LI Jian-jun,XU Duan-qing,GUO Wei-qing

DOI: https://doi.org/10.3969/j.issn.1000-7024.2005.09.068

2005-01-01

Abstract:Combining with living examples and based on IPSEC,the realization of the VPN system was approached in many internet circumstances of remote access(such as gateway,broadband,xDSL etc.),and in view of the deficiency and the hidden troubles of the traditional static password,introduces a working mechanism was introduced which took into consideration both the tokencard two factor authentication and Windows AD,and proveds to be flexible and liable for the single-sign on clients.

YAO Lin,FAN Qingna,KONG Xiangwei

DOI: https://doi.org/10.3778/j.issn.1002-8331.2011.06.023

2011-01-01

Abstract:As a result of the high mobility of the pervasive computing,the principles communicating with each other usually locate at different domains.To secure the service access and communications,the principles should authenticate each other and establish a fresh session key.A novel inter-domain authentication and key establishment protocol is proposed.The proposed protocol reduces the burden of certificates management by adopting the biometric encryption.After inter-domain mutual authentication,the two principles build a new session key using the signcryption technique.The protocol can defend lots of attacks and its correctness is proven by the SVO logic.

LI Jian-jun,GUO Wei-qing,XU Duan-qing

DOI: https://doi.org/10.3969/j.issn.1000-7024.2006.15.056

2006-01-01

Abstract:Authentication is the core and the first gateway to computer security system. With mentality of middleware and the tokencard authentication system, the improved project of GINA and extensional technology on Windows are introduced and a more flexible mecha- nism for the two-factor authentication module is provided. With the virtual tokencard technology, the Tokencard make the multi-role logon authentication possible and it proves to be more flexible and reliable.

ZHENG Lan,CHEN Qi

DOI: https://doi.org/10.3969/j.issn.1000-7024.2005.07.058

2005-01-01

Abstract:With the rapid growth of internet and enterprises on a global scale, the use of directories as accessible repositories providesa flexible and various solution for gathering, storage and accessing information. The design and implementation of an unified accesscontrol system supporting single-sign-on areintrodueed, whichis based on LDAPdirectory and combines access controls ofall applicationsystems to realize security access system of unified users management. The system used middleware technology to efficiently resolvethe bottleneck problem when a lot of users accesed LDAP database.

Muhammad Bilal,Can Wang,Zhi Yu,Abid Bashir

DOI: https://doi.org/10.1109/icsess49938.2020.9237635

2020-01-01

Abstract:Identity management (IdM) plays a significant role in managing user identities (IDs). However, IdM is challenging to handle the rapidly rising numerous kinds of Web-based applications nowadays. The OpenID 2.0 communication protocol is an improved solution for managing a user's IDs based on the OpenID URL identity. OpenID URL identity is not very much secure in specific Web-based attacks; for instance, session hijacking and phishing attacks often occur. The earlier OpenID-based methods secure OpenID URL identity with single, double, and triple authentication schemes. But Identity Provider (IdP) side is still not secure in Web attacks: if an attacker steals the IdP-side legal user information, then existing OpenID-based security techniques are unreliable. The anticipated OpenID Reverse Authentication Authorizing and Accounting (RAAA) user authentication-based protocol secured OpenID URL identity by providing two beneficial fields Secret Alphanumeric String (SAS) and Special Innovative PIN (SIP) that utilize in testing website both sides in reverse and cost-effective way. In this experiment, IdP and Relying Party (RP), both sides are being used secretly. Therefore, experimental websites also test to check the proposed triple authentication protocol. In this paper, we have compared our RAAA user authentication protocol with already available SSO protocol methods. The tested websites and comparative results represent that the anticipated design protocol is very much secure and reliable solution. The advanced cryptographic Single-Sign-On (SSO) secure protocol reduces the higher-level session hijacking and phishing attacks risk in an OpenID-based environment. We suggest future SSO protocol methods will be needed more in terms of the authorized user's identity authentication in Web-based applications.

TAN Jinfu,SONG Anjun,PENG Qinke,Hu Baosheng

DOI: https://doi.org/10.3969/j.issn.1004-373x.2007.18.037

2007-01-01

Abstract:SSO technology is gradually applied in many fields of software systems.This paper introduces the requirements of SSO and analyzes the inner mechanism of SSO in web applications on the basis of Cookie technology.Besides,SSO is further expatiated on the aspect of security and performance,its risks and improvements needing to be done are pointed out.

Wang Ke,Ling Li

DOI: https://doi.org/10.3969/j.issn.1000-386X.2008.02.068

2008-01-01

Abstract:In order to make the authentic-name network services much more convenient and effective for customers,a model of Single-Sign-On in Authentic-Name Network Services is proposed.The model combines the advantages of two popular SSO methods,Centralized SSO(Microsoft) and distributed SSO(Liberty Alliance).Based on this,the SSO process in Authentic-Name Network Services is elaborated with the eKey idea,and finally,a daemon is set up to verify the model.

