Confidence Analysis of a Solo Sign-On Device for Distributed Computer Networks

Published Online June 2014 in MECS

Solo sign-on (SSO) is a property of access control, with this property a user logs in once and gains access to all systems without being prompted to log in again at each of them in a distributed computer network.

In distributed computer networks, it has become common to allow users to access various network services offered by distributed service providers [3]. Consequently, user authentication (also called user identification) [1], [2] plays a crucial role in distributed computer networks to verify if a user is legal and can therefore be granted access to the services requested. To avoid bogus servers, users usually need to authenticate service providers. After mutual authentication, a session key may be obtained to keep the confidentiality of the data exchanged between a user and a service provider [10]. In many scenarios, the anonymity of legal users must be protected as well [2], [8], [9]. However, big challenge is to design efficient and secure authentication protocols in the complex computer network environments [10].

The SSO mechanism [13] has been introduced so that, after obtaining a credential from a trusted authority for a short for a new user. Credential privacy guarantees that malicious service provider’s period (say one day), each legal user’s authentication agent can use this single credential to complete authentication on behalf of the user and then access multiple service providers. Intuitively, an SSO scheme should meet at least three basic security requirements, i.e., unforgeability, credential privacy, and soundness. Unforgeability except the trusted authority, even a collusion of users and service providers are not able to make progress that valid credential should not able to fully recover a user’s credential and then impersonate the user to log in to other service providers. Soundness means that an unregistered user without a credential should not be able to access the services offered by service providers.

We intend to design a secure key agreement protocol for distributed computer networks, which is expected to inherit all the good virtues of the previous schemes and some added security properties. Here we summarize all these requirements to evaluate our new scheme as follows.

User Anonymity: The scheme should preserve the user’s identity, namely, a server could not tell a user’s identity. Once the connection between the user and the server has been established, the probability of the server to guess the user’s identity is 1/ n , where n is the number of ring members.

Security of Session Key: The scheme should preserve the security of session key, that is to say, when executing our improved protocol, except the correspondence patties nobody outside could acquire the session key.

Mutual Authentication: The scheme should assure that not only can the server verify the legal user, but the user can also verify the server. In authenticated protocols, mutual authentication is an important attribute, so our scheme should also be in favor of it perfectly.

Forward Secrecy and Backward Secrecy: The scheme should satisfy forward secrecy and backward secrecy, namely, if the session key generated in j period has been leaked, the attacker can’t forge any session key generated before j period or after j period. Therefore, the scheme should defeat some attacks like replay attack and so on.

The remainder of this paper is organized as follows. Section III reviews existing system [12]. After that, we present two attacks against the Chang–Lee scheme in Section IV. Then, the improved SSO scheme using VES is given in Section V. Finally, Section VI gives the conclusion.

• II.  Literature Survey

With the widespread use of distributed computer networks, it has become common to allow users to access various network services offered by distributed service providers. Consequently, user authentication also called user identification plays a crucial role in distributed computer networks to verify if a user is legal and can therefore be granted access to the services requested.

In 2000, Lee and Chang [2] proposed a user identification and key distribution scheme to maintain user anonymity in distributed computer networks. This user identification scheme is based on the security of the factoring problem and the one way hash function. Their scheme has the following advantages: (1) users can request services without revealing their identities to the public; (2) each user needs to maintain only one secret; (3) it is not required for service providers to record the password files for the users; (4) no master key updating is needed if a new service provider is added into the system. But this scheme is insecure against both impersonation attacks and identity disclosure attacks.

Later in 2004, Wu and Hsu [5] proposed scheme that overcomes drawbacks of Lee Chang scheme, that is not only effectively eliminates the security leaks of the Lee Chang scheme, but also reduces computational complexities and communication costs as compared with their scheme. The main objective of the Wu-Hsu scheme is to provide user identification and key exchange between parties at both ends of the communication, while preserving user anonymity from the public. We must point out that in scenarios such as a user requesting services from a service provider, anonymity of the service provider is not necessary since whom providing what service is a public knowledge. Participants involved in the Wu-Hsu scheme include a Smart Card Producing Centre (SCPC), users and service providers. The SCPC is responsible for setting up the system parameters and assigning a secret token to each user and each service provider. Based on the respective secret tokens, a user and a service provider can authenticate each other and exchange a common session key. But Wu and Hsu scheme has a serious weakness, by which the service provider can learn the secret token of the user who requests services from him.

