Single Sign On

1

Double SSO – A Secure & Lightweight protocol for SSO

Project By: Internal Guide: External Guide:

Akshaya Kumar Y H M 1BM10CS004 Mrs Nagarathna N Dr Mohammad Misbahuddin

Aruna S M 1BM10CS010 Associate ProfessorSenior Technical Officer, CNIE

Sarthak Gupta 1BM10CS065 CSE,BMSCECDAC, Bangalore

DOUBLE SSO - A SECURE & LIGHTWEIGHT PROTOCOL FOR SSO 2

SINGLE SIGN-ON SYSTEM (SSO)

Property of access control that enables a user to perform a single authentication to a service, and then get access to other protected services without the need to re-authenticate.

DOUBLE SSO

Double SSO is new protocol being implemented as a solution for achieving SSO. It is a secure server-side caching-based SSO architecture and a proxy-based pseudo-SSO system.

INTRODUCTION

DOUBLE SSO - A SECURE & LIGHTWEIGHT PROTOCOL FOR SSO 3

COMPONENTS

Shamir's Identity-Based Signature Scheme

Zero-Knowledge Identification Protocol

Simmons' Impersonation-Proof Identity Verification Scheme

DOUBLE SSO - A SECURE & LIGHTWEIGHT PROTOCOL FOR SSO 4

Shamir's Identity-Based Signature Scheme

The user uses her/his identity as a public key and asks a trusted Key Generation Center (KGC) to generate the corresponding private key.

KGC generates RSA Public & Private Keys.

KGC issues a Private key to the Sender.

Sender signs on the message using the Private key issued by KGC.

Receiver Verifies the message using Senders’ RSA Public key and Identity.

DOUBLE SSO - A SECURE & LIGHTWEIGHT PROTOCOL FOR SSO 5

Fig. 1 Shamir’s Identity based signature scheme

DOUBLE SSO - A SECURE & LIGHTWEIGHT PROTOCOL FOR SSO 6

Zero-Knowledge Identification Protocol

P sends witness ( calculated using random number ) to V

V challenges P with a time-variant challenge

P uses the challenge and secret to compute the response that she sends to V

V uses the response and her challenge to decide whether the response is correct

A zero-knowledge protocol satisfies three properties:

Completeness: Prover is Honest

Soundness: False Prover are not entertained

Zero-knowledge: No Interaction can be Repudiated

DOUBLE SSO - A SECURE & LIGHTWEIGHT PROTOCOL FOR SSO 7

Fig. 2 Prover & Verifier communication during Zero-knowledge Identification protocol

DOUBLE SSO - A SECURE & LIGHTWEIGHT PROTOCOL FOR SSO 8

Simmons' Impersonation-Proof Identity Verification Scheme

Simmons' scheme relies on an issuer's public authentication channel to validate a private authentication channel belonging to a user who wants to prove identity.

These two channels can be independent and based on two different authentication algorithms.

The scheme assumes a trusted issuer whose responsibility is to validate identification credentials of each user.

DOUBLE SSO - A SECURE & LIGHTWEIGHT PROTOCOL FOR SSO 9

Fig. 3 Simmon’s Impersonation Verification

DOUBLE SSO - A SECURE & LIGHTWEIGHT PROTOCOL FOR SSO 10

Technologies Used• PHPSECLIB• Apache Web Server• SSL• Python• PHP• MYSql• Bootstrap

DOUBLE SSO - A SECURE & LIGHTWEIGHT PROTOCOL FOR SSO 11

DESIGN

DOUBLE SSO - A SECURE & LIGHTWEIGHT PROTOCOL FOR SSO 12

1. Identity provider generates RSA public & private key (e,n) & (d,n) where n=p × q, p & q being two large prime numbers generated according to RSA algorithm

2. e & n are made public.

3. Identity Provider constructs a secret redundant data block seed.

Identity Provider Setup

DOUBLE SSO - A SECURE & LIGHTWEIGHT PROTOCOL FOR SSO 13

Fig. 4 Stage A

DOUBLE SSO - A SECURE & LIGHTWEIGHT PROTOCOL FOR SSO 14

1. User decides on Identity (unique identifier such as name, email id).2. Identity provider constructs block which has Identity of user along

with Id issue date and expiration date strings.3. User’s unique Identity is produced by applying one way hash function

to above block. (ID)4. Users’ Private key is generated by using 5. Identity provider Signs ID to get sign(ID) = 6. Identity provider returns ID, sign(ID) and x to User.7. User shall keep x as secret and makes ID & sign(ID) as public.

User Registering to Identity Provider

DOUBLE SSO - A SECURE & LIGHTWEIGHT PROTOCOL FOR SSO 15

Fig. 5 Stage B

DOUBLE SSO - A SECURE & LIGHTWEIGHT PROTOCOL FOR SSO 16

1. User gives ID, sign(ID) and some nonce (R) to Identity Provider.2. Identity Provider verifies if ID not expired, if not expired check if it is

valid ID by using Issue User with nonce (R + 1) & Identity Provider nonce (Ri).

3. User Computes hash 4. User finds s1 & s2 which form the signature components as and where

t being some random number.5. User signs the N and sends it to Identity Provider where sign(N) = s1 ||

s2.6. Identity Provider verifies user by checking .

