Mobile Personal Identity Provider Based on OpenID Connect

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10442)

Abstract

In our digital society, managing identities and the corresponding access credentials is as necessary as it is painful. This is mainly due to the demand for a unique password for each service a user makes use of. Various approaches have been proposed for solving this issue, among which Identity Provider (IDP) based systems have gained the most traction for Web services. An obvious disadvantage of these IDPs, however, is the level of trust a user has to place in them. After all, an IDP stores a lot of sensitive information about its users and is able to impersonate each of them.

In the present paper we therefore propose an architecture that enables a personal IDP (PIDP) to be operated on a mobile device owned by the user. To evaluate the properties of the introduced mobile PIDP (MoPIDP), we analyzed it by means of a prototype. Our MoPIDP architecture provides clear advantages over classical IDP approaches in terms of the trust required and common threats such as phishing, and additionally in terms of usability for the end user.


Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  1. Cologne University of Applied Sciences, Cologne, Germany
  2. Kiel University of Applied Sciences, Kiel, Germany
