Abstract
The quantum threat affects a multitude of network protocols, frameworks, and systems that use public-key cryptography. OpenID Connect (OIDC) and OAuth 2.0 are no exception, which means they must transition to Post-Quantum Cryptography (PQC). Moreover, the long lifetime of access tokens makes this shift urgent, given the possibility of a record-now-decrypt-later attacker retrieving these tokens and subsequently impersonating users with them. In this research, we conduct a thorough literature review to identify existing solutions to this problem, suggest modifications to OAuth 2.0 and OIDC and their underlying protocols to make them quantum-safe, then implement and evaluate the effects of PQC on a realistic OIDC case study. Our findings reveal that PQC-based OIDC has the same or better performance in low-latency settings, but the handshake of PQC-based TLS accounts for fifty percent of the overall duration in high-latency scenarios.
This study was supported by the Federal Institute of Rio Grande do Sul (IFRS) and by the Federal University of Technology - Parana (UTFPR).
© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG
Cite this paper
Schardong, F., Giron, A.A., Müller, F.L., Custódio, R. (2022). Post-Quantum Electronic Identity: Adapting OpenID Connect and OAuth 2.0 to the Post-Quantum Era. In: Beresford, A.R., Patra, A., Bellini, E. (eds) Cryptology and Network Security. CANS 2022. Lecture Notes in Computer Science, vol 13641. Springer, Cham. https://doi.org/10.1007/978-3-031-20974-1_20
DOI: https://doi.org/10.1007/978-3-031-20974-1_20
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-20973-4
Online ISBN: 978-3-031-20974-1
eBook Packages: Computer Science (R0)