Internet usage is higher than ever and it seems like it will only rise further. In this context, users need to access many services protected by different entities, which demand some form of authentication. What is more, it is quite common that users need to prove some information about themselves, like being over a specific age. Current Identity Management (IdM) systems still fail to truly fulfil security and privacy management requirements, such as unlinkability of users across service providers (SP), hiding SPs from Identity Providers (IdP), selective disclosure of personal data, usability and performance.
Username and password systems remain the most accepted and widespread way to authenticate users. As a result, users face an explosion of usernames and passwords, making it difficult for them to remember all the credentials they hold. In most cases, this leads to the use of low-quality passwords and to the reuse of passwords (or slight modifications of them) across different services.
So far, the most successful identity federation systems available are online Single Sign-On solutions. This is convenient for users, who do not have to establish separate accounts with separate passwords and are presented with a consistent interface for logging into services. Nevertheless, it is detrimental to security and privacy. Traditional solutions introduce a single point of failure in the system, since the IdP is involved in every authentication to a service provider. A malicious IdP is able to impersonate its users. Furthermore, it may act as a “Big Brother” that can track the browsing behaviour of its users and link their accounts across different services. If the IdP is compromised by an attacker, the attacker gains the same privileges, making the IdP a high-value target.
This project implements the core infrastructure for deploying a Single Sign-On service based on an OAuth flow with standard JWTs, but offering stronger security guarantees than previous solutions through distributed security and optional cryptographic proofs.
The latest version of this document can always be found here.
OLYMPUS is a project funded by the EU under the H2020 programme, whose main objective is establishing an oblivious identity management framework that ensures secure and privacy-friendly virtual identity management interactions for citizens accessing services in Europe, based on novel cryptographic mechanisms. In particular, OLYMPUS employs distributed cryptographic techniques to split the role of the online IdP over multiple authorities, so that no single authority can impersonate or track its users.
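The following is an added toy illustration of the split-IdP idea described above, not code from the OLYMPUS project: it uses additive sharing of an RSA private exponent (a simplified stand-in for the project's actual distributed cryptography, which this page does not detail) so that a JWT verifies only when every authority contributes a partial signature. The key size, claim names and the `demo-idp` issuer are constructed for the example.

```python
import base64
import hashlib
import json
import secrets
# Toy RSA parameters (hardcoded, far too small for real use) so the example runs offline.
P, Q = 1000000007, 998244353
N = P * Q
PHI = (P - 1) * (Q - 1)
E = 65537
D = pow(E, -1, PHI)   # full private exponent; never held by any single authority below

def split_key(d, n_authorities):
    """Additively share the private exponent: d = d_1 + ... + d_n (mod PHI)."""
    shares = [secrets.randbelow(PHI) for _ in range(n_authorities - 1)]
    shares.append((d - sum(shares)) % PHI)
    return shares

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def signing_input(claims):
    """JWS signing input: base64url(header) '.' base64url(payload)."""
    header = b64url(json.dumps({"alg": "RS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header}.{payload}".encode()

def digest(msg):
    # SHA-256 reduced mod N; the toy omits the PKCS#1 v1.5 encoding that real RS256 uses.
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N

def partial_sign(d_share, msg):
    """One authority's contribution: h^(d_i) mod N, computed from its own share only."""
    return pow(digest(msg), d_share, N)

def combine(partials):
    """Multiply the partials: prod h^(d_i) = h^(sum d_i) = h^d mod N."""
    sig = 1
    for part in partials:
        sig = sig * part % N
    return sig

def issue_token(claims, shares):
    msg = signing_input(claims)
    sig = combine([partial_sign(s, msg) for s in shares])
    return msg.decode() + "." + b64url(sig.to_bytes((N.bit_length() + 7) // 8, "big"))

def verify_token(token):
    # Relying-party check using only the public key (N, E).
    head, body, sig = token.split(".")
    s = int.from_bytes(base64.urlsafe_b64decode(sig + "=" * (-len(sig) % 4)), "big")
    return pow(s, E, N) == digest(f"{head}.{body}".encode())
```

A token assembled from fewer than all shares, or with an altered payload, fails verification, which is the property that stops a single compromised authority from impersonating users.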
More information can be found on the project website.
The research leading to these results has received funding from the European Union’s Horizon 2020 Research and Innovation Programme, under Grant Agreement No. 786725 (OLYMPUS).