Single Sign-on Scheme Research Articles

PriSign, A Privacy-Preserving Single Sign-On System for Cloud Environments

Anonymous single sign-on systems allow users to use a single credential to access multiple services protected by verifiers without revealing their personal information, which is especially important due to privacy regulations such as GDPR. In this paper, we introduce a new strong privacy-preserving single sign-on scheme, dubbed PriSign, based on our proposed attribute-based credential with traceability (ABCT), attribute-based credential with blindness (ABCB), and threshold inner-product functional encryption (TIPFE). Compared with the existing state-of-the-art solutions, PriSign presents three improvements: (1) users can obtain different types of tickets according to the attribute disclosure policies enforced by the ticket issuer to support fine-grained access control; (2) users can hide access tokens and designate a verifier for tokens according to a verifier’s policy jointly issued by multiple policymakers, meaning that non-designated verifiers cannot obtain any information about the tokens; (3) we innovatively use a threshold approach to issue policy keys online in order for verifiers to achieve proxy re-verification services in an unstable cloud environment. We implement PriSign and compare the performance with other ASSO systems in the personal laptop, and the results prove its practicability.

Decentralized, Privacy-Preserving, Single Sign-On

In current single sign-on authentication schemes on the web, users are required to interact with identity providers securely to set up authentication data during a registration phase and receive a token (credential) for future access to services and applications. This type of interaction can make authentication schemes challenging in terms of security and availability. From a security perspective, a main threat is theft of authentication reference data stored with identity providers. An adversary could easily abuse such data to mount an offline dictionary attack for obtaining the underlying password or biometric. From a privacy perspective, identity providers are able to track user activity and control sensitive user data. In terms of availability, users rely on trusted third-party servers that need to be available during authentication. We propose a novel decentralized privacy-preserving single sign-on scheme through the Decentralized Anonymous Multi-Factor Authentication (DAMFA), a new authentication scheme where identity providers no longer require sensitive user data and can no longer track individual user activity. Moreover, our protocol eliminates dependence on an always-on identity provider during user authentication, allowing service providers to authenticate users at any time without interacting with the identity provider. Our approach builds on threshold oblivious pseudorandom functions (TOPRF) to improve resistance against offline attacks and uses a distributed transaction ledger to improve availability. We prove the security of DAMFA in the universal composibility (UC) model by defining a UC definition (ideal functionality) for DAMFA and formally proving the security of our scheme via ideal-real simulation. Finally, we demonstrate the practicability of our proposed scheme through a prototype implementation.

Blockchain based Privacy Preserving User Authentication Protocol for Distributed Mobile Cloud Environment

The development in cloud computing platforms has resulted, hosting many day-to-day service applications in the cloud. To avail the services provided by different cloud service providers (CSPs), the mobile user has to register his/her identity with the CSPs. The mobile user (MU) has to remember multiple identities and credentials to access various CSPs. Many single sign-on schemes have been proposed in the literature to eliminate multiple registrations by mobile users to access CSPs. Most of these schemes rely on a trusted third party known as Registration Authority Center (RAC), which is a centralized entity to manage the identity information of all the mobile users registered with it. The centralized RAC has two operational problems, i.e., RAC has full control over the data it possesses, resulting in the possibility of the data breach and increased risk of single-point-of-failure. In this paper, we propose a blockchain based privacy preserving user authentication protocol for distributed mobile cloud environment, which solves these two traditional problems with centralized registration centers. In proposed protocol, the registration of MU and CSP are performed through public blockchain network for MU to access CSPs and the authentication was performed between MU and CSP through public blockchain. The public blockchain network stores MU and CSPs identity information. Public blockchain network provides integrity to the data stored in it and secures the system from single-point-of-failure. In addition, security analysis and performance analysis were also performed for proposed protocol and it showed that the proposed protocol is secure from all-known attacks with better performance efficiency.

Comparative Analysis and Framework Evaluating Web Single Sign-on Systems

We perform a comprehensive analysis and comparison of 14 web single sign-on (SSO) systems proposed and/or deployed over the past decade, including federated identity and credential/password management schemes. We identify common design properties and use them to develop a taxonomy for SSO schemes, highlighting the associated tradeoffs in benefits (positive attributes) offered. We develop a framework to evaluate the schemes, in which we identify 14 security, usability, deployability, and privacy benefits. We also discuss how differences in priorities between users, service providers, and identity providers impact the design and deployment of SSO schemes.

A secure three factor-based fully anonymous user authentication protocol for multi-server environment

A single sign-on authentication scheme is required protocol in multi-server environment. Recently, an authentication protocol based on Lagrange interpolation polynomial to satisfy multi-server environment with low computational and communication cost is proposed. In this paper, we have analysed the above scheme and show that their scheme is vulnerable to various attacks like insider attack, server impersonation attack, user impersonation attack and stolen smart card attack. We also show that their scheme fails to provide server anonymity, user revocation in case smart card is lost/stolen or users authentication parameters are revealed. We have also proposed enhanced multi-server authentication protocol using biometric-based smart card and Lagrange interpolation which is more secure. The proposed protocol is analysed using BAN logic to show that the proposed protocol provides secure authentication. In addition, we have simulated our scheme using widely accepted and used AVISPA tool to prove that our scheme is secure against passive and active attacks. The proposed protocol provides high security and anonymity along with low communication and computational cost and various security functions.