Later Yang et al. [6] proposed a protocol that overcomes the weakness of Wu–Hsu’s protocol and achieves user anonymity, user identification and key agreement. As mentioned by Yang et al., these three protocols (Lee–Chang, Wu–Hsu and Yang) have the following attractive features apart from achieving user anonymity: (1) each user is required to maintain only one secret irrespective of the number of servers he is accessing; (2) the server is not required to maintain a list of passwords; (3) the system is scalable as new servers can be added without requiring to update the master key. Unfortunately, Yang’s scheme suffers from Denial-of-Service (DoS) attack.

In 2006, Mangipudi and Katti [8] proposed a Secure Identification and Key agreement protocol with user

Anonymity (SIKA) that overcomes the limitations of Yang et al scheme while achieving security features like identification, authentication, key agreement and user anonymity. This scheme showed that their protocol is as efficient as the previously proposed protocols with a modest increase in communicational and computational cost. But it is insecure under identity disclosure attack.

In 2009, Hsu and Chuang [9] showed that the schemes of both Yang et al. and Mangipudi–Katti were insecure under identity disclosure attack and proposed an RSA-based user identification scheme to overcome this weakness, they proposed scheme can easily overcomes DoS attack demonstrated by Mangipudi and Katti by appending a digital signature to the service provider’s message, outperforming the previously proposed schemes in terms of security, communication costs, and computational complexities. It, in fact, does not provide all of the security properties that they claimed and that Hsu–Chuang’s scheme might be vulnerable to impersonation attacks since it employs an analogous RSA signature to generate secret tokens.

Recently, Chang and Lee [12] proposed A Secure Single Sign-On Mechanism for Distributed Computer Networks. The concept of single sign-on can allow legal users to use the unitary token to access different service providers in distributed computer networks. Recently, some user identification schemes have been proposed for distributed computer networks. Unfortunately, most existing schemes cannot preserve user anonymity when possible attacks occur. Also, the additional time-synchronized mechanisms they use may cause extensive overhead costs. To overcome these drawbacks, Chang and Lee propose a secure single sign-on mechanism that is efficient, secure, and suitable for mobile devices in distributed computer networks. But their scheme is actually insecure as it fails to meet credential privacy and soundness of authentication. Specifically, we present two impersonation attacks. The first attack allows a malicious service provider, who has successfully communicated with a legal user twice, to recover the user’s credential and then to impersonate the user to access resources and services offered by other service providers. In another attack, an outsider without any credential may be able to enjoy network services freely by impersonating any legal user or a nonexistent user.

• III.    Existing System

• A.    System Initialization Phase:

The trusted authority SCPC first selects two large safe primes p and q then sets N=pq . After that, SCPC determines its RSA key pair (e,d) such that ed=1mod ^(N), where y(N)=(p-1)(q-1). SCPC chooses a generator g Є Z_n^*, where n is also a large prime number. Finally, SCPC publishes (e, g, n, N) keeps d as a secret, and erases (p, q) immediately once this phase has been completed.

Table 1. list of notations.

SCPC	Smart Card Producing Center
U i, P j	User and Service provider respectively
I D i , I D j	Unique identity of Ui and P j respectively
e x., d o	The public/private RSA key pair of identity X
S i	The credential of U i created by SCPC
Sx	The long term private key of SCPC
Sy	The public key of SCPC
E K (M)	A symmetric key encryption of plaintext M using a key K
D K (C)	A symmetric key decryption of plaintext C using a key K
σ j (SK j , M)	The signature σ j on M signed by P j with signing key SK j
Ver(PK j ,M,σ j )	Verifying signature σ j on M with public key Pk j
h (.)	A given one way hash function
||	The operation of concatenation

• B.    Registration Phase:

In this phase, each user U i chooses a unique identity ID j with a fixed bit-length and sends it to SCPC. After that, SCPC will return the credential S_i = (Id || h(ID_i))^d mod N, where || denotes a concatenation of two binary strings and h( . ) is a collision-resistant cryptographic oneway hash function. Here, both Id i and S i must be transferred via a secure channel. At the same time, each service provider P j with identity ID j should maintain its own RSA public parameters (e j , N j ) and private key d j as does by SCPC.

