Abstract
We present a novel approach to password/credential storage in pseudo-SSO scenarios, based on a hybrid of password hashing and password syncing that is directly applicable to the contemporary Web. The approach supports passwords without requiring any modification on the server side and is thus immediately useful; it may also prove useful for storing more advanced credentials in future SSO and identity management scenarios. It offers high password security, high availability and integration of secure elements, while providing familiar interaction paradigms at low cost.
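The two halves of the hybrid named in the abstract are the classic pseudo-SSO building blocks: site-specific passwords derived from one master password (the "password hashing" half), and per-site metadata that is replicated between the user's devices (the "syncing" half). The following Python is an added example of that general pattern and is not the paper's own scheme or code: the record layout (generation counter, length, charset), the PBKDF2 work factor, the canonicalisation rule and the integrity tag are all assumptions made for illustration. The practitioner's point it shows is that the synced record must carry no secret, must be sufficient to re-derive the password on a new device, and must be integrity-protected, because a tampered record (for instance one with its length lowered) would otherwise silently weaken the derived password.

```python
import hashlib
import hmac
import json
import string

# PBKDF2 work factor: an assumption for this example, tune to the client device.
ITERATIONS = 100_000

# Site password alphabets; the names are hypothetical policy labels stored in the synced record.
CHARSETS = {
    "alnum": string.ascii_letters + string.digits,
    "alnum+symbols": string.ascii_letters + string.digits + "!@#$%^&*",
}


def canonical_site(url_or_host: str) -> str:
    """Reduce a URL or host name to a lower-case host, so that
    'https://www.Example.com/login' and 'example.com' derive the same password."""
    host = url_or_host.split("://", 1)[-1].split("/", 1)[0].split("@")[-1]
    host = host.split(":", 1)[0].lower()
    return host[4:] if host.startswith("www.") else host


def _kdf(master_password: str, purpose: bytes, dklen: int = 32) -> bytes:
    """Derive purpose-bound key material from the master password (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), purpose, ITERATIONS, dklen)


def derive_site_password(master_password: str, site: str, record: dict) -> str:
    """Deterministically derive the password for `site` from the master password and the
    non-secret synced record. Bumping 'generation' rotates the site password."""
    salt = json.dumps({"site": canonical_site(site), "gen": record["generation"]},
                      sort_keys=True).encode()
    key = _kdf(master_password, b"site-password:" + salt, dklen=64)
    alphabet = CHARSETS[record["charset"]]
    # Treat the 512-bit key as an integer and take base-|alphabet| digits; the integer is
    # far larger than |alphabet|**length, so the bias of this mapping is negligible.
    n = int.from_bytes(key, "big")
    chars = []
    for _ in range(record["length"]):
        n, idx = divmod(n, len(alphabet))
        chars.append(alphabet[idx])
    return "".join(chars)


def seal_record(master_password: str, site: str, record: dict) -> dict:
    """Attach an HMAC tag under a key only the master-password holder can derive, so a
    synced record that was modified in transit or at the sync provider is rejected."""
    tag_key = _kdf(master_password, b"record-integrity")
    body = json.dumps({"site": canonical_site(site), **record}, sort_keys=True).encode()
    tag = hmac.new(tag_key, body, hashlib.sha256).hexdigest()
    return {**record, "tag": tag}


def open_record(master_password: str, site: str, sealed: dict) -> dict:
    """Verify a synced record's tag and return the bare record; raises on tampering."""
    record = {k: v for k, v in sealed.items() if k != "tag"}
    expected = seal_record(master_password, site, record)["tag"]
    if not hmac.compare_digest(expected, sealed.get("tag", "")):
        raise ValueError("synced record for %s failed integrity check" % site)
    return record


if __name__ == "__main__":
    # Constructed sample records, as they would be replicated between devices.
    master = "correct horse battery staple"
    synced = {
        "example.com": seal_record(master, "example.com",
                                   {"generation": 1, "length": 16, "charset": "alnum+symbols"}),
        "bank.example": seal_record(master, "bank.example",
                                    {"generation": 3, "length": 12, "charset": "alnum"}),
    }
    for site, sealed in synced.items():
        rec = open_record(master, site, sealed)
        print(site, derive_site_password(master, site, rec))
```

Nothing in `synced` is secret, so it can be replicated through an untrusted sync service; what the service can do is withhold or roll back a record (e.g. serve generation 1 after a rotation to 2), which the tag does not prevent and which a deployment would have to handle with versioning or a signed index.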
Keywords
- Single sign-on
- authentication
- syncing
- hashing
© 2012 Springer-Verlag Berlin Heidelberg
Cite this paper
Zibuschka, J., Fritsch, L. (2012). A Hybrid Approach for Highly Available and Secure Storage of Pseudo-SSO Credentials. In: Jøsang, A., Carlsson, B. (eds) Secure IT Systems. NordSec 2012. Lecture Notes in Computer Science, vol 7617. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-34210-3_12
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-34209-7
Online ISBN: 978-3-642-34210-3
