
Basic article information

  • Title: Security Analysis of Single Sign on Mechanism for Distributed Computer Network
  • Authors: K. Lavanya; Dr. A. Muthu Kumaravel
  • Journal: International Journal of Innovative Research in Science, Engineering and Technology
  • Print ISSN: 2347-6710
  • Electronic ISSN: 2319-8753
  • Year of publication: 2015
  • Volume: 4
  • Issue: 2
  • Page: 281
  • DOI: 10.15680/IJIRSET.2015.0402135
  • Publisher: S&S Publications
  • Abstract: Single sign-on (SSO) is a new authentication mechanism that enables a legal user with a single credential to be authenticated by multiple service providers in a distributed computer network. Recently, Chang and Lee proposed a new SSO scheme and claimed its security by providing well-organized security arguments. In this paper we demonstrate their scheme is actually insecure as it fails to meet credential privacy and soundness of authentication. Here, we present two impersonation attacks. The first attack allows a malicious service provider, who has successfully communicated with a legal user twice, to recover the user's credential and then to impersonate the user to access resources and services offered by other service providers. In another attack, an outsider without any credential may be able to enjoy network services freely by impersonating any legal user or a nonexistent user. We identify the flaws in their security arguments to explain why attacks are possible against their SSO scheme. Our attacks also apply to another SSO scheme proposed by Hsu and Chuang, which inspired the design of the Chang–Lee scheme. Moreover, by employing an efficient verifiable encryption of RSA signatures proposed by Ateniese, we propose an improvement for repairing the Chang–Lee scheme. We promote the formal study of the soundness of authentication as one open problem.