Security Analysis of a Single Sign-On Mechanism For Distributed Computer Networks

Single sign on mechanisms allow users to sign on only once and have their identities automatically verified by each application or service they want to access afterwards. There are few practical and secure single sign on models, even though it is of great importance to current distributed application environments. Most of current application architectures require the user to memorize and utilize a different set of credentials (eg username/password or tokens) for each application he/she wants to access. However, this approach is inefficient and insecure with the exponential growth in the number of applications and services a user has to access both inside corporative environments and at the Internet. Single sign on (SSO) is a new authentication mechanism that enables a legal user with a single credential to be authenticated by multiple service providers in distributed computer networks. Recently, Chang and Lee proposed a new SSO scheme and claimed its security by providing well organized security arguments. In this paper, however, it is shown that their scheme is actually insecure as it fails to meet security during communication, in order to provide a secure authentication digital signature with hash function is researched for future work.