A Generic Construction of Dynamic Single Sign-on with Strong Security

  • Jinguang Han
  • Yi Mu
  • Willy Susilo
  • Jun Yan
Part of the Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering book series (LNICST, volume 50)


Single Sign-On (SSO) is a core component in a federated identity management (FIM). Dynamic Single Sign-on (DSSO) is a more flexible SSO where users can change their service requirements dynamically. However, the security in the current SSO and DSSO systems remain questionable. As an example, personal credentials could be illegally used to allow illegal users to access the services. It is indeed a challenging task to achieve strong security in SSO and DSSO. In this paper, we propose a generic construction of DSSO with strong security. We propose the formal definitions and security models for SSO and DSSO, which enable one to achieve the security of SSO and DSSO with the underlying (standard) security assumptions. We also provide a formal security proof on our generic DSSO scheme.


Single Sign-on Authentication Security 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Boneh, D., Gentry, C., Waters, B.: Collusion resistant broadcast ecryption with short ciphertexts and private keys. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 258–275. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  2. 2.
    Boneh, D., Shen, E., Waters, B.: Strongly unforgeable signatures based on computational diffie-hellman. In: Yung, M., Dodis, Y., Kiayias, A., Malkin, T.G. (eds.) PKC 2006. LNCS, vol. 3958, pp. 229–240. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  3. 3.
    Camenisch, J., Herreweghen, E.V.: Design and Implementation of the idemix Anonymous Credential System. In: Atluri, V. (ed.) ACM CCS 2001, pp. 93–118. ACM, Innsbruck (2001)Google Scholar
  4. 4.
    Camenisch, J., Lysyanskaya, A.: An efficient system for non-transferable anonymous credentials with optional anonymity revocation. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 93–118. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  5. 5.
    Camenisch, J. and Pfitzmann, B.: Federated identity management. In: Petkovic, M. and Jonker, W. (eds.), Preceedings: Security, Privacy, and Trust in Modern Data Management. Data-Centric Systems and Applications, vol. 2851, pp 213–238. Springer, Heidelberg (2007)Google Scholar
  6. 6.
    Cameron, K.: The laws of identity. Architect of Identity. Microsoft Corporation (2005)Google Scholar
  7. 7.
    Chen, T., Zhu, B.B., Li, S., Cheng, X.: Threspassport-A distributed single sign-on service. In: Huang, D.-S., Zhang, X.-P., Huang, G.-B. (eds.) ICIC 2005. LNCS, vol. 3645, pp. 772–780. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  8. 8.
    Diffie, W., Hellman, M.E.: New directions in cryptography. IEEE Transactions on Information Theory 22(6), 644–654 (1976)MathSciNetCrossRefzbMATHGoogle Scholar
  9. 9.
    Dodis, Y., Fazio, N.: Public key trace and revoke scheme secure against adaptive chosen ciphertext attack. In: Desmedt, Y.G. (ed.) PKC 2003. LNCS, vol. 2567, pp. 100–115. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  10. 10.
    Fiat, A., Naor, M.: Broadcast encryption. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 480–491. Springer, Heidelberg (1994)CrossRefGoogle Scholar
  11. 11.
    Fiege, U., Fiat, A., Shamir, A.: Zero knowledge proofs of identity. In: ACM STOC 1987, pp. 210–217. ACM, New York (1987)Google Scholar
  12. 12.
    Goldreich, O., Micali, S., Wigderson, A.: Proofs that yield nothing but their validity or all languages in NP have zero-knowledge proof systems. Journal of the Association for Comptuing Machinery 38(1), 691–729 (1991)MathSciNetzbMATHGoogle Scholar
  13. 13.
    Goldwasser, S., Micali, S., Rivest, R.L.: A digital signature scheme secure against adaptive chosen-message attacks. SIAM Journal on Computing 17(2), 281–308 (1988)MathSciNetCrossRefzbMATHGoogle Scholar
  14. 14.
    Goldwasser, S., Micali, S., Rackoff, C.: The knowledge complexity of interactive proof-systems. In: ACM STOC 1985, pp. 291–304. ACM, Providence (1985)Google Scholar
  15. 15.
    Josephson, W.K., Sirer, E.G., Schneider, F.B.: Peer-to-peer authentication with a distributed single sign-on service. In: Voelker, G.M., Shenker, S. (eds.) IPTPS 2004. LNCS, vol. 3279, pp. 250–258. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  16. 16.
    Kormann, D.P., Rubin, A.D.: Risks of the passport single signon protocol. Computer Networks 33(1), 51–58 (2000)CrossRefGoogle Scholar
  17. 17.
  18. 18.
    Liberty Alliance. Liberty ID-WSF Authentication Service and Single Sign-On Service Specification Version: v2.0,
  19. 19.
    Lysyanskaya, A., Rivest, R.L., Sahai, A., Wolf, S.: Pseudonym systems. In: Heys, H.M., Adams, C.M. (eds.) SAC 1999. LNCS, vol. 1758, pp. 184–199. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  20. 20.
    OECD. OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Datal (1980),
  21. 21.
  22. 22.
    Oppliger, R.: Microsoft .Net passport: a security analysis. Computer 36(7), 29–35 (2003)Google Scholar
  23. 23.
    Oppliger, R.: Microsoft. Net passport and identity managemen. Information Security Technical Report 9(1), 26–34 (2004)Google Scholar
  24. 24.
    Pashalidis, A., Mitchell, C.J.: A taxonomy of single sign-on systems. In: Safavi-Naini, R., Seberry, J. (eds.) ACISP 2003. LNCS, vol. 2727, pp. 249–265. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  25. 25.
    Pashalidis, A., Mitchell, C.J.: Single sign-on using trusted platforms. In: Safavi-Naini, R., Seberry, J. (eds.) ISC 2003. LNCS, vol. 2851, pp. 54–68. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  26. 26.
    Pashalidis, A., Mitchell, C.J.: Using GSM/UMTS for single sign-on. In: IEEE SympoTIC 2003, pp. 138–145. IEEE, Bratislava (2003)Google Scholar
  27. 27.
    Perlman, R., Kaufman, C.: User-centric PKI. In: Seamons, K., McBurnett, N., Polk, T. (eds.) IDtrust 2008, pp. 59–71. ACM, Gaithersburg (2008)Google Scholar
  28. 28.
    Rehmant, R.U.: Get Ready for OpenID. Conformix Technologies Inc. (2008)Google Scholar
  29. 29.
    Sahai, A., Waters, B.: Fuzzy Identity-Based Encryption. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 457–473. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  30. 30.
    Spantzely, A.B., Camenisch, J., Gross, T., Dieter Sommer, D.: User centricity: a taxonomy and open issues. In: ACM DIM 2006, pp. 1–10. ACM, Alexandria (2006)Google Scholar
  31. 31.
    Suriadi, S., Foo, E., Jsang, A.: A user-centric federated single sign-on system. Journal of Network and Computer Applications 32(2), 388–401 (2009)CrossRefGoogle Scholar

Copyright information

© ICST Institute for Computer Science, Social Informatics and Telecommunications Engineering 2010

Authors and Affiliations

  • Jinguang Han
    • 1
    • 3
  • Yi Mu
    • 1
  • Willy Susilo
    • 1
  • Jun Yan
    • 2
  1. 1.School of Computer Science and Software EngineeringCentre for Computer and Information Security ResearchAustralia
  2. 2.School of Information Systems and TechnologyUniversity of WollongongAustralia
  3. 3.College of ScienceHohai UniversityNanjingChina

Personalised recommendations