With the popularization of Internet applications, more and more people start to use the services provided on the Internet. However, most of the Web sites currently providing services use user names and passwords to identify users, which makes it necessary for users to enter their username and password frequently. Obviously this kind of authentication has the disadvantage: with the increase of user network identity, users need to remember more than one group of user names, passwords, which give users the burden of memory; another frequent input user name, password, will correspondingly increase the user password password is cracked probability. In order to change this situation, single sign-on technology emerged. The core idea of single sign-on technology is to make some kind of connection between each service website through certain ways, users only need to login in one of the authentication sites, you can achieve global login, when users visit other sites, do not need to log on again, their identity can be verified. We can see the use of single sign-on technology, users only need to remember a group of user names, passwords, and log on to multiple sites only needs to enter a user name, password, which makes users can be more secure and efficient use of various services on the Internet.
General model for single sign-on
In a single sign-on general model, there are generally three parts: (1) the User (2) the identity provider (3) the service provider. As shown in Figure 1.
A user is an individual who uses a single sign-on service through a browser. An identity provider provides an individual authentication service in a single sign-on equivalent to an authoritative authority. A service provider is an organization that specifically provides a service to a user. The user registers the identity with the identity provider, and when the user makes a single sign-on, it needs to log in to the identity provider, authenticate, and mark the login information for the user by the identity provider. Typically, a user's login at the identity provider is called a global login. When a user is logged on globally, when accessing another service provider, the service provider that is accessed first interacts directly with the identity provider to inquire whether the user is globally logged on and, if it is determined that the user is logged on globally, to allow the user to access the service provided by him or redirect the user to the identity provider. Log on globally.
In a specific single sign-on implementation, the identity provider and service provider interact in different ways. If Microsoft's Passport single sign-on uses the encrypted authentication information in the redirect information to interact, the Free Alliance single sign-on specification uses the Security Declaration Markup Language (SAML) to interact. The following article introduces the current two major single sign-on protocols: Microsoft Passport Single sign-on protocol and Free Alliance specification to further elaborate the single sign-on technology.
Microsoft Passport Single Sign-on protocol
1.1 Microsoft Passport Services
Referring to the Microsoft Passport Single sign-on protocol, we will naturally introduce the Microsoft Passport service first. At Microsoft's Www.passport.com site we can see the terms and notices of Microsoft's passport usage. Microsoft Passport is a Web service run by Microsoft, which makes it easier for users to log on to the site and perform e-commerce transactions. Microsoft's Passport services are part of the. NET strategy, allowing users access to many Web sites through a single login. Microsoft claims that Passport is designed to make it easier, faster and safer for members to use the Internet and online shopping, and it has been supported by many famous online stores including 1-800-flowers, CostCo, OfficeMax and Victoria Secret. Microsoft's Passport service is essentially a centrally-managed single sign-on service controlled by Microsoft. Microsoft's Hotmail, Messenger and ISP services (MSN) have joined the mechanism, with about 200 million accounts currently available.
1.2 Microsoft Passport Single sign-on protocol
In the Microsoft Passport Service model, there are three principals: (1) Users who use a Web browser (assuming that the user has registered for a Passport service), (2) the service provider (a Web site that provides a service to the user), and (3) a Passport login server. The Passport login server holds the user's authentication information as well as the user's personal information, and the service provider can obtain the user's personal information from the Passport login server on the premise of the user's permission.
The Microsoft Passport Single sign-on protocol process is as follows [1]: When a user accesses a service provider Web site through a browser, if the site needs to authenticate the user, the user's browser is redirected to the Passport login server. The next Passport logon server provides a login page to the user via an SSL connection, which is redirected back to the service provider Web site after the user logs on to the server. The authentication information is included in the redirect message at this time. The authentication information is encrypted using the Triple DES encryption algorithm, which is negotiated in advance by the Passport login server and the service provider website. After verifying the authenticity of the authentication information on the service provider Web site, the user is considered to have successfully logged on. A detailed flowchart can be seen in Figure 2.
