Sie sind auf Seite 1von 5

Peer Reviewed Online International Journal Volume 1, Issue 3, July 2014 6

Security Enhancement of Single Sign on Mechanism

for Distributed Computer Network

Harish K
M.Tech in Computer Network & Engineering
Center for PG Studies, VTU
Belgaum, Karnataka, India

Pushpalatha S
Assistant Professor in Computer Network & Engineering
Center for PG Studies, VTU
Belgaum, Karnataka, India

Henin Roland Karkada
M.Tech in Computer Science & Engineering
Center for PG Studies, VTU
Belgaum, Karnataka, India

Shilpa V
M.Tech in Computer Network & Engineering
Center for PG Studies, VTU
Belgaum, Karnataka, India


The Single sign-on (SSO) is a new authentication mecha-
nism that enables a legal user with a single credential to be
authenticated by multiple service providers in a distributed
computer network. Specifically there are two impersonation
attacks which do not meet credential privacy and soundness
of authentication.. The first attack allows a malicious service
provider, who has successfully communicated with a legal
user twice, to recover the users credential and then to im-
personate the user to access resources and services offered
by other service providers. In another attack an outsider
without any credential may be able to enjoy network services
freely by impersonating any legal user or a nonexistent user.
The flaws in their security arguments have to be identified to
explain why attacks are possible against their SSO scheme.
Moreover, by employing an efficient verifiable encryption of
RSA signatures proposed by Ateniese; this paper proposes
an improvement for repairing the ChangLee scheme and
promotes the formal study of the soundness of authentication
as one open problem.


SSO, GPS, GDC, LDPA, sign-on, NZK


Computer security is an information security as applied
to computer and networks. Most computer security measures
involve data encryption and passwords. Data encryption is
the translation of data into a form that is unintelligible with-
out a deciphering mechanism.

Single sign-on

Single sign-on (SSO) is a property of access control of
multiple related, but independent software systems. With
this property a user login once and gain access to all systems
without being prompted to log in again at each of them. This
is typically accomplished using Lightweight Directory Ac-
cess Protocol (LDPA) and stored LDPA databases on serv-
ers. A simple version of single sign-on can be achieved us-
ing cookies but only if the sites are on the same server.

Users typically have to sign-on to multiple systems, ne-
cessitating an equivalent number of sign-on dialogues, each
of which may involve different usernames and authentica-
tion information. Historically a distributed system has been
assembled from components that act as independent security
domains. These components comprise individual platforms
with associated operating system and applications. These
components act as independent domains in the sense that an
end-user has to identify and authenticate himself inde-
International Journal of Innovatory Research in Engineering and Technology IJIRET

Peer Reviewed Online International Journal Volume 1, Issue 3, July 2014 7
pendently to each of the domains with which he wishes to

The security objectives to be met by an implementation
of single sign-on are:
It shall not adversely affect the resilience of the system
within which it is deployed.
It shall not adversely impact the availability of any indi-
vidual system service.
It shall not provide access by principals to User Account
Information to which they would not be permitted access
within the controlling security domain for that information.
An implementation shall audit all security relevant events
which occur within its own context.
It shall provide protection to security relevant information
when exchanged between its own constituent components
and between those components and other services.

Figure 1. Simple SSO operation


The aim of the objective of this paper is to identify flaws
in security arguments and to explain why attacks are possi-
ble against SSO scheme mainly impersonation attacks.
Moreover, by employing an efficient verifiable encryption of
RSA signatures this paper proposes an improvement for re-
pairing the old scheme.


The system comprises of these modules:
1) User Identification Phase
2) Attacks against the ChangLee Scheme
3) Recovering Attack
4) Non-interactive zero-knowledge(NZK)
5) Security Analysis

Module Description

A. User Identification Phase

To access the resources of service provider, user needs to
go through the authentication protocol specified. The ran-
dom integers chosen are three random nonces; and it de-
notes a symmetric key encryption scheme which is used to
protect the confidentiality of users identity.

B. Attacks against the ChangLee Scheme

The ChangLee scheme is actually not a secure SSO
scheme because there are two potential effective and con-
crete impersonation attacks. The first attack, the credential
recovering attack compromises the credential privacy in the
ChangLee scheme as a malicious service provider is able to
recover the credential of a legal user. The other attack, an
impersonation attack without credentials, demonstrates
how an outside attacker may be able to freely make use of
resources and services offered by service providers, since the
attacker can successfully impersonate a legal user without
holding a valid credential and thus violate the requirement of
soundness for an SSO scheme. In real life, these attacks may
put both users and service providers at high risk.