高俊娜,于继万,朱华飞,潘雪增

2004-01-01

Abstract:In current SIP protocol,to interact with other domain services,a node need multi-authentication processes. This paper integrates SAML into SIP protocol which well extends SIP authentication mechanism between multi-domains. It makes full use of SAML capability based on XML to bring an easy method to implement single sign-on(SSO).

Dongxi Zheng,Shaohua Tang,Shaofa Li

DOI: https://doi.org/10.1142/S0218126605002714

2011-01-01

Journal of Circuits Systems and Computers

Abstract:Web Services technology is suitable for cross-platform and cross-application integration. To secure systems based on Web Services, a single sign-on protocol for Web Services supporting several login modes are presented. The architecture and the formalized flow of the protocol are described. The protocol is also analyzed and proven using an extended SVO logic.

Yinzhi Cao,Yan Shoshitaishvili,Kevin Borgolte,Christopher Krügel,Giovanni Vigna,Yan Chen

DOI: https://doi.org/10.1007/978-3-319-11379-1_14

2014-01-01

Abstract:Web-based single sign-on describes a class of protocols where a user signs into a web site with the authentication provided as a service by a third party. In exchange for the increased complexity of the authentication procedure, SSO makes it convenient for users to authenticate themselves to many different web sites (relying parties), using just a single account at an identity provider such as Facebook or Google.

Haojiang Gao,Xiao Tian-yuan

2011-01-01

Abstract:To overcome the shortcomings of SAML(security assertion markup language),the following improvements are done.Web sites group-based session life cycle is defined.Reverse query on-line user(RQOU) protocol,and logout of fixed logon(SOFL) protocol is designed.Avoiding duplication login method is given.Domain-crossed SSO problem is resolved.A data synchronization strategy is stated,which simplifies legacy system integration.A SSO system based on these designs is used in a state-owned bank in China,which has reduced system management costs and improved productivity,and then satisfies the enterprise requirements.

Ke CHEN,Kun SHE,Di-ming HUANG

2005-01-01

Journal of Computer Applications

Abstract:Single-signon technology enables users to use multiple Web services without repetitious login which makes user identity management more convenient and secure.SAML is the criterion to implement a single-signon system.It provides a standard for Web services to exchange user identity authentication information.The implementation of SAML artifact technology in single-signon system was mainly discussed.The flow and security of this single-signon system was analyzed.

He,Wei,Li,Xiu,Liu,Wenhuang

DOI: https://doi.org/10.3969/j.issn.1008-0570.2005.33.001

2005-01-01

Abstract:This paper investigates the importance of uniform identity authentication system for building knowledge sharing platform, and presents the general framework of this system. An architecture based on kerberos Protocol and Security Assertion Markup Language is used to solve the issue of the Single User Sign-on to Multiple Services. This paper also discusses the issue of organizing user's id and access control lists with the distributed directory tree method, and a real application model is presented. This system can provide a very effective and secure access on knowledge sharing system.

Fang Song,Jianhua Chen,Debiao He

2014-01-01

Abstract:With advancement of computer community, people can obtain their service through the mobile devices. The number of service servers providing Internet applications is usually more than one. As a result, users generally need multiple servers to provide different services. It has become a big challenge to design a secure and efficient authentication for remote user under multi-server architecture. In 2013, Jiang et al. proposed an anonymous user authentication with key agreement scheme without pairings for multi-server architecture using self-certified public keys (SCPKs). They claimed that their scheme can satisfy all of the requirements needed for achieving secure authentication in multi-server environments. However, in this paper, we will show that Jiang et al.'s scheme cannot withstand password guessing attack, impersonation attack and insider attack. Therefore, we present a more secure authentication based on SCPKs.

Yinzhi Cao,Yan Shoshitaishvili,Kevin Borgolte,Christopher Kruegel,Giovanni Vigna,Yan Chen

2014-01-01

Abstract:Author(s): Cao, Yinzhi; Shoshitaishvili, Yan; Borgolte, Kevin; Kruegel, Christopher; Vigna, Giovanni; Chen, Yan | Abstract: Web-based single sign-on describes a class of protocols where a user signs into a web site with the authentication provided as a service by a third party. In exchange for the increased complexity of the authentication procedure, SSO makes it convenient for users to authenticate themselves to many different web sites (relying parties), using just a single account at an identity provider such as Facebook or Google.Single sign-on (SSO) protocols, however, are not immune to vulnerabilities. Recent research introduced several attacks against existing SSO protocols, and further work showed that these problems are prevalent: 6.5% of the investigated relying parties were vulnerable to impersonation attacks, which can lead to account compromises and privacy breaches. Prior work used formal verification methods to identify vulnerabilities in SSO protocols or leveraged invariances of SSO interaction traces to identify logic flaws. No prior work, however, systematically studied the actual root cause of impersonation attacks against the relying party.In this paper, we systematically examine existing SSO protocols and determine the root cause of the aforementioned vulnerabilities: the design of the communication channel between the relying party and the identity provider, which, depending on the protocol and implementation, suffers from being a one-way communication protocol, or from a lack of authentication. We (a) systematically study the weakness responsible for the vulnerabilities in existing protocols that allow impersonation attacks against the relying party, (b) introduce a dedicated, authenticated, bi-directional, secure channel that does not suffer from those shortcomings, (c) formally verify the authentication property of this channel using a well-known cryptographic protocol verifier (ProVerif), and (d) evaluate the practicality of a prototype implementation of our protocol.Ultimately, to support a smooth and painless transition from existing SSO protocols, we introduce a proxy setup in which our channel can be used to secure existing SSO protocols from impersonation attacks. Furthermore, to demonstrate the flexibility of our approach, we design two different SSO protocols: an OAuth-like and an OpenID-like protocol.

