Abstract
We present a novel approach for password/credential storage in Pseudo-SSO scenarios, based on a hybrid password hashing/password syncing approach that is directly applicable to the contemporary Web. The approach supports passwords without requiring any modification of the server side and is thus immediately useful; it may also prove useful for storing more advanced credentials in future SSO and identity management scenarios. It offers high password security, high availability and integration of secure elements, while providing familiar interaction paradigms at a low cost.
Copyright information
© 2012 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Zibuschka, J., Fritsch, L. (2012). A Hybrid Approach for Highly Available and Secure Storage of Pseudo-SSO Credentials. In: Jøsang, A., Carlsson, B. (eds) Secure IT Systems. NordSec 2012. Lecture Notes in Computer Science, vol 7617. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-34210-3_12
DOI: https://doi.org/10.1007/978-3-642-34210-3_12
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-34209-7
Online ISBN: 978-3-642-34210-3
eBook Packages: Computer Science (R0)