ThresPassport A Dstrbuted ngle gn-on ervce Teru Chen 1, Bn B. Zhu 2, hpeng L 2, Xueq Cheng 1 1 Inst. of Computng Technology, Chnese Academy of cences, Bejng 100080, Chna chenteru@software.ct.ac.cn, cqx@ct.ac.cn 2 Mcrosoft Research Asa, Bejng 100080, Chna {bnzhu, spl}@mcrosoft.com Abstract. In ths paper, we present ThresPassport (Threshold scheme-based Passport), a web-based, dstrbuted ngle gn-on (O) system whch utlzes a threshold-based secret sharng scheme to splt a servce provder s authentcaton key nto partal shares dstrbuted to authentcaton servers. Each authentcaton server generates a partal authentcaton token upon request by a legtmate user after proper authentcaton. Those partal authentcaton tokens are combned to compute an authentcaton token to sgn the user on to a servce provder. ThresPassport depends on nether Publc Key Infrastructure (PKI) nor exstence of a trustworthy authorty. The sgn-on process s as transparent to users as Mcrosoft s.net Passport. ThresPassport offers many sgnfcant advantages over.net Passport and other Os on securtyortablty, ntruson and fault tolerance, scalablty, relablty, and avalablty. 1 Introducton As computer networks and systems prolferate to support more onlne accesses and busness, a user s typcally requred to mantan a set of authentcaton credentals such as username and password for each servce provder he or she s enttled to access. A user s facng a dlemma between usng dfferent authentcaton credentals for each ndvdual servce provder for the sake of securty, resultng n escalatng dffculty n memorzng all those credentals, and usng the same credentals for many servce provders for easy memorzaton at the cost of lowered securty. Forcng a user to enter authentcaton credentals frequently when the user accesses dfferent servce provders or the same servce provder multple tmes s also an awkward user experence. It s desrable to have an authentcaton servce to manage a user s sgn-on credentals and allow the user to authentcate hm or her convenently to a varety of servce provders. ngle gn-on (O) has been proposed as a potental soluton to the mplcatons of securty, credentals management, and usablty for the aforementoned applcatons. O utlzes a centralzed credentals management to provde authentcaton servces for users to access partcpatng servce provders. Wth O, a user needs to authent- Contact author: Bn B. Zhu, emal: bnzhu@eee.org (preferred) or bnzhu@mcrosoft.com. Ths work was done when Teru Chen was an ntern at Mcrosoft Research Asa.
cate hm or her to an authentcaton servce only once, whch n turn enables hm or her to automatcally log nto partcpatng servce provders he or she has access permsson when needed wthout any further user nteractons. uch a system makes the complexty to log nto an ncreasng number of servce provders completely transparent to a user. From a user s pont of vew, there s no dfference between loggng nto one servce provder and nto multple servce provders. The complexty s handled by the O system behnd scene. In other words, O enhances usablty n loggng nto multple servce provders dramatcally wth a centralzed authentcaton servce. everal dfferent O systems have been proposed. Kerberos [1] s an O system whch s wdely used when users, authentcaton servers, and servce provders are under a centralzed control such as n the same company. In Kerberos, a user authentcates to an authentcaton server and obtans a vald Tcket Grantng Tcket (TGT) whch s used to authentcate the user to a Tcket Grantng erver (TG) when requestng a ervce Grantng Tcket (GT). To access a servce, a user requests an GT from a TG and presents t to the servce provder whch checks valdty of the tcket and makes a decson f access s granted or not. Kerberos s not sutable for use n an untrusted envronment such as the Internet [2]. The Lberty Allance [3], a consortum of over 150 member companes, recently developed a set of open specfcatons for web-based O. ecurty Assertons Markup Language (AML) [4], a standard, XML-based framework for creatng and exchangng securty nformaton between onlne partners, s used n the specfcatons. The most popular and wdely deployed web-based O should be Mcrosoft s.net Passport [5] whch has provded servces snce 1999. The core of Passport s archtecture s a