scp=84874578684&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84874578684&partnerID=8YFLogxK
U2 - 10.1109/THS.2012.6459873
DO - 10.1109/THS.2012.6459873
M3 - Conference contribution
AN - SCOPUS:84874578684
SN - 9781467327084
T3 - 2012 IEEE International Conference on Technologies for Homeland Security, HST 2012
SP - 348
EP - 352
BT - 2012 IEEE International Conference on Technologies for Homeland Security, HST 2012
T2 - 2012 12th IEEE International Conference on Technologies for Homeland Security, HST 2012
Y2 - 13 November 2012 through 15 November 2012
ER -