With the increased use of the internet, user authentication for accessing the different services provided by a service provider has become cumbersome for both the user and the service provider. For every service, the user is required to remember a different password, and the service provider has to incur the cost of maintaining all of the users' passwords, such as the cost of handling a large number of IT help-desk calls about passwords. With single sign-on, users only need to memorize a single password for all the services provided by a service provider. Single sign-on is a mechanism that enables a user to access a variety of services through one user ID and password, without a separate authentication process for each service. Different authentication processes are used in single sign-on, such as enterprise single sign-on, web single sign-on, Kerberos, federated identity, OpenID, etc.
In Kerberos-based single sign-on, when a user tries to access the protected services of a service provider, the service provider redirects the user to an authentication server. The authentication server generates a Ticket Granting Ticket (TGT), encrypts it using the user's password, and returns the encrypted TGT to the user's device. When the user wants to access a service, the user's device sends the TGT to a Ticket Granting Service (TGS), which validates the user's TGT and grants a service-granting ticket to the user. The user sends the service-granting ticket to the service provider to access the services, and the service provider provides the requested services to the user.
One of the drawbacks of the Kerberos authentication process is the possibility of compromise of the TGT or the service-granting ticket. Using a compromised TGT or service-granting ticket, an unauthorized user can access the services from the account of the authorized user. This exposes the system to replay attacks by unauthorized users.
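The following is an added illustration, not part of the original text and not the method this document goes on to propose. It models the two exchanges described above (authentication server issues a TGT; the TGS validates the TGT and an accompanying authenticator) and shows the defensive check that standard Kerberos (RFC 4120) uses against the replay of a captured message: the authenticator carries a timestamp that must fall within a clock-skew window, and the TGS keeps a replay cache so that an identical authenticator presented a second time is rejected. The "encryption" is a toy encrypt-then-MAC over a SHA-256 keystream, the password-derived key uses PBKDF2 as a stand-in for Kerberos' string-to-key function, and the principal name and password are constructed sample values; none of these are the document's own choices.

```python
import hashlib
import hmac
import json
import os
import time

CLOCK_SKEW = 300  # seconds; Kerberos' usual 5-minute acceptance window (assumption for this model)


def derive_key(password: str, salt: bytes) -> bytes:
    """Stand-in for Kerberos string-to-key: derive a 32-byte key from the user's password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Toy counter-mode keystream from SHA-256 (illustration only, not a real cipher)."""
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


def seal(key: bytes, obj: dict) -> bytes:
    """Encrypt-then-MAC a JSON object: nonce || ciphertext || HMAC-SHA256 tag."""
    pt = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    tag = hmac.new(key, nonce + ct, "sha256").digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> dict:
    """Verify the tag first, then decrypt; a forged or tampered blob raises ValueError."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, "sha256").digest(), tag):
        raise ValueError("bad tag")
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))
    return json.loads(pt)


class KDC:
    """Authentication server: holds user keys and the TGS key, issues TGTs."""

    def __init__(self):
        self.users = {}              # principal -> (salt, password-derived key)
        self.tgs_key = os.urandom(32)  # shared with the TGS; the TGT is sealed under it

    def enroll(self, principal: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[principal] = (salt, derive_key(password, salt))

    def as_exchange(self, principal: str, now: int):
        """AS reply: TGT (readable only by the TGS) plus the session key, sealed under the user's key."""
        salt, user_key = self.users[principal]
        session_key = os.urandom(32)
        tgt = seal(self.tgs_key, {"client": principal, "key": session_key.hex(), "expires": now + 3600})
        reply = seal(user_key, {"session_key": session_key.hex(), "tgt": tgt.hex()})
        return salt, reply


class TicketService:
    """TGS: validates the TGT and the authenticator, rejecting stale and replayed authenticators."""

    def __init__(self, tgs_key: bytes):
        self.tgs_key = tgs_key
        self.replay_cache = {}  # (client, timestamp, nonce) -> time the entry can be dropped

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, now: int) -> str:
        t = unseal(self.tgs_key, tgt)
        if now > t["expires"]:
            return "TICKET_EXPIRED"
        a = unseal(bytes.fromhex(t["key"]), authenticator)  # only the TGT's session key opens it
        if a["client"] != t["client"]:
            return "CLIENT_MISMATCH"
        if abs(now - a["ts"]) > CLOCK_SKEW:
            return "SKEW"  # outside the window: too old (or a bad clock) to be accepted
        self.replay_cache = {k: v for k, v in self.replay_cache.items() if v > now}  # prune expired
        key = (a["client"], a["ts"], a["nonce"])
        if key in self.replay_cache:
            return "REPLAY"  # same authenticator seen before inside the window
        self.replay_cache[key] = now + CLOCK_SKEW
        return "OK"


def client_login(kdc: KDC, principal: str, password: str, now: int):
    """Client side of the AS exchange: recover the session key and the opaque TGT."""
    salt, reply = kdc.as_exchange(principal, now)
    r = unseal(derive_key(password, salt), reply)
    return bytes.fromhex(r["session_key"]), bytes.fromhex(r["tgt"])


def make_authenticator(session_key: bytes, principal: str, now: int) -> bytes:
    """Fresh authenticator: client name, current timestamp and a random nonce under the session key."""
    return seal(session_key, {"client": principal, "ts": now, "nonce": os.urandom(8).hex()})


def demo():
    """Legitimate request, then a captured authenticator replayed twice, then a fresh one."""
    now = int(time.time())
    kdc = KDC()
    kdc.enroll("alice@EXAMPLE", "correct horse")  # constructed sample principal and password
    tgs = TicketService(kdc.tgs_key)
    session_key, tgt = client_login(kdc, "alice@EXAMPLE", "correct horse", now)
    auth = make_authenticator(session_key, "alice@EXAMPLE", now)
    first = tgs.tgs_exchange(tgt, auth, now)                       # "OK"
    replayed = tgs.tgs_exchange(tgt, auth, now + 10)               # "REPLAY": cache hit
    stale = tgs.tgs_exchange(tgt, auth, now + 2 * CLOCK_SKEW)      # "SKEW": outside the window
    fresh = tgs.tgs_exchange(tgt, make_authenticator(session_key, "alice@EXAMPLE", now + 20), now + 20)  # "OK"
    return first, replayed, stale, fresh


if __name__ == "__main__":
    print(demo())
```

Two checks do the work: the skew window bounds how long a captured authenticator stays usable at all, and the replay cache closes the remaining window by remembering every authenticator accepted within it. The TGT itself is unchanged between the calls, which is the point of the drawback described above: a stolen ticket is only as dangerous as the server's willingness to accept the same proof of possession twice.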
Therefore, there is a need for a robust single sign-on authentication method that is safe from replay attacks.