Applying a Single Sign-On Algorithm Based on Cloud ... - IEEE Xplore

2013 IEEE 11th Malaysia International Conference on Communications 26th - 28th November 2013, Kuala Lumpur, Malaysia

Applying a Single Sign-On Algorithm Based on Cloud Computing Concepts for SaaS Applications

Faraz Fatemi Moghaddam
Faculty of Computer Science & Information Technology, U.P.M. University, Kuala Lumpur, Malaysia
[email protected]

Omidreza Karimi*, Mostafa Hajivali**
Department of Computer Science, Staffordshire University, Kuala Lumpur, Malaysia
*[email protected], **[email protected]

978-1-4799-1532-3/13/$31.00 ©2013 IEEE

This work was supported in part by U.P.M. University, Asia Pacific University (A.P.U.), and Meta Soft Co. (Medica Tak Company), Selangor, Malaysia.

Abstract— The rapid growth of using cloud computing environments for storing data and deploying on-demand software is an undeniable fact that has attracted the attention of IT service providers to this emerging technology. Accordingly, a considerable number of cloud-based applications were presented by service providers with different specifications. Managing profile details in various accounts is one of the most challenging issues for users. On this basis, this paper offers a cloud-based single sign-on model for reliable access to cloud computing software-as-a-service applications. In the proposed model, a cloud-based application and two separate cloud servers were presented to apply a secure and efficient SSO model for accessing cloud computing environments. Furthermore, some security tools and techniques such as Secure Socket Layer (SSL) for transmission processes and the Advanced Encryption Standard (AES) cryptography algorithm for storing purposes were used to increase the performance and reliability of the suggested model. The performance of this model was analysed and compared with a similar client-based SSO model and, according to the results, this model is more efficient than client-based models. In addition, the theoretical security analysis of the proposed model shows that the algorithm is reliable enough for establishing secure connections between SaaS application service providers and users.

Keywords—Cloud Computing, Single Sign-on, Software-as-a-Service, Advanced Encryption Standard, Password Manager

I. INTRODUCTION

Software-as-a-Service (SaaS) is an innovative software delivery model to establish applications and their associated data on cloud computing environments [1]. The rapid growth of using cloud computing environments for storing data and deploying on-demand software is an undeniable fact that has attracted the attention of IT service providers to this emerging technology. Overall, there are seven main characteristics that have been applied in SaaS applications [2]: accessed via the web, managed upgrades, vendor support, low customization, subscription pricing, success based revenue model, and shift to service-based mentality. According to these specifications, many SaaS applications have been presented in cloud computing environments by many service providers (e.g. Google Apps, iCloud, Microsoft Outlook, etc.). However, one of the most challenging issues for users of these applications is to remember and manage their profile details (i.e. username, password, security questions and email) in various subscribed SaaS applications. The most popular way of solving this problem is using a common profile detail for all accounts [3], but this solution will decrease the security of user accounts in various applications after losing one of the accounts during an attack or unpredictable event. Moreover, common profile details may not be compatible with all accounts because of some established restrictions [4] by different service providers, such as password length or special characters in usernames. Due to these limitations and weaknesses, an effective and intelligent property seems to be essential for increasing the efficiency in cloud-based applications.

II. SINGLE SIGN-ON (SSO)

Single sign-on is a type of secure technology that provides a single action for users to access a group of applications related to the entry point [5]. The SSO model has many advantages such as conventional authentication support, password security increase, password re-entering and administrative overhead reduction, effectiveness improvement of disabling all accounts for terminated users, and centralized reports for compliance adherence [6].

There are many SSO models that were presented by many service providers according to the considerable benefits of this service. Using Cookies for saving users' verified information is the traditional type of SSO. In this type, the user information is verified through the Cookie when the user logs in to another system. Implementing SSO by key distributed centre and authenticating the user uniformly is another type of SSO, in which user information is sent to the key distributed centre by a ticket request if the sign up process is verified. By this request a server ticket will be generated by the key distributed centre to allow the user to use the corresponding services [5]. Furthermore, presenting Security Assertion Mark-up Language (SAML) as an assertion-based mechanism for controlling access to the resources for authenticated principals to provide authentication, attribute, and authorization decision-making [7] is another protocol for SSO. Finally, centralized user identity authentication management and the function of information bidirectional authentication are the other SSO models that were presented to improve the security and efficiency in web-based environments [8]. In the model that is presented in this paper, the effect of using a Single Sign-On platform in cloud computing environments is investigated according to the described concepts in SSO models.

III. RESEARCH METHODOLOGY

In this research, the proposed model has been introduced and various tools and techniques have been established to increase the efficiency of the SSO process in cloud computing environments. Furthermore, specifications of the suggested model have been considered to identify strengths and weaknesses of the schema. Finally, this model has been evaluated by appropriate simulation and defined parameters, and effects of using this model on cloud computing environments have been identified.

IV. INTRODUCTION OF PROPOSED MODEL TOOLS

The proposed model was designed by using concepts of agent [9], version 3.0 of Secure Socket Layer (SSL) [10], the Advanced Encryption Standard (AES) [11] model, a middle cloud server, and a middle SaaS application to apply a secure and efficient SSO model for accessing cloud computing environments.

A. Password Manager Agent (PMA)
Password Manager Agent is a client-based agent that is installed on browsers as an extension. The main obligation of PMA is to communicate with the single sign on cloud server for simultaneously signing on to various SaaS applications.

B. Single Sign On Cloud Server (SSOCS)
Single sign on cloud server is a middle-based cloud server that has two main servers: Password Cloud Server (PCS) and Keys Cloud Server (KCS). Different usernames and passwords are encrypted and stored in PCS and all the keys are stored in KCS.

C. Single Sign On SaaS Application (SSOSA)
SSOSA is a cloud-based application that manages usernames and passwords, encrypts them and stores them in PCS, stores keys in KCS, decrypts usernames and passwords, connects to various cloud computing environments and SaaS applications, and provides user requests from various applications to the client.

D. Secure Socket Layer (SSL)
SSL is used for transferring data between PMA and SSOSA. Moreover, it is used for the communications between SSOSA and various SaaS applications.

E. Advanced Encryption Standard (AES)
AES is a private key cryptography algorithm that is used by SSOSA for encrypting data and storing them in PCS. In addition, keys are stored in KCS. According to the nature of the project, AES-192 or AES-256 have been chosen for cryptography processes.

V. PROPOSED ALGORITHM

The proposed algorithm is presented in this section according to the described tools. Furthermore, Figure 1 shows this algorithm in brief.

Fig. 1. Proposed Model Schema

A. Storing Usernames and Passwords
1. User installs PMA as an extension in his browser.
2. By using PMA and signing on to this extension, the user can access SSOSA for storing his various usernames and passwords.
3. SSOSA generates keys according to AES-256 and encrypts the given usernames and passwords.
4. After the encryption process, encrypted data are stored on PCS and keys are stored on KCS.


B. Accessing to Various SaaS Applications
1. User accesses SSOSA by signing on to PMA.
2. User requests access to a specific cloud-based SaaS application from SSOSA.
3. SSOSA gets the encrypted username and password from PCS and the related keys from KCS.
4. Username and password are decrypted and sent to the requested SaaS application for the signing on process.
5. After the confirmation process, data are transferred from the SaaS application to SSOCS and after that transferred to the user browser.

VI. SPECIFICATIONS OF THE PROPOSED MODEL

A. Using a Cloud Server for Storing Passwords
In the proposed model, usernames and passwords are stored in a cloud-based server and are accessible anytime and anywhere according to cloud computing concepts. Accordingly, the proposed model is more efficient and accessible in comparison with similar client-based password manager and single sign on systems. Furthermore, usernames and passwords are stored encrypted in PCS by one of the most powerful symmetric-key cryptography algorithms (AES-256 or AES-192) for increasing the security and reliability of the model.

VII. ANALYSIS OF DATA IN SSOSA, PCS AND KCS

As was described, SSOSA involves a cloud-based SaaS application that connects to two main cloud servers. The required data is processed in SSOSA, encrypted with the AES-256 cryptography algorithm and stored in PCS according to the following tables:

TABLE I: DATA RECORDS AT SSOSA BEFORE ENCRYPTION

UserID   Service Provider   Username   Password   Last Access
Y57478   Office 365         Faraz      12345678   01.09.2012
A85797   Google Docs        Omid       11111111   04.04.2013

TABLE II: ENCRYPTED DATA RECORDS STORED AT PCS

RecID   UserID   Service Provider   Username   Password   Last Access


TABLE III: KEYS DATA RECORDS STORED AT KCS

KeyID     RecID           Pass Key
H354373   AH4465464987    SA754JFG34673HDFH4357DJN//HJR87U5
S574735   FS47545321968   JFG574586ERUEJETGHRU47G//KUYK756

Tables I-III show the type of data records at SSOSA, PCS, and KCS. According to the records, keys are linked to data by a specific id (RecID). Moreover, the names of service providers are stored on PCS by encrypting specific IDs that have been defined by SSOSA. This means that if all data and keys are lost in an attack and usernames and passwords are decrypted by the attacker, he will not be able to match usernames and passwords to the correct and related service provider.
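The values printed in Table II begin with "U2FsdGVkX1", which is the base64 encoding of the ASCII header "Salted__" that OpenSSL's passphrase-based enc format places before an 8-byte salt and the ciphertext. The following Python code is an added example, not code from the paper: it parses such a field and reports what it discloses without any key. The MD5-based, single-iteration EVP_BytesToKey derivation and CBC with PKCS#7 padding are assumptions (the paper does not name its library), and the sample records are constructed.

```python
import base64
import hashlib

MAGIC = b"Salted__"   # header of OpenSSL's passphrase-based `enc` format
SALT_LEN = 8
AES_BLOCK = 16


def parse_salted(b64_text):
    """Split one stored field into (salt, ciphertext); reject anything else."""
    raw = base64.b64decode(b64_text, validate=True)
    if raw[:len(MAGIC)] != MAGIC:
        raise ValueError("no Salted__ header: not a passphrase-based envelope")
    salt = raw[len(MAGIC):len(MAGIC) + SALT_LEN]
    body = raw[len(MAGIC) + SALT_LEN:]
    if len(salt) != SALT_LEN or not body or len(body) % AES_BLOCK:
        raise ValueError("truncated salt, or ciphertext is not whole AES blocks")
    return salt, body


def evp_bytes_to_key(passphrase, salt, key_len=32, iv_len=16):
    """ASSUMED derivation: legacy EVP_BytesToKey with MD5 and one iteration.

    D1 = MD5(pass || salt), Dn = MD5(Dn-1 || pass || salt). The first key_len
    bytes become the AES-256 key, the next iv_len bytes the CBC IV.
    """
    material, block = b"", b""
    while len(material) < key_len + iv_len:
        block = hashlib.md5(block + passphrase + salt).digest()
        material += block
    return material[:key_len], material[key_len:key_len + iv_len]


def audit_field(name, b64_text):
    """Report what a stored PCS field reveals to someone holding no key."""
    salt, body = parse_salted(b64_text)
    return {
        "field": name,
        "salt_hex": salt.hex(),
        "blocks": len(body) // AES_BLOCK,
        # Assuming PKCS#7 padding (1..16 pad bytes), the plaintext length
        # is bounded by the ciphertext length.
        "plaintext_len": (len(body) - AES_BLOCK, len(body) - 1),
    }


def make_sample(salt, n_blocks):
    """Constructed envelope: real header and salt, filler instead of ciphertext."""
    filler = hashlib.sha256(salt).digest() * n_blocks
    return base64.b64encode(MAGIC + salt + filler[:AES_BLOCK * n_blocks]).decode()


if __name__ == "__main__":
    row = {"Username": make_sample(b"\x01" * 8, 1),   # constructed sample row
           "Password": make_sample(b"\x02" * 8, 2)}
    for field, value in row.items():
        print(value[:10], audit_field(field, value))
    key, iv = evp_bytes_to_key(b"constructed-pass-key", b"\x01" * 8)
    print("derived key/IV lengths:", len(key), len(iv))
```

If the derivation assumption holds, the strength of each record rests on the entropy of the Pass Key held in KCS (Table III) and on the key derivation function, not only on the 256-bit AES key size.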

B. Different Cloud Servers for Passwords and Keys
Usernames and passwords are encrypted and stored in PCS and all cryptography keys are stored in a different cloud server. This separation helps to increase the security of passwords according to the power of the AES cryptography algorithm. This means that if the encrypted data are lost by possible attacks or unpredictable events, the attacker needs 1.1 × 10^17 possible combinations for decrypting each password and this amount of combinations needs approximately 3.31 × 10^56 years [12]. This amount of time shows that passwords are stored quite safely and that after a possible attack, users have enough time to change their passwords without any concerns.

C. Using SSL During Data Transmission
SSL is the most appropriate solution for providing security in the data transmission process [13]. Accordingly, SSL was established in the proposed model in data transmissions between PMA and SSOSA for providing a secure and reliable transmission.

D. Accessing to SSOSA with Browser Extension
The user can access the single sign on cloud server by logging in to an installed extension in his browser. This extension increases the dependency of the single sign on process on the web browser and can use the security and error-handling tools of web browsers without establishing a new stand-alone application.

VIII. EVALUATION OF THE PROPOSED MODEL

The simulation process was done to compare the proposed model with a similar client-based single sign on system. Accordingly, a client-based single sign on prototype was implemented and run on a 2.40 GHz Intel® Core™ i5 CPU and 4.00 GB RAM PC (Com-A). Moreover, a cloud-based SaaS application was simulated on a 3.06 GHz 6-Core Intel® Xeon CPU and 64.00 GB RAM (8×8GB) Mac Pro Server (Com-B) and was connected to Com-A (as PMA) via a wireless network. Furthermore, Microsoft Office 365, Google Docs, Microsoft Outlook, and iCloud have been chosen as target SaaS Applications. The following figure shows the simulation process in detail:

Fig. 2. Simulation of the Proposed Model

The process of storing usernames and passwords was simulated as follows:
• Cloud-Based SSO: Sending details from Com-A, encrypting and storing data in Com-B.
• Client-Based SSO: Encrypting and storing details in Com-A.

The following table shows the time of the storing process in both models according to the AES-192 and AES-256 algorithms:

TABLE IV: TIME OF STORING PROCESS IN CLOUD-BASED AND CLIENT-BASED SSO ACCORDING TO AES-192 AND AES-256 ALGORITHMS

Algorithm   Cloud-Based SSO (ms)   Client-Based SSO (ms)
AES-192     2754                   7345
AES-256     3124                   9247

The simulation results show that the time of storing data in the cloud-based SSO model is significantly less than in the client-based SSO model, even with one more step (i.e. sending to Com-B). This happened due to the weakness of Com-A in the encryption process, and it shows that the dependency of the encryption process on the hardware of clients decreases the performance of the encryption algorithm considerably, especially in portable devices (e.g. smart phones, tablets, etc.).

In addition, the time of the sign in process in each model was tested and is shown in the following diagram. This time includes decryption of account details, log in and transmission processes.

Fig. 3. Sign In Process in Various SaaS Applications (bar chart of time in ms, axis 0 to 8000, for Microsoft 365, Google App, Outlook.com and iCloud; series: Cloud-Based SSO and Client-Base SSO; data labels as extracted: 7301, 6467, 6347, 5357, 3507, 3671, 3374, 3503)

According to the results, the cloud-based SSO model takes between 37 and 49% less time than the client-based SSO model for connecting, sending account details, and receiving data from SaaS applications. This time difference happened because of the dependency of the client-based SSO model on the hardware performance of clients during decryption of account details from stored data.

IX. SECURITY EVALUATION OF THE PROPOSED MODEL

The theoretical security analysis of the proposed model shows that the algorithm is reliable enough for establishing secure connections between SaaS application service providers and users. The most important advantage of this model is using a cloud-based SaaS application with two separate cloud servers. This separation and encrypting usernames and passwords with the AES-256 cryptography algorithm increase the reliability and security of the proposed model for storing details of various user accounts in a cloud server without any concerns. Furthermore, using SSL between PMA and SSOSA establishes security during data transmission processes. In addition, using browser extensions as PMA leads to an efficient dependency between PMA and web browsers and lets PMA use the strengths of web browsers in different ways, especially in security parts. Overall, the proposed model provides a reliable cloud-based environment for storing important personal details without security concerns [14].

X. CONCLUSION

The proposed model is a cloud-based single-sign-on algorithm as an effective solution to increase the efficiency in cloud-based applications according to the limitations [15] and weaknesses of similar client-based models. The proposed model was designed and described by establishing two cloud servers for storing encrypted account details and cryptography keys. Moreover, a cloud-based SaaS application was designed to connect clients and SaaS service providers. Using AES-256 and SSL in the suggested model improves the security of the cloud-based SSO algorithm. In conclusion, the reliability of the proposed model has been assured for storing users' important data according to the specifications of the model.


ACKNOWLEDGMENT

We acknowledge the assistance and logistical support provided by Meta Soft Co. (Medica Tak Sdn Bhd), Dr. Maen T. Alrashdan, Dr. Pardis Najafi, and the bright memory of Dr. Enayat Fatemi Moghaddam.

REFERENCES

[1] Y. Wang, B. Zhang, Y. Liu, and D. Wang, “The Modeling Tool of SaaS Software,” in Proc. 2nd International Conf. on Advanced Computer Control (ICACC), Shenyang, 2010, vol. 2, pp. 298-302.
[2] J. Ju, Y. Wang, J. Fu, J. Wu, and Z. Lin, “Research on Key Technology in SaaS,” in Proc. International Conf. on Intelligent Computing and Cognitive Informatics (ICICCI), Kuala Lumpur, 2010, pp. 384-387.
[3] H. Luo, and P. Henry, “A Common Password Method for Protection of Multiple Accounts,” in Proc. 14th IEEE Proceeding on Personal, Indoor and Mobile Radio Communications (PIMRC), 2003, vol. 3, pp. 2749-2754.
[4] W. Ma, J. Campbell, D. Tran, and D. Kleeman, “Password Entropy and Password Quality,” in Proc. 4th International Conf. on Network and System Security (NSS), Melbourne, 2010, pp. 583-587.
[5] Y. Chen, B. Wu, B. Xia, and L. Shi, “Design of Web Service Single Sign-On Based on Ticket and Assertion,” in Proc. 2nd International Conf. on Artificial Intelligence, Management Science and Electronic Commerce (AIMSEC), Deng Leng, 2011, pp. 297-300.
[6] Y. Jian, “An Improved Scheme of Single Sign-on Protocol,” in Proc. Fifth International Conf. on Information Assurance and Security (IAS), Xian, 2009, vol. 1, pp. 495-498.
[7] W. Xiuyi, W. Lingyan, H. Jihong, and C. Qingrong, “Security Research on a SAML-Based Single Sign-on Implement Mode,” Microcomputer Information Journal, vol. 24, pp. 81-83, Aug 2007.
[8] N. Fengming, X. Feng, and Q. Rongzhi, “SAML-Based Single Sign-On for Legacy System,” in Proc. IEEE International Conf. on Automation and Logistics (ICAL), Zhengzhou, 2012, pp. 470-473.
[9] F. Q. Zhang, and D. Y. Han, “Applying Agents to the Data Security in Cloud Computing,” in Proc. International Conf. on Computer Science and Information Processing (CSIP), Shaanxi, China, 2012, pp. 1126-1128.
[10] A. Freier, P. Karlton, and P. Kocher, “The Secure Sockets Layer (SSL) Protocol Version 3.0,” Internet Engineering Task Force (IETF), RFC 6101, pp. 12-16, Aug 2011.
[11] J. Daemen, and V. Rijmen, “AES Proposal: Rijndael,” National Institute of Standards and Technology, pp. 1-10, Apr 2001.
[12] M. Arora, (2012) How secure is AES against brute force attacks? EE Times Design Website [Online]. Available: http://www.eetimes.com/design/embedded-internetdesign/4372428/How-secure-is-AES-against-brute-force-attacks-/
[13] J. Claessens, V. Dem, D. De-Cock, B. Preneel, and J. Vandewalle, “On the Security of Today's Online Electronic Banking Systems,” Computers & Security, vol. 21, no. 3, pp. 253–265, Jun 2002.
[14] F. Fatemi Moghaddam, M. T. Alrashdan, and O. Karimi, “A Hybrid Encryption Algorithm Based on RSA Small-e and Efficient-RSA for Cloud Computing Environments,” Journal of Advances in Computer Networks, vol. 1, no. 3, pp. 238–241, 2013.
[15] F. Fatemi Moghaddam, Secure Cloud Computing with Client-Based Control System: Protection of Stored Cloud-Based Data by Increasing End-User’s Role, Chapter 1: Cloud Computing, 1st Edition. Saarbrücken: Lambert Academic Publishing (LAP), 2013, pp. 9-21.
