Double SSO – A Secure & Lightweight Protocol for SSO
Project By: Akshaya Kumar Y H M (1BM10CS004), Aruna S M (1BM10CS010), Sarthak Gupta (1BM10CS065)
Internal Guide: Mrs Nagarathna N, Associate Professor, CSE, BMSCE
External Guide: Dr Mohammad Misbahuddin, Senior Technical Officer, CNIE, CDAC, Bangalore
INTRODUCTION
SINGLE SIGN-ON SYSTEM (SSO)
A property of access control that enables a user to perform a single authentication to a service and then get access to other protected services without the need to re-authenticate.
DOUBLE SSO
Double SSO is a new protocol being implemented as a solution for achieving SSO. It is a secure server-side caching-based SSO architecture and a proxy-based pseudo-SSO system.
Simmons' scheme relies on an issuer's public authentication channel to validate a private authentication channel belonging to a user who wants to prove identity.
These two channels can be independent and based on two different authentication algorithms.
The scheme assumes a trusted issuer whose responsibility is to validate identification credentials of each user.
Fig. 3 Simmons' Impersonation Verification
DESIGN
Identity Provider Setup
1. Identity provider generates RSA public & private key (e,n) & (d,n) where n = p × q, p & q being two large prime numbers generated according to RSA algorithm.
2. e & n are made public.
3. Identity Provider constructs a secret redundant data block seed.
Fig. 4 Stage A
User Registering to Identity Provider
1. User decides on Identity (unique identifier such as name, email id).
2. Identity provider constructs a block which has the Identity of the user along with Id issue date and expiration date strings.
3. User's unique Identity (ID) is produced by applying a one-way hash function to the above block.
4. User's private key is generated by using
5. Identity provider signs ID to get sign(ID) =
6. Identity provider returns ID, sign(ID) and x to User.
7. User shall keep x secret and make ID & sign(ID) public.
Fig. 5 Stage B
User proving Identity to Identity Provider
1. User gives ID, sign(ID) and some nonce (R) to Identity Provider.
2. Identity Provider verifies if ID not expired, if not expired check if it is valid ID by using Issue User with nonce (R + 1) & Identity Provider nonce (Ri).
3. User Computes hash
4. User finds s1 & s2 which form the signature components as and where t being some random number.
5. User signs the N and sends it to Identity Provider where sign(N) = s1 || s2.
6. Identity Provider verifies user by checking .
Fig. 6 Stage C
Identity Provider verifies user to Service Provider
1. User sends request to Service Provider.
2. Service Provider asks Identity Provider to Authenticate user.
3. If user is not Verified in further access is violated.
4. Otherwise Identity Provider issues R. R being random number, r is used as commitment & R as witness.
5. Service Provider issues challenge c to Identity Provider.
6. Identity Provider calculates Z as response.
7. Service Provider Verifies.
8. Upon verification Identity Provider gives access on Service Provider.
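The slides do not give the formulas behind the commitment, witness, challenge and response, so the following is an added sketch, not the project's code, that assumes a Guillou-Quisquater style exchange over the Identity Provider's RSA key, with the secret x = ID^(-d) mod n taken as an assumption. The primes are constructed toy values, SHA-256 stands in for the unspecified one-way hash, and all function names are hypothetical.

```python
import hashlib
import secrets

# Constructed toy parameters: two Mersenne primes, far too small for real use.
P, Q, E = 2**127 - 1, 2**89 - 1, 65537

def idp_setup():
    """IdP setup: RSA modulus n = p*q, public (e, n), private d."""
    n = P * Q
    d = pow(E, -1, (P - 1) * (Q - 1))
    return n, d

def register(identity, issued, expires, n, d):
    """Registration: hash the identity block to ID, derive the secret x.
    Assumption: x = ID^(-d) mod n, so that x^e * ID = 1 (mod n)."""
    block = f"{identity}|{issued}|{expires}".encode()
    ID = int.from_bytes(hashlib.sha256(block).digest(), "big") % n
    x = pow(pow(ID, -1, n), d, n)
    return ID, x

def commit(n):
    """Prover: random commitment r (kept secret) and witness R = r^e mod n."""
    r = secrets.randbelow(n - 2) + 2
    return r, pow(r, E, n)

def challenge():
    """Verifier: fresh random challenge c in [1, e-1]."""
    return secrets.randbelow(E - 1) + 1

def respond(r, x, c, n):
    """Prover: response Z = r * x^c mod n."""
    return (r * pow(x, c, n)) % n

def verify(ID, R, c, Z, n):
    """Verifier: accept iff Z^e * ID^c = R (mod n) and R != 0."""
    return R != 0 and (pow(Z, E, n) * pow(ID, c, n)) % n == R

def run_exchange(ID, x, n):
    """One honest round; returns the transcript and the verifier's decision."""
    r, R = commit(n)
    c = challenge()
    Z = respond(r, x, c, n)
    return (R, c, Z), verify(ID, R, c, Z, n)
```

Because the verifier picks c only after seeing R, a recorded (R, Z) pair does not verify against a different challenge, which is the property the replay item in the security analysis depends on.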
Fig. 7 Stage D
SECURITY ANALYSIS
Attacks on Security Parameters
Attacks on Identity Proof
The Replay Attack
The Man-in-the-Middle Attack
The Weakest Link Attack
Repudiated Parties
The Forward Search Cryptanalytic Attack
Other Security Issues
IMPLEMENTATION
1. Registration Phase:
User submits his Unique ID to IDP, as per the policies of IDP (Need not be unique). This ID shall represent User such as name, DOB etc
IDP logs the user request and generates a trusted Public ID, a corresponding Signature & generates a unique private key that should be kept secret by user for further steps
A pair of keys, Public Key & Private Key are generated as well
This is realized in form of a file & downloaded on client machine automatically after registration
SP’s list will be visible to User, he can opt for any such services as required by him
Admin Panel is provided for IDP to enable / disable access of any Service to User or to disable liability of Service Provider
2. User Requesting for Service:
User requests for Services he is registered for
He will be provided with the interface given by IDP
User selects the file generated by IDP during registration
IDP checks if the Public ID & Signature are still valid
If ID is valid, IDP checks if uniquely generated private key is possessed by User by using Public Key
A hash is created by User using the private key, thus he is not leaking his private key obtained during registration phase
This hash is used to encrypt nonce, which will be verified by IDP if IDP is trusted & possess User Details (i.e. User Registered to that IDP)
IDP verifies SP by using encrypted information of Public ID of User, which is possessed by SP. If SP possess can decrypt the sent message & get Public ID, thus verification is done.
Detailed Protocol Operation is explained as follows
TESTING / DEMONSTRATION
WORK PLAN
SOCIETAL IMPACT
Introduction of light weight and secure SSO will help in reducing cost of IT management.
Double SSO does not require time synchronization between involved parties, thus helping novices.
One Stage in Double SSO can be extracted and used independently as an Identification Protocol, thus reducing cost of additional identification algorithm.
CONCLUSIONS
The analysis of SSO schemes that are existent is done manually by observing traditional attacks and how they can be mounted against a scheme run.
The design of new protocol was made by analyzing known algorithms in the field of network security.
The concept of auditing was handled more efficiently using tokens generated during registration.
FUTURE WORK
Uses Smart Phone for Authentication
Access to Smart Phone is required at the time of Authentication
A specific application is to be developed for Smart Phone; it needs to be stored in such a way that it is safe from unauthorized access & access from other applications
The Smart Phone App needs to be protected via a password
Smart Phone must be connected to internet / network such that key exchange must be made available between Service Providers & Smart Phone Application
In case of losing of Smart Phone or Change of Smart Phone a protocol needs to be followed for continued access
Provides TWO factor authentication