A Novel Security Analysis against Impersonation Attacks for Distributed Systems | Original Article
Distributed systems and networks have been adopted by telecommunications, remote education, businesses, armies and governments. A widely applied technique for distributed systems and networks is single sign-on (SSO), which enables an authorized user to use a single secure credential to access multiple services from various service providers. There are many SSO schemes whose authors demonstrated their security by providing well-organized security arguments. However, their scheme is actually insecure, as it fails to meet credential privacy and confidentiality of authentication. Specifically, we present two impersonation attacks. The first attack allows a malicious service provider, who has successfully communicated with an authorized user twice, to recover the authorized user's credential and then to impersonate the user to access various services offered by other service providers. In the second attack, an attacker without any credential may be able to access the network services freely by impersonating any authorized user. Encryption and decryption of data sent between the user and the provider can improve the security of communication. It also decreases the overhead of the system and would lock hackers out of the system.