Single sign-on (SSO) allows a user to maintain only the credential at the
identity provider (IdP) to log in to numerous relying parties (RPs). However, SSO introduces
extra privacy threats, compared with traditional authentication mechanisms, as
(a) the IdP could track all RPs which a user is visiting, and (b) collusive RPs
could learn a user's online profile by linking his identities across these RPs.
This paper proposes a privacy-preserving SSO system, called UPPRESSO, to protect
a user's login activities against both the curious IdP and collusive RPs. We
analyze the identity dilemma between the security requirements and these
privacy concerns, and convert the SSO privacy problems into an identity
transformation challenge. In each login instance, an ephemeral pseudo-identity
(denoted as PID_RP) of the RP is first negotiated between the user and the
RP. PID_RP is sent to the IdP and designated in the identity token, so the IdP
is not aware of the visited RP. Meanwhile, PID_RP is used by the IdP to
transform the permanent user identity ID_U into an ephemeral user
pseudo-identity (denoted as PID_U) in the identity token. On receiving the
identity token, the RP transforms PID_U into a permanent account (denoted as
Acct) of the user, using an ephemeral trapdoor from the negotiation. Given a user,
the account at each RP is unique and different from ID_U, so collusive RPs
cannot link his identities across these RPs. We build the UPPRESSO prototype on
top of MITREid Connect, an open-source implementation of OIDC. The extensive
evaluation shows that UPPRESSO fulfills the requirements of both security and
privacy and introduces reasonable overheads.
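
The following sketch is an added example, not code from the paper or the UPPRESSO prototype. It shows one way the three transformations described above can compose, assuming identities are elements of a prime-order group and each transformation is a modular exponentiation; the abstract does not state the construction, and the toy group parameters, function names and token fields are hypothetical.

```python
# Toy parameters constructed for this example; far too small to be secure.
P = 2039   # safe prime, P = 2*Q + 1
Q = 1019   # prime order of the subgroup of squares modulo P
G = 4      # generator of that subgroup


def user_negotiate(id_rp, n_u):
    """User: blind the RP's permanent identity with a per-login nonce n_u.
    Returns (PID_RP, trapdoor); the trapdoor is shared with the RP only."""
    if not 1 <= n_u < Q:
        raise ValueError("nonce must be in [1, Q-1]")
    return pow(id_rp, n_u, P), pow(n_u, -1, Q)


def idp_issue_token(id_u, pid_rp):
    """IdP: sees PID_RP, never ID_RP. Binds the token to PID_RP and
    derives PID_U from the permanent ID_U. Signature omitted here."""
    return {"aud": pid_rp, "sub": pow(pid_rp, id_u, P)}


def rp_derive_account(token, pid_rp, trapdoor):
    """RP: accept only tokens designated for the negotiated PID_RP, then
    remove the nonce with the trapdoor to recover the permanent account."""
    if token["aud"] != pid_rp:
        raise ValueError("token was issued for a different PID_RP")
    return pow(token["sub"], trapdoor, P)


def login(id_rp, id_u, n_u):
    """One full login; returns (PID_RP, PID_U, Acct)."""
    pid_rp, trapdoor = user_negotiate(id_rp, n_u)
    token = idp_issue_token(id_u, pid_rp)
    return pid_rp, token["sub"], rp_derive_account(token, pid_rp, trapdoor)


ID_RP_A = pow(G, 17, P)    # constructed identity of a first RP
ID_RP_B = pow(G, 305, P)   # constructed identity of a second RP
ID_U = 666                 # constructed permanent user identity, IdP only

if __name__ == "__main__":
    for rp, nonce in ((ID_RP_A, 123), (ID_RP_A, 777), (ID_RP_B, 123)):
        print(login(rp, ID_U, nonce))
```

The first two results share the same Acct although their PID_RP and PID_U values differ, and the third, at another RP, yields a different Acct.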