A privacy-enhanced OAuth 2.0 based protocol for Smart City mobile applications

Bibliographic Details
Published in: Computers & security 2018-05, Vol.74, p.258-274
Main Authors: Sucasas, Victor; Mantas, Georgios; Althunibat, Saud; Oliveira, Leonardo; Antonopoulos, Angelos; Otung, Ifiok; Rodriguez, Jonathan
Format: Article
Language: English
container_end_page 274
container_issue
container_start_page 258
container_title Computers & security
container_volume 74
creator Sucasas, Victor
Mantas, Georgios
Althunibat, Saud
Oliveira, Leonardo
Antonopoulos, Angelos
Otung, Ifiok
Rodriguez, Jonathan
description In the forthcoming Smart City scenario, Service Providers will require users to authenticate themselves and authorize their mobile applications to access their remote accounts. In this scenario, OAuth 2.0 has been widely adopted as a de facto authentication and authorization protocol. However, the current OAuth 2.0 protocol specification does not consider the user privacy issue and presents several vulnerabilities that can jeopardize users' privacy rights. Therefore, in this paper we propose an OAuth 2.0 based protocol for Smart City mobile applications that addresses the user privacy issue by integrating a pseudonym-based signature scheme and a signature delegation scheme into the OAuth 2.0 protocol flow. The proposed solution allows users to self-generate user-specific and app-specific pseudonyms on-demand and ensure privacy-enhanced user authentication at the Service Provider side. The proposed protocol has been validated with Proverif and its performance has been evaluated in terms of time and space complexity. Results show that the proposed protocol can provide users with efficient and effective means to authenticate towards service providers while preventing user tracking and impersonation from malicious entities located in the network side or in the users' mobile device.
doi_str_mv 10.1016/j.cose.2018.01.014
format article
fulltext fulltext
identifier ISSN: 0167-4048
ispartof Computers & security, 2018-05, Vol.74, p.258-274
issn 0167-4048
1872-6208
language eng
recordid cdi_proquest_journals_2068029523
source ScienceDirect Freedom Collection 2022-2024
subjects Applications programs
Authentication
Authentication protocols
Mobile communication systems
Mobile computing
OAuth 2.0
Privacy
Privacy-preserving
Pseudonym-based signatures
Right of privacy
Smart cities
Smart City
Software
Software utilities
Studies
title A privacy-enhanced OAuth 2.0 based protocol for Smart City mobile applications
url http://sfxeu10.hosted.exlibrisgroup.com/loughborough?ctx_ver=Z39.88-2004&ctx_enc=info:ofi/enc:UTF-8&ctx_tim=2025-01-29T12%3A06%3A50IST&url_ver=Z39.88-2004&url_ctx_fmt=infofi/fmt:kev:mtx:ctx&rfr_id=info:sid/primo.exlibrisgroup.com:primo3-Article-proquest_cross&rft_val_fmt=info:ofi/fmt:kev:mtx:journal&rft.genre=article&rft.atitle=A%20privacy-enhanced%20OAuth%202.0%20based%20protocol%20for%20Smart%20City%20mobile%20applications&rft.jtitle=Computers%20&%20security&rft.au=Sucasas,%20Victor&rft.date=2018-05&rft.volume=74&rft.spage=258&rft.epage=274&rft.pages=258-274&rft.issn=0167-4048&rft.eissn=1872-6208&rft_id=info:doi/10.1016/j.cose.2018.01.014&rft_dat=%3Cproquest_cross%3E2068029523%3C/proquest_cross%3E%3Cgrp_id%3Ecdi_FETCH-LOGICAL-c328t-993c511f052e556a36da200f53f51da0ea918bbdf6e82b7ea9b226800f4346443%3C/grp_id%3E%3Coa%3E%3C/oa%3E%3Curl%3E%3C/url%3E&rft_id=info:oai/&rft_pqid=2068029523&rft_id=info:pmid/&rfr_iscdi=true