AugSSO: Secure Threshold Single-Sign-On Authentication With Popular Password Collection

IF 7.7 2区计算机科学 Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS

IEEE Transactions on Mobile Computing Pub Date : 2025-01-03 DOI:10.1109/TMC.2024.3525453

Changsong Jiang;Chunxiang Xu;Guomin Yang

{"title":"AugSSO: Secure Threshold Single-Sign-On Authentication With Popular Password Collection","authors":"Changsong Jiang;Chunxiang Xu;Guomin Yang","doi":"10.1109/TMC.2024.3525453","DOIUrl":null,"url":null,"abstract":"Single-sign-on authentication is widely deployed in mobile systems, which allows an identity server to authenticate a mobile user and issue her/him with a token, such that the user can access diverse mobile services. To address the single-point-of-failure problem, threshold single-sign-on authentication (PbTA) is a feasible solution, where multiple identity servers perform user authentication and token issuance in a threshold way. However, existing PbTA schemes confront critical drawbacks. Specifically, these schemes are vulnerable to perpetual secret leakage attacks (PSLA): an adversary perpetually compromises secrets of identity servers (e.g., secret key shares or credentials) to break security. Besides, they fail to achieve popular password collection, which is an effective means of enhancing system security. In this paper, we propose a secure PbTA scheme with popular password collection, dubbed AugSSO. In AugSSO, we conceive an efficient key renewal mechanism that allows identity servers to periodically update secret key shares in batches, and require storage of hardened password-derived public keys in credentials for user authentication, thereby resisting PSLA. We also present a popular password collection mechanism, where an aggregation server is introduced to identify popular passwords without disclosing unpopular ones. We provide security analysis and performance evaluation to demonstrate security and efficiency of AugSSO.","PeriodicalId":50389,"journal":{"name":"IEEE Transactions on Mobile Computing","volume":"24 5","pages":"4355-4370"},"PeriodicalIF":7.7000,"publicationDate":"2025-01-03","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"IEEE Transactions on Mobile Computing","FirstCategoryId":"94","ListUrlMain":"https://ieeexplore.ieee.org/document/10821484/","RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}

引用次数: 0

Abstract

Single-sign-on authentication is widely deployed in mobile systems, which allows an identity server to authenticate a mobile user and issue her/him with a token, such that the user can access diverse mobile services. To address the single-point-of-failure problem, threshold single-sign-on authentication (PbTA) is a feasible solution, where multiple identity servers perform user authentication and token issuance in a threshold way. However, existing PbTA schemes confront critical drawbacks. Specifically, these schemes are vulnerable to perpetual secret leakage attacks (PSLA): an adversary perpetually compromises secrets of identity servers (e.g., secret key shares or credentials) to break security. Besides, they fail to achieve popular password collection, which is an effective means of enhancing system security. In this paper, we propose a secure PbTA scheme with popular password collection, dubbed AugSSO. In AugSSO, we conceive an efficient key renewal mechanism that allows identity servers to periodically update secret key shares in batches, and require storage of hardened password-derived public keys in credentials for user authentication, thereby resisting PSLA. We also present a popular password collection mechanism, where an aggregation server is introduced to identify popular passwords without disclosing unpopular ones. We provide security analysis and performance evaluation to demonstrate security and efficiency of AugSSO.

查看原文本刊更多论文

AugSSO：安全阈值单点登录认证与流行的密码收集

单点登录身份验证在移动系统中被广泛部署，它允许身份服务器对移动用户进行身份验证，并向她/他发出令牌，这样用户就可以访问各种移动服务。为了解决单点故障问题，阈值单点登录身份验证（PbTA）是一种可行的解决方案，其中多个身份服务器以阈值方式执行用户身份验证和令牌发布。然而，现有的PbTA方案面临着严重的缺陷。具体来说，这些方案容易受到永久秘密泄漏攻击（PSLA）的攻击：攻击者会永久地泄露身份服务器的秘密（例如，秘密密钥共享或凭证）以破坏安全性。此外，它们无法实现流行的密码收集，而密码收集是增强系统安全性的有效手段。在本文中，我们提出了一种安全的PbTA方案，具有流行的密码收集功能，称为AugSSO。在AugSSO中，我们设想了一种有效的密钥更新机制，允许身份服务器定期批量更新密钥共享，并要求在用户身份验证凭证中存储强化的密码派生公钥，从而抵抗PSLA。我们还提出了一种流行的密码收集机制，其中引入了聚合服务器来识别流行的密码而不泄露不流行的密码。通过安全分析和性能评估，论证了AugSSO的安全性和高效性。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

IEEE Transactions on Mobile Computing 工程技术-电信学

CiteScore

12.90

自引率

2.50%

发文量

403

审稿时长

6.6 months

期刊介绍： IEEE Transactions on Mobile Computing addresses key technical issues related to various aspects of mobile computing. This includes (a) architectures, (b) support services, (c) algorithm/protocol design and analysis, (d) mobile environments, (e) mobile communication systems, (f) applications, and (g) emerging technologies. Topics of interest span a wide range, covering aspects like mobile networks and hosts, mobility management, multimedia, operating system support, power management, online and mobile environments, security, scalability, reliability, and emerging technologies such as wearable computers, body area networks, and wireless sensor networks. The journal serves as a comprehensive platform for advancements in mobile computing research.