0 penilaian0% menganggap dokumen ini bermanfaat (0 suara)
53 tayangan5 halaman
The Single sign-on (SSO) is a new authentication mecha-nism that enables a legal user with a single credential to be authenticated by multiple service providers in a distributed computer network. Specifically there are two impersonation attacks which do not meet credential privacy and soundness of authentication.. The first attack allows a malicious service provider, who has successfully communicated with a legal user twice, to recover the user’s credential and then to im-personate the user to access resources and services offered by other service providers. In another attack an outsider without any credential may be able to enjoy network services freely by impersonating any legal user or a nonexistent user. The flaws in their security arguments have to be identified to explain why attacks are possible against their SSO scheme. Moreover, by employing an efficient verifiable encryption of RSA signatures proposed by Ateniese; this paper proposes an improvement for repairing the Chang–Lee scheme and promotes the formal study of the soundness of authentication as one open problem.
Judul Asli
IJIRET Harish K Security Enhancement of Single Sign on Mechanism for Distributed Computer Network
The Single sign-on (SSO) is a new authentication mecha-nism that enables a legal user with a single credential to be authenticated by multiple service providers in a distributed computer network. Specifically there are two impersonation attacks which do not meet credential privacy and soundness of authentication.. The first attack allows a malicious service provider, who has successfully communicated with a legal user twice, to recover the user’s credential and then to im-personate the user to access resources and services offered by other service providers. In another attack an outsider without any credential may be able to enjoy network services freely by impersonating any legal user or a nonexistent user. The flaws in their security arguments have to be identified to explain why attacks are possible against their SSO scheme. Moreover, by employing an efficient verifiable encryption of RSA signatures proposed by Ateniese; this paper proposes an improvement for repairing the Chang–Lee scheme and promotes the formal study of the soundness of authentication as one open problem.
The Single sign-on (SSO) is a new authentication mecha-nism that enables a legal user with a single credential to be authenticated by multiple service providers in a distributed computer network. Specifically there are two impersonation attacks which do not meet credential privacy and soundness of authentication.. The first attack allows a malicious service provider, who has successfully communicated with a legal user twice, to recover the user’s credential and then to im-personate the user to access resources and services offered by other service providers. In another attack an outsider without any credential may be able to enjoy network services freely by impersonating any legal user or a nonexistent user. The flaws in their security arguments have to be identified to explain why attacks are possible against their SSO scheme. Moreover, by employing an efficient verifiable encryption of RSA signatures proposed by Ateniese; this paper proposes an improvement for repairing the Chang–Lee scheme and promotes the formal study of the soundness of authentication as one open problem.
Peer Reviewed Online International Journal Volume 1, Issue 3, July 2014 6
Security Enhancement of Single Sign on Mechanism
for Distributed Computer Network
Harish K M.Tech in Computer Network & Engineering Center for PG Studies, VTU Belgaum, Karnataka, India patilharish96@gmail.com
Pushpalatha S Assistant Professor in Computer Network & Engineering Center for PG Studies, VTU Belgaum, Karnataka, India pushpalatha@vtu.ac.in
Henin Roland Karkada M.Tech in Computer Science & Engineering Center for PG Studies, VTU Belgaum, Karnataka, India henin.roland@gmail.com
Shilpa V M.Tech in Computer Network & Engineering Center for PG Studies, VTU Belgaum, Karnataka, India shilpav92@gmail.com
Abstract
The Single sign-on (SSO) is a new authentication mecha- nism that enables a legal user with a single credential to be authenticated by multiple service providers in a distributed computer network. Specifically there are two impersonation attacks which do not meet credential privacy and soundness of authentication.. The first attack allows a malicious service provider, who has successfully communicated with a legal user twice, to recover the users credential and then to im- personate the user to access resources and services offered by other service providers. In another attack an outsider without any credential may be able to enjoy network services freely by impersonating any legal user or a nonexistent user. The flaws in their security arguments have to be identified to explain why attacks are possible against their SSO scheme. Moreover, by employing an efficient verifiable encryption of RSA signatures proposed by Ateniese; this paper proposes an improvement for repairing the ChangLee scheme and promotes the formal study of the soundness of authentication as one open problem.
Keywords
SSO, GPS, GDC, LDPA, sign-on, NZK
Introduction
Computer security is an information security as applied to computer and networks. Most computer security measures involve data encryption and passwords. Data encryption is the translation of data into a form that is unintelligible with- out a deciphering mechanism.
Single sign-on
Single sign-on (SSO) is a property of access control of multiple related, but independent software systems. With this property a user login once and gain access to all systems without being prompted to log in again at each of them. This is typically accomplished using Lightweight Directory Ac- cess Protocol (LDPA) and stored LDPA databases on serv- ers. A simple version of single sign-on can be achieved us- ing cookies but only if the sites are on the same server.
Users typically have to sign-on to multiple systems, ne- cessitating an equivalent number of sign-on dialogues, each of which may involve different usernames and authentica- tion information. Historically a distributed system has been assembled from components that act as independent security domains. These components comprise individual platforms with associated operating system and applications. These components act as independent domains in the sense that an end-user has to identify and authenticate himself inde- International Journal of Innovatory Research in Engineering and Technology IJIRET www.ijirusa.webs.com
Peer Reviewed Online International Journal Volume 1, Issue 3, July 2014 7 pendently to each of the domains with which he wishes to interact.
