Client Hardware-Token Based Single Sign-On over Several Servers without Trusted Online Third Party Server

  • Sandro Wefel
  • Paul Molitor
Part of the Communications in Computer and Information Science book series (CCIS, volume 36)

Abstract

User authentication in most systems follows one principle: registration under a unique user name and presentation of a secret, e.g., a password or a private cryptographic key. To obtain a trustworthy method, hardware tokens carrying user certificates and keys, protected by a PIN, have to be combined with this.

The main problem of hardware tokens is consumer acceptance. Thus, hardware tokens have to offer added value.

This paper proposes such an add-on, namely a client-based approach which allows single sign-on for multiple client applications, possibly distributed over several servers, without modifications on the server side. Whereas current client-based hardware token approaches store passwords for authenticating the user to the applications, the approach presented here uses the user certificate stored on the token. A method is provided so that the PIN of the token has to be entered only once and not each time an application is called. Authorization information is taken from a central database. Thus, the value added to the hardware token consists of both a much more secure authentication method than authentication by user name and secret, and single sign-on. So the increase in consumer acceptance comes along with more security: a win-win situation.
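A working sketch of the scheme described in the abstract, added here as an illustration and not taken from the paper: a PIN-protected token (simulated in software; a real one would be reached through PKCS#11), a client-side login step that unlocks the token once per session, and several unmodified servers that each have the token sign a fresh challenge, verify it against the user certificate, consult a revocation list and look the user up in the central authorization store. The names, the self-signed user certificate, the Ed25519 key type and the in-memory maps standing in for the CRL and the authorization database are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Token is a software stand-in for a PIN-protected hardware token (a real one
// would be driven through PKCS#11; assumption). The private key never leaves it.
type Token struct {
	Cert     *x509.Certificate
	key      ed25519.PrivateKey
	pinHash  [32]byte
	unlocked bool
}

// NewToken makes a key pair and a self-signed user certificate for cn (example
// shortcut; a deployment's CA would issue it) and seals the token with pin.
func NewToken(cn, pin string) (*Token, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(4711), Subject: pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &Token{Cert: cert, key: priv, pinHash: sha256.Sum256([]byte(pin))}, err
}

// Unlock compares the PIN in constant time and opens the token for signing.
func (t *Token) Unlock(pin string) error {
	if h := sha256.Sum256([]byte(pin)); subtle.ConstantTimeCompare(h[:], t.pinHash[:]) != 1 {
		return errors.New("wrong PIN")
	}
	t.unlocked = true
	return nil
}

// Sign refuses to use the key while the token is locked.
func (t *Token) Sign(msg []byte) ([]byte, error) {
	if !t.unlocked {
		return nil, errors.New("token locked, PIN required")
	}
	return ed25519.Sign(t.key, msg), nil
}

// Server models an unmodified service that already does certificate login:
// chain check, CRL lookup, a fresh nonce signed with the key in the certificate,
// then a lookup in the central authorization store shared by all servers.
type Server struct {
	Name    string
	Roots   *x509.CertPool
	Revoked map[string]bool     // certificate serial -> revoked (stand-in CRL)
	Authz   map[string][]string // subject CN -> servers the user may use
}

func (s *Server) Authenticate(cert *x509.Certificate, sign func([]byte) ([]byte, error)) error {
	opts := x509.VerifyOptions{Roots: s.Roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return err
	}
	if s.Revoked[cert.SerialNumber.String()] {
		return errors.New("certificate revoked")
	}
	nonce := make([]byte, 32) // fresh per login, so a recorded answer cannot be replayed
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	sig, err := sign(nonce)
	if err != nil {
		return err
	}
	pub, ok := cert.PublicKey.(ed25519.PublicKey)
	if !ok || !ed25519.Verify(pub, nonce, sig) {
		return errors.New("signature does not match certificate")
	}
	for _, allowed := range s.Authz[cert.Subject.CommonName] {
		if allowed == s.Name {
			return nil
		}
	}
	return errors.New(cert.Subject.CommonName + " is not authorized for " + s.Name)
}

// Login is the client-side single sign-on step: the PIN is requested only while
// the token is locked, so one entry per session serves every server.
func Login(tok *Token, s *Server, askPIN func() string) error {
	if !tok.unlocked {
		if err := tok.Unlock(askPIN()); err != nil {
			return err
		}
	}
	return s.Authenticate(tok.Cert, tok.Sign)
}

func main() {
	tok, err := NewToken("alice", "1234")
	if err != nil {
		panic(err)
	}
	roots := x509.NewCertPool()
	roots.AddCert(tok.Cert) // constructed trust store: the example's self-signed user cert
	authz := map[string][]string{"alice": {"mail", "ssh"}}
	prompts := 0
	ask := func() string { prompts++; return "1234" }
	for _, name := range []string{"mail", "ssh", "admin"} {
		srv := &Server{Name: name, Roots: roots, Revoked: map[string]bool{}, Authz: authz}
		fmt.Printf("%-5s -> %v\n", name, Login(tok, srv, ask))
	}
	fmt.Println("PIN prompts:", prompts)
}
```

Two points the sketch makes concrete. Nothing on the server side is specific to single sign-on: each server runs the certificate check it would run anyway (the trust store would hold the issuing CA rather than the user certificate in a deployment), so the single PIN entry is purely a property of the client. And because the token signs a nonce the server chose, a recorded login cannot be replayed against that server or another one, which is what a stored password cannot offer.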

Keywords

Consumer Acceptance; Password Authentication; Base Authentication; Revocation List; Authorization Information
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.

Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

  • Sandro Wefel, Institute for Computer Science, Martin-Luther-University Halle-Wittenberg, Halle, Germany
  • Paul Molitor, Institute for Computer Science, Martin-Luther-University Halle-Wittenberg, Halle, Germany