Boffins have harnessed privacy-preserving crypto to create a browser extension that allows users to authenticate to services without being tracked.

The extension, Privacy Pass, offers people another way to authenticate themselves without having to repeatedly solve internet challenge-response tests like CAPTCHAs.

Alex Davidson, a PhD student at Royal Holloway, University of London, is one of a five-man team behind the extension, which he worked on while an intern at web security firm Cloudflare – the websites it protects support the extension.

"Privacy Pass aims to solve the problem of authenticating to services when the user seeks to preserve their anonymity," he told The Register, adding that it's most likely to benefit people who browse from shared IPs.

The extension allows users to generate a set of "signed" tokens from a service after a successful authentication attempt over HTTP, Davidson said.

"These tokens can be used as passes – allowing a means of authenticating to the same server in the future – instead of having to explicitly authenticate again; much like cookies are widely used now instead of having to log in over and over again."

But, crucially, Privacy Pass also ensures that the service doesn't recognise the user when they hand the pass back by making it cryptographically unlinkable.

How does it work?

The protocol uses a concept called verifiable oblivious pseudorandom function (VOPRF) combined with a blind signing protocol – where the server performs a compute function for the user without knowing the real input or output.

When a user needs to authenticate to a service, Davidson said, Privacy Pass will first generate a set of elliptic curve points that are used as tokens.

These are then blinded by Privacy Pass – by secretly multiplying each token by some random number – and sent with an authentication attempt to the server.

The server then validates the attempt and signs the token, by multiplying each with its own secret value, and returns them to the client.

The tokens are then unblinded by Privacy Pass, done by inverting the random multiplication, and are stored for the future.

When the user is asked to perform another authentication for that service, Privacy Pass creates a pass from an unspent token and sends that instead, giving the user quicker and easier access to the service.

"Since the blind is randomly generated by the client and never seen by the service, we ensure that the service cannot link a token that was signed to an unblinded token that is redeemed later," Davidson wrote in a Medium post explaining the concept.

Davidson described the protocol as follows:

A VOPRF protocol allows a server with key x and a user with input y to evaluate F_x(y) for some PRF F, without the user learning x and the server learning y. This is the oblivious aspect of the construction. The verifiable aspect allows the user to verify that what is returned by the server is a valid pseudorandom output from the PRF. That is, to prevent the server from returning some input that is potentially not random.

In the Privacy Pass protocol, a user will present y along with F_x(y), and a service with x can verify that the user has received a valid F_x(y) in the past.

As well as blinding, the team also introduced verifiable key consistency to ensure users couldn't be identified.

It uses a batched non-interactive, zero-knowledge proof that allows the service to prove that all clients are served outputs from the VOPRF using the same key x.

This is crucial as services that could use unique key pairs would be able to link future pass redemptions by analysing the key pairs used to compute the VOPRF protocol.

Davidson told The Reg that the tokens don't encode any data about the user or when it was generated to protect anonymity, but acknowledged that this did make trading signed tokens possible.

"But we can avert this becoming too much of an issue by using regular key rotation on the server-side," he said. "In the future, we may explore ways of encoding some data in the token to prevent this, without giving away any details about the user."

An alternative to cookies?

Davidson said that, because Privacy Pass is agnostic to the authentication mechanism used, it can be built on top of existing frameworks.

"For example, we envisage that it could be used as an alternative method for signing into services without having to use authenticators that do not preserve privacy, such as cookies."

This was particularly welcomed by privacy campaigners. "Cookie tracking is all too common, so methods to remove the need for it are a great idea," said Open Rights Group director Jim Killock.

Killock added that it could have implications for age verification services. These are coming under the spotlight in the UK as the Digital Economy Act requires all porn sites to verify the age of users – bringing with it concerns over privacy and data security.

Pandora/Blake, porn-maker and civil liberties campaigner, echoed this hope.

"Privacy Pass doesn't currently include a protocol for handling age verification itself, but if age verification services used this sort of zero knowledge proof then it would dramatically increase user privacy," they said.

"If Privacy Pass does what it says it does, it indicates that anonymous authentication is possible, and that age verification providers have no excuse for creating protocols that needlessly see and retain user data, with potential harmful consequences for privacy."

Experts have also welcomed the tech, with Alan Woodward, a security professor at the University of Surrey, saying that – although there are other ways of solving the problem – this was an "elegant" solution.

Software engineer Alec Muffet described it as "an awesome technology" but added: "We need to think about potential applications where it's not just proving to the infrastructure/operators that you have a right to be there, but instead using it in a space with third, and fourth, parties."

For its part, the Privacy Pass team has said that it views the protocol and extension as still being in beta, and it's looking for new partners and support from the developer community – the code for the extension and a compatible server implementation are both open source. ®