The Microsoft Passport Single sign-on protocol uses the Kerberos authentication mechanism to complete the identity authentication work. Kerberos is an open system-oriented authentication mechanism that provides trusted Third-party services for network communications. In the Kerberos authentication mechanism, whenever a user (client) requests a service from a service program (server), the user and service program first authenticates the other's identity to Kerberos requirements, and the authentication is based on the user (client) and service program (server) Based on the trust of Kerberos. When applying for authentication, both client and server can be viewed as users of the Kerberos authentication service and, in order to differentiate themselves from other services, the Kerberos user is collectively known as Principle,principle, which can be either a user or a service. When the user logs on to the workstation, Kerberos authenticates the user, and the authenticated user is able to receive the appropriate service throughout the logon hours. Kerberos neither relies on the user to log on the terminal, also does not depend on the service which the user requests the security mechanism, it itself provides the authentication server to complete the user authentication work [7]. Simply put, Kerberos enables user authentication through centralized storage of security information and distributed "tickets". Specifically, the Microsoft Passport service implements user authentication through the following steps:
user opens the client application or browser, turns on the login interface, and enters a username and password. The login action causes the client application or Web site to request a login confirmation certificate (i.e. "Ticket-granting-ticket", TGT) to Microsoft Passport. Microsoft Passport authenticates user username, password, issue TGT, confirm login has been successful. The TGT is cached for a certain period of time, subject to a certain security restriction clause. The client application or Web site submits a TGT to Microsoft Passport and requests a "session certificate" to be issued. Microsoft Passport uses a TGT to verify that the client's identity is valid, and then issue a "session certificate" to the appropriate Web service. The client submits a session certificate to the requested Web service, and after confirmation, the client begins to exchange information with the Web service, and all data is encrypted by the "session certificate" to ensure security.
1.3 Microsoft Passport Summary
Although Microsoft Passport has provided many years of service, its security has been questioned. First, the central co-ordination model is the most popular question. Because the core authentication server and user personal Information Server are all controlled by Microsoft, plus its technical details are not disclosed, and no basis for a certain standard, causing people to worry about the user's personal data leaked. Second, Microsoft's passport system has been hacked repeatedly by individuals or hackers. All this limits the further expansion of Microsoft's Passport Services.
Ii. norms of the Free Alliance
4.1 Free Federation (Liberty Alliance)
The Free Alliance is the name of a union institution, the aim of the alliance is to create an open, joint, single signature identification solution that can be achieved by any device connected to the Internet, which aims to achieve a single sign-on authentication anytime, anywhere, for the purpose of transactions using the Internet, and the formulation of relevant standards. Membership of the agency is available to all commercial and non-commercial organizations. The founding companies to join the agency have service providers, automotive manufacturing, financial services, travel industry, digital media, retail, telecommunications and technology-related industries well-known enterprises. At present, the Free Alliance consists of more than 170 manufacturers, including Sun, Nokia, Anglo Express and so on, they are responsible for providing technical specifications and business guidance as a cross enterprise identity certification services. Liberty itself does not produce applications, which are developed by technology vendors such as Sun, Novell, PeopleSoft, and HP to develop compatible applications that support liberty standards. The Free-Alliance specification allows different service providers to join a federated Trust network [6].
The main objectives of the Free Alliance are as follows: three.
enables individual consumers and business users to keep personal information safe. Based on this, we can promote the services that have no information monopoly, and are able to use each other and across multiple networks. Develop an open standard for achieving "single sign-on". This allows users to use their services after any 1 WWW sites have been authenticated without having to accept other site certifications. Establish a network authentication open standard that all devices connected to the Internet can use. This allows the mobile phone, car equipment and credit cards and other various terminals can be security certification.
4.2 Free Alliance Specification
The Free Alliance released the outline of the single sign-on architecture "Liberty Alliance Federated Receptacle Identity Architecture" and its development blueprint on March 11, 2003, local time. The Free Alliance claims that the architecture can solve many of the technical hurdles that hinder web authentication services.