• C.    User Identification Phase:

To access the resources of service provider Pj, user Ui needs to go through the authentication protocol specified in Fig. 1. Here, k and t are random integers chosen by Pj and Ui respectively, n1, n2, and n3 are three random nonces and E (.) denotes a symmetric key encryption scheme which is used to protect the confidentiality of user Ui’s identity IDi.

• 1)    Upon receiving a service request message m1 from user U i , service provider P j generates and returns user message m2 which is made up primarily by its RSA signature on (Z, IDj, and n1). Once this signature is validated, it means that user has authenticated service provider P j successfully. Here, Z = (g^k mod n) is the temporal Diffie–Hellman (DH) key exchange material issued by P j .

• 2)    After that, user U_i correspondingly generates his/her temporal DH key exchange material w = (g^t mod n) and issues proof x= S i ^{h(Kij || w || n2)}, where K ij = h(ID i || k ij ) is the derived session key and K ij = (Z^t mod n) = (w^k mod n) = (g^kl mod n) is the raw key obtained by using the DH key exchange technique.

• 3)    Proof x= S i ^{h(Kij || w || n2)} is used to convince P j that does hold valid credential S i without revealing the value of S_i. Namely, after receiving message m3 service provider P j can confirm x’s validity by checking,

If (SID i ^{h (Kij || w || n2)} mod N) = (x^emod N), Where SID i = (Id || h (ID i )).

• 4)    If this quality holds, it means that user U i has been authenticated successfully by service provider P j . It is nothing but that proof x is designed in a particular way so that except U_i and P j , no one else can verify it as both U i ’s identity ID i and the newly established session key K ij are used to produce. This aims to achieve user anonymity as no eavesdropper can learn the values of ID i and K ij.

• 5)    Finally, message m4 (i.e. h (n3)) is employed to show that P j has obtained message m3 correctly, which implies the success of mutual authentication and session key establishment.

”     Z = gk mod n u=h(Z\\iDj\\^

• m, - (Z, v.n,) v = («11 й(и)) ^ mod ,V

и = KZ || IDj || n,)      *

v^ mod Nj =(« || /?(u)) mod Nj ky — Zl mod n

Ky^KIDjWk^

w - g1 mod и j = S/,'<^IMI"2im0d N у = Ек(ГО,\\П)\\п2) -J^^^L     , ky = w mod n

К^=Й(Ю,|1^)

№ II И) II n2) = %(>■)

511),=№,ШИ>^

SIDih

™,=(^)    ^ = А(«з)

Р"=Л(иэ) *

y=v

Fig. 1. Chang–Le’s user identification phase

• IV.    Attacks against the Chang–LEE Scheme

As we seen from the previous section, it seems that the Chang–Lee SSO scheme achieves secure mutual authentication, since server authentication is done by using traditional RSA signature issued by service provider Pj. Without valid credential Si it is impossible for an attacker to impersonate a legal user Ui by going through the user authentication procedure.

However, that the Chang–Lee scheme is actually not a secure SSO scheme because there are two potential effective and concrete impersonation attacks. The first attack is the “credential recovering attack” compromises the credential privacy in the Chang–Lee scheme as a malicious service provider is able to recover the credential of a legal user. The other attack is “impersonation attack without credentials,” demonstrates how an outside attacker may be able to freely make use of resources and services offered by service providers, since the attacker can successfully impersonate a legal user without holding a valid credential and thus violates the requirement of soundness for an SSO scheme. In real life, these attacks may put both users and service providers at high risk.

• A.    Credential Recovering Attack:

Intuitively, the Chang–Lee SSO scheme seems to satisfy the requirement of credential privacy since receiving credential proof x =(Si^h2 mod N), where h2 denotes h(Kij || w || n2) does not allow service provider Pj to recover user Ui’s credential Si by computing Si = (x^h2-1 mod N), where h2^-1 refers to (h2^-1 mod φ(N)). In fact, the difficulty of calculating h₂^-1 from the given (e, N, x, h₂) is the exact rationale why the RSA cryptosystem is secure, i.e., it should be intractable for an attacker to derive the RSA private key from the public key (and a given cipher text). This is because here we could treat (h2, h2^-1) as another RSA public/private key pair with respect to the same RSA modulus. Moreover, directly recovering Si from x = (Si^h2 mod N) also looks impossible as this seems equivalent to decrypt the RSA cipher text with respect to the public key h₂.