C. Recovering Attack

If all service providers are assumed to be trusted, to iden-
tify him/her user can simply encrypt his/her credential under
the RSA public key of service provider. Then, can easily
decrypt this cipher text to get s credential and verify its va-
lidity by checking if it is a correct signature issued by . In
fact, such a straightforward scheme with strong assumption
is much simpler, more efficient and has better security, at
least against this type of attack.

D. Non-interactive zero-knowledge (NZK)

The basic idea of VES is that Alice who has a key pair of
signature scheme signs a given message and encrypts the
resulting signature under the trusted partys public key, and
uses a non-interactive zero-knowledge (NZK) proof to con-
vince Bob that she has signed the message and the trusted
party can recover the signature from the cipher text. After
validating the proof, Bob can send his signature for the same
message to Alice. For the purpose of fair exchange, Alice
should send her signature in plaintext back to Bob after ac-
cepting Bobs signature.

E. Security Analysis

The security of the SSO scheme is improved by focusing
on the security of the user authentication part, especially
soundness and credential privacy due to two reasons. On the
other hand, the Unforgeability of the credential is guaranteed
by the Unforgeability of RSA signatures, and the security of
service provider authentication is ensured by the Unforgea-
International Journal of Innovatory Research in Engineering and Technology IJIRET

Peer Reviewed Online International Journal Volume 1, Issue 3, July 2014 8
bility of the secure signature scheme chosen by each service

Results and Discussions

The system has a GUI where in a user needs to enter the
details to register.

The users who have registered will have to get the per-
mission from the server; this will activate the user and make
the login successfully. The user can use some of the ser-
vices; here some file can be uploaded after generating signa-
ture and verifying of that sign.

File Download:

Figure 2. Download the file with verification

The Figure 2 depicts the user can download the file with
verification by entering the file name its use the verifiable
encryption of the signature for secure download.


Figure 3. Admin

The Figure 3 depicts the admin which sending the re-
quested file to the client.


Figure 4. Client

The Figure 4 depicts the client which is receiving the re-
quested file, the files is receiving in terms of packets.


Figure 5. Server

The Figure 5 depicts the server in that every information
will be there it includes all the file details and user details
also its finds any type of credential and impersonation at-
tackers is entered.

Credential attackers:

Figure 6. Credential attackers

International Journal of Innovatory Research in Engineering and Technology IJIRET

Peer Reviewed Online International Journal Volume 1, Issue 3, July 2014 9
Impersonation attacker:

Figure 7. Impersonation attacker

The Figure 7 depicts impersonate attacker his trying to
update IP to enter into the network as legal user.

User details:

Figure 8. User details

The Figure 8 shows the all the registered user infor-

File details:

Figure 9. File details
The Figure 9 depicts the all the file details including the
status, date and time which file has been sent and download-

Conclusions and Future Work

In this paper, it is demonstrated two effective impersona-
tion attacks on single sign-on (SSO) scheme. The first attack
shows that it cannot protect the privacy of a users creden-
tial, and thus, a malicious service provider can impersonate a
legal user in order to enjoy the resources and services from
other service providers. The second attack violates the
soundness of authentication by giving an outside attacker
without credential the chance to impersonate even a non-
existent user and then freely access resources and services
provided by service providers. We also discussed why their
well-organized security arguments are not strong enough to
guarantee the security of their SSO scheme. In addition, it
was explained why the previous scheme is also vulnerable to
these attacks. Furthermore, by employing an efficient verifi-
able encryption of RSA signatures and diffie-hellman, it was
proposed an improved to achieve soundness and credential

As future work, further research is necessary to investi-
gate the maturity of this model and study how the security of
the improved SSO scheme proposed in this paper can be
formally proven.


