Security Enhancement of Single Sign on Mechanism for Distributed Computer Networks

Single sign-on mechanisms allow users to sign on only once and have their identities automatically verified by each application or service they want to access afterwards. There are few practical and secure single sign-on models, even though it is of great importance to current distributed application environments. Most of current application architectures require the user to memorize and utilize a different set of credentials (eg, username/password or tokens) for each application he/she wants to access. However, this approach is inefficient and insecure with the exponential growth in the number of applications and services a user has to access both inside corporative environments and at the Internet. Single sign-on (SSO) is a new authentication mechanism that enables a legal user with a single credential to be authenticated by multiple service providers in distributed computer networks. Recently, Chang and Lee proposed a new SSO scheme and claimed its security by providing well-organized security arguments. In this paper, however, it is shown that their scheme is actually insecure as it fails to meet security during communication. This paper shows the Chang & Lee scheme and it aims to enhance security using AES encryption and decryption. Implementation is done using socket programming in Java.