Attribute-based Single Sign-On: Secure, Private, and Efficient

IACR Cryptol. ePrint Arch. Pub Date : 2023-10-01 DOI:10.56553/popets-2023-0097

T. Frederiksen, Julia Hesse, Bertram Poettering, Patrick Towa

{"title":"Attribute-based Single Sign-On: Secure, Private, and Efficient","authors":"T. Frederiksen, Julia Hesse, Bertram Poettering, Patrick Towa","doi":"10.56553/popets-2023-0097","DOIUrl":null,"url":null,"abstract":"A Single Sign-On (SSO) system allows users to access different remote services while authenticating only once. SSO can greatly improve the usability and security of online activities by dispensing with the need to securely remember or store tens or hundreds of authentication secrets. On the downside, today's SSO providers can track users' online behavior, and collect personal data that service providers want to see asserted before letting a user access their resources. In this work, we propose a new policy-based Single Sign-On service, i.e., a system that produces access tokens that are conditioned on the user's attributes fulfilling a specified policy. Our solution is based on multi-party computation and threshold cryptography, and generates access tokens of standardized format. The central idea is to distribute the role of the SSO provider among several entities, in order to shield user attributes and access patterns from each individual entity. We provide a formal security model and analysis in the Universal Composability framework, against proactive adversaries. Our implementation and benchmarking show the practicality of our system for many real-world use cases.","PeriodicalId":13158,"journal":{"name":"IACR Cryptol. ePrint Arch.","volume":"30 1","pages":"915"},"PeriodicalIF":0.0000,"publicationDate":"2023-10-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"IACR Cryptol. ePrint Arch.","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.56553/popets-2023-0097","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 0

Abstract

A Single Sign-On (SSO) system allows users to access different remote services while authenticating only once. SSO can greatly improve the usability and security of online activities by dispensing with the need to securely remember or store tens or hundreds of authentication secrets. On the downside, today's SSO providers can track users' online behavior, and collect personal data that service providers want to see asserted before letting a user access their resources. In this work, we propose a new policy-based Single Sign-On service, i.e., a system that produces access tokens that are conditioned on the user's attributes fulfilling a specified policy. Our solution is based on multi-party computation and threshold cryptography, and generates access tokens of standardized format. The central idea is to distribute the role of the SSO provider among several entities, in order to shield user attributes and access patterns from each individual entity. We provide a formal security model and analysis in the Universal Composability framework, against proactive adversaries. Our implementation and benchmarking show the practicality of our system for many real-world use cases.

查看原文

微信好友朋友圈 QQ好友复制链接

本刊更多论文

基于属性的单点登录:安全、私有和高效

单点登录(SSO)系统允许用户访问不同的远程服务，而只需进行一次身份验证。SSO可以大大提高在线活动的可用性和安全性，因为无需安全地记住或存储数十或数百个身份验证秘密。缺点是，今天的SSO提供程序可以跟踪用户的在线行为，并收集服务提供程序希望在允许用户访问其资源之前看到的个人数据。在这项工作中，我们提出了一种新的基于策略的单点登录服务，即一个系统，该系统产生访问令牌，该令牌以用户的属性满足指定策略为条件。我们的解决方案基于多方计算和阈值加密，并生成标准化格式的访问令牌。其核心思想是在多个实体之间分配SSO提供者的角色，以便对每个单独的实体保护用户属性和访问模式。我们在通用可组合性框架中提供了正式的安全模型和分析，以应对主动攻击者。我们的实现和基准测试显示了我们的系统对于许多实际用例的实用性。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文去求助

来源期刊

IACR Cryptol. ePrint Arch.

自引率

0.00%

发文量