The security objectives to be met by an implementation of single sign-on are: It shall not adversely affect the resilience of the system within which it is deployed. It shall not adversely impact the availability of any indi- vidual system service. It shall not provide access by principals to User Account Information to which they would not be permitted access within the controlling security domain for that information. An implementation shall audit all security relevant events which occur within its own context. It shall provide protection to security relevant information when exchanged between its own constituent components and between those components and other services.
Figure 1. Simple SSO operation
Objective
The aim of the objective of this paper is to identify flaws in security arguments and to explain why attacks are possi- ble against SSO scheme mainly impersonation attacks. Moreover, by employing an efficient verifiable encryption of RSA signatures this paper proposes an improvement for re- pairing the old scheme.
Modules
The system comprises of these modules: 1) User Identification Phase 2) Attacks against the ChangLee Scheme 3) Recovering Attack 4) Non-interactive zero-knowledge(NZK) 5) Security Analysis
Module Description
A. User Identification Phase
To access the resources of service provider, user needs to go through the authentication protocol specified. The ran- dom integers chosen are three random nonces; and it de- notes a symmetric key encryption scheme which is used to protect the confidentiality of users identity.
B. Attacks against the ChangLee Scheme
The ChangLee scheme is actually not a secure SSO scheme because there are two potential effective and con- crete impersonation attacks. The first attack, the credential recovering attack compromises the credential privacy in the ChangLee scheme as a malicious service provider is able to recover the credential of a legal user. The other attack, an impersonation attack without credentials, demonstrates how an outside attacker may be able to freely make use of resources and services offered by service providers, since the attacker can successfully impersonate a legal user without holding a valid credential and thus violate the requirement of soundness for an SSO scheme. In real life, these attacks may put both users and service providers at high risk.
C. Recovering Attack
If all service providers are assumed to be trusted, to iden- tify him/her user can simply encrypt his/her credential under the RSA public key of service provider. Then, can easily decrypt this cipher text to get s credential and verify its va- lidity by checking if it is a correct signature issued by . In fact, such a straightforward scheme with strong assumption is much simpler, more efficient and has better security, at least against this type of attack.
D. Non-interactive zero-knowledge (NZK)
The basic idea of VES is that Alice who has a key pair of signature scheme signs a given message and encrypts the resulting signature under the trusted partys public key, and uses a non-interactive zero-knowledge (NZK) proof to con- vince Bob that she has signed the message and the trusted party can recover the signature from the cipher text. After validating the proof, Bob can send his signature for the same message to Alice. For the purpose of fair exchange, Alice should send her signature in plaintext back to Bob after ac- cepting Bobs signature.
E. Security Analysis
The security of the SSO scheme is improved by focusing on the security of the user authentication part, especially soundness and credential privacy due to two reasons. On the other hand, the Unforgeability of the credential is guaranteed by the Unforgeability of RSA signatures, and the security of service provider authentication is ensured by the Unforgea- International Journal of Innovatory Research in Engineering and Technology IJIRET www.ijirusa.webs.com
Peer Reviewed Online International Journal Volume 1, Issue 3, July 2014 8 bility of the secure signature scheme chosen by each service provider.
Results and Discussions
The system has a GUI where in a user needs to enter the details to register.
The users who have registered will have to get the per- mission from the server; this will activate the user and make the login successfully. The user can use some of the ser- vices; here some file can be uploaded after generating signa- ture and verifying of that sign.
File Download:
Figure 2. Download the file with verification
The Figure 2 depicts the user can download the file with verification by entering the file name its use the verifiable encryption of the signature for secure download.
Admin:
Figure 3. Admin
The Figure 3 depicts the admin which sending the re- quested file to the client.
Client:
Figure 4. Client
The Figure 4 depicts the client which is receiving the re- quested file, the files is receiving in terms of packets.
Server:
Figure 5. Server
The Figure 5 depicts the server in that every information will be there it includes all the file details and user details also its finds any type of credential and impersonation at- tackers is entered.
Credential attackers:
Figure 6. Credential attackers
International Journal of Innovatory Research in Engineering and Technology IJIRET www.ijirusa.webs.com
Peer Reviewed Online International Journal Volume 1, Issue 3, July 2014 9 Impersonation attacker:
Figure 7. Impersonation attacker
The Figure 7 depicts impersonate attacker his trying to update IP to enter into the network as legal user.
User details:
Figure 8. User details
The Figure 8 shows the all the registered user infor- mation.
File details:
Figure 9. File details The Figure 9 depicts the all the file details including the status, date and time which file has been sent and download- ed.
