
Post-Quantum Electronic Identity: Adapting OpenID Connect and OAuth 2.0 to the Post-Quantum Era

  • Conference paper
  • Cryptology and Network Security (CANS 2022)

Abstract

The quantum threat affects a multitude of network protocols, frameworks, and systems that use public-key cryptography. OpenID Connect (OIDC) and OAuth 2.0 are no exception, which means they must transition to Post-Quantum Cryptography (PQC). Moreover, the long lifetime of access tokens makes this shift necessary, considering a record-now-decrypt-later attacker who retrieves these tokens and subsequently uses them to impersonate users. In this research, we conduct a thorough literature review to identify existing solutions to this problem, suggest modifications to OAuth 2.0 and OIDC and their underlying protocols to make them quantum-safe, then implement and evaluate the effects of PQC on a realistic OIDC case study. Our findings reveal that PQC-based OIDC has the same or better performance in low-latency settings, but the handshake of PQC-based TLS accounts for fifty percent of the overall duration in high-latency scenarios.

This study was supported by the Federal Institute of Rio Grande do Sul (IFRS) and by the Federal University of Technology - Parana (UTFPR).


Notes

  1. https://github.com/OpenIDC/pyoidc
  2. https://github.com/IdentityPython/pyjwkest
  3. https://github.com/fredericoschardong/post-quantum-oidc-oauth2



Corresponding author: Frederico Schardong.


Copyright information

© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG


Cite this paper

Schardong, F., Giron, A.A., Müller, F.L., Custódio, R. (2022). Post-Quantum Electronic Identity: Adapting OpenID Connect and OAuth 2.0 to the Post-Quantum Era. In: Beresford, A.R., Patra, A., Bellini, E. (eds) Cryptology and Network Security. CANS 2022. Lecture Notes in Computer Science, vol 13641. Springer, Cham. https://doi.org/10.1007/978-3-031-20974-1_20


  • DOI: https://doi.org/10.1007/978-3-031-20974-1_20


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-20973-4

  • Online ISBN: 978-3-031-20974-1