Nevertheless, there is a pitfall in the production of proof x = (Si^h2 mod N) as here the same credential Si is encrypted multiple times under different public keys h2 w.r.t the same RSA modulus N. Consequently, under the assumption that malicious service provider Pj has run the Chang–Lee SSO scheme with the same user Ui twice, Pj will be able to recover U_i’s credential S_i with high probability by using the extended Euclidean algorithm, Pj can solve Si from two equations (Si^h2 mod N) and x` = (Si<sup>h2`</sup> mod N). The details of this attack, which share some features of common-modulus attacks against RSA, are given as follows.

• 1)    After successfully running the Chang–Lee SSO scheme twice with the same user Ui, malicious service provider Pj stores all messages exchanged in these two instances, denoted as (IDi, x, Kij, w, n2….) for the first instance, and (ID_i, x`, K`_ij, w`, n`₂….) for the second instance.

• 2)    By denoting h2 = h(Kij || w || n2) and h`2 = h(K`ij || w` || n`2) , Pj first checks if h2 and h`2 are co-prime, i.e. if gcd(h2, h`2 ) = 1. If gcd(h2, h`2 ) = 1, Pj then runs the extended Euclidean algorithm to compute two integers a and b such that (a.h<sub>2</sub> + b.h`₂ = 1) . Finally, malicious Pj can recover Ui’s credential Si by computing

Si = x^a x`^b mod N.                               (1)

Equation (1) is justified by the following equalities:

x^ax`^b mod N = (Si^h2)^a. (Si^h2) ^b mod N

= Si^a.h2+b.h`2 mod N = Si¹ mod N

= Si

• 3)    If gcd(h2, h`2 ) ≠ 1, Pj then needs to run more instances with Ui so that it can get two instances such that gcd(h2, h`2 ) = 1.

• B.    Impersonation Attack without Credentials:

The soundness of the Chang–Lee SSO scheme, which seems to be satisfy this security requirement as well. The main reason is that to get valid proof x satisfying (SID_i^h2 mod N) for a random hash output h2 , there seems no other way but to compute x by x = (SIDi^h2.e-1 mod N) , i.e. x= (SIDi^d)^h2 or x = ((Si)^h2 mod N). Therefore, an attacker should not be able to log in to any service provider if it does not have the knowledge of either SCPC’s RSA private key d or user Ui’s credential Si.

However, the Chang-Lee SSO scheme cannot guarantee its security w.r.t. the soundness. This is also the essential reason why the current focus of research in information security is on formal proofs which rigorously show the security of cryptosystems. Indeed, no one can formally prove that without knowing either SCPC’s RSA private key d or user Ui’s credential Si, it is unfeasible to compute a proof x that passes through authentication, as an outside attacker is able to get a shortcut if the SCPC’s RSA public key e is a small integer so that e’s binary length is less than the output length of hash function h, i.e., |e| < |h (.)|. The attack is explained in detail as follows.

• 1)    To impersonate legal user Ui with identity IDi for accessing service provider Pj, an attacker E first sends request message m1 normally, as Ui does.

• 2)    Upon receiving message m2 from Pj, then checks Pj’s signature and chooses a random integer t to compute (k_ij, K_ij, w). Before moving on to the next step, attacker E needs to check whether h (Kij || w || n2) is divisible by e. If not, E has to choose another t or start a new session to satisfy this condition.

• 3)    As h(Kij || w || n2) is divisible by e, let     h(Kij|| w

||n2) =e.b for some integer b Є Z . Now, E sets x = (SIDi^b mod N), where SIDi = (IDi || h(IDi)).

• 4)    Finally, E can impersonate user Ui to pass the authentication by sending m3 = (w, x, y) to Pj, since Pj will notice that SID_i^{h(Kij || w || n2)} mod N = x^e modN = SID_i^b.e mod N = x^e mod N . This is because we have: SIDi^{h(Kij || w || n2)} mod N = SIDi^b.emod N.

In the above attack we assume that e is a small integer and attacker E may know the value of one legal user’s identity IDi. This is reasonable as explained below. On the one hand, in the system initialization phase ChangLee scheme just specifies that the trusted party SCPC needs to set its RSA key pair (e, d) but does not give any limitation on the length of public exponent e. So, e could be a small integer with binary length less than the output length of hash function h, i.e., |e| < |h (.)|. Moreover, in practice this is likely to happen due to the following two reasons: (a) to speed up the RSA signature verification, some security standards (e.g. PKCS [15]) and popular web sites (e.g. Wikipedia [14]) suggest that e can be set as 3 or 65537 and (b) as Chang-Lee scheme is claimed to be efficient even for mobile devices in distributed networks, using small exponent e can provide further computational advantage for these devices as they usually have limited resources for computation and storage.

• V.    Proposed Improvement

To overcome the flaws in the Chang-Lee scheme, we now propose an improvement by employing an RSA-based verifiable encryption of signatures (RSA-VES), which is an efficient primitive introduced for realizing fair exchange of RSA signatures. VES comprises three parties: a trusted party and two users say Alice and Bob. The basic idea of VES is that Alice who has a key pair of signature scheme signs a given message and encrypts the resulting signature under the trusted party’s public key, and uses a non-interactive zero-knowledge (NZK) proof to convince Bob that she has signed the message and the trusted party can recover the signature from the cipher text. After validating the proof, Bob can send his signature for the same message to Alice. For the purpose of fair exchange, Alice should send her signature in plaintext back to Bob after accepting Bob’s signature. If she refuses to do so, however, Bob can get her signature from the trusted party by providing Alice’s encrypted signature and his own signature, so that the trusted party can recover Alice’s signature and sends it to Bob, meanwhile, forwards Bob’s signature to Alice. Thus, fair exchange is achieved.

• A.    System Initialization Phase

SCPC selects two large safe primes p and q to set N= pq. Namely, there are two primes p' and q' such that p= 2p' + 1 and q= 2q' + 1. SCPC now sets its RSA public/private key pair (e, d) such that ed = 1 mod 2p'q', where e is a prime. Let QN be the subgroup of squares in Z*N whose order is G =p'q' unknown to the public but its bit-length lG= |N| - 2 is publicly known. SCPC randomly picks generator g of QN, selects an ElGamal decryption key u, and computes the corresponding public key y = g^u mod N. In addition, for completing the Diffie-Hellman key exchange SCPC chooses generator g' Є Z*N, where n is another large prime number. SCPC also chooses a cryptographic hash function h (.): {0, 1}* -> {0, 1} ^k, where security parameter k satisfies 160 <= k <= |N|-1.

Another security parameter e >1 is chosen to control the tightness of the ZK proof. Finally, SCPC publishes (e, N, h (.), g, y, g', n), and keeps (d, u) secret.

• B.    Registration Phase

In this phase, upon receiving a register request, SCPC gives Ui fixed-length unique identity IDi and issues credential S_i = h (ID_i) ^2d mod N. Si calculated as SCPC’s RSA signature on h (ID_i)² is an element of Q_N, which will be the main group we are calculating. Each service provider with identity IDi should maintain a pair of signing/verifying keys for a secure signature scheme (not necessarily RSA). σj(SKj, Msg) denotes the signature σj on message Msg signed by Pj using signing key SKj. Ver (PKj, Msg, σj) denotes verifying of signature σj with public key PKj, which outputs “1” or “0” to indicating if the signature is valid or invalid, respectively.

• C.    Authentication Phase

In this phase, RSA-VES is employed to authenticate a user, while a normal signature is used for service provider authentication. The details are illustrated in Fig. 2 and further explained as follows.

Fig. 2. Improved user identification phase

• 1)    Ui sends a service request with nonce n1 to service provider Pj.

• 2)    Upon receiving (Req, n1), Pj calculates its session key material Z = g^k mod n where k Є Z*n is a

random number, sets u = Z||IDj||n1, issues a signature v= σj(SKj, u) and then sends m2 = (Z,v, n2) to the user, where n2 is a nonce selected by Pj .

