Abstract

The multi-server environment of many Internet services available today, such as Google, and the availability of Single Sign-On (SSO) solutions have brought about promising technologies. Many of these and similar applications let clients sign on with a single username and password, alleviating the need for multiple identities and multiple passwords. Although promising, SSO mechanisms need to be especially robust and provide the utmost authentication for their users. Because the authentication channel between the service provider and the client in SSO is unidirectional and lacks a recent authentication key, researchers have pointed out vulnerabilities in such schemes that lead to attacks such as impersonation. In this paper, we present a keyless signature scheme that remedies this problem. By combining a Merkle hash tree and a hash calendar, the identity provider in SSO periodically creates an authentication key used by the client and the service provider. Traffic between the latter two is secured by a one-way hash chain to achieve bidirectional authentication. The proposed scheme is evaluated through simulation experiments, using communication and computation costs as the evaluation metrics. The optimal length of the one-way hash chain between the service providers and the client is validated analytically.
