Paper 2012/107

Security Analysis of A Single Sign-On Mechanism for Distributed Computer Networks

Guilin Wang, Jiangshan Yu, and Qi Xie

Abstract

Single sign-on (SSO) is a new authentication mechanism that enables a legal user with a single credential to be authenticated by multiple service providers in distributed computer networks. Recently, Chang and Lee proposed a new SSO scheme and claimed its security by providing well-organized security arguments. In this paper, however, we show concretely that their scheme is actually insecure, as it fails to meet credential privacy and soundness of authentication. Specifically, we present two impersonation attacks. The first attack allows a malicious service provider, who has successfully communicated with a legal user twice, to recover the user's credential and then to impersonate the user to access resources and services offered by other service providers. In the other attack, an outsider without any credential may be able to enjoy network services freely by impersonating any legal user or a nonexistent user. We identify the flaws in their security arguments to explain why attacks are possible against their SSO scheme. Our attacks also apply to another SSO scheme proposed by Hsu and Chuang, which inspired the design of the Chang-Lee scheme. We promote the study of the soundness of authentication as one open problem.

Metadata
Available format(s): PDF
Category: Cryptographic protocols
Publication info: Published elsewhere. Unknown where it was published
Keywords: Authentication, Single Sign-On, Attacks, Information Security
Contact author(s): guilin @ uow edu au
History: 2012-02-29: received
Short URL: https://ia.cr/2012/107
License: Creative Commons Attribution (CC BY)

BibTeX

@misc{cryptoeprint:2012/107,
      author = {Guilin Wang and Jiangshan Yu and Qi Xie},
      title = {Security Analysis of A Single Sign-On Mechanism for Distributed Computer Networks},
      howpublished = {Cryptology {ePrint} Archive, Paper 2012/107},
      year = {2012},
      url = {https://eprint.iacr.org/2012/107}
}