5 pages

Please download to get full document.

View again

of 5
All materials on our website are shared by users. If you have any questions about copyright issues, please report us to resolve them. We are always happy to assist you.
    REDUCED SIGN ON MECHANISM USING VERIFIABLE ENCRYPTION SIGNATURE   Ms.Suguna.M 1 , Mr.K.Sivachandran 2   2 Assistant Professor, Department of Computer Science and Engineering, Sasurie Academy of Engineering, Coimbatore-641653, India  1 Department of Computer Science and Engineering, Sasurie Academy of Engineering, Coimbatore-641653, India  Abstract  -   Single sign-on (SSO) is a new authentication mechanism that enables a legal user with a single credential to be authenticated by multiple service providers in a distributed computer network. SSO scheme should meet at least three basic security requirements, unforgeability, credential privacy, and soundness. Chang and Lee which uses the RSA cryptosystem scheme are actually insecure, as it fails to meet credential privacy and soundness of authentication. Specifically, there are two impersonation attacks. The first attack allows a malicious service provider, who has successfully communicated with a legal user twice, to recover the user’s credential and then to impersonate the user to access resources and services offered by other service providers. In another attack, an outsider without any credential may be able to enjoy network services freely by impersonating any legal user or a nonexistent user. To overcome these two attacks, Chang and Lee reviewed and uses the RSA VES (Verifiable Encryption Signature).To Enhance the security of SSO the AES (Advanced Encryption Algorithm) is used for encryption and decryption.   Index terms  - Authentication, Attacks, Decryption, Encryption, Single Sign on, RSA  1.INTRODUCTION w ith the widespread use of distributed computer Networks, it has become common to allow users to access various network services offered by distributed service providers Identification of user is an important access control mechanism for client  –  server networking architectures. The goal of a single sign on platform is to eliminate individual sign on  procedures by centralizing user authentication and identity management at a central identity provider. In a single sign-on solution, the user should seamlessly authenticated to his multiple user accounts (across different systems) once he proves his identity to the identity provider. Nevertheless, in many current solutions, the user is required to repeat sign on for each service using the same set of credentials, which are validated at the identity provider by each service. Intuitively, an   SSO scheme should meet at least three basic security requirements, i.e., unforgeability, credential privacy, and soundness. Unforgeability demands that, except the trusted authority, even a collusion of users and service  providers are not able to forge a valid credential for a new user. Credential privacy guarantees that colluded dishonest service providers should not be able to fully recover a user‟s credential and then impersonate  The user to log in to other service providers. Soundness means that an unregistered user without a credential should not be able to access the services offered by service providers.   User authentication [3], [4] plays a crucial role in distributed computer networks to verify the legacy of a user and then can be granted to access the services requested. To prevent bogus servers, users usually need to authenticate service providers. After mutual authentication, a session key may be negotiated to keep the confidentiality of data exchanged between a user and a provider [4], [5], [6]. In many scenarios, the anonymity of legal users should be protected as well [4], [7], [6]. These protocols offer varying degrees of efficiency. This paper aims to ensure more security to the existing Chang Lee SSO scheme. It also aims to add additional security during data transfer between user and provider. It also proposes further research into more efficient enhancements to the current work. The main objective of this paper is to enhance security for single sign-on solutions and eliminate the need for users to repeatedly prove their identities to different applications and hold different credentials for each application.   2 SECURE SINGLE SIGN ON MECHANISM The Chang  –  Lee scheme [19] is actually insecure by presenting two impersonation attacks, i.e. credential recovering attack and impersonation attack without credentials. In the first attack, a malicious service  provider who has communicated with a legal user twice can successfully recover the user‟s credential. Then, the malicious service provider can impersonate the user to access resources and services provided by other service providers. The other attack may enable an outside attacker without any valid credential to impersonate a legal user or even a nonexistent user to have free access to the services. These two attacks imply that the Chang  –  Lee SSO scheme fails to meet credential privacy and soundness, which are essential requirements for SSO schemes and authentication protocols. We also identify the flaws in their security arguments in order to explain why it is