论文信息 - A federated identity management system with centralized trust and unified Single Sign-On

A federated identity management system with centralized trust and unified Single Sign-On

Federated identity management (FIM) is an effective technology that allows multiple organizations to share resources with each other. Proposed FIM solutions have faced deployment and maintenance barriers caused by lack of effective trust management mechanism. In this paper, we present a FIM system with a centralized trust management component named TSP. TSP can automatically establish trust relationship between federation parties in runtime with inexpensive overhead. We also propose a new interaction mode, indirect authentication exchange, to unify network access authentication with application level Single Sign-On (SSO) as an integrated one-step authentication. With the features of centralized trust management and indirect authentication exchange, FIM system can be more easily and flexibly deployed and maintained. We have implemented a prototype to demonstrate the feasibility of proposed features.

[1] Licia Florio,et al. Eduroam: past, present and future , 2005, TNC.

[2] Jeff Hodges,et al. Assertions and Protocol for the OASIS Security Assertion Markup Language (SAML) V2. 0 , 2001 .

[3] Elvinia Riccobene,et al. Formal Analysis of the Kerberos Authentication System , 1997, J. Univers. Comput. Sci..

[4] Lawrence C. Paulson,et al. Kerberos Version 4: Inductive Analysis of the Secrecy Goals , 1998, ESORICS.

[5] Sam Hartman,et al. The Perils of Unauthenticated Encryption: Kerberos Version 4 , 2004, NDSS.

[6] Drummond Reed,et al. OpenID 2.0: a platform for user-centric identity management , 2006, DIM '06.

[7] Leif Johansson,et al. Dynamic Security Assertion Markup Language: Simplifying Single Sign-On , 2008, IEEE Security & Privacy.

[8] Peter Thompson,et al. Liberty ID-FF Architecture Overview , 2003 .

[9] Steven M. Bellovin,et al. Limitations of the Kerberos authentication system , 1990, CCRV.

[10] Virendra Kumar,et al. Extended Abstract: Provable-Security Analysis of Authenticated Encryption in Kerberos , 2007, 2007 IEEE Symposium on Security and Privacy (SP '07).

[11] Theodore Y. Ts'o,et al. Kerberos: an authentication service for computer networks , 1994, IEEE Communications Magazine.

[12] Antonio F. Gómez-Skarmeta,et al. Bootstrapping a Global SSO from Network Access Control Mechanisms , 2007, EuroPKI.

[13] Thomas D. Wu. A Real-World Analysis of Kerberos Password Security , 1999, NDSS.