single sign-on & strong authentication
DESCRIPTION
Realization of Double SSO, a Prudent & Light-Weight SSO Solution.TRANSCRIPT
1
Double SSO & Strong Authentication
For Secure Network Establishment
Project By:- Internal Guide:- External Guide:-Akshaya Kumar Y H M 1BM10CS004 Mrs Nagarathna N Dr Mohammad Misbahuddin
Aruna S M 1BM10CS010 Associate Professor Senior Technical Officer, CNIE
Sarthak Gupta 1BM10CS065 CSE,BMSCE CDAC, Bangalore
2
1. INTRODUCTION2. LITERATURE REVIEW3. REQUIREMENTS4. DESIGN & IMPLIMENTATION5. SOCIETAL IMPACTS6. CONCLUSION7. REFERENCE
RequirementsHardware Requirements
• Application uses Server as one of the major component, we need the Client machines to connect to the Server and Network setup.
• Processor : Intel i3 or above or equivalent
• RAM : 4GB or more
Software Requirements
• Web Server , Service Provider and Client machines with web support.
• Proposed implementation language is C / C++, however we may occasionally work with certain scripting languages to configure and work with the Server.
3
4
SINGLE SIGN-ON SYSTEM (SSO)
Property of access control that enables a user to perform a single authentication to a service, and then get access to other protected services without the need to re-authenticate.
DOUBLE SSO
Double SSO is a secure server-side caching-based SSO architecture and a proxy-based pseudo-SSO system.
INTRODUCTION
5
ADVANTAGES
• With SSO, users' and administrators' lives become much easier as they will have to deal with a single digital identity for each user.
• Reduces IT help desk costs, by reducing the number of calls to the help desk about lost password.
• A user will have to provide this digital identity only once per day. This will increase user's productivity.
• The maintenance of authentication data and enforcement of authentication policies become much easier with SSO, since authentications data will be centralized.
• Reduces the chance that users will forget or lose their digital identities, therefore it reduces the risk of compromising a security system.
6
Double SSO Features
• User Authorization is separated from Identification Process.
• Asynchronous authorization is achieved.
• Executes a minimum number of computations on the user side and requires parties to maintain the bare minimum number of keys.
• Provably precludes the Replay Attack, the Man-in-the-Middle Attack and the Weakest Link Attack. Additionally, it is safe from repudiated parties.
Security Analysis
• The Weakest Link Attack
• Attacks on Security Parameters
• Attacks on Identity Proof
• The Replay Attack
• The Man-in-the-Middle Attack
• Repudiation of Parties
7
LITERATURE REVIEW
SSO Categories
• Web SSO : These solutions are for users who access applications using a web interface.
• Enterprise SSO: These solutions are much broader than web SSO in that they provide SSO to almost all kinds of applications, not only to web-enabled applications.
• Network SSO : These solutions are for users who access applications in a corporate network domain either through a LAN, or wirelessly, or through a VPN connection.
8
Available SSO Solutions
• Google SSO Solution
• Windows Live ID
• Microsoft Office SharePoint Server
• Active Directory Federation Service
• Liberty SSO Solution
9
Double SSO Components
• Shamir's Identity-Based Signature Scheme
• Zero-Knowledge Identification Protocol
• Simmons' Impersonation-Proof Identity Verification Scheme
10
Shamir's Identity-Based Signature Scheme
• The user uses her/his identity as a public key and asks a trusted Key Generation Center (KGC) to generate the corresponding private key.
• KGC generates RSA Public & Private Keys.
• KGC issues a Private key to the Sender.
• Sender signs on the message using the Private key issued by KGC.
• Receiver Verifies the message using Senders’ RSA Public key and Identity.
