计算机科学

计算机科学 ›› 2015, Vol. 42 ›› Issue (4): 106-110.doi: 10.11896/j.issn.1002-137X.2015.04.020

• 信息安全 • 上一篇    下一篇

基于可转换代理签密的SAML跨域单点登录认证协议

王冠众,张 斌,费晓飞,熊厚仁   

  1. 解放军信息工程大学三院 郑州450001,解放军信息工程大学三院 郑州450001,解放军信息工程大学三院 郑州450001,解放军信息工程大学三院 郑州450001
  • 出版日期:2018-11-14 发布日期:2018-11-14
  • 基金资助:
    本文受河南省基础研究计划项目(142300413201)资助

SAML Cross-domain Single Sign-on Authentication Protocol Based on Convertible Proxy Signcryption

WANG Guan-zhong, ZHANG Bin, FEI Xiao-fei and XIONG Hou-ren   

  • Online:2018-11-14 Published:2018-11-14

PDF (PC)

425

摘要: 可转换代理签密算法具有保护用户隐私、抗重放攻击、抗抵赖性等优势,基于该算法提出一种SAML跨域单点登录协议(SSPCPS)。通过用户与异构域服务器直接交互认证,简化了跨域单点登录认证过程。用户身份票据由双方公钥结合用户随机选取的参数而生成,以密文形式传输,攻击者即使窃取该令牌也无法调用服务。用户利用代理签名密钥对摘要进行签密,在减少计算量的同时也可保证用户隐私安全。SSPCPS协议基于DH算法协商会话密钥,简化了会话密钥分发过程并降低了管理成本。使用CK安全模型证明了本协议的安全性并进行了性能分析,结果表明协议具有前向保密性、消息完整性等特点,同时在生成票据计算量和计算时间方面优于SSPPS协议、Juang方案、Kerberos机制等。

关键词: 代理签密,单点登录,安全断言标记语言,认证

Abstract: Convertible proxy signcryption algorithm has the advantages of protecting user privacy,anti-replay attack,anti-disavowal etc.A SAML cross-domain single sign-on authentication protocol (SSPCPS) was proposed based on the algorithm.Through user and heterogeneous domain server interacting and authenticating directly,the protocol simplifies the process of SSO authentication.User token is generated by combining selected random parameters with the public key,and is transferred in the secret form,improving the security of protocol.The attacker cannot use the service,even though the token is stolen.Proxy signature key is used to signcrypt the digest,reducing the amount of computation,and ensuring the privacy of user as well.Session key is negotiated based on DH algorithm,simplifying the distribution process as well as reducing the management cost.The security of the protocol was proved by CK security model and performance analysis was presented.The result indicates that the protocol holds the features of forward secrecy,message integrity,etc,and the amount of computation and the computation time of generating token are better than SSPPS protocol,Juang scheme and Kerberos scheme,etc.

Key words: Proxy signcryption,Sigle-sign-on,SAML,Authentication

[1] Armando A,Carbone R,Compagna L,et al.An authentication flaw in browser-based single sign-on protocols:Impact and remediations[J].Computers & Security,2012,3:41-58
[2] Lutz D J,Stiller B.Combining identity federation with payment:the SAML-based payment protocol[C]∥2010 IEEE/IFIP Network Operations and Management Symposium(NOMS).2010:495-502
[3] 唐利娟.SAML及SSO研究与企业化SSO框架设计[D].济南:山东大学,2011
[4] 陈天玉.基于Web Service的单点登录认证模型的研究与实现[D].长沙:湖南大学,2010
[5] 何倩,王芳,柴华昕,等.Web服务认证技术综述[J].桂林电子科技大学学报,2013,33(3):246-252
[6] 邱罡,张崇,周利华.基于可信计算的Web单点登录方案[J].计算机科学,2010,37(9):121-123
[7] 尹星.基于SAML的单点登录模型及安全的研究与实现[D].镇江:江苏大学,2005
[8] 王曦,张斌.基于代理签名的SAML单点登录协议[J].计算机工程,2012,38(16):130-133
[9] 王亚弟,束妮娜,韩继红,等.密码协议形式化分析[M].北京:机械工业出版社,2007:169-180
[10] 谢琪,吴吉义,等.云计算中基于可转换代理签密的可证安全的认证协议[J].中国科学,2012,42(3):303-313
[11] 孙华,郑雪峰.一种可证安全的有效无证书签密方案[J].计算机科学,2013,40(11):112-116
[12] Nicolosi A,Krohn M,Dodis Y,et al.Proactive two-party signatures for user authentication[C]∥Proceedings of the Network and Distributed System Security Symposium.San Diego,2003
[13] Chen L,Chen Z,Smart N P.Identity-based key agreement protocols from pairings[J].Int J Inf Sec,2007,6:213-241
[14] Canetti R,Krawczyk H.Analysis of key-exchange protocols and their use for building secure channels[C]∥Advances in Cryptogy(EUROCYPT’01).London:Springer-Verlag,2001:453-474
[15] Bellare M,Canetti R,Krawczyk H.A modular approach to the design and analysis of authentication and key-exchange protocols[J].30th STOC.1998:419-428
[16] Mitchell C J,Ward M,Wilson P.Key control in key agree- ment protocols[J].Electronics Letters,1998,34:980-981
[17] Guhe C G.An identity-based key-exchange protocol[C]∥Proceedings of the Eurocrypt 89.Belgium,1990:29-37
[18] Juang W S,Chiu J Y,Chang H Y.A secure and efficient delegation-based authentication scheme in public clouds[C]∥The 1st Cross-Straits Conference On Information Security.Hangzhou,2011:96-102
[19] Clom,Michael.Pairing Calculation on super singular GenusCurves[C]∥Proceedings of the 13th International Conference on Selected Areas in Cryptography(SAC’06).2006
No related articles found!
Viewed
Full text


Abstract

Cited
  Shared   
  Discussed   
No Suggested Reading articles found!
渝ICP备16013121号-4
地址:重庆市渝北区洪湖西路18号    邮编:401121  
电话:023-63500828(编辑部) 023-67039612(会议/专题) 023-67039623(财务/发票)
E-mail:jsjkx12@163.com
本系统由北京玛格泰克科技发展有限公司设计开发