centralzed database whch contans all the regstered users and assocated data and credentals. Every account s unquely dentfed by a 64-bt number called the Passport ser ID (PID). Each partcpatng servce provder s also assgned a unque ID, and needs to mplement a specal component n ts web server software and to share wth the Passport server a secret key whch s delvered out of band. To log nto a partcpatng servce provder, a user s browser s redrected to the Passport server whch tres to retreve and verfy valdty of a Tcket Grantng Cooke (TGC) from the web browser s cooke cache. If such a cooke s not found, then the user needs to enter account name and password to authentcate to Passport, whch saves a fresh TGC n the browser s cooke cache. A TGC s encrypted by a master key known only to Passport. If everythng goes all rght, Passport saves n the browser s cooke cache a set of cookes encrypted wth the secret key shared between Passport and the specfc partcpatng servce provder. The set of cookes acts lke Kerberos GT and s used to authentcate the user to the partcpatng servce provder. More detals of dfferent O archtectures can be found n [2]. There are a few major concerns on securty and avalablty of.net Passport that prevent users and servce provders from wdely adoptng.net Passport as a webbased logn servce, esp. for accessng web servces such as a bank account whch requre hgher securty and contan senstve prvate data. These ssues are analyzed and dscussed n detal n [6, 7]. In.NET Passport, a user s authentcaton nformaton s centrally managed by the Passport server. Every user has to be dentfed and authentcated wth the help of the data stored n the central database. Every partcpatng servce provder depends on the response of the Passport server and ts securty..net
Passport s not scalable. The Passport server s a sngle pont of falure and a central pont of attacks for the system. It s an attractve target for hackers to paralyze the whole system through dstrbuted denal-of-servce attacks. A sngle compromse of the Passport server may endanger the whole system. Passport cookes are the only authentcaton proofs n.net Passport. nless a user chooses the automatc sgn-n mode whch uses persstent cookes, a cooke s lfetme n.net Passport s determned only by the browser s lfetme and the encrypted cooke s expraton tme. A user who forgets to log off the Passport account on a publc computer could leave vald authentcaton tokens for anyone to recover and reuse, whch s partcularly dangerous for persstent cookes that are strongly dscouraged to use. Threshold-based secret sharng [8, 9] has been extensvely studed n cryptography. A (k, m) threshold scheme splts a secret nto m shares and dstrbutes each share to an entty. Any k shares can be used to fully recover the secret whle any number of shares less than k wll not be able to recover the secret. Threshold-based secret sharng has recently been proposed to use n CorO, a dstrbuted O servce by Josephson et al. [10]. CorO s used to authentcate usersrograms, and servces, whch are referred to as prncpals. In CorO, each party has a par of publc and prvate keys. A set of authentcaton servers create a par of publc and prvate keys K, } and { k uses a threshold scheme wth a threshold t to splt the prvate key k and stores a dstnct share at each authentcaton server of the set. The publc key K s sent to and stored by an applcaton server A whch uses the set of authentcaton servers for authentcaton servce. The prvate key k speaks for the set of the authentcaton servers. A prncpal C also has a par of publc and prvate keys K, } where the { c k c prvate key k c speaks for the prncpal. When a prncpal C wants to access an applcaton server A, the prncpal C uses ts prvate key k c to encrypt a fresh challenge from the applcaton server A, and requests authentcaton servers to certfy ts publc key K c. Each authentcaton server, after proper dentty checkng, generates for the prncpal C a partal certfcate whch s an encrypted verson of the content ncludng the prncpal C, ts publc key K, vald tme of the certfcate, etc. wth ts partal c share of k. The prncpal C combnes the t partal certfcates receved from t authentcaton servers to compute a certfcate sgned wth the authentcaton prvate key k, whch