user is actually losing any right of access to all the systems. The most common Single Sign-On configurations involve the use of smart cards, OTP tokens and the Kerberos protocol. Kerberos is the easiest way to utilize the Single Sign-On concept since it is implemented in most operating systems currently in use. There are actually three types of Single Sign-On services available:
Integrated Windows Single Sign-On - allows connecting multiple network applications through a common authentication mechanism. An example is using the Kerberos protocol at the network level.
Extranet Single Sign-On (Web Single Sign-On) - allows accessing Internet resources using a single set of credentials. Examples of this option are OpenID or the Microsoft Passport Network.
Server-Based Intranet Single Sign-On - allows the integration of several heterogeneous applications that do not necessarily use the same authentication mechanism.
Enterprise Single Sign-On - designed to minimize the number of authentications of a client across various applications. Provides the ability to send encrypted user credentials across the network.

The following protocols are used in OpenID implementations: the Diffie-Hellman cryptographic protocol, the Secure Hash Algorithm and Yadis.
Diffie-Hellman Cryptographic Protocol
The Diffie-Hellman protocol was developed in 1976 and published in the article "New Directions in Cryptography" by Whitfield Diffie and Martin Hellman. It is the first practical method by which two distinct entities can establish a secret key over an insecure connection. It uses asymmetric cryptography, so each entity owns a public and a private key. The original implementation of the algorithm uses a multiplicative group, where p is a prime number and g is a primitive element.
The protocol's main vulnerability is a "man in the middle" attack. The solution to this problem is the authenticated Diffie-Hellman protocol known as the Station-to-Station protocol (STS), developed by Diffie, van Oorschot and Wiener in 1992. Immunity is achieved by having the entities authenticate each other using digital signatures and certificates.
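The following is an added worked example, not code from the paper: a toy Diffie-Hellman exchange in the multiplicative group Z_p^* with a check that g really is a primitive element, SHA-256 derivation of a session key from the shared group element, and a simplified Station-to-Station style step in which each exponential pair is authenticated so that a substituted public value is detected rather than silently producing a different key on each side. The parameters p = 23, g = 5 and the private exponents are the classic textbook values and are far too small for real use; the HMAC under a pre-shared key stands in for the digital signature that real STS uses (an assumption of this example, chosen so it runs with only the standard library).

```python
"""Toy Diffie-Hellman in Z_p^* with a primitive-element check, SHA-256 key
derivation and a simplified Station-to-Station style authentication step.

Constructed example: p = 23, g = 5 are tiny textbook parameters, never
usable for real security; real deployments use 2048-bit or larger groups.
"""
import hashlib
import hmac


def prime_factors(n):
    """Distinct prime factors of n by trial division (fine for toy sizes)."""
    factors = set()
    d = 2
    while d * d <= n:
        while n % d == 0:
            factors.add(d)
            n //= d
        d += 1
    if n > 1:
        factors.add(n)
    return factors


def is_primitive_element(g, p):
    """True if g generates all of Z_p^* (p prime): g has order p-1 exactly
    when g^((p-1)/q) != 1 (mod p) for every prime factor q of p-1."""
    order = p - 1
    return all(pow(g, order // q, p) != 1 for q in prime_factors(order))


def dh_public(g, private, p):
    """Public value g^x mod p."""
    return pow(g, private, p)


def dh_shared(peer_public, private, p):
    """Shared secret (g^y)^x mod p; both sides reach the same element."""
    return pow(peer_public, private, p)


def derive_key(shared_secret, p):
    """Hash the raw group element into a fixed-size symmetric key."""
    width = (p.bit_length() + 7) // 8
    return hashlib.sha256(shared_secret.to_bytes(width, "big")).digest()


def sts_tag(auth_key, my_public, peer_public):
    """Stand-in for the STS signature: authenticate BOTH exponentials.
    Real STS signs this pair with the party's long-term key and certificate;
    HMAC under a pre-shared auth_key is assumed here only so the example runs
    with the standard library."""
    msg = f"{my_public}:{peer_public}".encode()
    return hmac.new(auth_key, msg, hashlib.sha256).digest()


def sts_verify(auth_key, tag, claimed_public, my_public):
    """Receiver recomputes the tag over (sender's value, own value)."""
    return hmac.compare_digest(tag, sts_tag(auth_key, claimed_public, my_public))


def run_exchange(p, g, alice_private, bob_private, auth_key, received_public=None):
    """Run one exchange. received_public models the value that actually
    reaches Bob; if it differs from Alice's real public value (as it would
    after an in-path substitution), the two keys diverge and, because the
    tag covers the exponentials, the authentication check fails as well.
    Returns (keys_match, authenticated)."""
    a_pub = dh_public(g, alice_private, p)
    b_pub = dh_public(g, bob_private, p)
    tag = sts_tag(auth_key, a_pub, b_pub)          # Alice, after learning b_pub
    a_seen = a_pub if received_public is None else received_public
    authenticated = sts_verify(auth_key, tag, a_seen, b_pub)
    k_alice = derive_key(dh_shared(b_pub, alice_private, p), p)
    k_bob = derive_key(dh_shared(a_seen, bob_private, p), p)
    return k_alice == k_bob, authenticated


if __name__ == "__main__":
    p, g = 23, 5
    print(is_primitive_element(g, p), is_primitive_element(2, p))   # True False
    print(run_exchange(p, g, 6, 15, b"demo-auth-key"))             # (True, True)
    print(run_exchange(p, g, 6, 15, b"demo-auth-key", 7))          # (False, False)
```

With x = 6 and y = 15 the public values are 8 and 19 and both sides compute the shared element 2; the primitive-element test rejects g = 2 for p = 23 because 2^11 = 1 (mod 23), so it would only generate a subgroup of order 11. Hashing the shared element before use is what turns a group element into a uniformly distributed key, and authenticating the pair of exponentials rather than a single value is the detail that makes the STS construction resistant to substitution.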
Secure Hash Algorithm
The Secure Hash Algorithm (SHA) is a cryptographic hash function recommended by NIST. There are several versions of this algorithm:
Secure Hash Algorithm - 1: the original version with a 160-bit output, developed by the NSA (National Security Agency).
Secure Hash Algorithm - 2: versions with outputs of 224, 256, 384 and 512 bits.
Secure Hash Algorithm - 3: the standard under development. Selection of the new algorithm will finish in 2012 at the end of the competition organized by NIST.

The result of the function is obtained at the end of an iteration consisting of 64/80 steps. Hash functions make it possible to verify the integrity and authenticity of messages. This is the main reason why these functions are used with digital signatures. Secure Hash Algorithm - 1 is used by TLS, SSL, PGP, SSH, IPsec and DSS. Secure Hash Algorithms are vulnerable to a series of attacks, like the following:
Finding, by brute force, a message that produces a given hash (preimage attack).
Finding two messages that have the same hash (collisions).
Attacks of the "meet-in-the-middle" type that reduce the number of operations needed to "break" the function.
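An added example (not from the paper) that puts numbers on the output sizes and the two generic attacks just listed: it reads the digest size of each SHA version from the live implementation, computes the expected work for a brute-force preimage (2^n) and for a collision search (about 2^(n/2), the birthday bound), performs the integrity check that a signature verification starts from, and shows on a deliberately truncated 16-bit output why a short digest gives no collision resistance. All messages are constructed inline; the truncation is purely illustrative and says nothing about full-length SHA-256.

```python
"""Output sizes, generic attack work factors and integrity checking for the
SHA family, plus a birthday-bound demonstration on a truncated digest.
Constructed example: messages are generated inline; the 16-bit truncation
only illustrates why output length matters.
"""
import hashlib

# Output sizes in bits, as listed for SHA-1 and the SHA-2 family.
SHA_VERSIONS = {"sha1": 160, "sha224": 224, "sha256": 256,
                "sha384": 384, "sha512": 512}


def digest_bits(algo):
    """Output size in bits, taken from the live hashlib implementation."""
    return hashlib.new(algo).digest_size * 8


def generic_attack_work(bits):
    """Expected operations for the two generic attacks: a brute-force
    preimage costs about 2^n, a birthday collision search about 2^(n/2)."""
    return {"preimage": 2 ** bits, "collision": 2 ** (bits // 2)}


def verify_integrity(message, expected_hex, algo="sha256"):
    """Recompute the digest and compare it with the value that was signed
    or stored; any change to the message changes the digest."""
    return hashlib.new(algo, message).hexdigest() == expected_hex


def first_collision(bits, algo="sha256", limit=None):
    """Find two distinct constructed messages whose digests agree in their
    first `bits` bits. Returns (message_a, message_b, tries) or None.
    By the pigeonhole principle a collision is guaranteed within 2^bits + 1
    messages; the birthday bound predicts one after roughly 2^(bits/2)."""
    limit = limit or (2 ** bits + 1)
    shift = digest_bits(algo) - bits
    seen = {}
    for i in range(limit):
        msg = f"msg-{i}".encode()
        prefix = int.from_bytes(hashlib.new(algo, msg).digest(), "big") >> shift
        if prefix in seen:
            return seen[prefix], msg, i + 1
        seen[prefix] = msg
    return None


def truncated_digest(message, bits, algo="sha256"):
    """The first `bits` bits of the digest, as an integer (for checking)."""
    shift = digest_bits(algo) - bits
    return int.from_bytes(hashlib.new(algo, message).digest(), "big") >> shift


if __name__ == "__main__":
    for algo, expected in SHA_VERSIONS.items():
        work = generic_attack_work(digest_bits(algo))
        print(f"{algo}: {digest_bits(algo)} bits, preimage 2^{work['preimage'].bit_length() - 1}, "
              f"collision 2^{work['collision'].bit_length() - 1}")
    a, b, tries = first_collision(16)
    print(f"16-bit truncation: collision after {tries} messages ({a!r} vs {b!r})")
```

The collision on the 16-bit truncation typically appears after a few hundred messages, close to the 2^8 predicted by the birthday bound and far below the 2^16 a preimage search would need; the same ratio is what separates the 2^80 collision work of a 160-bit digest from its 2^160 preimage work, and it is why collision attacks, not preimage attacks, are the practical worry for the older, shorter members of the family.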
Yadis
Yadis is a protocol used to discover web services such as OpenID, OAuth and XDI connected to a Yadis ID. Although it was designed to discover authentication services, Yadis can easily be used with other types. The identifier may be a URL or an XRI that resolves to a URL. Using the protocol it is possible to obtain a service descriptor in the form of an XRDS document. In OpenID, Yadis is used in the discovery phase to locate an authentication service provider.
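As an added example (not code from the paper), the following shows the relying-party side of the discovery phase described above: reading the X-XRDS-Location header that points to the descriptor, parsing the XRDS document, ordering its Service elements by priority, and selecting the OpenID 2.0 provider endpoint. The XRDS document and the hostnames in it are constructed for this example; the namespace URIs and the OpenID 2.0 service type strings are the real ones from the XRDS and OpenID 2.0 specifications. The optional https requirement on the chosen endpoint is a check added here, not something the paper discusses.

```python
"""Parse an XRDS service descriptor obtained through Yadis discovery and
select the OpenID 2.0 provider endpoint. The document below is constructed
for this example; namespaces and OpenID type URIs are the standard ones.
"""
import xml.etree.ElementTree as ET

XRDS_NS = "xri://$xrds"
XRD_NS = "xri://$xrd*($v*2.0)"
OPENID_SERVER = "http://specs.openid.net/auth/2.0/server"
OPENID_SIGNON = "http://specs.openid.net/auth/2.0/signon"

# Constructed sample descriptor: two OpenID 2.0 services with priorities and
# one legacy OpenID 1.1 service without a priority attribute.
SAMPLE_XRDS = b"""<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service priority="20">
      <Type>http://specs.openid.net/auth/2.0/signon</Type>
      <URI>https://idp.example.test/openid</URI>
      <LocalID>https://idp.example.test/user/alice</LocalID>
    </Service>
    <Service priority="10">
      <Type>http://specs.openid.net/auth/2.0/signon</Type>
      <URI>https://backup.example.test/openid</URI>
    </Service>
    <Service>
      <Type>http://openid.net/signon/1.1</Type>
      <URI>http://legacy.example.test/openid</URI>
    </Service>
  </XRD>
</xrds:XRDS>
"""


def xrds_location(headers):
    """Yadis step 1: the X-XRDS-Location response header (header names are
    case-insensitive) tells the relying party where the XRDS document is."""
    for name, value in headers.items():
        if name.lower() == "x-xrds-location":
            return value
    return None


def parse_xrds(data):
    """Return the Service elements as dicts, sorted by priority (lowest
    number first; a Service without a priority attribute sorts last)."""
    root = ET.fromstring(data)
    if root.tag != f"{{{XRDS_NS}}}XRDS":
        raise ValueError("not an XRDS document")
    services = []
    for svc in root.iter(f"{{{XRD_NS}}}Service"):
        prio = svc.get("priority")
        local_ids = [e.text.strip() for e in svc.findall(f"{{{XRD_NS}}}LocalID") if e.text]
        services.append({
            "priority": int(prio) if prio is not None else float("inf"),
            "types": [e.text.strip() for e in svc.findall(f"{{{XRD_NS}}}Type") if e.text],
            "uris": [e.text.strip() for e in svc.findall(f"{{{XRD_NS}}}URI") if e.text],
            "local_id": local_ids[0] if local_ids else None,
        })
    services.sort(key=lambda s: s["priority"])
    return services


def openid_endpoint(services, require_https=True):
    """Pick the first OpenID 2.0 endpoint in priority order. The https
    requirement is an added check of this example, not part of the paper."""
    for svc in services:
        if OPENID_SERVER in svc["types"] or OPENID_SIGNON in svc["types"]:
            for uri in svc["uris"]:
                if not require_https or uri.startswith("https://"):
                    return uri
    return None


if __name__ == "__main__":
    hdrs = {"Content-Type": "text/html", "X-XRDS-Location": "https://idp.example.test/yadis.xrds"}
    print("descriptor at:", xrds_location(hdrs))
    svcs = parse_xrds(SAMPLE_XRDS)
    for s in svcs:
        print(s["priority"], s["types"], s["uris"])
    print("chosen endpoint:", openid_endpoint(svcs))
```

Sorting by priority before choosing the endpoint matters because the order of Service elements in the document is not significant; the relying party must honour the priority attribute, and a missing attribute means the lowest priority rather than the highest.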