A Hybrid Approach for Highly Available and Secure Storage of Pseudo-SSO Credentials

  • Jan Zibuschka
  • Lothar Fritsch
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7617)

Abstract

We present a novel approach to password/credential storage in Pseudo-SSO scenarios, based on a hybrid of password hashing and password syncing that is directly applicable to the contemporary Web. The approach works with plain passwords and requires no modification of the server side, so it is immediately deployable; it may also prove useful for storing more advanced credentials in future SSO and identity management scenarios. It offers high password security, high availability and integration of secure elements while retaining familiar interaction paradigms at low cost.
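The abstract describes a hybrid of password hashing and password syncing. The sketch below is an added illustration, not the authors' design: site passwords are derived client-side with PBKDF2 (a hypothetical choice of KDF), and only non-secret per-site parameters are synced, so derivation still works when the sync store is unreachable. The site names, salts and sync store are constructed.

```python
"""Illustrative hybrid password-hashing / password-syncing manager (added
example, not the paper's own scheme). The per-site password is *derived*
from a master secret, so the sync server only ever holds non-secret
parameters (per-site salt, KDF cost, length policy) and the client keeps
working, with default parameters, when that server is unreachable."""
import hashlib
import string

# Output alphabet for the derived password. The modulo mapping below is
# slightly biased (256 is not a multiple of 69); acceptable for an
# illustration, but a production scheme should use rejection sampling.
ALPHABET = string.ascii_letters + string.digits + "!#%+-="

# Used when the synced record is unavailable (offline or server down).
DEFAULT_PARAMS = {"salt": "", "iterations": 100_000, "length": 16}

# Constructed sync store: site -> non-secret parameters only. This is the
# 'syncing' half; nothing in it is a password or a key.
SYNC_STORE = {
    "example.com": {"salt": "5b1c9d", "iterations": 100_000, "length": 20},
    "legacy.example.net": {"salt": "", "iterations": 100_000, "length": 8},
}


def lookup_params(site, store):
    """Return the synced parameters for a site, or the defaults when the store
    is unreachable (None) or has no record yet. This is the availability
    property: derivation never blocks on the sync server."""
    if store is None or site not in store:
        return DEFAULT_PARAMS
    return store[site]


def derive_site_password(master, site, params):
    """Hash master secret + site + synced salt with PBKDF2-HMAC-SHA256 and map
    the output to the site's length policy. Identical inputs always yield the
    identical password, so no password is ever stored or transmitted (the
    'hashing' half of the hybrid)."""
    salt = f"{site}|{params['salt']}".encode()
    key = hashlib.pbkdf2_hmac("sha256", master.encode(), salt,
                              params["iterations"], dklen=params["length"])
    return "".join(ALPHABET[b % len(ALPHABET)] for b in key)


def site_password(master, site, store):
    """Convenience wrapper: parameters from sync store (or defaults), then derive."""
    return derive_site_password(master, site, lookup_params(site, store))
```

Caveat the example makes visible: when the store is unreachable and a site has a non-empty synced salt, the offline derivation (default salt) yields a different password than the online one, so the synced record is what makes per-site rotation work.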

Keywords

Single sign-on, authentication, syncing, hashing


Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • Jan Zibuschka, Fraunhofer IAO, Stuttgart, Germany
  • Lothar Fritsch, Norsk Regnesentral, Oslo, Norway