Zongpu Jia,Guowei Wang

DOI: https://doi.org/10.1007/978-3-642-40633-1-18

2014-01-01

Abstract:To resolve the problems about identity authentication of heterogeneous application systems that emerged in the procedure of data integration. This paper presents a solution of unified identity authentication based on Light Directory Access Protocol (LDAP). By using a method of double sign on an interface calling the solution can separately realize unified identity authentication in developed application systems and new systems. Then the paper design a reasonable structure Directory Information Tree (DIT) based on Role-Based Access Control (RBAC) model that consists of organization, user, role, and permission entries to realize permissions distributing and access control. ? Springer-Verlag Berlin Heidelberg 2014.

Qiong Li,XinGuang Zou,Huang Lin,Zhaoqing Liu,Xiamu Niu

2006-01-01

Abstract:Kerberos is a commonly used distributed network authentication protocol. Both Windows 2000 and Windows XP adopted Kerberos as their default authentication method. But in the practical application, it still suffers from the password guessing attacks, along with other password related problems, such as no connection to the valid user, forgotten and stolen, etc. In this paper, a solution is proposed to overcome these problems by using a smartcard-based iris key authentication algorithm to replace the password authentication module of Kerberos. Iris key authentication algorithm binds a valid user's iris template and his key monolithically. Secret sharing, error correcting coding and iris authentication are combined to guarantee that the key can be retrieved exactly only when a matching iris is available, but neither the iris template nor the key can be derived from the iris key independently. Integrating the iris key authentication algorithm with smartcard technique can improve the security, usability and maintainability of Kerberos system. The experiment results show that the scheme is feasible and secure.

Xiong Li,Yongping Xiong,Jian Ma,Wendong Wang

DOI: https://doi.org/10.1016/j.jnca.2011.11.009

IF: 7.574

2012-01-01

Journal of Network and Computer Applications

Abstract:Generally, if a user wants to use numerous different network services, he/she must register himself/herself to every service providing server. It is extremely hard for users to remember these different identities and passwords. In order to resolve this problem, various multi-server authentication protocols have been proposed. Recently, Sood et al. analyzed Hsiang and Shih's multi-server authentication protocol and proposed an improved dynamic identity based authentication protocol for multi-server architecture. They claimed that their protocol provides user's anonymity, mutual authentication, the session key agreement and can resist several kinds of attacks. However, through careful analysis, we find that Sood et al.'s protocol is still vulnerable to leak-of-verifier attack, stolen smart card attack and impersonation attack. Besides, since there is no way for the control server CS to know the real identity of the user, the authentication and session key agreement phase of Sood et al.'s protocol is incorrect. We propose an efficient and security dynamic identity based authentication protocol for multi-server architecture that removes the aforementioned weaknesses. The proposed protocol is extremely suitable for use in distributed multi-server architecture since it provides user's anonymity, mutual authentication, efficient, and security.

CHEN Dong,YIN Jian-wei

DOI: https://doi.org/10.3969/j.issn.1001-3695.2007.04.084

2007-01-01

Abstract:This paper analyzed the principles and drawbacks of traditional SSO products.It separated the two types of information which is needed through login procedure of applications,and realized auto-login with sharing information of login procedure based on XML and USB authentication.Furthermore,it made research on the structure and message transmission of Windows and Web applications,and developd a distributed SSO System which supports multi-mode applications.The system was proved to be effect.

Xiong Li,Kaihui Wang,Jian Shen,Saru Kumari,Fan Wu,Yonghua Hu

DOI: https://doi.org/10.1007/s12652-015-0338-z

IF: 3.662

2016-01-01

Journal of Ambient Intelligence and Humanized Computing

Abstract:Computer networks have become so ubiquitous that the user can access various services by using network devices at anytime and anywhere. However, due to the open nature of the network, the security issue has become an important consideration in these network-based systems that cannot be ignored, especially in critical systems, such as life-critical system and financial system. User authentication scheme is the most used and effective mechanism for information security, and many user authentication schemes have been proposed by researchers. Recently, Shen et al. proposed a biometrics-based user authentication scheme for multi-server environments in critical systems. However, their scheme lacks the wrong password detection mechanism and is vulnerable to denial-of-service attack. Besides, they do not consider the user anonymity property, and may suffer from biometrics template lost attack because the biometrics template is directly stored in user’s smart card. In this paper, an enhanced biometrics-based user authentication scheme for multi-server environments in critical systems is presented by adopting the fuzzy extractor. The analysis shows that the proposed scheme not only removes the security weaknesses of previous schemes, but also keeps the computational efficiency.