UP-SSO: Enhancing the User Privacy of SSO by Integrating PPID and SGX

Single sign-on (SSO) services are widely deployed on the Internet as the identity management and authentication infrastructure. In an SSO system, after authenticated by the identity providers (IdPs), a user is allowed to log into relying parties (RPs) by submitting an identity proof. However, SSO introduces the potential leakage of user privacy, which is indicated by NIST. That is (a) a curious IdP could track a user's all visits to any RPs and (b) collusive RPs could link the user's identities across different RPs, to learn the user's activity profile. NIST suggests that the Pairwise Pseudonymous Identifier (PPID) should be adopted to prevent collusive RPs from linking the same user, as PPID mechanism enables an IdP to provide a user with multiple individual IDs for different RPs. However, PPID mechanism cannot protect users from IdP's tracking, as it still exposes RP identity to IdP. In this paper, we propose an SSO system, named UP-SSO, providing the enhanced PPID mechanism to protect a user's profile of RP visits from both the curious IdP and the collusive RPs by integrating PPID and SGX. It separates an IdP service into two parts, the server-side service and user-side service. The generation of PPID is shifted from IdP server to user client, so that IdP server no longer needs to learn RP ID. The integrity of user client can be verified by IdP through remote attestation. The detailed design of UP-SSO is described in this paper, and the systemic analysis is provided to guarantee its security. We implemented the prototype system of UP-SSO, and the evaluation of the prototype system shows the overhead is modest.