Conclusions and Future Work
In this paper, it is demonstrated two effective impersona- tion attacks on single sign-on (SSO) scheme. The first attack shows that it cannot protect the privacy of a users creden- tial, and thus, a malicious service provider can impersonate a legal user in order to enjoy the resources and services from other service providers. The second attack violates the soundness of authentication by giving an outside attacker without credential the chance to impersonate even a non- existent user and then freely access resources and services provided by service providers. We also discussed why their well-organized security arguments are not strong enough to guarantee the security of their SSO scheme. In addition, it was explained why the previous scheme is also vulnerable to these attacks. Furthermore, by employing an efficient verifi- able encryption of RSA signatures and diffie-hellman, it was proposed an improved to achieve soundness and credential privacy.
As future work, further research is necessary to investi- gate the maturity of this model and study how the security of the improved SSO scheme proposed in this paper can be formally proven.
References
[1] A. C. Weaver and M. W. Condtry, Distributing internet services to the networks edge, IEEE Trans. Ind. Electron., vol. 50, no. 3, pp. 404411, Jun. 2003. [2] L. Barolli and F. Xhafa, JXTA-OVERLAY: A P2P plat- form for distributed, collaborative and ubiquitous compu- ting, IEEE Trans. Ind.Electron., vol. 58, no. 6, pp. 2163 2172, Oct. 2010. [3] L. Lamport, Password authentication with insecure communication, Common. ACM, vol. 24, no. 11, pp. 770 772, Nov. 1981. [4] W. B. Lee and C. C. Chang, User identification and key distribution maintaining anonymity for distributed computer networks, Comput.Syst. Sci. Eng., vol. 15, no. 4, pp. 113 116, 2000. [5] W. Juang, S. Chen, and H. Liaw, Robust and efficient password authenticated key agreement using smart cards, IEEE tras. Ind. Electron, vol. 15, no. 6, pp. 25512556, Jun. 2008. [6] X. Li,W. Qiu, D. Zheng, K. Chen, and J. Li, Anonymity enhancement on robust and efficient password-authenticated key agreement using smart cards, IEEE Trans. Ind. Elec- tron. vol. 57, no. 2, pp. 793800, Feb. 2010. [7] M. Cheminod, A. Pironti, and R. Sisto, Formal vulnera- bility analysis of a security system for remote field bus ac- International Journal of Innovatory Research in Engineering and Technology IJIRET www.ijirusa.webs.com
Peer Reviewed Online International Journal Volume 1, Issue 3, July 2014 10 cess, IEEE Trans. Ind. Inf.,vol. 7, no. 1, pp. 3040, Feb. 2011. [8] A. Valenzano, L. Durante, and M. Cheminod, Review of security issues in industrial networks, IEEE Trans. Ind. Inf., vol. PP, no. 99, 2012, DOI 10.1109/TII/2012.2198666. [9] T.-S.Wu and C.-L. Hsu, Efficient user identification scheme with key distribution preserving anonymity for dis- tributed computer networks, Comput. Security, vol. 23, no. 2, pp. 120125, 2004. [10] Y. Yang, S. Wang, F. Bao, J. Wang, and R. H. Deng, New efficient user identification and key distribution scheme providing enhanced security, Comput. Security, vol. 23, no. 8, pp. 697704, 2004. [11] K. V. Mangipudi and R. S. Katti, A secure identifica- tion and key agreement protocol with user anonymity (SI- KA), Comput. Security, vol. 25, no. 6, pp. 420425, 2006. [12] C.-L. Hsu and Y.-H. Chuang, A novel user identifica- tion scheme with key distribution preserving user anonymity for distributed computer networks, Inf. Sci., vol. 179, no. 4, pp. 422429, 2009.
Biographies
Harish K is currently pursuing M.Tech in Computer Network Engineering at Center for PG Studies, (VTU), Bel- gaum. He received his Bachelor of En- gineering in Computer Science from Rural Engineering College, Hulkoti, Karnataka. His areas of interests in- clude Cryptography and Network Security.
He may be reached at patilharish96@gmail.com.
Henin Roland Karkada is currently pursu- ing M.Tech in Computer Science at Center for PG Studies, (VTU), Belgaum. He re- ceived his Bachelor of Engineering in Com- puter Science from Mangalore Institute of Technology (MITE) Mangalore. His areas of interests include Content Based image Re- trieval, Cloud Computing, Cryptography and Semantic Web.
He may be reached at henin.roland@gmail.com.
Shilpa V is currently pursuing M.Tech in Computer Network Engineering at Center for PG Studies, (VTU), Belgaum. She received her Bachelor of Engineering in Electronics and Communications from Dr. SMCE, Byra- nayakanahalli, Bengaluru. Her areas of inter- ests include Cryptography and Mobile Com- puting.
She may be reached at shilpav92 @gmail.com
Pushpalatha S is currently working as a Professor in Dept. of Computer Network and Engineering, Center for PG Studies, VTU Belgaum. She has completed her Masters in Computer Network Engineering from the National Institute of Engi- neering, Mysore, Karnataka and her Bachelors of Engineer- ing in Electronics and Communication and Engineering from Coorg Institution of Technology, Kodagu, Karnataka. She has an overall of 7 years of teaching experience and handled subjects like Network Security, Computer Networks, Wire- less Communication and Digital Communication. Her recent interests include Network Security and Cryptography.