[1] A. C. Weaver and M. W. Condtry, Distributing internet
services to the networks edge, IEEE Trans. Ind. Electron.,
vol. 50, no. 3, pp. 404411, Jun. 2003.
[2] L. Barolli and F. Xhafa, JXTA-OVERLAY: A P2P plat-
form for distributed, collaborative and ubiquitous compu-
ting, IEEE Trans. Ind.Electron., vol. 58, no. 6, pp. 2163
2172, Oct. 2010.
[3] L. Lamport, Password authentication with insecure
communication, Common. ACM, vol. 24, no. 11, pp. 770
772, Nov. 1981.
[4] W. B. Lee and C. C. Chang, User identification and key
distribution maintaining anonymity for distributed computer
networks, Comput.Syst. Sci. Eng., vol. 15, no. 4, pp. 113
116, 2000.
[5] W. Juang, S. Chen, and H. Liaw, Robust and efficient
password authenticated key agreement using smart cards,
IEEE tras. Ind. Electron, vol. 15, no. 6, pp. 25512556, Jun.
[6] X. Li,W. Qiu, D. Zheng, K. Chen, and J. Li, Anonymity
enhancement on robust and efficient password-authenticated
key agreement using smart cards, IEEE Trans. Ind. Elec-
tron. vol. 57, no. 2, pp. 793800, Feb. 2010.
[7] M. Cheminod, A. Pironti, and R. Sisto, Formal vulnera-
bility analysis of a security system for remote field bus ac-
International Journal of Innovatory Research in Engineering and Technology IJIRET

Peer Reviewed Online International Journal Volume 1, Issue 3, July 2014 10
cess, IEEE Trans. Ind. Inf.,vol. 7, no. 1, pp. 3040, Feb.
[8] A. Valenzano, L. Durante, and M. Cheminod, Review
of security issues in industrial networks, IEEE Trans. Ind.
Inf., vol. PP, no. 99, 2012, DOI 10.1109/TII/2012.2198666.
[9] T.-S.Wu and C.-L. Hsu, Efficient user identification
scheme with key distribution preserving anonymity for dis-
tributed computer networks, Comput. Security, vol. 23, no.
2, pp. 120125, 2004.
[10] Y. Yang, S. Wang, F. Bao, J. Wang, and R. H. Deng,
New efficient user identification and key distribution
scheme providing enhanced security, Comput. Security,
vol. 23, no. 8, pp. 697704, 2004.
[11] K. V. Mangipudi and R. S. Katti, A secure identifica-
tion and key agreement protocol with user anonymity (SI-
KA), Comput. Security, vol. 25, no. 6, pp. 420425, 2006.
[12] C.-L. Hsu and Y.-H. Chuang, A novel user identifica-
tion scheme with key distribution preserving user anonymity
for distributed computer networks, Inf. Sci., vol. 179, no. 4,
pp. 422429, 2009.


Harish K is currently pursuing M.Tech
in Computer Network Engineering at
Center for PG Studies, (VTU), Bel-
gaum. He received his Bachelor of En-
gineering in Computer Science from
Rural Engineering College, Hulkoti,
Karnataka. His areas of interests in-
clude Cryptography and Network Security.

He may be reached at

Henin Roland Karkada is currently pursu-
ing M.Tech in Computer Science at Center
for PG Studies, (VTU), Belgaum. He re-
ceived his Bachelor of Engineering in Com-
puter Science from Mangalore Institute of
Technology (MITE) Mangalore. His areas of
interests include Content Based image Re-
trieval, Cloud Computing, Cryptography and
Semantic Web.

He may be reached at

Shilpa V is currently pursuing M.Tech in
Computer Network Engineering at Center for
PG Studies, (VTU), Belgaum. She received
her Bachelor of Engineering in Electronics
and Communications from Dr. SMCE, Byra-
nayakanahalli, Bengaluru. Her areas of inter-
ests include Cryptography and Mobile Com-

She may be reached at shilpav92

Pushpalatha S is currently working as a Professor in Dept. of
Computer Network and Engineering, Center for PG Studies,
VTU Belgaum. She has completed her Masters in Computer
Network Engineering from the National Institute of Engi-
neering, Mysore, Karnataka and her Bachelors of Engineer-
ing in Electronics and Communication and Engineering from
Coorg Institution of Technology, Kodagu, Karnataka. She
has an overall of 7 years of teaching experience and handled
subjects like Network Security, Computer Networks, Wire-
less Communication and Digital Communication. Her recent
interests include Network Security and Cryptography.

She may be reached at