IJRIT International Journal of Research in Information Technology, Volume 2, Issue 12, December 2014, Pg. 01-08

International Journal of Research in Information Technology (IJRIT)

www.ijrit.com

ISSN 2001-5569

Secure Accessibility to Multiple Services with Single Sign on in Distributed Environments

Sudharani Pudi (1), A. Ganesh Kumar (2)

(1) Department of CSE, Gokul Institute of Technology and Sciences, Piridi village, Bobbili mandalam, Vizianagaram dt., JNTU Kakinada University, A.P., India. [email protected]

(2) Department of CSE, Gokul Institute of Technology and Sciences, Piridi village, Bobbili mandalam, Vizianagaram dt., JNTU Kakinada University, A.P., India. [email protected]


Abstract

Sign on has been around since the inception of web applications. Security plays an important role as monetary transactions take place over the Internet through sophisticated web applications. Accessing multiple services of an enterprise in a distributed environment with a single sign on has become a popular concept of late, and it has been adopted by many enterprises including Google and Microsoft. It provides great flexibility to end users while helping enterprises simplify the authentication process. However, there are security concerns, since a failure of security means exposing all services to adversaries. Many researchers have contributed single sign on mechanisms and analysed them for fool-proof security. In this paper we make an empirical study by building a prototype application and implementing single sign on. Our empirical results reveal that the proposed solution is very useful in real-world applications used by enterprises.

Index Terms – Information Security, authentication, distributed computing, SSO

1. Introduction

With the advent of distributed computing and its prevailing presence in the real world, organizations are forming virtual collaborations. Companies enter business collaborations so as to get maximum benefits, as is evident in all sectors such as banking, insurance, e-Commerce and so on. Many organizations can collaborate to form chains of businesses; this is how Supply Chain Management (SCM) came into existence. User authentication plays a pivotal role in securing applications. Security mechanisms such as authentication, authorization, confidentiality and non-repudiation are all needed for complete application security, but authentication is the one practised in every real-world enterprise application. Recently, due to such collaborations, the practice of using SSO has become common.


Figure 1 – Schematic overview of single sign on

As can be seen in Figure 1, authentication takes place only once and the user can gain access to multiple organizations and services through the federated SSO. This is very convenient for end users, as they do not need to remember and protect multiple credentials. Each organization and service does not need a separate credential; a common credential gives access to all services of all organizations associated with the federation. Much research has studied the feasibility and security strength of SSO. Researchers such as Lee and Chang [1], Wu and Hsu [2], Yang et al. [3], Mangipudi and Katti [4], and Hsu and Chuang [5] focused on security issues and SSO problems. The authentication problem has attracted many researchers in general computer networks [6], industrial networks [7] and RFID systems [8], [9]. In [10] an SSO mechanism was introduced in which the credentials are used for a short period of time. An SSO scheme needs three important qualities: credential privacy, soundness, and unforgeability. A generic SSO scheme was proposed in [11], while a zero-knowledge (ZK) scheme was proposed in [12]. In [13] an SSO scheme was proposed by Chang and Lee. However, the Chang-Lee scheme was later proved to be insecure, because it permits an impersonation attack and a credential recovery attack. To address this drawback, Wang et al. [14] made a security analysis of SSO in distributed environments. In this paper we built a prototype application that implements an SSO scheme as a proof of concept. The proposed application has provision for running the attacks that are used to test the soundness of the SSO scheme. The remainder of the paper is structured as follows. Section II provides a review of the literature on prior work. Section III describes the proposed system. Section IV presents experimental results, while Section V concludes the paper and provides directions for future work.

2. Proposed System

The proposed SSO scheme is based on the mechanisms presented in [14]. The proposed SSO scheme has three phases such as initialization phase, registration phase and user identification phase. In the initialization phase security mechanisms are initialized. In the registration phase each user is given unique identity and each service provider is also given unique identity. These identities are used in the further communication. In the user identification phase, each user has to deal with resource access based on the underlying security mechanisms. Between user and service provider there is a series of communications as part of user identification as presented in Figure 2.


Figure 2 – User identification phase [14]

As can be seen in Figure 2, user identification is carried out between the two parties as part of the scheme. The scheme facilitates secure communication between the two parties and thus becomes part of the SSO scheme.
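The three phases of Section 2 (initialization, registration, user identification), modelled as an added example that is not the paper's prototype code and not the construction of [14]: a trusted authority in the SCPC role derives one credential per user and one verification key per service provider, and in the identification phase the user proves possession of its single credential to the authority, which answers with a ticket bound to the provider's challenge. The HMAC tickets, the names Authority, Provider, identify and demo, and the nonce-replay check are assumptions standing in for the scheme's own credential mathematics, which the paper does not reproduce.

```python
import hashlib
import hmac
import secrets

def mac(key: bytes, *parts: bytes) -> bytes:
    # Length-prefix every field so field boundaries cannot be shifted.
    data = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hmac.new(key, data, hashlib.sha256).digest()

class Authority:
    """SCPC role (assumed construction). Initialization: one master key.
    Registration: derive a credential per user and a key per provider."""

    def __init__(self) -> None:
        self.master = secrets.token_bytes(32)

    def register_user(self, uid: bytes) -> bytes:
        return mac(self.master, b"user", uid)

    def register_provider(self, pid: bytes) -> bytes:
        return mac(self.master, b"provider", pid)

    def issue_ticket(self, uid, pid, nonce, proof):
        # Identification step 2: the user proves it holds the single credential
        # (never sent); a wrong proof yields no ticket, blocking impersonation.
        expected = mac(self.register_user(uid), b"proof", pid, nonce)
        if not hmac.compare_digest(proof, expected):
            return None
        # The ticket is keyed to this provider only, so another provider or
        # an eavesdropper learns nothing reusable about the credential.
        return mac(self.register_provider(pid), b"ticket", uid, pid, nonce)

class Provider:
    def __init__(self, pid: bytes, verify_key: bytes) -> None:
        self.pid, self.key, self.used = pid, verify_key, set()

    def challenge(self) -> bytes:
        return secrets.token_bytes(16)  # identification step 1

    def verify(self, uid: bytes, nonce: bytes, ticket: bytes) -> bool:
        # Identification step 3: check the ticket, then burn the nonce so a
        # captured (nonce, ticket) pair cannot be replayed.
        if nonce in self.used:
            return False
        self.used.add(nonce)
        expected = mac(self.key, b"ticket", uid, self.pid, nonce)
        return hmac.compare_digest(ticket, expected)

def identify(auth: Authority, sp: Provider, uid: bytes, cred: bytes) -> bool:
    nonce = sp.challenge()
    proof = mac(cred, b"proof", sp.pid, nonce)
    ticket = auth.issue_ticket(uid, sp.pid, nonce, proof)
    return ticket is not None and sp.verify(uid, nonce, ticket)

def demo() -> dict:
    auth = Authority()
    alice = auth.register_user(b"alice")  # constructed sample user
    sps = [Provider(p, auth.register_provider(p)) for p in (b"files", b"mail")]
    honest = all(identify(auth, sp, b"alice", alice) for sp in sps)
    forged = identify(auth, sps[0], b"alice", secrets.token_bytes(32))
    n = sps[1].challenge()
    t = auth.issue_ticket(b"alice", b"mail", n, mac(alice, b"proof", b"mail", n))
    first, replay = sps[1].verify(b"alice", n, t), sps[1].verify(b"alice", n, t)
    return {"honest": honest, "forged": forged, "first": first, "replay": replay}
```

demo() shows the single credential reaching two providers, a guessed credential being refused a ticket, and a replayed ticket being rejected by the provider.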

3. Implementation

We built a prototype application that demonstrates the concept of single sign on. The proposed scheme has been applied to an application in which multiple parties are involved and multiple services are provided under the SSO scheme.

Figure 2 – Activities of various users of the application


As can be seen in Figure 2, the application has provision for various users: normal user, SCPC user and service provider. The normal user has provision for various operations after the SSO process: viewing files, signature, file request, receiving files and logging out. The SCPC user has provision for activities such as generating signatures, verifying signatures, blocking the impersonation attack, blocking the credential removal attack and logging out. The service provider user has provision for operations such as uploading files, viewing files, requesting files, sending files and logging out. Before implementing these activities in the web application, besides the implementation of the SSO scheme, the backend schema was identified through a normalization process.

3.1 Backend

MySQL is used for the backend. MySQL is an RDBMS that stores the data generated by the proposed application. There are many tables for managing the data generated by the application, including the tables that deal with SSO credentials. File management, user management and SSO-related credentials are stored in corresponding tables. These tables are accessed from the frontend application in order to demonstrate the SSO mechanisms, the attacks on the SSO scheme and the other general operations of the application as required.

Figure 3 – Backend schema

As can be seen in Figure 3, the backend schema has several tables and each table contains related attributes. The schema has been normalized in order to have compact tables that provide clear storage provisions in the backend.

3.2 Prototype Application

We built a prototype application that interacts with the backend as per the user's needs. The application is built with Java technologies such as Servlets and JSP. JDBC is used for interacting with MySQL, and the application is meant for demonstrating the normal operations and also the soundness of the SSO scheme in the presence of various attacks. The UI for the SCPC user is presented in Figure 4.


Figure 4 – UI for SCPC user activities

As can be seen in Figure 4, the SCPC user can perform activities such as viewing user details and provider details, and testing the soundness of the SSO scheme by launching attacks such as the impersonation attack and the credential attack.

Figure 5 – UI for service provider user

As can be seen in Figure 5, the service provider user can perform various operations such as uploading files, viewing file details, requesting details and even launching the credential attack for testing the soundness of the SSO scheme.


Figure 6 – UI for normal user

As can be seen in Figure 6, the normal end user has operations such as viewing files, making file requests and so on. These operations are performed by the end user after the SSO process; with single sign on, users can perform various operations and move to related services as well.

4. Experimental Results

Experiments were made to test the soundness of the proposed application. Two attacks, the credential attack and the impersonation attack, were each made around 100 times and the average prevention capabilities were recorded. The results of the proposed application are compared with the existing solution. The results are presented in Figure 7.

[Figure 7 residue: bar chart, y-axis 92 to 100 (attack prevention capability); series: Credential Attack Prevention, Impersonation attack prevention; groups: Existing, Proposed]

Figure 7 – Attack prevention capabilities of proposed system


As can be seen in Figure 7, the proposed SSO scheme and the application demonstrate the soundness of the technique. The SSO scheme implemented in this paper shows 100% security, while the existing solution is vulnerable to credential and impersonation attacks.

5. Conclusions and Future Work

In this paper, we study the soundness of SSO schemes. SSO allows users to hold a single credential that gives them provision to visit multiple sites or to perform multiple activities. In a distributed computing environment this helps in gaining access to multiple service providers, and it avoids having to remember many credentials. Single-credential authentication has its advantages, but when the credential is compromised, security is lost. Therefore it is essential to ensure that the credential is not disclosed. Our focus in this paper was on reviewing SSO schemes and building a new SSO scheme that overcomes the drawbacks of the existing scheme. The existing scheme was proved to be inefficient against attacks such as the credential attack and the impersonation attack. We built a prototype application to implement the SSO scheme and also to demonstrate the soundness of the SSO scheme for accessing multiple services using a single credential. In future we intend to implement SSO in real-time applications.

REFERENCES

[1] W. B. Lee and C. C. Chang, “User identification and key distribution maintaining anonymity for distributed computer networks,” Comput. Syst. Sci. Eng., vol. 15, no. 4, pp. 113–116, 2000.

[2] W. Juang, S. Chen, and H. Liaw, “Robust and efficient password authenticated key agreement using smart cards,” IEEE Trans. Ind. Electron., vol. 15, no. 6, pp. 2551–2556, Jun. 2008.

[3] Y. Yang, S. Wang, F. Bao, J. Wang, and R. H. Deng, “New efficient user identification and key distribution scheme providing enhanced security,” Comput. Security, vol. 23, no. 8, pp. 697–704, 2004.

[4] K. V. Mangipudi and R. S. Katti, “A secure identification and key agreement protocol with user anonymity (SIKA),” Comput. Security, vol. 25, no. 6, pp. 420–425, 2006.

[5] C.-L. Hsu and Y.-H. Chuang, “A novel user identification scheme with key distribution preserving user anonymity for distributed computer networks,” Inf. Sci., vol. 179, no. 4, pp. 422–429, 2009.

[6] H.-M. Sun, Y.-H. Chen, and Y.-H. Lin, “oPass: A user authentication protocol resistant to password stealing and password reuse attacks,” IEEE Trans. Inf. Forensics Security, vol. 7, no. 2, pp. 651–663, Apr. 2012.

[7] A. Valenzano, L. Durante, and M. Cheminod, “Review of security issues in industrial networks,” IEEE Trans. Ind. Inf., vol. PP, no. 99, 2012, DOI 10.1109/TII/2012.2198666.

[8] B. Fabian, T. Ermakova, and C. Muller, “SHARDIS: A privacy-enhanced discovery service for RFID-based product information,” IEEE Trans. Ind. Inf., vol. 8, no. 3, pp. 707–718, Aug. 2012.

[9] B. Wang and M. Ma, “A server independent authentication scheme for RFID systems,” IEEE Trans. Ind. Inf., vol. 8, no. 3, pp. 689–696, Aug. 2012.

[10] The Open Group, “Security Forum on Single Sign-On,” [Online]. Available: http://www.opengroup.org/security/l2-sso.htm

[11] J. Han, Y. Mu, W. Susilo, and J. Yan, “A generic construction of dynamic single sign-on with strong security,” in Proc. SecureComm, 2010, pp. 181–198, Springer.

[12] U. Feige, A. Fiat, and A. Shamir, “Zero-knowledge proofs of identity,” J. Cryptology, vol. 1, no. 2, pp. 77–94, 1988.


[13] C.-C. Chang and C.-Y. Lee, “A secure single sign-on mechanism for distributed computer networks,” IEEE Trans. Ind. Electron., vol. 59, no. 1, pp. 629–637, Jan. 2012.

[14] G. Wang, J. Yu, and Q. Xie, “Security analysis of a single sign-on mechanism for distributed computer networks,” IEEE Trans. Ind. Inf., vol. 9, no. 1, pp. 294–302, 2013.

AUTHORS

Sudharani Pudi is currently working towards her M.Tech degree at Gokul Institute of Technology and Sciences, Piridi village, Bobbili mandalam, Vizianagaram dt., A.P., India. Her research interests include data mining and cloud computing.

A. Ganesh Kumar is working as an Assistant Professor at Gokul Institute of Technology and Sciences, Piridi village, Bobbili mandalam, Vizianagaram dt., A.P., India. His main research interests are data mining and big data mining.
