Abstract
OpenID is a lightweight, easy to implement and deploy approach to Single Sign-On (SSO) and Identity Management (IdM), and has great potential for large-scale user adoption, especially for mobile applications. At the same time, Mobile Network Operators are increasingly interested in leveraging their existing infrastructure and assets for SSO and IdM. In this paper, we present the concept of Smart OpenID, an enhancement to OpenID which moves part of the OpenID authentication server functionality to the smart card of the user’s device. This seamless, OpenID-conformant protocol allows for scaling security properties, and generally improves the security of OpenID by avoiding the need to send user credentials over the Internet, thus avoiding phishing attacks. We also describe our implementation of the Smart OpenID protocol based on an Android phone, which interacts with OpenID-enabled web services.
Copyright information
© 2012 IFIP International Federation for Information Processing
About this paper
Cite this paper
Leicher, A., Schmidt, A.U., Shah, Y. (2012). Smart OpenID: A Smart Card Based OpenID Protocol. In: Gritzalis, D., Furnell, S., Theoharidou, M. (eds) Information Security and Privacy Research. SEC 2012. IFIP Advances in Information and Communication Technology, vol 376. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-30436-1_7
DOI: https://doi.org/10.1007/978-3-642-30436-1_7
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-30435-4
Online ISBN: 978-3-642-30436-1
eBook Packages: Computer Science (R0)