
A Hybrid Approach for Highly Available and Secure Storage of Pseudo-SSO Credentials

  • Conference paper

Part of the Lecture Notes in Computer Science book series (LNSC, volume 7617)

Abstract

We present a novel approach for password/credential storage in Pseudo-SSO scenarios based on a hybrid password hashing/password syncing approach that is directly applicable to the contemporary Web. The approach supports passwords without requiring modification of the server side and thus is immediately useful; however, it may still prove useful for storing more advanced credentials in future SSO and identity management scenarios, and offers high password security, high availability and integration of secure elements while providing familiar interaction paradigms at a low cost.

Keywords

  • Single sign-on
  • authentication
  • syncing
  • hashing

Chapter length: 15 pages


Copyright information

© 2012 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Zibuschka, J., Fritsch, L. (2012). A Hybrid Approach for Highly Available and Secure Storage of Pseudo-SSO Credentials. In: Jøsang, A., Carlsson, B. (eds) Secure IT Systems. NordSec 2012. Lecture Notes in Computer Science, vol 7617. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-34210-3_12


  • DOI: https://doi.org/10.1007/978-3-642-34210-3_12

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-34209-7

  • Online ISBN: 978-3-642-34210-3

  • eBook Packages: Computer Science, Computer Science (R0)