Abstract
User authentication in most systems follows one principle: registration under a unique user name and presentation of a secret, e.g. a password or a private cryptographic key. To obtain a trustworthy method, a hardware token that holds the user's certificate and private key and is secured by a PIN has to be applied.
The main problem of hardware tokens is consumer acceptance. Hence hardware tokens have to be provided with added value.
This paper proposes such an add-on: a client-based approach that provides single sign-on for multiple client applications, possibly distributed over several servers, without modifications on the server side. Whereas current client-based hardware-token approaches store passwords for authenticating the user to the applications, the approach presented here uses the user certificate stored on the token. A method is provided so that the PIN of the token has to be entered only once rather than each time an application is started. Authorization information is taken from a central database. Thus the value added to the hardware token consists of both a much more secure authentication method than user name and secret and single sign-on. The increase in consumer acceptance therefore comes along with more security: a win-win situation.
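The flow the abstract describes, as an added illustration that is not code from the paper: a client holds a PIN-protected token, the PIN is entered once, and the unlocked token then answers the certificate challenge of every server, each of which only does its standard certificate check and consults a shared authorization table. Everything here is an assumption made for the example: the names HardwareToken, AuthorizationDB, Server and sso_authenticate; the token modelled after a PKCS#11-style login/sign gate; the user certificate reduced to a subject and public key; a textbook RSA key built from two publicly known Mersenne primes (so it offers no security and merely stands in for the key a real token generates); and the central database modelled as a sqlite table that the servers read, since the abstract does not say which side consults it. The scenario data (user CN=alice, services imap, ssh, web, payroll) is constructed.

```python
import hashlib
import hmac
import secrets
import sqlite3

def toy_keypair():
    """Textbook RSA (n, e, d) from the known Mersenne primes 2^127-1 and 2^107-1.
    Public knowledge, so no security; it only stands in for the token's real key."""
    p, q, e = (1 << 127) - 1, (1 << 107) - 1, 65537
    return p * q, e, pow(e, -1, (p - 1) * (q - 1))

def _digest_int(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

class HardwareToken:
    """Simulated PKCS#11-style token: the key never leaves it, signing needs a PIN login first."""
    def __init__(self, subject, pin):
        n, e, self._d = toy_keypair()
        self._pin, self._logged_in = pin, False
        self.certificate = {"subject": subject, "n": n, "e": e}  # stand-in for the X.509 cert

    def login(self, pin):  # analogous to C_Login
        if not hmac.compare_digest(pin.encode(), self._pin.encode()):
            raise PermissionError("CKR_PIN_INCORRECT")
        self._logged_in = True

    def sign(self, data):  # analogous to C_Sign; refused while the token is locked
        if not self._logged_in:
            raise PermissionError("CKR_USER_NOT_LOGGED_IN")
        n = self.certificate["n"]
        return pow(_digest_int(data) % n, self._d, n)

class AuthorizationDB:
    """Central authorization store; modelled here (assumption) as a sqlite table subject -> service."""
    def __init__(self, grants):
        self._db = sqlite3.connect(":memory:")
        self._db.execute("CREATE TABLE grants (subject TEXT, service TEXT)")
        self._db.executemany("INSERT INTO grants VALUES (?, ?)", grants)

    def is_authorized(self, subject, service):
        q = "SELECT 1 FROM grants WHERE subject = ? AND service = ?"
        return self._db.execute(q, (subject, service)).fetchone() is not None

class Server:
    """Unmodified certificate-based service: fresh nonce, signature check, then authorization."""
    def __init__(self, name, authz):
        self.name, self._authz, self._pending = name, authz, set()

    def challenge(self):
        nonce = secrets.token_bytes(32)
        self._pending.add(nonce)
        return nonce

    def verify(self, cert, nonce, signature):
        if nonce not in self._pending:  # unknown or replayed challenge
            return False
        self._pending.discard(nonce)  # a challenge is answered at most once
        if pow(signature, cert["e"], cert["n"]) != _digest_int(nonce) % cert["n"]:
            return False
        return self._authz.is_authorized(cert["subject"], self.name)

def sso_authenticate(token, server):
    """Client-side SSO step: the already unlocked token answers this server's challenge."""
    nonce = server.challenge()
    return server.verify(token.certificate, nonce, token.sign(nonce))

def demo():
    """Constructed scenario: one PIN entry, four services (one not granted), one replay attempt."""
    authz = AuthorizationDB([("CN=alice", "imap"), ("CN=alice", "ssh"), ("CN=alice", "web")])
    token, results = HardwareToken("CN=alice", pin="1234"), {}
    servers = {name: Server(name, authz) for name in ("imap", "ssh", "web", "payroll")}
    try:
        sso_authenticate(token, servers["imap"])  # locked token: no signature is produced
    except PermissionError:
        results["before_pin"] = "refused"
    token.login("1234")  # the one and only PIN prompt of the session
    results.update({name: sso_authenticate(token, srv) for name, srv in servers.items()})
    nonce = servers["web"].challenge()
    signature = token.sign(nonce)
    results["first_use"] = servers["web"].verify(token.certificate, nonce, signature)
    results["replay"] = servers["web"].verify(token.certificate, nonce, signature)
    return results

if __name__ == "__main__":
    print(demo())
```

The checks a practitioner would want are visible in the scenario: a locked token produces no signature at all, a correctly signed challenge is still refused for a service the central table does not grant (payroll), and a captured challenge/signature pair cannot be replayed because each nonce is accepted once. Where the server in the paper's setting speaks TLS client authentication or X.509 SSH, the nonce exchange is that protocol's own handshake and the server code is untouched.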
© 2009 Springer-Verlag Berlin Heidelberg
Cite this paper
Wefel, S., Molitor, P. (2009). Client Hardware-Token Based Single Sign-On over Several Servers without Trusted Online Third Party Server. In: Park, J.H., Zhan, J., Lee, C., Wang, G., Kim, Th., Yeo, SS. (eds) Advances in Information Security and Its Application. ISA 2009. Communications in Computer and Information Science, vol 36. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-02633-1_4
DOI: https://doi.org/10.1007/978-3-642-02633-1_4
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-02632-4
Online ISBN: 978-3-642-02633-1