KSII Transactions on Internet and Information Systems (TIIS)

Korean Society for Internet Information (한국인터넷정보학회)
권호 표지
DOI QR코드

DOI QR Code

Trustworthy Mutual Attestation Protocol for Local True Single Sign-On System: Proof of Concept and Performance Evaluation

  • Khattak, Zubair Ahmad (Department of Computer and Information Sciences, Universiti Teknologi PETRONAS Bandar Seri Iskandar) ;
  • Manan, Jamalul-Lail Ab (Advanced Analysis and Modeling Cluster, MIMOS Berhad Technology Park Malaysia) ;
  • Sulaiman, Suziah (Department of Computer and Information Sciences, Universiti Teknologi PETRONAS Bandar Seri Iskandar)
  • Received : 2011.12.03
  • Accepted : 2012.06.16
  • Published : 2012.09.30
Download PDF
⟨ Previous Next ⟩

Abstract

In a traditional Single Sign-On (SSO) scheme, the user and the Service Providers (SPs) have given their trust to the Identity Provider (IdP) or Authentication Service Provider (ASP) for the authentication and correct assertion. However, we still need a better solution for the local/native true SSO to gain user confidence, whereby the trusted entity must play the role of the ASP between distinct SPs. This technical gap has been filled by Trusted Computing (TC), where the remote attestation approach introduced by the Trusted Computing Group (TCG) is to attest whether the remote platform integrity is indeed trusted or not. In this paper, we demonstrate a Trustworthy Mutual Attestation (TMutualA) protocol as a proof of concept implementation for a local true SSO using the Integrity Measurement Architecture (IMA) with the Trusted Platform Module (TPM). In our proposed protocol, firstly, the user and SP platform integrity are checked (i.e., hardware and software integrity state verification) before allowing access to a protected resource sited at the SP and releasing a user authentication token to the SP. We evaluated the performance of the proposed TMutualA protocol, in particular, the client and server attestation time and the round trip of the mutual attestation time.

