Lin Yao,Lei Wang,Xiangwei Kong,Guowei Wu,Feng Xia

DOI: https://doi.org/10.1016/j.camwa.2010.01.010

IF: 3.218

2010-01-01

Computers & Mathematics with Applications

Abstract:In a pervasive computing environment, mobile users often roam into foreign domains. Consequently, mutual authentication between the user and the service provider in different domains becomes a critical issue. In this paper, a fast and secure inter-domain authentication and key establishment scheme, namely IDAS, is proposed. IDAS adopts Biometrics to guarantee the uniqueness and privacy of users and adopts signcryption to generate a secure session key. IDAS can not only reduce the burden of certificates management, but also protect the users and authentication servers against fraud. Compared with some other authentication methods, our approach is superior with faster key exchange and authentication, as well as more privacy. The correctness is verified with the Syverson and Van Oorschot (SVO) logic. Crown Copyright (C) 2010 Published by Elsevier Ltd. All rights reserved.

LI Jian-jun,XU Duan-qing,GUO Wei-qing

DOI: https://doi.org/10.3969/j.issn.1000-7024.2005.09.068

2005-01-01

Abstract:Combining with living examples and based on IPSEC,the realization of the VPN system was approached in many internet circumstances of remote access(such as gateway,broadband,xDSL etc.),and in view of the deficiency and the hidden troubles of the traditional static password,introduces a working mechanism was introduced which took into consideration both the tokencard two factor authentication and Windows AD,and proveds to be flexible and liable for the single-sign on clients.

YAO Lin,FAN Qingna,KONG Xiangwei

DOI: https://doi.org/10.3778/j.issn.1002-8331.2011.06.023

2011-01-01

Abstract:As a result of the high mobility of the pervasive computing,the principles communicating with each other usually locate at different domains.To secure the service access and communications,the principles should authenticate each other and establish a fresh session key.A novel inter-domain authentication and key establishment protocol is proposed.The proposed protocol reduces the burden of certificates management by adopting the biometric encryption.After inter-domain mutual authentication,the two principles build a new session key using the signcryption technique.The protocol can defend lots of attacks and its correctness is proven by the SVO logic.

高俊娜,于继万,朱华飞,潘雪增

2004-01-01

Abstract:In current SIP protocol,to interact with other domain services,a node need multi-authentication processes. This paper integrates SAML into SIP protocol which well extends SIP authentication mechanism between multi-domains. It makes full use of SAML capability based on XML to bring an easy method to implement single sign-on(SSO).

Ge Gao,Yuan Zhang,Yaqing Song,Shiyu Li

DOI: https://doi.org/10.1109/tifs.2024.3392533

IF: 7.231

2024-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Single-sign-on (SSO) authentication employs an identity provider (IdP) to provide users with an efficient way to authenticate themselves with different service providers and has been widely applied in digital systems. However, existing SSO authentication schemes suffer from critical issues in terms of security and privacy. Regarding security, most SSO authentication schemes achieve a high convenience at the expense of security and are thereby susceptible to various attacks. Regarding privacy, most existing schemes fail to protect users' subscription pattern and access pattern against adversaries who can easily extract users' sensitive information from their authentications and launch subsequent attacks for profits. In this paper, we develop a practical SSO authentication system, dubbed PrivSSO, with the protection of users' subscription pattern and access pattern. To balance the trade-off between security and convenience, the key technique is a secure "hybrid" key-based authentication mechanism: a long-term key stored in a well-guarded hardware token serves as the "primary" authentication factor (AF) to guarantee strong security; an ephemeral key bound with portable device(s) serves as the "daily-used" AF to achieve high convenience. To protect the subscription pattern and access pattern from leakage, we propose a redactable token generation mechanism, where the users themselves specify what IdP and the service providers can learn from their authentications. We formally define and prove the security of PrivSSO. We also implement a PrivSSO prototype and conduct a comprehensive performance evaluation to demonstrate its practicality.

TAN Jinfu,SONG Anjun,PENG Qinke,Hu Baosheng

DOI: https://doi.org/10.3969/j.issn.1004-373x.2007.18.037

2007-01-01

Abstract:SSO technology is gradually applied in many fields of software systems.This paper introduces the requirements of SSO and analyzes the inner mechanism of SSO in web applications on the basis of Cookie technology.Besides,SSO is further expatiated on the aspect of security and performance,its risks and improvements needing to be done are pointed out.

Jie Jiang,Deren Chen,Tim Chen,Xiaodong Shen

DOI: https://doi.org/10.1109/imsccs.2006.169

2006-01-01

Abstract:With the development of grid service, there are two key problems to be improved. One is to access Web grid service with friend interface for user. Another is the security authentication for grid resource share. Nowadays, a solution of Web universal entrance for grid service has been given through a Web framework named grid portal. PKI based grid security infrastructure has been widely used in order to guarantee grid security. However, although proxy certificate has been well applied in GSI, there is still no integrated model for security grid portal based on PKI and proxy mechanism. From the view of cooperation, a security grid portal is proposed based on PKI and online proxy certificate repository. It can successfully move the user's credential from the PKI public key certificates to its proxy certificate issued by online proxy certificate repository, which makes a Web user be easily authenticated through Web client to any grid service process

ZHANG Jing-yu,LI Zhi-shu,CHEN Liang-yin,XING Jian-chuan,LI Bao-lin,LI Qing

DOI: https://doi.org/10.3969/j.issn.1009-3087.2007.05.027

2007-01-01

Abstract:Single Sign On(SSO) provides uniform authentication entrance for multi-application integration system,but has a security issue on which it normally does not focus— authentication management in Single Sign Out.A Message System-based and Customizable Single Sign Out Service —MSC-SSOS integrating Yale ITS CAS into a multi-application online service system,was designed and implemented.Many services such as security management,business customization,message persistency and balance loading are provided through a message bus.MSC-SSOS demonstrates characteristics of security,stability and efficiency in the online system which is visited by more than 400000 pages a day.

LI Dong-feng,WEI Ming-Xin,LI Wei-ping

DOI: https://doi.org/10.3969/j.issn.1009-8054.2011.09.049

2011-01-01

Abstract:As considerable quantities of complex cryptographic computation should be done on client side in the traditional public key cryptosystems,it's difficult for the PKI technology to be used in the special case with weak computation capability. In addition,the communication between digital certificate and authentication is required,thus to obtain the CRLs as certificate chain and verify the validity of online certificate,this would greatly reduce the application and development of public key cryptographic technology. In the proposed proxy-based application model,the computation and communication are completed via the proxy service,and the client just needs to send standard application request and accept the corresponding response,thus effectively simplifying the application of public key cryptography.

Hui Wang,Dawu Gu,Yuanyuan Zhang,Yikun Hu

DOI: https://doi.org/10.1007/s11432-019-2697-1

2021-01-01

Science China Information Sciences

Abstract:>Dear editor, Single sign-on (SSO) schemes have been widely used by major companies to manage service authorization and user authentication. They can enable third-party applications to obtain user information from a service provider to identify a user. The third-party application is often referred to as the relying party (RP), and the service provider is referred to as the identity provider (Id P). According to a recent study [1], OAuth and its extension Open ID connect (OIDC) are amongst the most widespread SSO protocols;

CHEN Dong,YIN Jian-wei

DOI: https://doi.org/10.3969/j.issn.1001-3695.2007.04.084

2007-01-01

Abstract:This paper analyzed the principles and drawbacks of traditional SSO products.It separated the two types of information which is needed through login procedure of applications,and realized auto-login with sharing information of login procedure based on XML and USB authentication.Furthermore,it made research on the structure and message transmission of Windows and Web applications,and developd a distributed SSO System which supports multi-mode applications.The system was proved to be effect.

邓绪水,宋庭新,黄必清

DOI: https://doi.org/10.3969/j.issn.1003-4684.2010.02.008

2010-01-01

Abstract:Single sign-on(SSO) is an important part of Enterprise Application Integration(EAI).By analyzing the project needs,a new SSO model based on certificate encryption and Agent Login is proposed.This model not only perfectly matches the original operational system,but also enables a flexible and safety SSO access control.The application of this model to the Enterprise Information Portal is introduced in detail,and some corresponding analyses on technical security are put forward.The current system will be on the Public Services Platform for Population and Reproductive Health at present.

Zhiyi Zhang,Michał Król,Alberto Sonnino,Lixia Zhang,Etienne Rivière

DOI: https://doi.org/10.48550/arXiv.2002.10289

2020-02-24

Cryptography and Security

Abstract:We introduce EL PASSO, a privacy-preserving, asynchronous Single Sign-On (SSO) system. It enables personal authentication while protecting users' privacy against both identity providers and relying parties, and allows selective attribute disclosure. EL PASSO is based on anonymous credentials, yet it supports users' accountability. Selected authorities may recover the identity of allegedly misbehaving users, and users can prove properties about their identity without revealing it in the clear. EL PASSO does not require specific secure hardware or a third party (other than existing participants in SSO). The generation and use of authentication credentials are asynchronous, allowing users to sign on when identity providers are temporarily unavailable. We evaluate EL PASSO in a distributed environment and prove its low computational cost, yielding faster sign-on operations than OIDC from a regular laptop, one-second user-perceived latency from a low-power device, and scaling to more than 50 sign-on operations per second at a relying party using a single 4-core server in the cloud.

He,Wei,Li,Xiu,Liu,Wenhuang

DOI: https://doi.org/10.3969/j.issn.1008-0570.2005.33.001

2005-01-01

Abstract:This paper investigates the importance of uniform identity authentication system for building knowledge sharing platform, and presents the general framework of this system. An architecture based on kerberos Protocol and Security Assertion Markup Language is used to solve the issue of the Single User Sign-on to Multiple Services. This paper also discusses the issue of organizing user's id and access control lists with the distributed directory tree method, and a real application model is presented. This system can provide a very effective and secure access on knowledge sharing system.

Wang Ke,Ling Li

DOI: https://doi.org/10.3969/j.issn.1000-386X.2008.02.068

2008-01-01

Abstract:In order to make the authentic-name network services much more convenient and effective for customers,a model of Single-Sign-On in Authentic-Name Network Services is proposed.The model combines the advantages of two popular SSO methods,Centralized SSO(Microsoft) and distributed SSO(Liberty Alliance).Based on this,the SSO process in Authentic-Name Network Services is elaborated with the eKey idea,and finally,a daemon is set up to verify the model.

Ye Tang,Zhang Shen-Sheng,Lei Li,Zhang Jing-Yi

DOI: https://doi.org/10.1007/978-3-540-30501-9_70

2004-01-01

Abstract:The inconvenience and security risks arose from multi-system security functions are firstly analyzed as well as the limitation of Single Sign On. All kinds of methods to implement the integration of application system security functions are studied. Based on them the omnipotent integration technology for application system security functions (OITASSF) is brought forward. It employs intelligent agent combined with smart card to implement the interaction with application system security function instead of person. The technology has the characteristics of wide applicability, high agility, strong stability and good scalability. At last its simple implementation example is illustrated.

Siyu Gan,Gu, Chunhua,Xueqin Zhang

DOI: https://doi.org/10.1109/IEEC.2010.5533219

2010-01-01

Abstract:With the rapid development of E-Business systems, the technology of distributed services and security becomes research focus in the field of Internet based applications. The distributed E-Business application platform has strong security requirements and specific demands on secure user authentication. After analyzing the distributed authentication protocol and public key infrastructure (PKI), a method for distributed E-Business application authentication using public key cryptography is introduced in this paper. By distributing most of the authentication workload away from the trusted intermediary and to the communicating parties, significant enhancements to security and scalability can be achieved.

Ke CHEN,Kun SHE,Di-ming HUANG

2005-01-01

Journal of Computer Applications

Abstract:Single-signon technology enables users to use multiple Web services without repetitious login which makes user identity management more convenient and secure.SAML is the criterion to implement a single-signon system.It provides a standard for Web services to exchange user identity authentication information.The implementation of SAML artifact technology in single-signon system was mainly discussed.The flow and security of this single-signon system was analyzed.

Yinzhi Cao,Yan Shoshitaishvili,Kevin Borgolte,Christopher Krügel,Giovanni Vigna,Yan Chen

DOI: https://doi.org/10.1007/978-3-319-11379-1_14

2014-01-01

Abstract:Web-based single sign-on describes a class of protocols where a user signs into a web site with the authentication provided as a service by a third party. In exchange for the increased complexity of the authentication procedure, SSO makes it convenient for users to authenticate themselves to many different web sites (relying parties), using just a single account at an identity provider such as Facebook or Google.

DU Jian-dong,WANG Jin-lin,ZHAO Zhi-qiang

2012-01-01

Abstract:To propose a solution that realizes the Multi-terminal Single Sign-On(SSO) system based on the Terminal Manager(TM).The object is that the users just need to make a Single Sign-On among different terminals at the background of the merging of the three Network.On the basis of different terminals' individual single sign-on,Multi-terminal SSO can be realized by bundling the unique ID of different terminals.In the prototype system,we complete the project of Multi-terminal SSO through TM and Session Manager.