
Client Hardware-Token Based Single Sign-On over Several Servers without Trusted Online Third Party Server

  • Conference paper
Advances in Information Security and Its Application (ISA 2009)

Part of the book series: Communications in Computer and Information Science (CCIS, volume 36)

Abstract

User authentication in most systems follows the same principle: registration with a unique user name and presentation of a secret, e.g., a password or a private cryptographic key. To obtain a trustworthy method, hardware tokens have to be combined with user certificates and keys that are secured by a PIN.

The main problem of hardware tokens is consumer acceptance. Thus, hardware tokens have to be provided with added values.

This paper proposes such an add-on, namely a client-based approach that allows single sign-on for multiple client applications, possibly distributed over several servers, without modifications on the server side. Whereas current client-based hardware token approaches store passwords for authenticating the user to the applications, the approach presented here uses the user certificate stored on the token. A method is provided so that the PIN of the token has to be entered only once and not each time an application is called. Authorization information is taken from a central database. Thus, the value added to the hardware token consists of both a much more secure authentication method than authentication by user name and secret, and single sign-on. So the increase in consumer acceptance comes along with more security: a win-win situation.



Copyright information

© 2009 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Wefel, S., Molitor, P. (2009). Client Hardware-Token Based Single Sign-On over Several Servers without Trusted Online Third Party Server. In: Park, J.H., Zhan, J., Lee, C., Wang, G., Kim, Th., Yeo, SS. (eds) Advances in Information Security and Its Application. ISA 2009. Communications in Computer and Information Science, vol 36. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-02633-1_4


  • DOI: https://doi.org/10.1007/978-3-642-02633-1_4

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-02632-4

  • Online ISBN: 978-3-642-02633-1

  • eBook Packages: Computer Science (R0)