The Liberal Alliance publishes a two-stage code that supports the framework-the Free Alliance norm. In the first phase, in July 2002, the Free Alliance released the specification set "Liberty Alliance Identity Federation Framework (ID-FF, Free Alliance)" as the basis for the alliance's user management, and was revised in January 2003. ID-FF supports the association or link of multi-user information that already has a relationship, so that users can log in at one time to enjoy the services provided by many enterprises. In the second phase, the Free Alliance strengthened ID-FF within 2003 years and published the Identity Web Services Framework (ID-WSF, Unified Web Service Framework). Id-wsf unveiled a summary of key technologies needed to build web-based services based on mutual authentication. The Liberal Alliance considers this web service to be consistent with specific work purposes and to protect personal privacy and system security in sharing user information. In addition, the Free Alliance will also provide a id-wsf based spec set "Liberty Alliance Identity Services Interface Specifications (Id-sis, Free Federation Uniform Service Interface Specification)". In this way, the enterprise can use standard methods to provide feature registration/contact address/calendar/location information and alarm services, etc. [3].
4.3 Free Alliance-specific agreements
Four specific protocols are defined in the Free Alliance specification [2]:
single sign-on and identity union name registration identity Joint termination Declaration single point Exit
As with Microsoft Passport, the Free Alliance specific agreement also has three main bodies, respectively:
Principal (principals), (similar to Microsoft Passport users) service provider (Providers) identity provider (identity Providers)
A service provider, similar to a service provider in Microsoft Passport, refers to a Web site that provides a service to a user. The identity provider in the Free Alliance is a special service provider, it provides identity authentication, subject information access control and other services to other subjects, although its role is equivalent to the Passport login server in Microsoft Passport, but the difference is that the identity provider in the Free Alliance is not unique, It can be multiple and independent, and this is fundamentally different from Microsoft Passport's centrally-managed single sign-on service.
Here we discuss the single sign-on and identity union in the Free Alliance specific agreement. Single sign-on and Identity union are the most complex agreements in the Free Alliance. The protocol relies heavily on the Security Declaration Markup Language (SAML). First let's take a look at SAML. SAML is not a new technology. Rather, it is a language that makes a single XML description that allows the exchange of information generated by different security systems. SAML works in the standard industry transport protocol environment, such as HTTP, SMTP, and FTP, and also serves a wide variety of XML file Exchange frameworks, such as soap and BizTalk. One of the most prominent benefits of SAML is the ability to enable users to move through the Internet for security certificates. SAML works as follows [5]:
users to submit certificates to the certification authority. The certification authority asserts the user's certificate and produces an authentication declaration and one or more attribute declarations (such as user information). The user immediately gets the authentication and identification flags from the SAML assertion. The user attempts to access a protected resource using this SAML flag (authentication declaration). User access requests for protected resources are intercepted by PEP (Policy enforcement Point), while the user's SAML flag (authentication Declaration) is submitted to attribute management by PEP. Attribute management or PDP (Policy Decision Point) produces a decision based on its own policy criteria. If an approved user accesses the protected resource, a property declaration attached to the SAML flag (the authentication declaration) is generated. The user's SAML flag (authentication Declaration) can be presented to trusted business partners in a single sign-on manner.
The following is a brief introduction to the process of the Free Alliance single Sign-on Protocol, which is roughly the same as the Microsoft Passport Single sign-on protocol, with the difference that the identity provider in the Free Alliance does not pass the authentication message to the service provider by redirecting the message. It is done by interacting with the service provider through SAML. The specific process can refer to Figure 3.
4.4 Summary of Free Alliance norms
Unlike Microsoft's passport, the Free Alliance specification is based on the Oasis industry standard, not a centrally-integrated single sign-on model, but a relatively fair model in which multiple independent identity providers can exist. But the free-alliance code is still at the research stage, and its high complexity has led to the absence of a molded application service like Microsoft's Passport Services.
Single sign-on system with personal domain name as identity
The following is an introduction to the Microsoft Passport and the Free Alliance of the single Sign-on Protocol research, design and development of a personal domain name as an identity of the single sign-on system. The system development environment is: Operating system Linux 9, scripting language PHP5, database MySQL.
The system consists of three parts: (a) IDP server (personal Domain name authentication server) (b) SP1 Server (Service Provider 1) (c) SP2 Server (service Provider 2). IDP is equivalent to a passport in the login server, the role is to authenticate the user identity, SP1, SP2 for the simulation of the two service providers.
