
SAML Cross-domain Single Sign-on Authentication Protocol Based on Convertible Proxy Signcryption
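Cite this article: WANG Guan-zhong, ZHANG Bin, FEI Xiao-fei, XIONG Hou-ren. SAML Cross-domain Single Sign-on Authentication Protocol Based on Convertible Proxy Signcryption[J]. Computer Science, 2015, 42(4): 106-110, 115.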
Authors: WANG Guan-zhong, ZHANG Bin, FEI Xiao-fei, XIONG Hou-ren
Affiliation: The Third Institute, PLA Information Engineering University, Zhengzhou 450001
Funding: This work was supported by the Henan Province Basic Research Program (142300413201).
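Abstract: Convertible proxy signcryption offers user privacy protection, resistance to replay attacks, and non-repudiation. Based on this algorithm, a SAML cross-domain single sign-on protocol (SSPCPS) is proposed. The user interacts and authenticates directly with the server in the heterogeneous domain, which simplifies the cross-domain single sign-on authentication process. The user identity ticket is generated from both parties' public keys combined with parameters randomly chosen by the user, and is transmitted as ciphertext, so an attacker who steals the token still cannot invoke the service. The user signcrypts the digest with the proxy signature key, which reduces computation while also protecting user privacy. SSPCPS negotiates the session key using the DH algorithm, which simplifies session key distribution and lowers management cost. The security of the protocol is proved in the CK security model and its performance is analyzed. The results show that the protocol provides forward secrecy, message integrity and other properties, and that it outperforms the SSPPS protocol, the Juang scheme, the Kerberos mechanism and others in the amount of computation and the computation time needed to generate the ticket.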

Keywords: proxy signcryption; single sign-on; Security Assertion Markup Language; authentication

SAML Cross-domain Single Sign-on Authentication Protocol Based on Convertible Proxy Signcryption
WANG Guan-zhong, ZHANG Bin, FEI Xiao-fei and XIONG Hou-ren. SAML Cross-domain Single Sign-on Authentication Protocol Based on Convertible Proxy Signcryption[J]. Computer Science, 2015, 42(4): 106-110, 115.
Authors: WANG Guan-zhong, ZHANG Bin, FEI Xiao-fei and XIONG Hou-ren
Affiliation: The Third Institute, The PLA Information Engineering University, Zhengzhou 450001, China
Abstract: The convertible proxy signcryption algorithm has the advantages of protecting user privacy, resisting replay attacks, and providing non-repudiation. A SAML cross-domain single sign-on authentication protocol (SSPCPS) is proposed based on this algorithm. Because the user interacts and authenticates directly with the heterogeneous domain server, the protocol simplifies the SSO authentication process. The user token is generated by combining selected random parameters with the public key and is transferred in encrypted form, which improves the security of the protocol: an attacker cannot use the service even if the token is stolen. The proxy signature key is used to signcrypt the digest, which reduces the amount of computation and also protects the user's privacy. The session key is negotiated using the DH algorithm, which simplifies the distribution process and reduces the management cost. The security of the protocol is proved in the CK security model and a performance analysis is presented. The results indicate that the protocol provides forward secrecy, message integrity, etc., and that the amount of computation and the computation time for generating the token are better than those of the SSPPS protocol, the Juang scheme, the Kerberos scheme, etc.
Keywords: Proxy signcryption; Single sign-on; SAML; Authentication
This article has been indexed by Wanfang Data and other databases.