Skip to main content
SpringerLink
Log in
Book cover

Nordic Conference on Secure IT Systems

NordSec 2012: Secure IT Systems pp 169–183Cite as

A Hybrid Approach for Highly Available and Secure Storage of Pseudo-SSO Credentials

  • Conference paper

  • 971 Accesses

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 7617))

Abstract

We present a novel approach for password/credential storage in Pseudo-SSO scenarios based on a hybrid password hashing/password syncing approach that is directly applicable to the contemporary Web. The approach supports passwords without requiring modification of the server side and thus is immediately useful; however, it may still prove useful for storing more advanced credentials in future SSO and identity management scenarios, and offers a high password security, high availability and integration of secure elements while providing familiar interaction paradigms at a low cost.

This is a preview of subscription content, log in via an institution.

Chapter
USD   29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD   54.99
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD   72.00
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Learn about institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. LastPass: LastPass - Password Manager, Formular ausfüller, Password Management, http://lastpass.com/

  2. Halderman, J.A., Waters, B., Felten, E.W.: A convenient method for securely managing passwords. In: Proceedings of the 14th International Conference on World Wide Web, pp. 471–479. ACM, Chiba (2005)

    Chapter  Google Scholar 

  3. Herley, C., Van Oorschot, P.: A Research Agenda Acknowledging the Persis-tence of Passwords. IEEE Security & Privacy (forthcoming, 2012)

    Google Scholar 

  4. Jøsang, A., Zomai, M.A., Suriadi, S.: Usability and privacy in identity manage-ment architectures. In: Proceedings of the Fifth Australasian Symposium on ACSW Frontiers, vol. 68, pp. 143–152. Australian Computer Society, Inc., Ballarat (2007)

    Google Scholar 

  5. Jøsang, A., Fritsch, L., Mahler, T.: Privacy Policy Referencing. In: Katsikas, S., Lopez, J., Soriano, M. (eds.) TrustBus 2010. LNCS, vol. 6264, pp. 129–140. Springer, Heidelberg (2010)

    Chapter  Google Scholar 

  6. Zibuschka, J., Roßnagel, H.: Implementing Strong Authentication Interoperabil-ity with Legacy Systems. In: Policies and Research in Identity Management (IDMAN 2007), pp. 149–160. Springer (2008)

    Google Scholar 

  7. Anderson, R.: The eternity service. In: Pragocrypt 1996, pp. 242–252 (1996)

    Google Scholar 

  8. Dhamija, R., Dusseault, L.: The Seven Flaws of Identity Management: Usability and Security Challenges. IEEE Secur. Privacy Mag. 6, 24–29 (2008)

    Article  Google Scholar 

  9. Smith, R.E.: The Strong Password Dilemma. Computer 18 (2002)

    Google Scholar 

  10. Pashalidis, A., Mitchell, C.: A Taxonomy of Single Sign-On Systems. Information Security and Privacy, 249–264 (2003)

    Google Scholar 

  11. Password Sitter: Home, http://www.passwordsitter.de/

  12. Putting Sxipper Down – Dick Hardt dot org, http://dickhardt.org/2011/03/putting-sxipper-down/

  13. Gabber, E., Gibbons, P.B., Matias, Y., Mayer, A.J.: How to Make Personalized Web Browising Simple, Secure, and Anonymous. In: Proceedings of the First Inter-national Conference on Financial Cryptography, pp. 17–32. Springer (1997)

    Google Scholar 

  14. Convergence | Beta, http://convergence.io/

  15. Mahemoff, M.: Ajax Design Patterns. O’Reilly Media, Inc. (2006)

    Google Scholar 

  16. jsSHA - SHA Hashes in JavaScript, http://jssha.sourceforge.net/

  17. Yao, F.F., Yin, Y.L.: Design and Analysis of Password-Based Key Derivation Functions. In: Menezes, A. (ed.) CT-RSA 2005. LNCS, vol. 3376, pp. 245–261. Springer, Heidelberg (2005)

    Chapter  Google Scholar 

  18. Shamir, A.: How to share a secret. Commun. ACM 22, 612–613 (1979)

    Article  MathSciNet  MATH  Google Scholar 

  19. RLR UK Ltd.: Secure Secret Sharing, https://www.rlr-uk.com/tools/SecSplit/SecureSplit.aspx

  20. Feild, H.: Shamir’s Secret Sharing Scheme, http://ciir.cs.umass.edu/~hfeild/ssss/index.html

  21. Brown, A.S., Bracken, E., Zoccoli, S., Douglas, K.: Generating and remember-ing passwords. Applied Cognitive Psychology 18, 641–651 (2004)

    Article  Google Scholar 

  22. Miller, G.A.: The Magical Number Seven, Plus or Minus Two: Some Limits on Our Capacity for Processing Information. Psychological Review 63, 81–97 (1956)

    Article  Google Scholar 

  23. Florencio, D., Herley, C.: A large-scale study of web password habits. Proceed-ings of the 16th International Conference on World Wide Web, New York, NY, USA, pp. 657–666 (2007)

    Google Scholar 

  24. Chinitz, J.: Single Sign-On: Is It Really Possible? Information Security Journal: A Global Perspective 9, 1 (2000)

    Google Scholar 

  25. Ives, B., Walsh, K.R., Schneider, H.: The domino effect of password reuse. Commun. ACM 47, 75–78 (2004)

    Article  Google Scholar 

  26. LeahScape: PasswordMaker, http://passwordmaker.org/

  27. Recordon, D., Reed, D.: OpenID 2.0: a platform for user-centric identity management. In: Proceedings of the Second ACM Workshop on Digital Identity Management, pp. 11–16. ACM, Alexandria (2006)

