Implementation of a Single Sign-On System Based on Multiple Authentication Methods
Abstract
With the development of Internet web applications, the number of application systems inside enterprises has also grown sharply. Single sign-on (SSO) technology centralizes the management of identity authentication and login for multiple different application services, which is of very practical significance for simplifying network users' login to multiple applications and for improving network security.
On the basis of an analysis of the implementation models of various domestic and foreign single sign-on systems and their respective advantages and disadvantages, this thesis proposes a single sign-on system model based on multiple authentication methods. The model uses a unified information store at the authentication center to hold users' authentication information and supports three authentication methods: username/password authentication, one-time password authentication and CHAP authentication. It adopts timestamp-based digital signature technology combined with asymmetric encryption, which effectively prevents illegitimate users from forging and tampering with data and achieves secure transfer of information among the user, the authentication server and the application server. Theoretical analysis and experimental verification show that the system has good deployability, extensibility and security.
The main work of the thesis is as follows:
1. Surveys the design models of existing single sign-on systems and analyses their advantages and disadvantages.
2. Proposes and implements a single sign-on system based on multiple authentication methods, and gives the overall model and implementation flow of the system.
3. Gives in detail the interfaces that implement authentication in the authentication server and the application server, with emphasis on analysing and designing the information exchange among the authentication server, the application server and the user during authentication.
4. Analyses the security performance of the implemented single sign-on system, and points out its advantages and disadvantages as well as directions for future research.
With the development of the World Wide Web, Internet applications have increased greatly. An SSO (Single Sign On) system integrates different application systems into one centrally managed system and can simplify users' logon. This has real significance for improving network security.
By analyzing various domestic and foreign SSO systems, we propose an SSO system that supports different kinds of authentication. The SSO system stores users' authentication information at the authentication center and supports username/password authentication, one-time password authentication and CHAP authentication. The system uses timestamp-based digital signature technology together with an asymmetric encryption algorithm. Thus it can effectively prevent illegitimate users from falsifying data and can ensure the security of users' information transmission. Experiments show that the system has good deployability, scalability and security properties.
The main contributions of the thesis are:
1. Analyzed some of the existing SSO systems.
2. Proposed an SSO system based on various authentication methods and introduced the process flow of the SSO system.
3. Gave the detailed interfaces implemented on the authentication servers and application servers, and elaborated the information transmission among user, authentication server and application server.
4. Analyzed the security of the SSO system and pointed out directions for future research.
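The timestamp-bound signature the abstract describes, as an added example (not code from the thesis): the authentication server signs a ticket carrying user, application and issue time with its RSA private key, and the application server verifies the signature and then the freshness window, so a forged, tampered or replayed ticket is rejected. The ticket layout, the PKCS#1 v1.5 signature scheme and the one-minute window are assumptions; the thesis's asymmetric encryption of the ticket in transit is not shown.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"time"
)

// Ticket is the signed assertion passed from authentication server to application server.
// Its field layout is constructed for this example; the thesis does not give its own.
type Ticket struct {
	User, App string
	Issued    int64 // Unix seconds; covered by the signature, so it cannot be altered
}

func (t Ticket) encode() []byte { return []byte(fmt.Sprintf("%s %s %d", t.User, t.App, t.Issued)) }

// issueTicket (authentication server): sign user, application and timestamp with the
// server's private key, so nobody without that key can forge or alter a ticket.
func issueTicket(authKey *rsa.PrivateKey, t Ticket) ([]byte, error) {
	h := sha256.Sum256(t.encode())
	return rsa.SignPKCS1v15(rand.Reader, authKey, crypto.SHA256, h[:])
}

// verifyTicket (application server): check the signature first, then the timestamp
// window; an old but validly signed ticket is treated as a replay and rejected.
func verifyTicket(authPub *rsa.PublicKey, raw, sig []byte, now time.Time, window time.Duration) (Ticket, error) {
	h := sha256.Sum256(raw)
	if err := rsa.VerifyPKCS1v15(authPub, crypto.SHA256, h[:], sig); err != nil {
		return Ticket{}, fmt.Errorf("signature invalid (forged or tampered): %w", err)
	}
	var t Ticket
	if _, err := fmt.Sscanf(string(raw), "%s %s %d", &t.User, &t.App, &t.Issued); err != nil {
		return Ticket{}, fmt.Errorf("malformed ticket: %w", err)
	}
	if age := now.Sub(time.Unix(t.Issued, 0)); age < -window || age > window {
		return Ticket{}, fmt.Errorf("ticket is %v old, outside the freshness window: possible replay", age)
	}
	return t, nil
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	t := Ticket{User: "alice", App: "payroll", Issued: time.Now().Unix()}
	sig, _ := issueTicket(key, t)
	fmt.Println(verifyTicket(&key.PublicKey, t.encode(), sig, time.Now(), time.Minute))
}
```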