Making OpenID mobile and privacy-friendly
DESCRIPTION
OpenID is a widely used single sign-on standard that allows users to access different services using the same authentication. However, its usage poses a number of issues regarding privacy and security. This paper evaluates the OpenID standard and introduces three mobile strategies, two of which are validated using a prototype implementation. Significant privacy and trust improvements are attained through the use of an identity management architecture that leverages the properties of a tamperproof module. Furthermore, our approach makes OpenID more suitable for omnipresent mobile use. We remain interoperable with the OpenID standard and no modifications to the mobile platform are required.
TRANSCRIPT
Making OpenID mobile and privacy-friendly
ECUMICT
Ghent, March 27th 2014
Faysal Boukayoua
MSEC, KU Leuven
Overview
• Introduction
• OpenID
o What is it?
o How does it work?
• MSEC’s IdM architecture
• OpenID shortcomings
• Approach
• Implementation
• Evaluation
The advent of today’s Web
• A myriad of services
• Countless logins
• Unreliable user information (“I’m a banana”)
The emergence of Web single sign-on
• OpenID
• SAML-based setups
o Shibboleth
o Belgian eGov Login
• Proprietary infrastructures
o Google
o Facebook
o Twitter
[Figure: User, Identity provider, Service providers]
OpenID: what is it?
• Single sign-on standard
• Origins: blogosphere, 2005
• 2007: version 2.0
• 2009: > 1 billion OpenID-enabled accounts
• Many identity providers: Google, Yahoo, Paypal, AOL, Wordpress, …
OpenID: how does it work?
Participants: User, User’s browser, Identity provider (IdP), Service provider
1. Request resource
2. Prompt for IdP URI
3. Provide IdP URI
   (IdP discovery step)
4. Redirect to IdP
5. Prompt for authentication
6. Authenticate
7. Assert attributes and redirect
8. Return resource
MSEC’s IdM architecture
• Tamper-resistant module is mediator between
o identity providers
o service providers
• Access to attributes controlled by
o external authorities: certificates
o user: personalized policies on the card
[Figure labels: SPi, IdPX]
OpenID shortcomings: trust
Before OpenID
• User: “Hi, I’m a banana.”
• Service provider: “Okay. Come on in.”
With OpenID
• User: “I’m a banana. Pass it on.”
• Identity provider: “Okay”
• Identity provider: “Trust me, this is a banana”
• Service provider: “Okay. Come on in.”
OpenID vs. IdM architecture

| | OpenID | IdM architecture |
|---|---|---|
| Interoperability | | |
| Must modify workstation? | Typically not | Yes |
| Based on a standard? | Yes | No |
| Security | | |
| Credentials | Passwords: weak | ECDH: strong |
| | Prone to theft by malware | Protected by tamper-resistant card |
| | Prone to phishing by SP | Feedback about URI; certificate checks |
| Communication security | Data authentication not required (MITM attacks) | Secure, authenticated channels |
| Identity provider | Centralised: high-value attack target | Decentralised |
| | Transaction monitoring, linking, profiling | Mediation by card |
| Privacy | | |
| | Can impersonate user | Mediation by card |
| Anonymity level towards service provider | Global user ID (URI) | Identifiable; pseudonymous; (accountably) anonymous |
| Selective attribute disclosure? | Typically not | Yes |
| User consent? | Typically not | Yes |
Approach: current trends and opportunities
More mobility & more computers
Smartphones omnipresent
Mobile Internet adoption
Approach: a mobile identity provider
[Figure: IdPX, IdPY, IdPZ; User; Mobile identity provider; OpenID service provider]
Approach: protocol flow
Participants: User, User’s browser, Service provider, Mobile IdP
1. Request resource
2. Prompt for IdP URI
3. Provide IdP URI
4. Redirect to IdP
5. Show feedback and ask for consent
6. Give consent and enter PIN
7. Retrieve attributes from secure element
7. Assert attributes and redirect
8. Return resource
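An added sketch (not from the slides or from the MSEC implementation) of the release decision behind steps 5 to 7 and the access-control rules on the IdM architecture slide: attributes leave the secure element only if the service provider's certificate and the user's on-card policy both allow them, and only after consent and a correct PIN. The class, its fields and all sample values are constructed for illustration.

```python
# Added illustration: a toy model of the mobile IdP's release decision.
# All names and sample values are constructed; this is not the MSEC code.
import hmac
from dataclasses import dataclass, field


@dataclass
class SecureElement:
    """Stands in for the tamper-resistant card holding attributes and policy."""
    pin: str
    attributes: dict
    # Per-SP user policy: attribute names the user allows to be released.
    user_policy: dict = field(default_factory=dict)

    def release(self, sp_id, cert_allowed, requested, consent, pin):
        # Steps 5-6: the user sees the request, consents and enters the PIN.
        if not consent:
            raise PermissionError("user declined")
        if not hmac.compare_digest(pin.encode(), self.pin.encode()):
            raise PermissionError("wrong PIN")
        # External authority: the SP's certificate bounds what it may ask for.
        # User: the personalised policy on the card bounds it further.
        allowed = set(cert_allowed) & set(self.user_policy.get(sp_id, ()))
        granted = [a for a in requested if a in allowed and a in self.attributes]
        denied = [a for a in requested if a not in granted]
        # Step 7: only the granted attributes leave the secure element.
        return {a: self.attributes[a] for a in granted}, denied


def demo():
    card = SecureElement(
        pin="4711",
        attributes={"name": "Alice Example", "age_over_18": True,
                    "email": "alice@example.org"},
        user_policy={"https://shop.example": ["age_over_18", "email"]},
    )
    # Constructed request: the SP asks for more than it is entitled to.
    return card.release(
        sp_id="https://shop.example",
        cert_allowed=["age_over_18", "name"],
        requested=["name", "age_over_18", "email"],
        consent=True,
        pin="4711",
    )


if __name__ == "__main__":
    print(demo())
```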
Implementation
Mobile device
• Acer Liquid Glow E330
• Android 4.0.4
• I-Jetty webserver
• Secure element middleware
Secure element
• Giesecke & Devrient Mobile Security Card 1.0
• Java Card 2.2.2
• MSEC’s IdM architecture
Service provider
Evaluation
• Better privacy
• Better security
• Better interoperability
• Mobile IdP is personal server…
o Network anonymity important!
o Tor
• Hidden service (*.onion pseudo top-level domain)
• Tor2web proxy to get a non-Tor URI
Q&A