possible to mount our attacks against their scheme. Similar attacks can also be applied to the Hsu  –  Chuang scheme [12], on which the Chang  –  Lee scheme is based. Finally, to avoid these two impersonation attacks, we  propose an improved SSO scheme to enhance the user authentication phase of the Chang-Lee scheme. To this end, we employ the efficient RSA-based verifiable encryption of signatures (VES) proposed  by Ateniese [21] to verifiably and securely encrypt a user‟s credential. In fact, Ateniese‟s VES was srcinally introduced to realize fair exchange. TABLE  NOTATIONS    2.1 BASIC OPERATIONS Authentication The process of verifying the user‟s identity, making sure that the user is who he claims to be. This can be based on login & password combination or Smart card, biometrics, etc. Authorization The process of verifying whether a user is  privileged to access a particular resource. Credentials Credentials are the details provided by a user during the process of authentication into an application. They can    be login and password, fingerprint, smart card etc.Single sign on function that plays an essential role in protecting today's  businesses from personal information leaks and security threats. 3. PROPOSED SCHEME Single sign on mechanism with RSA-VES cryptographic algorithm is a proper and appropriate method to prevent the two types of attacks such as credential recovering attack(fake service providers) and Impersonation attack without credentials(Fake users). 3.1 INITIALIZATION The user when request for server, to login to server and get service choose the unique identity and sends the ID to the third party server. The third party selects two prime number p and q.The third party server sets its RSA parameter such as private and public key pair(e,d) where „e‟ is  prime number. It also generates the prime number for Diffie-Hellman key exchange. Third party also chooses a cryptographic hash function. 3.2 REGISTRATION The third party server upon receiving the register request, it issues an user credential. The user credential calculated as RSA‟s signature.  Each service provider has unique identity and it should maintain a pair of signing/verifying keys for a secure signature scheme. Verification function is used verify the signature with the public key. Fig 1: Proposed Scheme 3.3 AUTHENTICATION PHASE In this phase, RSA-VES(Rivest,Shamir and Adelman-Verifiable Encryption Signature) is employed to authenticate a user, and normal signature is used for service provider authentication. The user sends a service request with nonce to service provider.Upon receiving the request, server calculates its session key and issues a signature and then sends the message which contain session keysignature, nonce value which is selected by service provider. The client upon receiving the message from service provider, the client terminates the conversation if the verification is failed. Otherwise, the client accepts service provider because the signature is valid.The client selects a random number and generates the session key. The client computes the evidence showing that the credential has    encrypted using public key. Finally the client encrypts his/her identity, new nonce value and server‟s nonce using session key to get cipher text. To verify the client, the service provider uses the session key sent by client to decrypt the message sent by client to recover the client ID, nonce value of client and server. If the verification fails, the service provider aborts the conversation. Otherwise , the service provider accepts the client and believes that they shared the same session key by sending the message to client. After the client receives the verify message from service provider, it checks the verify is equal to nonce value created by client. If this true, the client  believes that they shared the same session key. Otherwise it terminates the conversation. 3.4 ENCRYPTION AND DECRYPTION PHASE: Encryption and Decryption between user and provider is ensured using AES algorithm which is more secure than DES and there are currently no known non-brute-force attacks against AES. Data which is send from each provider to user is encrypted and send to the user, then the user decrypts it and the srcinal data is retrieved. All these encryption and decryption are done using the more secure Advanced Encryption Algorithm  4. METHODOLOGY In the existing system, different security schemes are proposed by many researchers. In the  proposed system, various Client-Server programs are written to implement the project using web application. This work uses the multithreading features of language to run in parallel for different  providers. Chang-Lee algorithm is used for user identification phase. But, it is using a less secure DES algorithm. This paper user a more secure AES algorithm to enhance the security features. So, this scheme is more secure than Chang-Lee scheme. 5. ADVANTAGES OF SSO • Users need only one password for access to all applications and systems. • Users can access the corporate network at the start of their workday. • Users have immediately have access to all necessary password-protected applications. • Users don't need to remember multiple passwords. • Users dont have to write down their passwords. • Users don't have to guess passwords, which  potentially expose applications to unauthorized users.   