Cryptology ePrint Archive: Report 2011/246
A Framework for Secure Single Sign-On
Bernardo Machado David and Anderson C. A. Nascimento and Rafael Tonicelli
Abstract: Single sign-on solutions allow users to sign on only once and
have their identities automatically verified by each application or service they want to access afterwards. There are few practical and secure single sign-on models, even though it is of great importance to current distributed application environments. We build on proxy signature schemes to introduce the first public key cryptographic approach to single sign-on frameworks, which represents an important milestone towards the construction of provably secure single sign-on schemes. Our contribution is two-fold, providing a framework that handles both session state across multiple services and granular access control. The intrinsic centralized access control functionality adds no additional cost to the single sign on protocol while providing an easy way to manage access policies and user rights revocation. Moreover, our approach significantly improves communication complexity by eliminating any communication between services and identity providers during user identity and access permission verification. Relying on simple primitives, our methods can be easily and efficiently implemented using standard cryptography APIs and libraries. We base our constructions on standard cryptographic techniques and a threat model that captures the characteristics of current attacks and the requirements of modern applications. This is the first approach to base single sign-on security on public key cryptography and associate such a
practical application to proxy signatures.
Category / Keywords: applications / single sign on user authentication log in proxy signature identification protocol
Date: received 16 May 2011, last revised 26 Sep 2011
Contact author: bernardo david at redes unb br
Available format(s): PDF | BibTeX Citation
Note: Modified overall paper structure focusing only on the single sign on framework rather than the initial user authentication step.
Version: 20110926:073916 (All versions of this report)
Discussion forum: Show discussion | Start new discussion
[ Cryptology ePrint archive ]