Keywords

References

  1. Andreas Pashalidis and Chris Mitchell, "Single sign-on using trusted platform," in Proc. of 6th Int. Conf. on Information Security, pp.54-68, Oct.2003.
  2. Reiner Sailer, Xiaolan Zhang, Trent Jaeger and Leendert van Doorn, "Design and implementation of a TCG-based Integrity Measurement Architecture," in Proc. of 13th USENIX Security Symposium, pp.223-238, Aug.2004.
  3. T. A. Parker, "Single sign-on systems-the technologies and the products," in Proc. of European Convention on Security and Detection, pp.151-155, May.1995.
  4. Andreas Pashalidis and Chris Mitchell, "A taxonomy of single sign-on systems," in Proc. of 8th Australian Conf. on Information Security and Privacy, pp.249-264, Jul.2003.
  5. R. Oppliger, "Microsoft .net passport: A security analysis," IEEE Computer, vol.36, no.7, pp-29-35, Jul.2003. https://doi.org/10.1109/MC.2003.1212687
  6. Liberty Alliance Project. http://www.projectliberty.org/
  7. Mark Needleman, "The shibboleth authentication/ authorization system," Journal Serials Review, vol.30, no.3, pp.252-253, Aug.2004. https://doi.org/10.1016/j.serrev.2004.05.006
  8. Trusted Computing Group (TCG). http://www.trustedcomputinggroup.org
  9. Sandeep Bajikar, "Trusted Platform Module (TPM) based Security on Notebooks PCs-White Paper," Technical Report, Intel Corporation, Jun.2002.
  10. TCG, "Trusted Computing Group (TCG) specification architecture overview," revision 1.4, pp.11-12, Technical Report, Aug.2007.
  11. John Hughes and Eve Maler, "Security Assertion Markup Language (SAML) 2.0 technical overview," Technical Report, Jul.2004.
  12. S. Pearson, Trusted Computing Platforms: TCPA Technology in Context, 1st Edition, Prentice Hall, New Jersey, 2002.
  13. Trusted Computing Platform Alliance (TCPA): Trusted Platform Module Protection Profile, v 1.9.7, Jul.2002.
  14. Eimear Gallery and Chris Mitchell, "Trusted computing: security and application," J. Cryptologia, vol. 33, no. 3, pp.217-245, Jul.2009. https://doi.org/10.1080/01611190802231140
  15. Donald Eastlake and Paul Jones, "RFC 3174 - US Secure Hash Algorithm 1 (SHA1)," September 2001. http://www.openrfc.org/rfc/3174.pdf
  16. S. Garriss, R. C'aceres, S. Berger, R. Sailer, L. Doorn and X. Zhang, "Towards trustworthy kiosk computing," in Proc. of 8th IEEE Workshop on Mobile Computing Systems and Applications, pp.41-45, Mar.2007.
  17. Ahmad-Reza Sadeghi and Christian Stuble, "Property-based attestation for computing platforms: caring about properties, not mechanisms," in Proc. of the 2004 Workshop on New Security Paradigms, pp.67-77, Sep. 2004.
  18. Tamleek Ali and Mohammad Numan, "Incorporating remote attestation for end-to-end protection in web communication paradigm," in Proc. of the 3rd Int. Conf. on Internet Technologies and Applications, Sep.2009.
  19. Trusted Computing for the java (tm) Platform. http://trustedjava.sourceforge.net/
  20. TCG, "Trusted Platform Module (TPM) specification v1.2 enhances security," Jun.2004.
  21. Tim Bray et al., "Extensible markup language (xml)," Technical Report, Aug.1997. http://www.w3pdf.com/W3cSpec/XML/2/REC-xml11-20060816.pdf
  22. Institute of Applied Information Processing and Communication, Graz University of Technology, Austria. http://www.iaik.tugraz.at/content/about_iaik/
  23. Massom Alam, Xinwen Zhang, Mohammad Nauman and Tamleek Ali, "Behavioral attestation for web services (BA4WS)," in Proc. of ACM Workshop on Secure Web Services, pp.21-28, Oct.2008.
  24. David Chaum, "Blind signatures for untraceable payments," in Proc. of Crypto '82, pp.199-203, 1982.
  25. Zubair Ahmad Khattak, Jamalul-lail Ab Manan and Suziah Sulaiman, "Analysis of open environment sign-in schemes- privacy enhanced & trustworthy approach," Journal Advances in Information Technology, vol.2, no.2, pp.109-121, 2011.
  26. Arkajit Dey and Stephen Weis, "PseudoID: Enhancing privacy in federated login," in Proc. of the 10th Hot Topics in Privacy Enhancing Technologies, pp.95-107, Jul.2010.
  27. Masoom Alam, Xinwen Zhang, Mohammad Nauman, Tamleek Ali and Jean-Pierre Seifert, "Model-based behavioral attestation," in Proc. of the 13th ACM Symposium on Access Control Models and Technologies, pp.175-184, Jun.2012.
  28. Erine Brickell, Jan Camenisch and Liqun Chen, "Direct anonymous attestation," in Proc. of the 11th ACM conference on Computer and communications security, pp. 132-145, Oct.2004.
  29. Jaehong Park and Ravi Sandhu, "Towards usage control models: beyond traditional access control," in Proc. of the 7th ACM Symposium on Access Control Models and Technologies, pp. 57-64, Jun.2002.
  30. Zubair Ahmad Khattak, Jamalul-lail Ab Manan and Suziah Sulaiman, "Proof of concept implementation of trustworthy mutual attestation architecture for local true SSO," in Proc. of the 10th Int. Conf. on Security and Management, pp. 721-724, Jul. 2011.
  31. Reiner Sailer, Leendert van Doorn and James Ward, "The Role of TPM in Enterprise Security," Technical Report, IBM Research, Oct.2004.
  32. S. Balfe, E. Gallery, C. Mitchell and K. Paterson, "Crimeware and Trusted Computing," in Crimeware Understanding New Attacks and Defenses, pp. 457-472, Apr.2008.
  33. Jing Zhan, Huanguo Zhang and Fei Yan, "Building Trusted Sub-domain for the Grid with trusted computing," in 3rd SKLOIS Conf. on Information Security and Cryptology, pp. 463-471, Sep.2007.
  34. Ramon Caceres and Reiner Sailer, "Trusted mobile computing," in Proc. of IFIP Networking Workshop on Security and Privacy in Mobile and Wireless Networking, May 2006.
  35. Z. A. Khattak, J-L. Manan and S. Sulaiman, "Security, trust and privacy framework for federated single sign-on environment," in Proc. of the 5th Int. Conf. on Information Technology and Multimedia, pp. 1-6, Nov.2011.
  36. Mittal Bhiogade, "Secure Socket Layer," in Proc. of the Informing Science and Information Technology Education Conference, pp. 85-90, Jun.2002.