http://dx.doi.org/10.6109/jkiice.2016.20.8.1466

Certificate-based SSO Protocol Complying with Web Standard  

Yun, Jong Pil (Graduate School of Information Security, Korea University)
Kim, Jonghyun (Graduate School of Information Security, Korea University)
Lee, Kwangsu (Graduate School of Information Security, Korea University)
Abstract
Public key infrastructure (PKI), the core technology behind digital certificates, is a security technology that provides functions such as identification, non-repudiation, and anti-forgery for electronic documents on the Internet. Our government and financial organizations use ActiveX-based PKI authentication to prevent security incidents in Internet services. However, plug-in technologies such as ActiveX are vulnerable to security problems and inconvenient, since they work only in certain browsers. Therefore, research on HTML5-based authentication systems has been actively conducted. Recently, a domestic bank introduced PKI authentication complying with web standards for the first time. However, it remains inconvenient because a certificate must be registered on each website separately, owing to the same-origin policy of web storage. This paper proposes a certificate-based SSO protocol complying with web standards that provides certificate-based user authentication across several sites by working around the same-origin policy, and gives its security proof.
Keywords
Public key infrastructure; Certificate; Same origin policy; Single sign on; Web standards;