11
12
Zero-Knowledge Identification Protocol
• P sends witness ( calculated using random number ) to V
• V challenges P with a time-variant challenge
• P uses the challenge and secret to compute the response that she sends to V
• V uses the response and her challenge to decide whether the response is correct
• A zero-knowledge protocol must satisfy three properties:
Completeness: Prover is Honest
Soundness: False Prover are not entertained
Zero-knowledge: No Interaction can be Repudiated
13
14
Simmons' Impersonation-Proof Identity Verification Scheme
• Simmons' scheme relies on an issuer's public authentication channel to validate a private authentication channel belonging to a user who wants to prove identity.
• These two channels can be independent and based on two different authentication algorithms.
• The scheme assumes a trusted issuer whose responsibility is to validate identification credentials of each user.
15
16
17
DESIGN & IMPLEMENTATION
18
1. Identity provider generates RSA public & private key (e,n) & (d,n) where n=p × q, p & q being two large prime numbers generated according to RSA algorithm
2. e & n are made public.
3. Identity Provider constructs a secret redundant data block seed.
Identity Provider Setup
19
20
1. User decides on Identity (unique identifier such as name, email id).
2. Identity provider constructs block which has Identity of user along with Id issue date and expiration date strings.
3. User’s unique Identity is produced by applying one way hash function to above block. (ID)
4. Users’ Private key is generated by using 5. Identity provider Signs ID to get sign(ID) = 6. Identity provider returns ID, sign(ID) and x to User.7. User shall keep x as secret and makes ID & sign(ID) as
public.
User Registering to Identity Provider
21
22
1. User gives ID, sign(ID) and some nonce (R) to Identity Provider.
2. Identity Provider verifies if ID not expired, if not expired check if it is valid ID by using Issue User with nonce (R + 1) & Identity Provider nonce (Ri).
3. User Computes hash 4. User finds s1 & s2 which form the signature
components as and where t being some random number.5. User signs the N and sends it to Identity Provider where
sign(N) = s1 || s2.6. Identity Provider verifies user by checking .
User proving Identity to Identity Provider
23
24
1. User sends request to Service Provider.2. Service Provider asks Identity Provider to Authenticate
user.3. If user is not Verified in further access is violated.4. Otherwise Identity Provider issues R. R being random
number, r is used as commitment & R as witness.5. Service Provider issues challenge c to Identity Provider.6. Identity Provider calculates Z as response.7. Service Provider Verifies.8. Upon verification Identity Provider gives access on
Service Provider.
Identity Provider verifies user to Service Provider
25
26
Societal Impact
• Introduction of light weight and secure SSO will help in reducing cost of IT management.
• Double SSO does not require time synchronization between involved parties, thus helping novices.
• One Stage in Double SSO can be extracted and used independently as an Identification Protocol, thus reducing cost of additional identification algorithm.
27
Conclusion
Lot of theories have been put in to explain and Implement SSO solution for different platform. It is always seldom confusing to choose which SSO solution is better. Double SSO considers all such aspect thus resolving the conflict.
Many currently available SSO solutions involve high operational overhead as they contain Cryptographic value calculations. Double SSO enhances efficiency so that additional overhead is removed making it safe and suitable.
28
Work Plan
29
Resources & References
1. Double SSO – A Prudent and Lightweight SSO Scheme Master of Science Thesis in the Programme Secure and Dependable Computer Systems SARI HAJ HUSSEIN.
Chalmers University of TechnologyDepartment of Computer Science and Engineering , Göteborg, Sweden, November
2010
2. M. Linden and I. Vilpola. An Empirical Study on the Usability of Logout in a Single
Sign-on System. Proceedings of the 1st International Conference on InformationSecurity Practice and Experience, Singapore, 2005.
3. A. Shamir. Identity-Based Cryptosystem and Signature Scheme. Proceedings ofCRYPTO 84, Santa Barbara, California, USA, 1984.
4. U. Fiege, A. Fiat and A. Shamir. Zero knowledge proofs of identity. Proceedings of the nineteenth annual ACM symposium on Theory of computing, New York, USA, 1987. 5. G. J. Simmons. An Impersonation-Proof Identity Verification Scheme. Proceedings of CRYPTO 87, Santa Barbara, California, USA, 1987.
30
Thank You
Questions ?