s then sent together wth the challenge encrypted wth the prncpal s prvate key k c to the applcaton server A. The applcaton server A uses the authentcaton servers publc key K to verfy the receved certfcate, and then extracts the prncpal s publc key K c to decrypt the encrypted challenge and compare wth the orgnal challenge t sends to C to decde f the prncpal s allowed to access the applcaton server. It s clear that the threshold scheme and authentcaton servers are used to replace the conventonal Certfcate Authorty (CA) to certfy the publc key for each prncpal n CorO. The requrement of a par of publc and prvate keys for each prncpal renders CorO napproprate for web-based sngle sgn-on authentcaton servce for users,.e. the applcaton arena targeted by.net Passport and the Lberty Allance, snce CorO does not provde any portablty n ts authentcaton
servce. A user cannot easly use dfferent computers to access a web servce the user has permsson to access snce t s very nconvenent and nsecure to carry hs or her prvate key around. In ths paper, we present a dstrbuted, user-frendly O system based on threshold-based secret sharng. Our O system s called ThresPassport a threshold scheme-based Passport. In ThresPassport, a partcpatng servce provder selects a secret key K s and utlzes a threshold scheme to splt K s nto partal shares, each partal share s sent to an authentcaton server out of band durng regstraton of the servce provder. ThresPassport s clent module utlzes a user s account name and password to generate a dstnct logn credental for the user to authentcate to each authentcaton server. An authentcaton server uses ts partal share of the secret key K s to encrypt a challenge from the servce provder passed to t from a user s clent module. The clent module combnes t encrypted challengers from t authentcaton servers, computes a challenge encrypted by the servce provder s secret key K s, and passes the result to the servce provder, whch decrypts the receved encrypted challenge and compares wth the orgnal challenge to decde f the user s granted access permsson. ThresPassport shows many sgnfcant advantages over.net Passport and CorO, whch are dscussed n detal later n ths paper. The paper s organzed as follows. In ecton 2 we descrbe n detal the archtecture and protocols of our dstrbuted O system, ThresPassport. ecurty and comparson wth.net Passport and CorO are then presented n ecton 3. The paper concludes n ecton 4. 2 ThresPassport A ThresPassport O system conssts of three partes: users who want to access servce provders, servce provders who provde servces to users, and authentcaton servers whch offer sngle sgn-on servces for partcpatng users to access partcpatng servce provders. In ThresPassport, a server module s nstalled n the partcpatng servce provder s server, and a downloadable web browser s plug-n s nstalled to a user s clent machne. Before gong to ThresPassport detals, the notaton used n ths paper s ntroduced frst. 2.1 Notaton A partcpatng servce provder. A partcpatng user. A The -th authentcaton server. ID A unque ID for a partcpatng user. ID A unque ID for a partcpatng servce provder. AID An unque ID for the -th authentcaton server A. K A secret key generated by and known only to.
K The -th partal share of K s generated by a threshold scheme. K A secret key for to authentcate to the -th authentcaton server A. p 1 2 Two properly selected prme ntegers 2 > p1. g A generator n Ζ, 2 g p1 2. * p 1 K, A A sesson key between a user and the -th authentcaton server A. < m > k A message m encrypted by a symmetrc cpher wth a key k. k p < m >, It means m k mod p where m Z p. n X Nonce generated by entty X. r X A random number generated by entty X. [ x ] x s optonal n descrbng a protocol. 2.2 ThresPassport Protocols ThresPassport s dvded nto two phases: the setup phase and the authentcaton phase. In the setup phaseartcpatng servce provders and users regster to authentcaton servers, and generate and send secret keys securely to authentcaton servers out of band. Those keys wll be used n the authentcaton phase to authentcate a user to authentcaton servers and to a servce provder. In the followng, we assume that there are n authentcaton servers n total and a (t, n) threshold scheme s used to share a servce provder s secret key K. s 2.2.1 etup Protocols for Partcpatng ervce Provders and sers Durng the setup phase, both partcpatng servce provders and users are requred to regster wth the authentcaton servers and nstall a server module on servce provders servers and a clent web browser plug-n on users machnes. A partcpatng servce provder utlzes the followng protocol to regster securely to authentcaton servers. 1. : Generates a secret key K, 1 K p2 2, and calculate 1 1 1 1 2. K such that K K = K K = mod ( p 1) 2. : ses a (t, n) threshold scheme to splt K nto n shares K, 1 n. 3. A, 1 n: ID, K. 4. A, 1 n : uccess. A stores ID and K for later usage. A user also needs to regster wth the authentcaton servers before he or she can enjoy the authentcaton servce provded by ThresPassport. The followng protocol s
used to regster a user to the authentcaton servers. The regstraton process must be secure. 1. : Generates a unque user name and a good password. The clent program generates a unque ID from the user name. 2. : Computes K = hash ( sername, Password, A ), 1 n. 3., 1 n: ID, K. A 4. A, 1 n : uccess. A stores ID and K for later usage. 2.2.2 ser Authentcaton Protocol to an Authentcaton erver If a user has not authentcated to an authentcaton server A yet durng a sngle sgn-on process of ThresPassport, the user s requred to authentcate to A before A can help authentcate the user to a servce provder. A challenge-response protocol such as the followng one usng the shared key K derved from the user s password can serve the purpose and generate a sesson key for subsequent confdental communcatons between the user and the authentcaton server. 1. A : Authentcaton request. 2. A : n A. 3. A : ID, < r, n, n >. 4. A : A A K A K < r, n, n > or falure. In tep 3, generates the authentcaton key K from s password wth the equaton K = hash ( sername, Password, A ). In tep 4, A uses the receved ID to extract the correspondng key K to decrypt the receved message and encrypt the message to be sent. The decrypted nonce n A s compared aganst that sent n tep 2 to decde what to send n tep 4. If the protocol ends successfully, a sesson K, s generated at both ends by hashng the communcated random numbers r A and r : K = hash( r, r ). Ths sesson key s used for subsequent confdental A, A A communcatons between and A for the sesson. Once the sesson ends, K, s A destroyed and a user has to authentcate to A agan through the above protocol. A sesson can be termnated by a user or when the lfetme set by the securty polcy expres.
2.2.3 ngle gn-on Protocol The followng protocol s used for a user s clent module to acqure an authentcaton token from authentcaton servers and to gan access to a servce provder. 1. : Request access to a servce. 1 2. : ID, n,[ < g > r ], [a lst of t authentcaton servers {, 1 f t} ]. 3. For 1 f t Ad f r 1 3.1: A d f : ID, n, [ < g > ],[ID] 3.2: 2 A : < ID,, n, [ < g > ] > d f d r 1 K f r 1 K 2 4. : ID, < ID,, n, [ < g > ] >, [ < n > k], r r 1 where k =< g >. 5. : access s granted or dened. In tep 2, the servce provder pcks up t lve authentcaton servers from all avalable authentcaton servers based on workloads, bandwdthsrocessng power, relablty, etc. and sends to the user s module. Ths means that a servce provder may need to montor status of authentcaton servers. An alternatve soluton s that the clent s module tres to fnd t lve authentcaton servers from the lst of n authentcaton servers receved from the servce provder. If the lst of authentcaton servers s already known to clents, there s no need to send the lst to a clent. In tep 3, f the user has not authentcated to the t authentcaton servers yet or the precedng sessons have expred, the user authentcaton protocol descrbed n ecton 2.2.2 s used to authentcate the user to each authentcaton server A and set up a secure communcaton channel between and d f A d f wth a sesson key K, A d f before gong to tep 3.1. Note that the communcatons between the user and an authentcaton server n teps 3.1 and 3.2 are confdental by usng the sesson key K, obtaned when the user s authentcated to the server, although the message A d f sent n tep 3.2 s not necessary to be confdental snce t s already encrypted. The clent n tep 4 computes an authentcaton token r 1 K 2 < ID,, n, [ < g > ] > from the receved t partal authentcaton token d r 1 K f 2 < ID,, n, [ < g > ] >. In tep 5, the servce provder uses the secret key 1 K known only to tself to decrypt the receved token: 1 r, 1 p K K r ]) ) = ( ID,, n, [ < g > ]) mod p 2 1 (( ID,, n, [ < g >, and makes a decson f access s granted or dened. If secure communcaton s desred after s sgned to, the optonal tems related to the generator g are also communcated n the protocol. The sesson key for subsequent confdental communcatons between
r r 1 and s set to be < g >, whch s k n tep 4. Ths sesson key s n fact generated wth the Dffe-Hellman key agreement [11]. r 1 K 2 Both the authentcaton token < ID,, n, [ < g > ] > and the partal au- 2 thentcaton token < ID,, n, [ < g > ] > contan whch s an unque network ID of the user s clent machne such as the network address. Note that nonce and random numbers n dfferent protocols have no relatonshp even though we use the same notaton n descrbng the protocols. d r 1 K f 3 ecurty and Comparson wth Other Os 3.1 ecurty of ThresPassport In ThresPassport, a servce provder s key K s generated by and known only to the provder. Authentcaton servers do not know and cannot deduce ths secret key unless t or more authentcaton servers collude. Ths secret key never transfers over a network and s under full control by ts rghtful owner. uch a desgn guarantees the securty of the secret key. On the clent sde, a user s password s never used drectly n authentcaton. Instead t s used wth a one-way functon to derve the authentcaton keys used to authentcate the user to authentcaton servers. An authentcaton server A cannot use the authentcaton key K t knows to recover the password or the user s authentcaton keys to other authentcaton servers wthout a brute force attack. Note that the authentcaton key K s never transferred over a network except durng the setup stage. That sad, a user s password should be complex enough to avod weak keys snce the authentcaton keys K are generated from the password, and hence contan no more entropy than the password. nce passwords are entered at the clent sde, certan securty and tamper resstance are requred for the clent module. uch a requrement s typcal n most securty software at the clent sde. For example, there should be no malcous module between the user and the clent module to launch a man-n-the-mddle attack to mpersonate the user n communcatng wth the clent module. The sesson keys stored by the clent module durng the lfe of the sesson should not be examned by untrustworthy programs. Our desgn also mnmzes such a rsk. In ThresPassport, a user s password s lve n memory n a very short tme. It s overwrtten once the authentcaton keys { K } are generated. Once the authentcaton process to authentcate a user to servers s over, the authentcaton keys } { K are overwrtten. Only the temporal, one-tme sesson keys are stored n memory and used n subsequent communcatons between the clent and authentcaton servers durng the lfe of the sesson.
3.2 Comparson wth Other Os { k In ths subsecton, we would lke to compare ThresPassport wth.net Passport [5] and CorO [10]. To an end user, ThresPassport appears the same and as easy to use as.net Passport. The complexty to authentcate a user to multple authentcaton servers n ThresPassport s completely hdden nsde the protocols and software. On the other hand, ThresPassport shows several mportant advantages over.net Passport. On the securty sde, there s no sngle central pont contanng all the secret credentals n ThresPassport. All secret credentals are completely controlled by each rghtful owner: a servce provder s key s controlled by and known only to the provder. A user s password s controlled by and known only to the user (and to the clent s module n a very short tme). Hackers have to compromse up to t authentcaton servers to ncur securty damage to ThresPassport, thanks to the (t, n) threshold scheme used n the system. nce.net Passport requres L/TL channels to communcate between the user and the Passport server, an approprate Publc Key Infrastructure (PKI) must be n place. Lke Kerberos, ThresPassport does not depend on any PKI. In ThresPassport, sesson keys replace authentcaton cookes n.net Passport for