via Future of Privacy Forum
Researchers develop cryptographic scheme that completely hides your personal information from third parties when using single sign-on systems.
Single sign-on systems (SSOs) allow us to login to multiple websites and applications using a single username and password combination. But these are third party systems usually handled by Big Tech companies who have been reported to gather and leak personal information without user consent. Now, researchers from Tokyo University of Science, Japan, have developed a new and secure single sign-on algorithm that eliminates all these problems.
Over the last few decades, as the information era has matured, it has shaped the world of cryptography and made it a varied landscape. Amongst the myriad of encoding methods and cryptosystems currently available for ensuring secure data transfers and user identification, some have become quite popular because of their safety or practicality. For example, if you have ever been given the option to log onto a website using your Facebook or Gmail ID and password, you have encountered a single sign-on (SSO) system at work. The same goes for most smartphones, where signing in with a single username and password combination allows access to many different services and applications.
SSO schemes give users the option to access multiple systems by signing in to just one specific system. This specific system is called the “identity provider” and is regarded as a trusted entity that can verify and store the identity of the user. When the user attempts to access a service via the SSO, the “service provider” asks this identity provider to authenticate the user.
The advantages of SSO systems are many. For one, users need not remember several username and password combinations for each website or application. This translates into fewer people forgetting their passwords and, in turn, fewer telephone calls to IT support centers. Moreover, SSO reduces the hassle of logging in, which can, for example, encourage employees to use their company’s security-oriented tools for tasks such as secure file transfer.
But with these advantages come some grave concerns. SSO systems are often run by Big Tech companies, who have, in the past, been reported to gather people’s personal information from apps and websites (service providers) without their consent, for targeted advertising and other marketing purposes. Some people are also concerned that their ID and password could be stored locally by third parties when they provide them to the SSO mechanism.
In an effort to address these problems, Associate Professor Satoshi Iriyama from Tokyo University of Science and his colleague Dr Maki Kihara have recently developed a new SSO algorithm that on principle prevents such holistic information exchange. In their paper, published in Cryptography, they describe the new algorithm in great detail after going over their motivations for developing it. Dr Iriyama states: “We aimed to develop an SSO algorithm that does not disclose the user’s identity and sensitive personal information to the service provider. In this way, our SSO algorithm uses personal information only for authentication of the user, as originally intended when SSO systems were introduced.”
Because of the way this SSO algorithm is designed, it is impossible in essence for user information to be disclosed without authorization. This is achieved, as explained by Dr Iriyama, by applying the principle of “handling information while it is still encrypted.” In their SSO algorithm, all parties exchange encrypted messages but never exchange decryption keys, and no one is ever in possession of all the pieces of the puzzle because no one has the keys to all the information. While the service provider (not the identity provider) gets to know whether a user was successfully authenticated, they do not get access to the user’s identity and any of their sensitive personal information. This in turn breaks the link that allows identity providers to draw specific user information from service providers.
The proposed scheme offers many other advantages. In terms of security, it is impervious by design to all typical forms of attack by which information or passwords are stolen. For instance, as Dr Iriyama explains, “Our algorithm can be used not only with an ID and a password, but also with any other type of identity information, such as biometrics, credit card data, and unique numbers known by the user.” This also means that users can only provide identity information that they wish to disclose, reducing the risk of Big Tech companies or other third parties siphoning off personal information. In addition, the algorithm runs remarkably fast, an essential quality to ensure that the computational burden does not hinder its implementation.
This study will hopefully bring about positive changes in current SSO systems, so that more users are encouraged to use them and reap their many benefits.
The Latest Updates from Bing News & Google News
Go deeper with Bing News on:
Single sign-on system
- Texas’s war on drop-off votes gets almost everything wrongon October 6, 2020 at 1:45 pm
Texas governor Greg Abbott became the latest Republican to attack America’s vote-by-mail system. A proclamation he issued claimed that the threat of “illegal voting” justifies a dramatic decrease in ...
- Novant gets approval on $5.3 billion New Hanover hospital deal. State AG still has to sign off.on October 5, 2020 at 5:00 pm
Novant Health Inc.'s $5.3 billion offer to purchase New Hanover Regional Medical Center received final approval Monday from the New Hanover Board of Commissioners.
- Bank of Thailand Launches World's First Government Savings Bond on IBM Blockchain Technologyon October 4, 2020 at 10:15 pm
IBM today announced that Bank of Thailand, the central bank, has successfully launched the world's first blockchain-based platform for government savings bonds issuing a total of $1.6 B USD within two ...
- The Latest: India's new virus totals still on downward trendon October 3, 2020 at 10:00 pm
NEW DELHI — India has registered a single-day spike of 74,442 new coronavirus cases, driving the country’s overall tally since the pandemic began to 6.6 million.
- One KC-46 delivery has been halted due to electrical system problemson October 2, 2020 at 6:23 am
WASHINGTON — The U.S. Air Force halted a delivery of the KC-46 yet again after problems with the electrical system were found on one new tanker slated to make its way to the service. The issue was ...
Go deeper with Google Headlines on:
Single sign-on system
Go deeper with Bing News on:
- What is Telegram?on October 1, 2020 at 10:55 am
The scheme is known as MTProto and is based on ... When dealing with security, you always want to leave room for scrutiny, and a few cryptography experts have criticized the system.
- NTT Research, UCLA and University of Washington Applaud Cryptographers for Indistinguishability Obfuscation Breakthroughon September 30, 2020 at 6:19 am
Despite extensive efforts, all previously known iO schemes required tailored and ... in many previous works for realizing a variety of cryptographic goals that have nothing to do with iO.
- NTT Research, UCLA and University of Washington Applaud Cryptographers for Indistinguishability Obfuscation Breakthroughon September 30, 2020 at 5:07 am
NTT Research, Inc., a division of NTT (TYO:9432), along with UCLA and the University of Washington, today announced that a paper co-authored by cryptographers affiliated with their respective ...
- This Week In Security: DNSSEC Temporarily Lost Their Keys, FIDO, And One Weird Windows Trickon September 28, 2020 at 5:00 pm
This scheme is great for security ... The massive story that came across the desk this week is about Crypto AG, a cryptography company based in Switzerland. It was founded by [Boris Hagelin ...
- Understanding Elliptic Curve Cryptography And Embedded Securityon September 28, 2020 at 5:00 pm
That’s why a much much computationally expensive key exchange scheme using an asymmetric (or public-key) cryptography scheme is generally used to set up the second part of the communications ...