Computer Engineering (计算机工程) ›› 2012, Vol. 38 ›› Issue (16): 130-133. doi: 10.3969/j.issn.1000-3428.2012.16.033

• Security Technology •

SAML Single Sign-on Protocol Based on Proxy Signature

WANG Xi (王曦), ZHANG Bin (张斌)

  1. (Institute of Electronic Technology, PLA Information Engineering University, Zhengzhou 450004, China)
  • Received: 2011-10-11 Revised: 2011-12-05 Online: 2012-08-20 Published: 2012-08-17
  • About the authors: WANG Xi (born 1983), male, master's student; main research interest: network and information security. ZHANG Bin, professor, Ph.D.
  • Funding:
    Project supported by the National "973" Program of China (2011CB311801); project supported by the Henan Province Science and Technology Innovation Talent Program (114200510001)

Abstract: To address the problem of user security risk spreading during Security Assertion Markup Language (SAML) Single Sign-on (SSO), a user-centric SSO protocol based on proxy signature is presented. An access control mechanism is added when the secure session is established, which restricts the scope of services a user may visit through SSO and limits the time span during which the user may access them. The security of the protocol is analyzed in the random oracle model, and the results show that it can resist replay attacks on identity tickets and access tokens.

Key words: Single Sign-on (SSO), Security Assertion Markup Language (SAML), proxy signature, XML signature, replay attack, Discrete Logarithm Problem (DLP)

CLC number: