www.jmeds.eu
OpenID, a Single Sign-On Solution for E-learning Applications
Felician Alecu, Paul Pocatilu, George Stoica, Cristian Ciurea, Sergiu Capisizu
Economic Informatics Department, Academy of Economic Studies, Pta. Romana 6, sector 1, Bucharest; ProSoft Solutions, Bucharest, ROMANIA
alecu.felician@ie.ase.ro, ppaul@ase.ro, george.stoica@pss.ro, cristian.ciurea@ie.ase.ro, capisizu@mb.euroweb.ro
Abstract:
The e-learning applications of today require a special focus on security. Distributed e-learning applications have several modules that users can access using different clients (desktop or mobile). The same user has several accounts with different credentials. In this context, SSO (Single Sign-On) solutions become very attractive, since the user has to log in once and can then access all the needed resources without being prompted again for a username and password. Using the OpenID standard for Web-based e-learning applications is a good and reliable solution because it supports both URL and XRI identifiers. This paper presents the main characteristics of the OpenID standard and how this standard could be implemented for a distributed, Web-based e-learning application.
Key-Words: e-learning, security, OpenID, Single Sign On, mobile applications.
1. E-Learning Applications – Security Issues
In many fields, security is the most important quality characteristic of an application. Web-based applications are exposed to many attacks, and it is less expensive to pay hackers to discover the vulnerabilities than to launch into a real environment an application that is not tested enough. In order to ensure a high security level inside their information systems, many organizations engage real hackers to test and discover the vulnerabilities of every new application that will be launched in production. The same applies to the security of distributed learning applications, which is very important and challenging compared with standalone applications.

There are several areas where the security requirements are high and need special attention. These issues can be managed using several methods and techniques like [10]:

- different authentication levels;
- password management;
- data encryption;
- location services.

Each of the actions from Table 1 requires a certain degree of security, depending on the importance and sensitivity of the data. The databases with tests, marks and users contain sensitive data and need special attention. The security requirements for examinations, homework/project assessment and user management are very high due to the importance of the data and information they use. To increase the users' responsibility concerning the data introduced in the database of the e-learning application, the password of every user must be encrypted, so that nobody can read it, not even the application administrator. The specific features of e-learning applications have been the criteria for choosing the best encryption algorithm. In [6] it is considered that the RSA, DES, MD5, SHA, Blowfish, Diffie-Hellman, ElGamal and AES algorithms are the most efficient in open source applications and have good implementations.
 
Journal of Mobile, Embedded and Distributed Systems, vol. III, no. 3, 2011, ISSN 2067-4074
Quizzes and content management have medium security requirements, because the data manipulated is less sensitive. Feedback management and messaging in these systems do not use sensitive data.

Table 1. Security concerns of m-learning applications

Action                          Security requirements
Online exams                    High
Content management              Medium-High
Feedback management (forums)    Low-Medium
Homework/Projects assessment    High
Quizzes                         Medium
User management                 High

Table 1 presents some security concerns regarding mobile learning solutions, based on [7]. The minimum requirement is to use authentication through usernames and passwords. In order to increase the security of e-learning applications, these must be protected against SQL injection, so that only authorized users can access them. The protection against SQL injection is usually realized by minimizing the characters users can enter in the textboxes for username and password and by replacing the special characters associated with an SQL statement. Wireless data communication can be easily monitored, so high security needs to be assured by using specific standards. Application testing has to include several security tests.
2. The Necessity of OpenID
Internet applications have always presented major security vulnerabilities. The most important security method is the authentication and authorization of users, but considering that the main model for establishing identity is based on providing a username and password, the authentication process easily becomes the main "bridgehead" for a possible computer attack. Solutions to this problem include the use of the SSL protocol, which is less vulnerable. But a new problem arises. In the context of developing Web 2.0 applications (blogs, wikis, social networks) and their use on a large scale, using several applications of this kind can affect ease of use. In these circumstances, the use of such facilities requires an additional effort in managing credentials (different for each application). This is why the need appears for a system that allows multiple authentications using a single set of credentials. In this way, the security of the entire process could be improved.

A solution to the problems described above could be the OpenID standard. It is actually a protocol implemented by providers such as Verisign, Yahoo, Google, Microsoft and many others. This solution enables users to use different authentication services based on digital identities, successfully implementing the concept of "single sign on" and ease of use [2].
3. How Single Sign On Works
As more systems enter the business and actively participate in the development process, users and administrators have difficulty in managing the activities. Typically, users are forced to log on to multiple systems using different sets of passwords and user names. Administrators must manage user accounts so that they are accessed in a coordinated manner that does not affect the integrity of security policies. The application administrator deals with the access rights of each user, adding and deleting users according to the security rules.

The concept of Single Sign On allows access control to independent systems. This method allows the user to authenticate once and gain access to all systems without needing a new login. The reverse process of Single Sign On authentication is Single Sign Off: by running the logout procedure once, the user actually loses any right of access to all the systems.

The most common Single Sign On configurations involve the use of smart cards, OTP tokens and the Kerberos protocol. Kerberos is the easiest way to use the Single Sign On concept since it is implemented in most operating systems currently in use. There are actually three types of Single Sign-On services available [3]:
 
- Integrated Windows Single Sign On - allows the connection of multiple network applications using a common authentication mechanism. An example is using the Kerberos protocol at the network level.
- Extranet Single Sign On (Web Single Sign On) - allows accessing Internet resources using a single set of credentials. Examples of this option are OpenID or Microsoft Passport Network.
- Server-Based Intranet Single Sign On - allows the integration of several heterogeneous applications that do not necessarily use the same authentication mechanism.
- Enterprise Single Sign On - designed to minimize the number of authentications of a client in various applications. Provides the ability to send encrypted user credentials across the network.

The following protocols are used in OpenID implementations: the Diffie-Hellman cryptographic protocol, the Secure Hash Algorithm and Yadis.
Diffie-Hellman was developed in 1976 and published in the article "New Directions in Cryptography" by Whitfield Diffie and Martin Hellman. It is the first practical method by which two distinct entities can establish a secret key over an insecure connection. It uses an asymmetric encryption algorithm, so each entity owns a public and a private key [8]. The original algorithm implementation involves the use of a multiplicative group modulo p, where p is a prime number and g is a primitive element modulo p. The main vulnerability is an attack of the "man in the middle" type. The solution to this problem is the Diffie-Hellman protocol with authentication, known as the Station-to-Station protocol (STS), developed by Diffie, van Oorschot and Wiener in 1992. Immunity is achieved by allowing the entities to authenticate using digital signatures and certificates.
Secure Hash Algorithm is a cryptographic hash function recommended by NIST [1], [9]. There are several versions of this algorithm:

- Secure Hash Algorithm - 1: the original version, with a 160-bit output, developed by the NSA (National Security Agency).
- Secure Hash Algorithm - 2: versions with outputs of 224, 256, 384 and 512 bits.
- Secure Hash Algorithm - 3: the standard under development. Selection of the new algorithm will finish in 2012, at the end of the competition organized by NIST.

The result of the function is obtained at the end of an iteration consisting of 64/80 steps. Hash functions make it possible to ascertain the integrity and authenticity of messages. This is the main reason why these functions are used with digital signatures. Secure Hash Algorithm - 1 is used by TLS, SSL, PGP, SSH, IPsec and DSS. Secure Hash Algorithms are vulnerable to a series of attacks, like the following:

- finding a message corresponding to a given hash by brute force ("preimage attack");
- finding two messages that have the same hash (collisions);
- attacks of the "meet-in-the-middle" type that reduce the number of operations needed to "break" the function.
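OpenID Authentication 2.0 brings the first two of these protocols together in its association step: the RP and the OP run Diffie-Hellman in a multiplicative group modulo p, the OP masks the association's MAC key with a SHA-256 digest of the shared secret (enc_mac_key = SHA-256(btwoc(g^xy mod p)) XOR mac_key), and that MAC key then signs assertions with HMAC-SHA256 over the key-value form. The Python below is an added example, not the paper's or any OpenID library's code; the 64-bit safe prime is a generated toy parameter (the spec fixes a 1024-bit default modulus) and the signed fields are constructed.

```python
import base64, hashlib, hmac, secrets

def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin test; used here only to build toy group parameters for the demo."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def toy_safe_prime(bits: int = 64) -> int:
    """Constructed p = 2q + 1 with q prime, so g = 2 has large order (OpenID itself fixes a 1024-bit default)."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1

def btwoc(n: int) -> bytes:
    """OpenID 'btwoc' encoding: shortest big-endian two's complement with a clear sign bit."""
    return n.to_bytes((n.bit_length() + 8) // 8, "big")

def dh_sha256_association(p: int, g: int):
    """RP and OP agree on a DH secret; the OP sends its MAC key XORed with SHA-256(btwoc(secret))."""
    x, y = secrets.randbelow(p - 2) + 1, secrets.randbelow(p - 2) + 1   # RP and OP private exponents
    rp_pub, op_pub = pow(g, x, p), pow(g, y, p)        # openid.dh_consumer_public / openid.dh_server_public
    mac_key = secrets.token_bytes(32)                   # OP picks the association's HMAC-SHA256 key
    mask = hashlib.sha256(btwoc(pow(rp_pub, y, p))).digest()
    enc_mac_key = bytes(a ^ b for a, b in zip(mask, mac_key))      # openid.enc_mac_key, what travels
    rp_mask = hashlib.sha256(btwoc(pow(op_pub, x, p))).digest()    # RP recomputes the same mask
    rp_mac_key = bytes(a ^ b for a, b in zip(rp_mask, enc_mac_key))
    return mac_key, rp_mac_key

def sign(mac_key: bytes, fields: dict, signed: list) -> str:
    """openid.sig: base64 of HMAC-SHA256 over the key-value form ('key:value\\n' per signed field)."""
    kv = "".join(f"{k}:{fields[k]}\n" for k in signed).encode()
    return base64.b64encode(hmac.new(mac_key, kv, hashlib.sha256).digest()).decode()

def verify(mac_key: bytes, fields: dict, signed: list, sig: str) -> bool:
    return hmac.compare_digest(sign(mac_key, fields, signed), sig)   # RP-side check, constant time
```

As the text notes, unauthenticated Diffie-Hellman protects only against passive observers; OpenID sends the association request directly from RP to OP, and that channel should be HTTPS.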
Yadis is a protocol used to discover web services like OpenID, OAuth and XDI connected to a Yadis ID. Although it was designed to discover authentication services, Yadis can easily be used with other types. The identifier may be a URL or an XRI that resolves to a URL. Using the protocol it is possible to obtain a descriptor of the service in the form of an XRDS document. In OpenID, Yadis is used in the discovery phase to find the authentication service provider.
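The discovery phase just described, as an added Python example (not the paper's or any OpenID library's code): a constructed in-memory "web" stands in for HTTP, the claimed identifier's page advertises its XRDS document through the X-XRDS-Location header, and the XRDS is parsed for OpenID 2.0 service elements, honouring their priority attribute. A direct application/xrds+xml response is handled too; the HTML meta-tag variant of Yadis is left out. All URLs and the XRDS content are constructed.

```python
import xml.etree.ElementTree as ET
from typing import Dict, Optional, Tuple

XRD = "{xri://$xrd*($v*2.0)}"   # XRD namespace of the elements inside an XRDS document
OPENID_TYPES = ("http://specs.openid.net/auth/2.0/signon",   # claimed identifier
                "http://specs.openid.net/auth/2.0/server")   # OP identifier

# Constructed (headers, body) responses standing in for HTTP, so the walk-through runs offline:
# the user's URL answers with HTML plus an X-XRDS-Location header pointing at the XRDS document.
FAKE_WEB: Dict[str, Tuple[Dict[str, str], str]] = {
    "https://alice.example/": (
        {"Content-Type": "text/html", "X-XRDS-Location": "https://alice.example/yadis.xrds"},
        "<html><body>Alice's home page</body></html>"),
    "https://alice.example/yadis.xrds": ({"Content-Type": "application/xrds+xml"}, """\
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)"><XRD>
  <Service priority="20"><Type>http://specs.openid.net/auth/2.0/signon</Type>
    <URI>https://backup-op.example/endpoint</URI><LocalID>https://backup-op.example/alice</LocalID></Service>
  <Service priority="10"><Type>http://specs.openid.net/auth/2.0/signon</Type>
    <URI>https://op.example/endpoint</URI><LocalID>https://op.example/alice</LocalID></Service>
  <Service><Type>http://example.com/unrelated-service</Type><URI>https://x.example/</URI></Service>
</XRD></xrds:XRDS>"""),
}

def locate_xrds(url: str, fetch=lambda u: FAKE_WEB[u], hops: int = 3) -> str:
    """Yadis step 1: request the identifier URL; accept an XRDS body directly or follow
    the X-XRDS-Location header (the HTML <meta> variant of the header is not handled)."""
    for _ in range(hops):
        headers, body = fetch(url)
        if headers.get("Content-Type", "").startswith("application/xrds+xml"):
            return body
        url = headers.get("X-XRDS-Location", "")
        if not url:
            raise ValueError("identifier does not advertise an XRDS document")
    raise ValueError("too many X-XRDS-Location hops")

def openid_endpoint(xrds: str) -> Optional[Tuple[str, str, Optional[str]]]:
    """Yadis step 2: keep only OpenID 2.0 services and choose the lowest priority value.
    Returns (service type, OP endpoint URI, OP-local identifier or None)."""
    found = []
    for svc in ET.fromstring(xrds).iter(XRD + "Service"):
        types = {t.text.strip() for t in svc.findall(XRD + "Type") if t.text}
        uri, local = svc.find(XRD + "URI"), svc.find(XRD + "LocalID")
        matching = [t for t in OPENID_TYPES if t in types]
        if matching and uri is not None and uri.text:
            prio = int(svc.get("priority", 2 ** 31))        # no priority attribute sorts last
            local_id = local.text.strip() if local is not None and local.text else None
            found.append((prio, matching[0], uri.text.strip(), local_id))
    return min(found, key=lambda c: c[0])[1:] if found else None
```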
