
Single-sign-on Authentication with Anonymous Token and Restricted Covert Channel

Research output: Chapter in book / Conference proceeding › Conference article published in proceeding or book › Academic research › peer-review

Abstract

Single-sign-on authentication (SSO) enables a user to obtain a token from an identity server and access multiple service providers with the token. In conventional SSO, the identity server can identify the user through the token, which compromises the user’s privacy. Anonymous SSO is proposed to solve this problem. However, unconditional anonymity precludes identification of fraudulent users and leads to an increase in illegitimate activities. In this paper, we propose SONAR, an anonymous single-sign-on authentication protocol that supports fraud detection. The identity server first assesses a user’s trustworthiness using fraud detection. We observe that directly refusing to issue tokens to an untrustworthy user allows the user to immediately realize that he has been detected, which poses security problems. Instead, we postpone the moment the user realizes he has been detected until he attempts to access a service provider. We also illustrate the benefits of this postponement using denial of service attacks as an example. In the proposed SONAR, the identity server issues the user (regardless of his trustworthiness) a token that contains a covert channel, which is restricted to conveying only a 0/1 bit that is hidden from the user. The restriction of the channel prevents the identity server from tracking the user by embedding specific information in the channel, while the 0/1 bit indicates whether the user is trustworthy or not. The token is actually a randomizable signature and can be randomized by the user, while the embedded bit remains unchanged. The user accesses a service provider with a randomized token, which protects the user from being identified and also informs the service provider whether the user’s access should be permitted. We provide a formal security proof to demonstrate that SONAR is secure, and conduct a performance evaluation to show the efficiency of SONAR.
Original language: English
Title of host publication: 2024 IEEE 23rd International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom)
Pages: 1413-1422
Publication status: Published - Dec 2024