    Chapter  Google Scholar 

  28. Cameron, K., Jones, M.B.: Design Rationale behind the Identity Metasystem Architecture. ISSE/SECURE 2007 Securing Electronic Business Processes, 117–129 (2007)

    Google Scholar 

  29. Neuman, B.C., Ts’o, T.: Kerberos: an authentication service for computer net-works. IEEE Communications Magazine 32, 33–38 (1994)

    Article  Google Scholar 

  30. Facebook’s OpenID Goes Live, http://www.allfacebook.com/2009/05/facebooks-openid-live/

  31. Hühnlein, D., Roßnagel, H., Zibuschka, J.: Diffusion of Federated Identity Management. In: SICHERHEIT 2010. GI, Berlin (2010)

    Google Scholar 

  32. Boyd, D.: Facebook’s Privacy Trainwreck. Convergence: The International Journal of Research into New Media Technologies 14, 13–20 (2008)

    Article  Google Scholar 

  33. de Clerq, J.: Single Sign-on Architectures. In: Proceedings of Infrastructure Security, International Conference, Bristol, UK, pp. 40–58 (2002)

    Google Scholar 

  34. Dimitriadis, C.K., Polemi, D.: Application of Multi-criteria Analysis for the Creation of a Risk Assessment Knowledgebase for Biometric Systems. In: Zhang, D., Jain, A.K. (eds.) ICBA 2004. LNCS, vol. 3072, pp. 724–730. Springer, Heidelberg (2004)

    Chapter  Google Scholar 

  35. Karp, A.H.: Site-Specific Passwords (2003), http://www.hpl.hp.com/techreports/2002/HPL-2002-39R1.html

  36. Summers, W.C., Bosworth, E.: Password policy: the good, the bad, and the ugly. In: Proceedings of the Winter International Symposium on Information and Communication Technologies, Cancun, Mexico, pp. 1–6 (2004)

    Google Scholar 

  37. Kolter, J., Kernchen, T., Pernul, G.: Collaborative Privacy – A Community-Based Privacy Infrastructure. In: Gritzalis, D., Lopez, J. (eds.) SEC 2009. IFIP AICT, vol. 297, pp. 226–236. Springer, Heidelberg (2009)

    Chapter  Google Scholar 

  38. LastPass: LastPass Security Notification, http://blog.lastpass.com/2011/05/lastpass-security-notification.html

  39. Josephson, W.K., Sirer, E.G., Schneider, F.B.: Peer-to-Peer Authentication with a Distributed Single Sign-On Service. In: Voelker, G.M., Shenker, S. (eds.) IPTPS 2004. LNCS, vol. 3279, pp. 250–258. Springer, Heidelberg (2005)

    Chapter  Google Scholar 

  40. Chen, T., Zhu, B.B., Li, S., Cheng, X.: ThresPassport – A Distributed Single Sign-On Service. In: Huang, D.-S., Zhang, X.-P., Huang, G.-B. (eds.) ICIC 2005. LNCS, vol. 3645, pp. 771–780. Springer, Heidelberg (2005)

    Chapter  Google Scholar 

  41. Brasee, K., Kami Makki, S., Zeadally, S.: A Novel Distributed Authentication Framework for Single Sign-On Services. In: IEEE International Conference on Sensor Networks, Ubiquitous and Trustworthy Computing, SUTC 2008. pp. 52–58. IEEE (2008)

    Google Scholar 

  42. Zhong, S., Liao, X., Zhang, X., Lin, J.: A Novel Distributed Single Sign-On Scheme with Dynamically Changed Threshold Value. In: Fifth International Conference on Information Assurance and Security, IAS 2009. pp. 563–566. IEEE (2009)

    Google Scholar 

  43. Password Manager, Form Filler, Password Management | RoboForm Password Manager, http://www.roboform.com/

  44. vecna/Rabbisteg - GitHub, https://github.com/vecna/Rabbisteg

  45. Steganography in Javascript – Blog, http://antimatter15.com/wp/2010/06/steganography-in-javascript/

  46. Sandler, D., Wallach, D.S.: <input type=“password”> must die! W2SP 2008: Web 2.0 Security and Privacy 2008. IEEE Computer Society, Oakland (2008)

    Google Scholar 

  47. Leon, P.G., Cranor, L.F., McDonald, A.M., McGuire, R.: Token attempt: the misrepresentation of website privacy policies through the misuse of p3p compact policy tokens. In: Proceedings of the 9th Annual ACM Workshop on Privacy in the Electronic Society, pp. 93–104. ACM Press, New York (2010)

    Chapter  Google Scholar 

  48. Maler, E., Reed, D.: The Venn of Identity: Options and Issues in Federated Iden-tity Management. IEEE Secur. Privacy Mag. 6, 16–23 (2008)

    Article  Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Fraunhofer IAO, Stuttgart, Germany

    Jan Zibuschka

  2. Norsk Regnesentral, Oslo, Norway

    Lothar Fritsch

Authors
  1. Jan Zibuschka
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Lothar Fritsch
    View author publications

    You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

  1. University of Oslo, Gaustadalléen 23b, 0373, Oslo, Norway

    Audun Jøsang

  2. Blekinge Institute of Technology, Valhallavägen 1, 37179, Karlskrona, Sweden

    Bengt Carlsson

Rights and permissions

Reprints and permissions

Copyright information

© 2012 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Zibuschka, J., Fritsch, L. (2012). A Hybrid Approach for Highly Available and Secure Storage of Pseudo-SSO Credentials. In: Jøsang, A., Carlsson, B. (eds) Secure IT Systems. NordSec 2012. Lecture Notes in Computer Science, vol 7617. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-34210-3_12

Download citation

  • DOI: https://doi.org/10.1007/978-3-642-34210-3_12

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-34209-7

  • Online ISBN: 978-3-642-34210-3

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation