Andreas Pashalidis (2003) Single sign-on using trusted platforms.
Full text access: Open
Network users today have to remember a separate username/password pair for every service they are registered with. One solution to the security and usability implications of this situation is Single Sign-On, a mechanism by which the user authenticates only once, to an entity termed the ‘Authentication Service Provider’ (ASP), and subsequently uses disparate Service Providers (SPs) without necessarily re-authenticating. Information about the user’s authentication status is exchanged between the ASP and the desired SP in a manner transparent to the user. This paper demonstrates a method by which the end-user’s computing platform itself plays the role of the ASP. The platform has to be a Trusted Platform conforming to the Trusted Computing Platform Alliance (TCPA) specifications. The relevant TCPA architectural components and security services are described and the associated threats are analysed.
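The flow the abstract describes, as an added sketch (not the paper's protocol or code): the user authenticates once to their own platform, which then acts as ASP and answers each SP's challenge with a signed, audience-bound, single-use assertion. The assertion fields, the Ed25519 key standing in for a hardware-protected TCPA key, the pinned-key trust model and the 60-second validity window are all assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Assertion carries the user's authentication status from the platform
// (acting as ASP) to a Service Provider. Field set is this sketch's
// assumption, not a format taken from the paper.
type Assertion struct {
	Subject  string `json:"sub"`   // locally authenticated user
	Audience string `json:"aud"`   // the SP this assertion is for
	Nonce    string `json:"nonce"` // SP-issued challenge, binds to one login
	IssuedAt int64  `json:"iat"`
	Expires  int64  `json:"exp"`
}

// PlatformASP is the user's own machine acting as Authentication Service
// Provider. In the paper the signing key would be protected by TCPA
// hardware; here it is a plain in-memory Ed25519 key (assumption).
type PlatformASP struct {
	priv          ed25519.PrivateKey
	Pub           ed25519.PublicKey
	user          string
	authenticated bool
}

func NewPlatformASP(user string) (*PlatformASP, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &PlatformASP{priv: priv, Pub: pub, user: user}, nil
}

// LocalLogin is the single sign-on the user performs; the boolean stands
// in for whatever local authentication method the platform uses.
func (p *PlatformASP) LocalLogin(ok bool) { p.authenticated = ok }

// Assert answers an SP's challenge with a signed, short-lived, audience-bound
// statement. It refuses if the user has not authenticated locally.
func (p *PlatformASP) Assert(audience, nonce string, now time.Time) ([]byte, []byte, error) {
	if !p.authenticated {
		return nil, nil, errors.New("user not authenticated to platform")
	}
	a := Assertion{Subject: p.user, Audience: audience, Nonce: nonce,
		IssuedAt: now.Unix(), Expires: now.Add(60 * time.Second).Unix()}
	payload, err := json.Marshal(a)
	if err != nil {
		return nil, nil, err
	}
	return payload, ed25519.Sign(p.priv, payload), nil
}

// ServiceProvider trusts one platform key. In a real design that trust would
// come from a certificate chain; here the key is pinned (assumption).
type ServiceProvider struct {
	Name        string
	platformKey ed25519.PublicKey
	outstanding map[string]bool // nonces issued and not yet consumed
}

func NewServiceProvider(name string, key ed25519.PublicKey) *ServiceProvider {
	return &ServiceProvider{Name: name, platformKey: key, outstanding: map[string]bool{}}
}

// Challenge issues a fresh single-use nonce for one login attempt.
func (sp *ServiceProvider) Challenge() (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	n := hex.EncodeToString(b)
	sp.outstanding[n] = true
	return n, nil
}

// Verify checks signature, audience, nonce freshness and validity window,
// consumes the nonce, and returns the authenticated subject.
func (sp *ServiceProvider) Verify(payload, sig []byte, now time.Time) (string, error) {
	if !ed25519.Verify(sp.platformKey, payload, sig) {
		return "", errors.New("bad signature")
	}
	var a Assertion
	if err := json.Unmarshal(payload, &a); err != nil {
		return "", err
	}
	if a.Audience != sp.Name {
		return "", fmt.Errorf("assertion for %q, not %q", a.Audience, sp.Name)
	}
	if !sp.outstanding[a.Nonce] {
		return "", errors.New("unknown or replayed nonce")
	}
	if t := now.Unix(); t < a.IssuedAt || t >= a.Expires {
		return "", errors.New("assertion outside validity window")
	}
	delete(sp.outstanding, a.Nonce) // single use: replaying the same payload fails
	return a.Subject, nil
}

func main() {
	asp, _ := NewPlatformASP("alice")
	asp.LocalLogin(true)
	sp := NewServiceProvider("https://sp.example", asp.Pub)
	nonce, _ := sp.Challenge()
	payload, sig, _ := asp.Assert(sp.Name, nonce, time.Now())
	fmt.Println(sp.Verify(payload, sig, time.Now()))
}
```

The audience field is what stops an assertion captured at one SP being presented to another, and the consumed-nonce set is what stops the same assertion being presented twice; both checks are cheap and are the ones an SP cannot skip when the ASP is the user's own machine rather than a server it controls.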
Published version. Version date: 23/03/2003. Peer reviewed.
https://repository.royalholloway.ac.uk/items/c11dc227-30b4-e63d-a9d7-f65cb2e1e9b3/1/
Deposited on 14-Jul-2010 in Royal Holloway Research Online. Last modified on 10-Dec-2010.