authentcaton, and therefore mtgate the rsk that a subsequent user recovers the precedng user s authentcaton cookes n.net Passport to mpersonate the precedng user to llegally access servce provders. A user s prvacy s also better protected n ThresPassport, thanks to the notorous prvacy track record of cookes. On the relablty sde, ThresPassport s no longer a system of a sngle pont of falure lke.net Passport due to ts dstrbuted authentcaton servers. Any t out of the total n authentcaton servers can provde authentcaton servces to users n the system. It s much more dffcult to launch a dstrbuted denal-of-servce attack to dsable all but t 1 or less authentcaton servers. On the contrary, a successful denalof-servce attack to the Passport server would dsrupt authentcaton servces completely n.net Passport. ThresPassport s also scalable, dealng well wth both small and large systems wth a large varety of users and servce provders. ThresPassport also shows several sgnfcant advantages over CorO. ThresPassport enables portablty that CorO lacks. A user can use any computer (as long as the ThresPassport s clent module s downloaded and nstalled) to sgn on and access a servce provder n ThresPassport. In CorO, a trustworthy authorty s assumed, whose role s to generate a par of publc and prvate keys K, } for a set of authentcaton servers and to use a threshold scheme to splt the prvate key k nto partal shares dstrbuted to and stored by ndvdual authentcaton servers. In ThresPassport, each party controls ts own secrets, and there s no dependency on the exstence of such a trustworthy authorty. Ths advantage s extremely attractve when authentcaton servers are controlled and admnstrated by dfferent companes snce n ths case federaton s needed to acheve a vrtual trustworthy authorty. A thrd advantage s that approprate PKI s requred n CorO, recall that each of the three partes n CorO, a prncpal, a servce provder, or a set of authentcaton servers, has a par of publc and prvate keys speakng for tself. As we have just mentoned above, ThresPassport does not depend on any PKI whch dramatcally ncreases ts chance to be wdely adopted and employed.
4 Concluson In ths paper, we have presented ThresPassport, a web-based, dstrbuted sngle sgnon system usng passwords, threshold-based secret sharng, and encrypton-based authentcaton tokens. In ThresPassport, crtcal secrets such as a servce provder s sgn-on key and a user s password are always controlled by and known only to the orgnal owner. Every authentcaton server owns partal authentcaton nformaton of a clent or a servce provder. A threshold number of authentcaton servers are requred to accomplsh an authentcaton servce. ThresPassport depends on nether PKI nor exstence of a trustworthy authorty. It s as transparent and easy to use as.net Passport. ThresPassport offers many sgnfcant advantages over.net Passport and other proposed Os on securtyortablty, ntruson and fault tolerance, scalablty, relablty, and avalablty. References 1. Internet Engneerng Task Force: RFC 1510: The Kerberos Network Authentcaton ervce (V5) (1993) 2. Pashalds, A., Mtchell, C. J.: A Taxonomy of ngle gn-on ystems. In afav-nan, eberry, J. (eds.): 8th Australasan Conf. Info. ecurty and Prvacy (ACIP) 2003. Wollongong, Australa, July 9-11, 2003. Lecture Notes n Computer cence, Vol. 2727, prnger-verlag, Berln Hedelberg New York (2003) 249 264 3. http://www.projectlberty.org 4. http://www.oass-open.org/commttees/tc_home.php?wg_abbrev=securty 5. http://www.passport.com 6. Kormann, D. P., Rubn, A. D.: Rsks of the Passport ngle gnon Protocol. IEEE Computer Networks, 33 (2000) 51 58 7. Opplger, R.: Mcrosoft.NET Passport: A ecurty Analyss. IEEE Computer Magazne, 36 (7) (2003) 29 35 8. hamr, A.: How to hare a ecret. Communcatons of ACM, 24 (11) (1979) 612 613 9. houp, V.: Practcal Threshold gnatures. Proc. EROCRPT 00, Lecture Notes n Computer cence, Vol. 1807rnger-Verlag, Berln Hedelberg New York (2000) 207 220 10. Josephson, W. K., rer, E. G., chneder, F. B.: Peer-to-Peer Authentcaton wth a Dstrbuted ngle gn-on ervce. 3rd Int. Workshop on Peer-to-Peer ystems (IPTP 04), an Dego, A (2004) 11. Menezes, A. J., van Oorschot, P. C., Vanstone,. A.: Handbook of Appled Cryptography, CRC Press, London, New York (1997)