• 3)    Upon receiving m2= (Z, v, n2), Ui sets u= (Z|| Idj || n1). Ui terminates the conversation if Ver(PKj, u,v) = 0 . Otherwise, Ui accepts service provider Pj

because the signature v is valid. In this case, Ui selects a random number t Є Z*u to compute w =gt mod n, kij = Zt mod n, and the session keyKij = h (IDj || kij). For user authentication, Ui first encrypts his/her credential Si as (P1 = Si. yr mod N, P2 = gr mod N), where r is is a random integer with binary length lG. Next, Ui computes two commitments a=

(ye) r1 mod N and b=gr1 mod N, where r1 Є ± {0, 1}

Є (lG+k)

is also a random number. After that, Ui computes the evidence showing that credential Si has been encrypted in (P1, P2) under public key y. For this purpose, Ui calculates c= h (Kij|| w || n2 ||yer || P2 ||ye ||g ||a ||b) and s = r1 –c.r. Then, x = (P1, P2, a, b, c, s) is the NIZK proof for user authentication. In fact, it is precisely, the processes of generating which is the proof part of RSA-VES. Finally, encrypts his/her identity IDi, new nonce n3, and Pj’s nonce n2 using session key Kij to get cipher text CT = EKij (IDi || n3 ||n2), and thereafter sends m3 = (w, x, CT) to service provider Pj.

• 4)    To verify U_i, P_i calculates k_ij = wk mod n , the session key K_ij = h (IDj || k_ij) , and then uses k_ij to decrypt CT and recover (IDi, n3, n2). Then,

computes y^er =P1^e/h (IDj)² mod N, a = (y^e)^s. (y^er)^c mod N, b= g^s . Pc² mod N, and checks if (c, s) Є {0, 1} ^k. ± {0, 1} ^{Є (lG+k) +1} and c= h(Kij|| w || n2 ||y^er || P2 ||y^e ||g ||a ||b). If the output is negative, Pj aborts the conversation. Otherwise, Pj accepts Ui and believes that they have shared the same session key K_ij by sending U_im4 = (V) where V= h (n3).

• 5)    After Ui receives V, he checks if V= h (n3). If this is true, then Ui believes that they have shared the same session key Kij. Otherwise, Ui terminates the conversation

Security Analysis:

The security analysis of the improved SSO scheme is focusing on the security of the user authentication part, especially soundness and credential privacy due to two reasons. First, the unforgeability of the credential is guaranteed by the unforgeability of RSA signatures, and the security of service provider authentication is ensured by the unforgeability of the secure signature scheme chosen by each service provider. On the other hand, other security properties (e.g., user anonymity and session key privacy) are preserved, since these properties have been formally proved and the corresponding parts of the Chang–Lee scheme are kept unchanged. Soundness requires that without holding valid credential S* corresponding to a target user U*, an attacker, who could be a collusion of users and service providers, has at most a negligible probability of generating proof x* and going through user authentication by impersonating user U*.

The soundness of the above improved SSO scheme relies on the soundness of the NIZK proof, which also guarantees the soundness of RSA-VES. Namely, if the user authentication part is not sound, i.e., an attacker can present valid proof x* without holding the corresponding credential S* in non-negligible probability, then this implies the NIZK proof of proving equality of two discrete logarithms in a group of unknown order is not sound.

Credential privacy or credential irrecoverableness requires that there would be a negligible probability of an attacker recovering a valid credential from the interactions with a user. Again this property can be deduced from the signature hiding property of RSA-VES. Signature hiding means that an attacker cannot extract a signature from VES without help from the user who encrypted the signature or the trusted authority who can decrypt a VES. So, if this improved SSO scheme fails to meet credential privacy, it implies that RSA-VES fails to satisfy signature hiding. In fact, soundness and signature hiding are the two core security properties to guarantee the fairness of digital signature exchange using VES.

• VI.    Conclusion

In this paper, we identified two effective impersonation attacks on Chang and Lee’s single sign-on (SSO) scheme. The first attack shows that their scheme cannot protect the privacy of a user’s credential, and thus, a malicious service provider can impersonate a legal user in order to enjoy the resources and services from other service providers. The second attack violates the soundness of authentication by giving an outside attacker without credential the chance to impersonate even a non-existent user and then freely access resources and services provided by service providers.

We also studied why their SSO scheme is not strong enough to guarantee the security for well-organized security arguments. In addition, we employed an efficient verifiable encryption of RSA signatures and we proposed that RSA-VES for an improved Chang–Lee scheme to achieve soundness and credential privacy.

As future work, it provides interests for researchers to formally define authentication soundness and constructing efficient and provably secures SSO schemes.