UPPRESSO: Untraceable and Unlinkable Privacy-PREserving Single Sign-On Services
This addresses privacy risks for users of SSO services, offering a practical solution compatible with existing protocols, though it is incremental as it builds on prior privacy-preserving SSO methods.
The paper tackles privacy threats in single sign-on (SSO) systems, where identity providers can track users and colluding relying parties can link identities, by proposing UPPRESSO, a scheme that generates untraceable and unlinkable pseudo-identities, with evaluations showing it meets security and privacy requirements with reasonable overheads.
Single sign-on (SSO) allows a user to maintain only the credential for an identity provider (IdP) to log into multiple relying parties (RPs). However, SSO introduces privacy threats, as (a) a curious IdP could track a user's all visits to RPs, and (b) colluding RPs could learn a user's online profile by linking her identities across these RPs. This paper presents a privacypreserving SSO scheme, called UPPRESSO, to protect an honest user's online profile against (a) an honest-but-curious IdP and (b) malicious RPs colluding with other users. UPPRESSO proposes an identity-transformation approach to generate untraceable ephemeral pseudo-identities for an RP and a user from which the target RP derives a permanent account for the user, while the transformations also provide unlinkability. This approach protects the identities of the user and the target RPs in a login flow, while working compatibly with widely-deployed SSO protocols and providing services accessed from a commercial-off-the-shelf browser without plug-ins or extensions. We built a prototype of UPPRESSO on top of MITREid Connect, an open-source SSO system. The extensive evaluations show that it fulfills the security and privacy requirements of SSO with reasonable overheads.