An implementation shall protect all security relevant information supplied to or generated by the implementation.   EXAMPLE:  Google Accounts allows a user to sign on to different services provided by Google using the same username/password pair. Another famous example is RSA SecurID [14], which a two factor authentication solution based on a OTP token and classical username/password credentials, allowing a user to sign on to several SecurID enabled services using the same token. However, a recent attack to EMC facilities exposed the overall fragility of this heuristic system. Even though their security was unaffected by current attacks, both solutions still require the user to repeatedly perform the sign on procedure. In most of current transparent single sign-on architectures, the user receives some kind of "authentication ticket" after he successfully signs on to the identity provider. When the user desires to sign on, he sends this ticket to the intended service provider or application, which then verifies it's validity by direct communication with the identity provider. This approach has several drawbacks, such as complex management and the requirement of secure online communication between applications and identity providers, which increases network traffic and processing loads small. CONCLUSION This paper proposes a secure single sign-on mechanism based on one-way hash functions and random nonces to solve the weaknesses described above and to decrease the overhead of the system. Encryption and Decryption of data sent between user and provider can improve security of communication. Encryption and Decryption process can be done using a more secure algorithm, ie, AES Encryption. AES is strong enough to be certified for use by the US govt. for top secret information. AES is federal information  processing standard and there are currently no known non-brute-force attacks against AES. Thus AES is given priority than other standards when security is taken into consideration. By using this sso scheme, users need only one password for secure access to all applications and systems and would lock out the hackers entering into the system. But there are some vulnerability problems and there should be a good  password, one that is very hard to crack. This paper  proposes further research into more efficient enhancements for security of single sign on for distributed computer networks. For third-party sites, credential generation and synced, cloud-based storage can be provided. Auto login, Smart cards, Biometrics are other methods to enhance security for single sign on mechanism for distributed computer networks. REFERENCES [1]. Weaver and M. W. Condtry, “ Distributing Internet services to the network‟s edge”, IEEE Trans. Ind. Electron., 50(3): 404-411, Jun. 2003. [2]. L. Barolli and F. Xhafa, “ JXTA-OVERLAY: A P2P platform for distributed, collaborative and ubiquitous computing ”, IEEE Trans. Ind.Electron., 58(6): 2163-2172, Oct. 2010. [3]. L. Lamport, “ Password authentication with insecure communication” ,Commun. ACM, 24(11): 770-772, Nov. 1981. [4]. Chin-Chen Chan g, “ A secure single mechanism for distributed computer networks ,” IEEE Trans. On Industrial Electronics ,vol. 59, no. 1, Jan 2012. [5]. W. B. Lee and C. C. Chang, “ User identification and key distribution maintaining anonymity for distributed computer networks ,” Computer Systems Science and Engineering, 15(4): 113-116, 2000. [6]. W. Juang, S. Chen, and H. Liaw, Robust and efficient password authenticated key agreement using smart cards, IEEE Trans. Ind. Electron.,15(6): 2551-2556, Jun. 2008. [7]. X. Li, W. Qiu, D. Zheng, K. Chen, and J. Li, “ Anonymity enhancement on robust and efficient  password-authenticated key agreement using smart cards ,” IEEE Trans. Ind. Electron., 57(2): 793-800, Feb. 2010. [8]. T.-S. Wu and C.- L. Hsu, “ Efficient user identification scheme with key distribution  preserving anonymity for distributed computer networks,” Computers and Security, 23(2): 120-125, 2004. [9]. Y. Yang, S. Wang, F. Bao, J. Wang, and R. H. Deng, “New efficient user identification and key distribution scheme pr  oviding enhanced security,” Computers and Security, 23(8): 697-704, 2004. [10]. K. V. Mangipudi and R. S. Katti, “ A secure identification and key agreement protocol with user anonymity (sika),” Computers and Security, 25(6): 420-425, 2006. [11]. C.-L. Hsu and Y.-H. Chuang, “A novel user identification scheme with key distribution  preserving user anonymity for distributed computer networks, ” Inf. Sci., 179(4): 422-429, 2009. [12]. Data Encryption Standard, NIST Std. FIPS PUB 46-2, 1988. [13]. Advanced Encryption Standard, NIST Std. FIPS PUB 197, 2001. [14]. W. Stallings, Cryptography and Network Security, 4th ed. Upper Saddle River, NJ: Pearson,  Nov. 2005, pp. 334  –  340.
We Need Your Support
Thank you for visiting our website and your interest in our free products and services. We are nonprofit website to share and download documents. To the running of this website, we need your help to support us.

Thanks to everyone for your continued support.

No, Thanks