As we can see from the above, Microsoft Passport and Free Alliance set up a dedicated authentication server to ensure the uniqueness and credibility of the login account in its single sign-on system. In the author's design of the single sign-on system directly using personal domain name as identity, that is, through the personal Domain Name authentication server to ensure that the login account of the uniqueness and credibility. As we all know, the domain name is similar to the number on the Internet, is used to identify and locate the computer on the Internet hierarchical character identification, and the computer's Internet Protocol (IP) address corresponds. Similarly, the individual domain name which is open to the individual is like the identity card on the internet, also has the uniqueness, the authoritative characteristic. Therefore, the personal domain name as a single sign-on login system, not only to ensure the credibility of the identity of the single sign-on system, but also reduce the development costs of single sign-on system, which is conducive to the promotion of single sign-on system.
This system single sign-on process is as follows: The user can register the personal domain name as the login account in the IDP, uses as the single sign-on password. Users in the IDP can be a direct global login, in SP1, SP2 can also be linked to the IDP login page for global login. After the user has logged in globally, IDP Cookie,cookie The encrypted information in the user's browser to indicate that the user is logged on globally. After global logon, when a user accesses an SP, the SP automatically redirects the browser to the IDP and asks the IDP whether the user is logged on globally, and the IDP checks the cookie in the user's browser to determine if the user is logged in, and then the IDP redirects the user's browser back to the SP, and contains validation information in the redirection information, the SP determines whether the user is logged on globally by reading the validation information. If the decision is passed, the user is allowed access to its services, and if the judgment fails, the SP points the user to the SP login interface. In addition, in IDP, SP1, SP2 provides the global exit function, the user performs the global exit operation, IDP will clear the user browser cookies.
IDP uses the same symmetric encryption algorithm and encryption key for each SP to encrypt the authentication information. In addition, to prevent the SP from being replayed, each time the SP interacts with the IDP, the SP produces a random number and encrypts the random number, which is then included in the redirection information redirected to the IDP. The IDP obtains the random number by decrypting it and includes it in the authentication information, and then includes the encrypted information in the redirected information redirected to the SP. SP decryption, first of all to determine whether the random number is their own just generated, if not the thought that the redirection information for replay attacks, not processed.
Please refer to Figure 4 and Figure 5 for the detailed flowchart.
This system basically realizes the function of single sign-on, the way of verifying information between IDP and SP is similar to that of Microsoft Passport, the method of encrypting transmission is adopted; This system function is relatively unitary, mainly realizes single sign-on function, for identity Union, user personal Information access control function is not realized. The system is basically safe, user login submitted by means of HTTPS, and in the IDP interaction with the SP, also use the SP generated random number to avoid the replay attack. The disadvantage of this system is that the encryption of the cookie protection is not perfect, IDP and SP Interactive information is only the use of simple symmetric encryption algorithm encryption, and encryption functions, keys need both sides prior consultation. Therefore, the system does not apply to practical applications.
Concluding
With the rapid development of the Internet, a variety of Web services to provide Internet sites have sprung up, so people's demand for single sign-on will become increasingly strong. But is single sign-on feasible? This paper analyzes the two most mainstream single sign-on protocols: The Microsoft Passport Single sign-on protocol, which is not disclosed in the technical details, and the Free Alliance (Liberty Alliance) specification, which is still in the research phase, and the single sign-on system, which is based on the personal domain name identified by the author, Draw the following conclusions: Single sign-on technology is completely feasible, as long as the security of single sign-on system, as well as the integrity of the authentication server, single sign-on technology will be widely accepted, and in the Internet applications to provide people with a more convenient environment.
References
[1] David p. Kormann. Aviel D. Rubin.risks of the "Passport single Sign" on protocol[eb/ol].2000
[2] Susan Landau, Jeff Hodges. A Brief Introduction to Liberty[j-ol]. February 2003
[3] Liberty Alliance project.liberty Alliance Phase 2 Final specifications
[Eb/ol].http://www.projectliberty.org/specs/, 2003
[4] Ing. Radovan Seman. Internet applications Security[m]. November 2002
[5] ZDNet. SAML standards Improve network security [j-ol].2003 year July 1
[6] ZDNet. Depth Analysis: "Freedom League" or "Microsoft Passport"? [J-ol].2003 Year September 20
[7] Jiang. Kerberos: Open Network-oriented authentication services [d].1999 year December 21
Source: China Internet Network Information Center