1. Double SSO & Strong Authentication
For Secure Network Establishment
Project By: Akshaya Kumar Y H M (1BM10CS004), Aruna S M (1BM10CS010), Sarthak Gupta (1BM10CS065), CSE, BMSCE
Internal Guide: Mrs Nagarathna N, Associate Professor
External Guide: Dr Mohammad Misbahuddin, Senior Technical Officer, CNIE, CDAC, Bangalore
3. Requirements
Hardware Requirements
• The application uses a server as one of its major components, so client machines need to connect to the server over the network setup.
• Processor: Intel i3 or above or equivalent
• RAM: 4GB or more
Software Requirements
• Web server, service provider and client machines with web support.
• The proposed implementation language is C / C++; however, we may occasionally work with certain scripting languages to configure and work with the server.
4. INTRODUCTION
SINGLE SIGN-ON SYSTEM (SSO)
A property of access control that enables a user to perform a single authentication to a service and then access other protected services without the need to re-authenticate.
DOUBLE SSO
Double SSO is a secure server-side caching-based SSO architecture and a proxy-based pseudo-SSO system.
5. ADVANTAGES
• With SSO, users' and administrators' lives become much easier, as they will have to deal with a single digital identity for each user.
• Reduces IT help desk costs by reducing the number of calls to the help desk about lost passwords.
• A user will have to provide this digital identity only once per day. This will increase the user's productivity.
• The maintenance of authentication data and the enforcement of authentication policies become much easier with SSO, since authentication data will be centralized.
• Reduces the chance that users will forget or lose their digital identities, and therefore reduces the risk of compromising a security system.
6. Double SSO Features
• User Authorization is separated from Identification Process.
• Asynchronous authorization is achieved.
• Executes a minimum number of computations on the user side and
requires parties to maintain the bare minimum number of keys.
• Provably precludes the Replay Attack, the Man-in-the-Middle Attack and
the Weakest Link Attack. Additionally, it is safe from repudiated parties.
7. Security Analysis
• The Weakest Link Attack
• Attacks on Security Parameters
• Attacks on Identity Proof
• The Replay Attack
• The Man-in-the-Middle Attack
• Repudiation of Parties
8. LITERATURE REVIEW
SSO Categories
• Web SSO: These solutions are for users who access applications using a web interface.
• Enterprise SSO: These solutions are much broader than web SSO in that they provide SSO to almost all kinds of applications, not only to web-enabled applications.
• Network SSO: These solutions are for users who access applications in a corporate network domain, either through a LAN, wirelessly, or through a VPN connection.
9. Available SSO Solutions
• Google SSO Solution
• Windows Live ID
• Microsoft Office SharePoint Server
• Active Directory Federation Service
• Liberty SSO Solution
11. Shamir's Identity-Based Signature Scheme
• The user uses her/his identity as a public key and asks a trusted Key Generation Center (KGC) to generate the corresponding private key.
• KGC generates RSA public & private keys.
• KGC issues a private key to the sender.
• The sender signs the message using the private key issued by the KGC.
• The receiver verifies the message using the sender's identity and the KGC's RSA public key.
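The four steps above worked end to end, as an added example (not code from the slides or from the Double SSO thesis): the KGC holds the RSA key pair (e, n), (d, n), the user's private key is g = i^d mod n, and the signing and verification equations are those of Shamir's 1984 paper. The toy primes, and the use of SHA-256 both as Shamir's public one-way function f(t, m) and to map the identity string into Z_n, are constructed assumptions for illustration.

```python
import hashlib
import random

# Constructed toy parameters (real deployments use 2048-bit primes).
P, Q = 1000000007, 1000000009

def kgc_keygen(p: int, q: int, e: int = 65537):
    """KGC master key: public (e, n), private (d, n), n = p*q."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))   # e^-1 mod phi(n), Python 3.8+
    return (e, n), (d, n)

def identity_to_int(identity: bytes, n: int) -> int:
    """Assumption: the identity string is hashed to an element of Z_n.
    Shamir's paper instead pads the identity itself with redundancy."""
    return int.from_bytes(hashlib.sha256(identity).digest(), "big") % n

def f(t: int, m: bytes, n: int) -> int:
    """Public one-way function f(t, m) of Shamir's scheme; SHA-256 as stand-in."""
    size = (n.bit_length() + 7) // 8
    return int.from_bytes(hashlib.sha256(t.to_bytes(size, "big") + m).digest(), "big")

def kgc_issue_private_key(identity: bytes, d: int, n: int) -> int:
    """KGC computes the user's private key g = i^d mod n from the public identity i."""
    return pow(identity_to_int(identity, n), d, n)

def sign(message: bytes, g: int, e: int, n: int, rng=random) -> tuple:
    """Sender picks random r and outputs (s, t): t = r^e, s = g * r^f(t,m) (mod n)."""
    r = rng.randrange(2, n - 1)
    t = pow(r, e, n)
    s = (g * pow(r, f(t, message, n), n)) % n
    return s, t

def verify(message: bytes, identity: bytes, signature: tuple, e: int, n: int) -> bool:
    """Receiver needs only (e, n) and the identity: s^e == i * t^f(t,m) (mod n)."""
    s, t = signature
    i = identity_to_int(identity, n)
    return pow(s, e, n) == (i * pow(t, f(t, message, n), n)) % n

if __name__ == "__main__":
    (e, n), (d, _) = kgc_keygen(P, Q)
    alice = b"alice@example.com"
    g = kgc_issue_private_key(alice, d, n)      # delivered to Alice over a secure channel
    sig = sign(b"login request", g, e, n)
    print(verify(b"login request", alice, sig, e, n))        # True
    print(verify(b"login request", b"mallory", sig, e, n))   # False
```

The verifier never contacts the KGC: the identity string is the public key, which is what makes the scheme attractive for an SSO identity provider.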
13. Zero-Knowledge Identification Protocol
• P sends a witness (calculated using a random number) to V
• V challenges P with a time-variant challenge
• P uses the challenge and the secret to compute the response that she sends to V
• V uses the response and her challenge to decide whether the response is correct
• A zero-knowledge protocol must satisfy three properties:
Completeness: Prover is Honest
Soundness: False provers are not entertained
Zero-knowledge: No Interaction can be Repudiated
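The four messages above instantiated with the Fiat-Shamir identification protocol of reference 4, as an added example that is not part of the slides. The modulus and secret are constructed toy values, and the cheating prover is included to show the soundness property: without the secret it can pass a single round only by guessing the challenge bit, so the verifier repeats the round.

```python
import random

# Constructed toy modulus; the trusted centre keeps the factors p and q secret.
N = 1000000007 * 1000000009

class Prover:
    """P knows secret s with public v = s^2 mod n (registered with the trusted centre)."""
    def __init__(self, secret: int, n: int, rng=random):
        self.s, self.n, self.rng = secret, n, rng
        self.v = pow(secret, 2, n)
    def witness(self) -> int:
        """Step 1: commit to a fresh random r by sending x = r^2 mod n."""
        self.r = self.rng.randrange(2, self.n - 1)
        return pow(self.r, 2, self.n)
    def respond(self, c: int) -> int:
        """Step 3: y = r * s^c mod n; reusing r across rounds would leak s."""
        return (self.r * pow(self.s, c, self.n)) % self.n

class Verifier:
    """V holds only the public v and n."""
    def __init__(self, v: int, n: int, rng=random):
        self.v, self.n, self.rng = v, n, rng
    def challenge(self) -> int:
        """Step 2: a fresh, unpredictable bit, so a recorded transcript cannot be replayed."""
        return self.rng.randrange(2)
    def check(self, x: int, c: int, y: int) -> bool:
        """Step 4: accept iff y^2 == x * v^c (mod n); y == 0 with x == 0 would pass trivially."""
        return y != 0 and pow(y, 2, self.n) == (x * pow(self.v, c, self.n)) % self.n

class CheatingProver:
    """Knows v but not s: guesses the challenge in advance and wins a round with probability 1/2."""
    def __init__(self, v: int, n: int, guess: int, rng=random):
        self.v, self.n, self.guess, self.rng = v, n, guess, rng
    def witness(self) -> int:
        self.r = self.rng.randrange(2, self.n - 1)
        # x = r^2 * v^-guess, so y = r satisfies the check exactly when c == guess
        return (pow(self.r, 2, self.n) * pow(self.v, -self.guess, self.n)) % self.n
    def respond(self, c: int) -> int:
        return self.r

def identify(prover, verifier: Verifier, rounds: int = 20) -> bool:
    """Run the three-message protocol `rounds` times; soundness error is 2^-rounds."""
    for _ in range(rounds):
        x = prover.witness()
        c = verifier.challenge()
        if not verifier.check(x, c, prover.respond(c)):
            return False
    return True
```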
15. Simmons' Impersonation-Proof Identity Verification Scheme
• Simmons' scheme relies on an issuer's public authentication channel to validate a private authentication channel belonging to a user who wants to prove identity.
• These two channels can be independent and based on two different authentication algorithms.
• The scheme assumes a trusted issuer whose responsibility is to validate the identification credentials of each user.
18. Identity Provider Setup
1. The identity provider generates an RSA public & private key (e,n) & (d,n), where n = p × q, p & q being two large prime numbers generated according to the RSA algorithm.
2. e & n are made public.
3. The identity provider constructs a secret redundant data block seed.
26. Societal Impact
• The introduction of a lightweight and secure SSO will help in reducing the cost of IT management.
• Double SSO does not require time synchronization between the involved parties, thus helping novices.
• One stage in Double SSO can be extracted and used independently as an identification protocol, thus reducing the cost of an additional identification algorithm.
27. Conclusion
Many theories have been put forward to explain and implement SSO solutions for different platforms, and it is often confusing to choose which SSO solution is better. Double SSO considers all such aspects, thus resolving the conflict.
Many currently available SSO solutions involve high operational overhead because they contain cryptographic value calculations. Double SSO improves efficiency so that this additional overhead is removed, making it safe and suitable.
29. Resources & References
1. S. Haj Hussein. Double SSO – A Prudent and Lightweight SSO Scheme. Master of Science Thesis in the Programme Secure and Dependable Computer Systems, Department of Computer Science and Engineering, Chalmers University of Technology, Göteborg, Sweden, November 2010.
2. M. Linden and I. Vilpola. An Empirical Study on the Usability of Logout in a Single Sign-on System. Proceedings of the 1st International Conference on Information Security Practice and Experience, Singapore, 2005.
3. A. Shamir. Identity-Based Cryptosystem and Signature Scheme. Proceedings of CRYPTO 84, Santa Barbara, California, USA, 1984.
4. U. Feige, A. Fiat and A. Shamir. Zero Knowledge Proofs of Identity. Proceedings of the Nineteenth Annual ACM Symposium on Theory of Computing, New York, USA, 1987.
5. G. J. Simmons. An Impersonation-Proof Identity Verification Scheme. Proceedings of CRYPTO 87, Santa Barbara, California, USA, 1987.