Google Researchers Outline Pseudonym Sign-On - InformationWeek
8/3/2010
01:35 PM

Google Researchers Outline Pseudonym Sign-On

Privacy worries about single sign-on identity providers could fade if Google's PseudoID system gets implemented.

Google researchers have proposed a way to prevent online identity providers from amassing information about Internet users that could harm user privacy if exposed.

In a paper presented last month at the 10th Privacy Enhancing Technologies Symposium in Berlin, Germany, Google associate product manager intern Arkajit Dey and software engineer Stephen Weis describe a system called PseudoID that uses blind cryptographic signatures to generate a pseudonym to log into Web sites through a federated identity system without revealing the user’s identity.

Single sign-on (SSO) identity systems for the Internet rely either on a centralized identity provider (Windows ID or Facebook Connect) or on a federation of identity providers (OpenID).

Web sites that participate in these systems become what’s known as relaying parties, because they relay logins to the identity provider for authentication.

The problem with both centralized and federated SSO systems, observe Dey and Weis, is that all user logins to relaying parties’ Web sites pass through an identity provider. This presents a potential privacy risk.

"A user's identity provider can easily link together the various Web sites that the user visits," the researchers state in their paper.

Were the identity provider to be breached or compelled through legal process to reveal this information, the entirety of users’ Web histories could be disclosed.

PseudoID, which is backwards compatible with OpenID, addresses this risk by preventing SSO credentials from being linked to user accounts on relaying parties’ Web sites.

Through a cryptographic mechanism known as a blind signature, a user is able to present pseudonymous login credentials -- a token -- to an identity provider so that the user can be authenticated but not identified.

"The identity provider relies on the blindly signed tokens to be able to authenticate users without forcing them to reveal their identity," the paper explains. "When a user is redirected to her identity provider by a relying party, the provider checks whether the user has an access token that has been signed by the blind signer."
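The blind-signature flow described above, sketched as an added example (not taken from the PseudoID source code or the paper). It assumes a textbook RSA blind signature in the style of Chaum, which the article does not specify; the function names, the token format and the demo key are all constructed for illustration.

```python
import hashlib
import secrets
from math import gcd

# Constructed demo key built from two Mersenne primes. Special-form primes and
# unpadded RSA are NOT safe for real use; they keep the example dependency-free.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # blind signer's private exponent

def h(token: bytes) -> int:
    """Hash the token to an integer below N."""
    return int.from_bytes(hashlib.sha256(token).digest(), "big")

def blind(token: bytes):
    """User: hide H(token) behind a random factor r before sending it out."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            return (h(token) * pow(r, E, N)) % N, r

def sign_blinded(blinded: int) -> int:
    """Blind signer: signs the blinded value without ever seeing the token."""
    return pow(blinded, D, N)

def unblind(blind_sig: int, r: int) -> int:
    """User: strip r to obtain an ordinary RSA signature on H(token)."""
    return (blind_sig * pow(r, -1, N)) % N

def verify(token: bytes, sig: int) -> bool:
    """Identity provider: accept the token if the signer's public key validates it."""
    return pow(sig, E, N) == h(token)

def demo():
    token = b"pseudonym:" + secrets.token_hex(16).encode()  # constructed sample token
    blinded, r = blind(token)
    blind_sig = sign_blinded(blinded)
    sig = unblind(blind_sig, r)
    signer_view = {blinded, blind_sig}  # everything the signer observed
    return token, sig, signer_view

if __name__ == "__main__":
    token, sig, seen = demo()
    print("token verifies:", verify(token, sig))
    print("signer saw token hash:", h(token) in seen)
    print("signer saw final signature:", sig in seen)
```

The signer only ever handles the blinded value and its signature, so the token later shown to the identity provider cannot be matched to the signing request that produced it.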

The PseudoID source code has been made available on Google Code and the researchers have set up a prototype identity provider that uses blind signatures at pseudoid.net.

A Google spokesperson didn’t immediately respond to a request to comment on whether the company had any plans to implement the PseudoID system.
