6 research outputs found

    SINGLE SIGN ON SYSTEM

    This report explains the Single Sign-On system. It gives a thorough view of Single Sign-On, focusing on the system purpose, scope of study, methodology, results and conclusion. From the purpose point of view, this system is a type of software authentication that enables a user to authenticate once and gain access to the resources of multiple software systems. This makes the user authentication process easier, as users do not have to enter multiple usernames and passwords for multiple systems. In order to achieve this objective, the scope of the system has to be analyzed first. This system relates only to systems that are web-based applications. In other words, we can call this system a Single Sign-On Web Portal. For the methodology part, the PHP language as well as the Apache server will be used to complete this project. It is one of the most demanding types of programming language nowadays. This system will also be divided into 2 parts: user interface and administration interface. For the results part, this report will show the work progress as well as screenshots of the system interface. The discussions along the work progress will also be included. Last but not least, for the conclusion part, this report will conclude all the work done and provide recommendations for system enhancement in the future. This report will serve as guidance throughout the system, from when it was first planned until the end product comes out.

    Mk_accounts: an enterprise-wide account management tool for Unix operating systems

    This master's project describes the development of a script called mk_accounts to aid account management tasks on Unix systems. At Cisco Systems within the Information Technology division, there was a need to improve the process by which user accounts were added, deleted or modified on Unix servers across the enterprise. After evaluating several alternatives, the decision was made to write a client-server script that could be rapidly deployed to all servers within the IT organization and operated from a central location. This script met all requirements in terms of security, availability, efficiency, scalability and flexibility. In addition, implementation was non-disruptive to the business, leveraged the existing infrastructure and was rapidly designed and deployed.

    Provably Secure Identity-Based Remote Password Registration

    One of the most significant challenges is secure user authentication. If it is breached, confidentiality and integrity of the data or services may be compromised. The most widespread solution for entity authentication is the password-based scheme. It is easy to use and deploy. During password registration, users typically create or activate their account along with their password through their verification email, and service providers are authenticated based on their SSL/TLS certificate. We propose a password registration scheme based on identity-based cryptography, i.e. both the user and the service provider are authenticated by their short-lived identity-based secret key. For secure storage a bilinear map with a salt is applied; therefore, in case of an offline attack, the adversary is forced to calculate a computationally expensive bilinear map for each password candidate and salt, which slows down the attack. A new adversarial model and a new secure password registration scheme are introduced. We show that the proposed protocol is based on the assumptions that the Bilinear Diffie-Hellman problem is computationally infeasible, the bilinear map is a one-way function and the MAC is existentially unforgeable under an adaptive chosen-message attack.

    Interdomain User Authentication and Privacy

    This thesis looks at the issue of interdomain user authentication, i.e. user authentication in systems that extend over more than one administrative domain. It is divided into three parts. After a brief overview of related literature, the first part provides a taxonomy of current approaches to the problem. The taxonomy is first used to identify the relative strengths and weaknesses of each approach, and then employed as the basis for putting into context four concrete and novel schemes that are subsequently proposed in this part of the thesis. Three of these schemes build on existing technology; the first on 2nd and 3rd-generation cellular (mobile) telephony, the second on credit/debit smartcards, and the third on Trusted Computing. The fourth scheme is, in certain ways, different from the others. Most notably, unlike the other three schemes, it does not require the user to possess tamper-resistant hardware, and it is suitable for use from an untrusted access device. An implementation of the latter scheme (which works as a web proxy) is also described in this part of the thesis. As the need to preserve one’s privacy continues to gain importance in the digital world, it is important to enhance user authentication schemes with properties that enable users to remain anonymous (yet authenticated). In the second part of the thesis, anonymous credential systems are identified as a tool that can be used to achieve this goal. A formal model that captures relevant security and privacy notions for such systems is proposed. From this model, it is evident that there exist certain inherent limits to the privacy that such systems can offer. These are examined in more detail, and a scheme is proposed that mitigates the exposure to certain attacks that exploit these limits in order to compromise user privacy. 
The second part of the thesis also shows how to use an anonymous credential system in order to facilitate what we call ‘privacy-aware single sign-on’ in an open environment. The scheme enables the user to authenticate himself to service providers under separate identifiers, where these identifiers cannot be linked to each other, even if all service providers collude. It is demonstrated that the anonymity enhancement scheme proposed earlier is particularly suited to this special application of anonymous credential systems. Finally, the third part of the thesis concludes with some open research questions.