Anonymous Single Sign-On With Proxy Re-Verification

An anonymous single sign-on (ASSO) scheme allows users to access multiple services anonymously using one credential. We propose a new ASSO scheme, where users can access services anonymously through the use of anonymous credentials and unlinkably through the provision of designated verifiers. Notably, verifiers cannot link a user's service requests even if they collude. The novelty is that when a designated verifier is unavailable, a central authority can authorize new verifiers to authenticate the user on behalf of the original verifier. Furthermore, a central verifier can also be authorized to de-anonymize users and trace their service requests. We formalize the scheme along with a security proof and provide an empirical evaluation of its performance. This scheme can be applied to smart ticketing where minimizing the collection of personal information of users is increasingly important to transport organizations due to privacy regulations such as general data protection regulations (GDPRs).

A Practical Single Sign-on Protocol for Web-based Cloud Computing Services Using Channel Bindings

In practice, web-based single sign-on(SSO) protocols, such as OpenID, SAML, and OAuth, have been widely used in cloud computing services due to its convenience to users. However, these SSO authentication schemes require a fully trusted third party to help achieve mutual authentication, which makes the trusted third party being a bottleneck of security. Moreover, they do not protect users’ privacy: the trusted third party learn at which service a user logs in. To address these issues, in this work, we design an efficient and provably secure SSO protocol based on identity-based authentication using a secure channel binding, such as Transport Layer Security (TLS). The proposed SSO scheme can achieve mutual authentication without the help of the trust third party. Furthermore, our scheme can resist against various kinds of attacks and is able to provide user privacy.

ADVANCED MECHANISM FOR SINGLE SIGN-ON FOR DISTRIBUTED COMPUTER NETWORKS

A distributed computer networks could be a special form of the network that facilitates the purchasers to use completely different network services that is provided by the service suppliers. Within the distributed computer networks, user verification is a crucial method for the protection. Within the verification, the choice is taken whether the user is legal or not and then enabled the users to access the service. In general users are using multiple usernames and passwords for to access different applications on a distributed computer network. This increase the burden of the user and organization administrator as each and every account of the organization is going to be handled with their explicit username and credential. A new certification plan that is named as single sign-on mechanism that facilitates the users with one identity token to be verified by multiple service suppliers. Single signon is one of user authentication method that allows a user to enter one name and identity token so as to access multiple applications. The method authenticates the user for all the applications they have been offered access to and eliminates additional prompts after they switch applications throughout a specific session. However, existing approaches which are utilizing single sign-on scheme have some drawbacks relating to security needs. Thus, through this paper, we will discuss regarding the event of security from earlier stage to present stage. And clearly discuss regarding the authentication steps between user and service supplier.

Single Sign-on Mechanism for Secure Web Service Access through ISSO

Single sign-on (SSO) is an emerging and more secure authentication mechanism that enables an authorized user with a single username/password to be authenticated by many service providers in a distributed network system. The existing technique used SSO scheme and it has achieved security by applying well-organized security parameters and its improved scheme introduced Verifiable Encryption of Signatures (RSA-VES). But the improvement of both the techniques with respect to security is not fully accomplished. We identified two attacks in existing SSO techniques. The first attack permits a malicious service provider to successfully communicate with a legal user more than one time and to recover the authenticated username/password and then to impersonate the service consumer to grant access to web resources and web services provided by other SP (Service Provider). Another attack is that a third party without any security credential may be able to access network services easily by impersonating some legal user or a fictional user. In our proposed work we introduced Improved Single sign-on (ISSO) scheme, which prevents Credential recovery attack, Impersonation attack and Data injection attack. We used the modified version of JMeter open source tool for generating the test report of the particular web apps. We implemented three web applications which provide financial solutions to customers. These three web applications used SOAP based request and response mapping for efficient handling of communication protocols. The testing result stated that the ISSO scheme fights against the attacks that were present in current SSO scheme.

Single Sign on Mechanism Using Attribute Based Encryption in Distributed Computer Networks

Abstract Single Sign On (SSO) is an authentication mechanism that enables legal user with a single credential to be authenticated by multiple service providers in a distributed computer networks. SSO obtains credential from trusted authorities i.e., Smart Card Producing Center (SCPC) and Trusted Credential Privacy (TCP) which is used for mutual authentication and authorization of legal users. Chang-Lee coined a new SSO scheme which makes use of SCPC for mutual authentication and session key establishment whereas Schnorr signature makes use of TCP which generates and verifies the signature for user's authentication. RSA algorithm and Attribute Based Encryption (ABE) is used for encryption and decryption of messages in which ABE tends to be more efficient than RSA based algorithm. ABE is a new public key based on one-to-many encryption that allows users to decrypt the message based on set of attributes and access policies. Decryption is an expensive process and this ABE system eliminates the decryption overhead using outsourced decryption. Integrity of data is maintained by verification of the cipher text which guarantees that the encrypted and decrypted files are same and original message is recovered using hash technique in case of any modifications in the file.