User proving Identity to Identity Provider

DOUBLE SSO - A SECURE & LIGHTWEIGHT PROTOCOL FOR SSO 17

Fig. 6 Stage C

DOUBLE SSO - A SECURE & LIGHTWEIGHT PROTOCOL FOR SSO 18

1. User sends request to Service Provider.2. Service Provider asks Identity Provider to Authenticate user.3. If user is not Verified in further access is violated.4. Otherwise Identity Provider issues R. R being random number, r is used as

commitment & R as witness.5. Service Provider issues challenge c to Identity Provider.6. Identity Provider calculates Z as response.7. Service Provider Verifies.8. Upon verification Identity Provider gives access on Service Provider.

Identity Provider verifies user to Service Provider

DOUBLE SSO - A SECURE & LIGHTWEIGHT PROTOCOL FOR SSO 19

Fig. 7 Stage D

DOUBLE SSO - A SECURE & LIGHTWEIGHT PROTOCOL FOR SSO 20

SECURITY ANALYSIS

Attacks on Security Parameters

Attacks on Identity Proof

The Replay Attack

The Man-in-the-Middle Attack

The Weakest Link Attack

Repudiated Parties

The Forward Search Cryptanalytic Attack

Other Security Issues

DOUBLE SSO - A SECURE & LIGHTWEIGHT PROTOCOL FOR SSO 21

1. Registration Phase: User submits his Unique ID to IDP, as per the policies of IDP (Need not be unique). This ID shall

represent User such as name, DOB etc IDP logs the user request and generates a trusted Public ID, a corresponding Signature & generates a

unique private key that should be kept secret by user for further steps A pair of keys, Public Key & Private Key are generated as well This is realized in form of a file & downloaded on client machine automatically after registration SP’s list will be visible to User, he can opt for any such services as required by him Admin Panel is provided for IDP to enable / disable access of any Service to User or to disable

liability of Service Provider

IMPLEMENTATION

DOUBLE SSO - A SECURE & LIGHTWEIGHT PROTOCOL FOR SSO 22

DOUBLE SSO - A SECURE & LIGHTWEIGHT PROTOCOL FOR SSO 23

DOUBLE SSO - A SECURE & LIGHTWEIGHT PROTOCOL FOR SSO 24

2. User Requesting for Service: User requests for Services he is registered for He will be provided with the interface given by IDP User selects the file generated by IDP during registration IDP checks if the Public ID & Signature are still valid If ID is valid, IDP checks if uniquely generated private key is possessed by User by using Public Key A hash is created by User using the private key, thus he is not leaking his private key obtained during

registration phase This hash is used to encrypt nonce, which will be verified by IDP if IDP is trusted & possess User Details

(i.e. User Registered to that IDP) IDP verifies SP by using encrypted information of Public ID of User, which is possessed by SP. If SP

possess can decrypt the sent message & get Public ID, thus verification is done. Detailed Protocol Operation is explained as follows

DOUBLE SSO - A SECURE & LIGHTWEIGHT PROTOCOL FOR SSO 25

DOUBLE SSO - A SECURE & LIGHTWEIGHT PROTOCOL FOR SSO 26

DOUBLE SSO - A SECURE & LIGHTWEIGHT PROTOCOL FOR SSO 27

DOUBLE SSO - A SECURE & LIGHTWEIGHT PROTOCOL FOR SSO 28

DOUBLE SSO - A SECURE & LIGHTWEIGHT PROTOCOL FOR SSO 29

TESTING / DEMONSTRATION

DOUBLE SSO - A SECURE & LIGHTWEIGHT PROTOCOL FOR SSO 30

WORK PLAN

DOUBLE SSO - A SECURE & LIGHTWEIGHT PROTOCOL FOR SSO

SOCIETAL IMPACT

Introduction of light weight and secure SSO will help in reducing cost of IT management.

Double SSO does not require time synchronization between involved parties, thus helping novices.

One Stage in Double SSO can be extracted and used independently as an Identification Protocol, thus reducing cost of additional identification algorithm.

31

DOUBLE SSO - A SECURE & LIGHTWEIGHT PROTOCOL FOR SSO 32

CONCLUSIONS

The analysis of SSO schemes that are existent is done manually by observing traditional attacks and how they can be mounted against a scheme run.

The design of new protocol was made by analyzing known algorithms in the field of network security.

The concept of auditing was handled more efficiently using tokens generated during registration.

DOUBLE SSO - A SECURE & LIGHTWEIGHT PROTOCOL FOR SSO 33

FUTURE WORK

Uses Smart Phone for Authentication

Access to Smart Phone is required at the time of Authentication

A specific applications is to be developed for Smart Phone, it needs to be stored in such a way that it is safe from unauthorized access & access from other applications

The Smart Phone App needs to be protected via a password

Smart Phone must be connected to internet / network such that key exchange must be made available between Service Providers & Smart Phone Application

In case of losing of Smart Phone or Change of Smart Phone a protocol needs to be followed for continued access

Provides TWO factor authentication

DOUBLE SSO - A SECURE & LIGHTWEIGHT PROTOCOL FOR SSO 34

REFERENCES1. J. De Clercq. Single Sign-On Architectures. Proceedings of the International

Conference on Infrastructure Security, Bristol, United Kingdom, 2002.

2. https://github.com/phpseclib/phpseclib

3. https://www.apachefriends.org/index.html

4. http://www.php.net/

5. https://www.python.org/

6. http://getbootstrap.com/

7. http://en.wikipedia.org/wiki/Main_Page

8. http://stackoverflow.com/

9. Double SSO – A Prudent and Lightweight SSO Scheme Master of Science Thesis in

the Programme Secure and Dependable Computer Systems SARI HAJ HUSSEIN

DOUBLE SSO - A SECURE & LIGHTWEIGHT PROTOCOL FOR SSO 35

THANK YOUQUESTIONS ?