ABSTRACT
Single sign-on is critical for the usability of distributed systems. While there are several authentication mechanisms which support single sign-on (e.g. Kerberos and X.509), it may be difficult to modify a particular legacy application to utilize an authentication scheme other than username/password. A simple solution for single sign-on involves transmitting a user's password over the network. However, it is undesirable to expose a user's private password in an insecure environment. This paper describes our effort to create "session passwords" which are short-lived passwords transmitted in lieu of a user's private password. Our implementation utilizes the MyProxy X.509 credential service as an authentication service. We demonstrate our solution in the MAEviz application portal, a Java Web Start application for earthquake risk management and analysis.
Index Terms
- Single sign-on for java web start applications using myproxy