Security Analysis of a Single Sign-On Mechanism For Distributed Computer Networks

Single sign on mechanisms allow users to sign on only once and have their identities automatically verified by each application or service they want to access afterwards. There are few practical and secure single sign on models, even though it is of great importance to current distributed application environments. Most of current application architectures require the user to memorize and utilize a different set of credentials (eg username/password or tokens) for each application he/she wants to access. However, this approach is inefficient and insecure with the exponential growth in the number of applications and services a user has to access both inside corporative environments and at the Internet. Single sign on (SSO) is a new authentication mechanism that enables a legal user with a single credential to be authenticated by multiple service providers in distributed computer networks. Recently, Chang and Lee proposed a new SSO scheme and claimed its security by providing well organized security arguments. In this paper, however, it is shown that their scheme is actually insecure as it fails to meet security during communication, in order to provide a secure authentication digital signature with hash function is researched for future work.

Security Analysis of a Single Sign-On Mechanism for Distributed Computer Networks

Single sign-on (SSO) is a new authentication mechanism that enables a legal user with a single credential to be authenticated by multiple service providers in a distributed computer network. Recently, Chang and Lee proposed a new SSO scheme and claimed its security by providing well-organized security arguments. In this paper, however, we demonstrative that their scheme is actually insecure as it fails to meet credential privacy and soundness of authentication. Specifically, we present two impersonation attacks. The first attack allows a malicious service provider, who has successfully communicated with a legal user twice, to recover the user's credential and then to impersonate the user to access resources and services offered by other service providers. In another attack, an outsider without any credential may be able to enjoy network services freely by impersonating any legal user or a nonexistent user. We identify the flaws in their security arguments to explain why attacks are possible against their SSO scheme. Our attacks also apply to another SSO scheme proposed by Hsu and Chuang, which inspired the design of the Chang–Lee scheme. Moreover, by employing an efficient verifiable encryption of RSA signatures proposed by Ateniese, we propose an improvement for repairing the Chang–Lee scheme. We promote the formal study of the soundness of authentication as one open problem.

Trustworthy Mutual Attestation Protocol for Local True Single Sign-On System: Proof of Concept and Performance Evaluation

In a traditional Single Sign-On (SSO) scheme, the user and the Service Providers (SPs) have given their trust to the Identity Provider (IdP) or Authentication Service Provider (ASP) for the authentication and correct assertion. However, we still need a better solution for the local/native true SSO to gain user confidence, whereby the trusted entity must play the role of the ASP between distinct SPs. This technical gap has been filled by Trusted Computing (TC), where the remote attestation approach introduced by the Trusted Computing Group (TCG) is to attest whether the remote platform integrity is indeed trusted or not. In this paper, we demonstrate a Trustworthy Mutual Attestation (TMutualA) protocol as a proof of concept implementation for a local true SSO using the Integrity Measurement Architecture (IMA) with the Trusted Platform Module (TPM). In our proposed protocol, firstly, the user and SP platform integrity are checked (i.e., hardware and software integrity state verification) before allowing access to a protected resource sited at the SP and releasing a user authentication token to the SP. We evaluated the performance of the proposed TMutualA protocol, in particular, the client and server attestation time and the round trip of the mutual attestation time.

Design on a Single Sign-On Scheme

In practice, the single sign-on system is likely to suffer password attack and replay attack, etc. For the purpose of resolving these problems, a new single sign-on scheme is raised, which is based on dynamic password method. In the new scheme, a specific design is given, and the security of this scheme is analyzed in details. In this scheme, through the universal dynamic password authentication, the user can visit all the services in the visiting range. At the same time, the scheme implements the connect authentication between the client and application servers.

An XML-based single sign-on scheme supporting mobile and home network service environments

The number of services a typical mobile user accesses has grown and this forces the users to manage the multiple user names and passwords daily. The same situation is extended to the home network service environments. Recently, DHWG (digital home working group) suggests that the framework for compatible authentication and authorization mechanisms for user and devices should be set up. SAML (security assertion markup language) is an XML based single sign-on standard, which enables the exchange of authentication, authorization, and profile information between different entities including mobile and home devices. In this paper, we propose a single sign-on scheme in which a mobile user offers his credential information to the home network to obtain the user authentication and accesses an another domain using this authentication based on the SAML standard. In this scheme, a mobile device keeps a string token called an "artifact" which verifies that the mobile user has been authenticated once by the authentication authority in the system. Having an artifact in the mobile device, it can overcome the handicap of the low computing and memory capability in the mobile device.