Paper 2023/915
Attribute-based Single Sign-On: Secure, Private, and Efficient
Abstract
A Single Sign-On (SSO) system allows users to access different remote services while authenticating only once. SSO can greatly improve the usability and security of online activities by dispensing with the need to securely remember or store tens or hundreds of authentication secrets. On the downside, today's SSO providers can track users' online behavior, and collect personal data that service providers want to see asserted before letting a user access their resources. In this work, we propose a new policy-based Single Sign-On service, i.e., a system that produces access tokens that are conditioned on the user's attributes fulfilling a specified policy. Our solution is based on multi-party computation and threshold cryptography, and generates access tokens of standardized format. The central idea is to distribute the role of the SSO provider among several entities, in order to shield user attributes and access patterns from each individual entity. We provide a formal security model and analysis in the Universal Composability framework, against proactive adversaries. Our implementation and benchmarking show the practicality of our system for many real-world use cases.
Metadata
- Available format(s)
- Category
- Cryptographic protocols
- Publication info
- Published elsewhere. PoPETS 2023
- Keywords
- SSOMPCthreshold cryptographyidentity management
- Contact author(s)
-
tore frederiksen @ zama ai
JHS @ zurich ibm com
POE @ zurich ibm com
patrick towa @ gmail com - History
- 2023-06-14: approved
- 2023-06-12: received
- See all versions
- Short URL
- https://ia.cr/2023/915
- License
-
CC BY-NC-ND
BibTeX
@misc{cryptoeprint:2023/915, author = {Tore Kasper Frederiksen and Julia Hesse and Bertram Poettering and Patrick Towa}, title = {Attribute-based Single Sign-On: Secure, Private, and Efficient}, howpublished = {Cryptology {ePrint} Archive, Paper 2023/915}, year = {2023}, url = {https://eprint.iacr.org/2023/915} }