Title: Using the DNSSEC Architecture to Provide a Cross-Site Login Service
A DNSSEC-based OpenID Service
Author: Chiang, Meng-Huan
Chiang, Meng-Huan
Shieh, Shiuh-Pyng
Keywords: public identity authentication; certificate authority; public key system; OpenID; CA; DNSSEC; PKI
Publication date: 2011
Abstract: A cross-site login service lets a user log in once at a site dedicated to identity verification and then access resources on other service sites, without each service site having to run its own authentication server. A trust relationship must be established between the identity-verification site and the service sites. Most current systems establish this trust with certificates issued by commercial certificate authorities, but obtaining a commercial certificate is a considerable expense, and today's commercial CAs do not trust one another, so there is no trust anchor linking the various CAs. DNSSEC is built on a public key system and can establish trust links between different domains; since DNS is already widely used, we assume that DNSSEC will also be widely deployed in the future, and we consider DNSSEC a good choice for establishing trust links between domains. This thesis proposes an architecture that uses DNSSEC to provide a cross-site authentication service. We examine the feasibility of combining DNSSEC with cross-site login, and we provide a security and performance analysis of our approach.
OpenID separates service access and authentication into a service provider and an identity provider respectively. It is more convenient for service providers to share the same identities from a trusted identity provider. The trust relationship is constructed using commercial certificates issued by CAs. However, the current use of certificates carries considerable overhead because there is no global root CA. Without a global root CA, it is hard to manage trust relationships between different commercial CAs. DNSSEC provides a global public key infrastructure (PKI) for establishing trust relationships between different domains. It is a trend that DNSSEC will be widely deployed to secure the domain name service (DNS), and DNSSEC is a new option for certificate distribution. In this paper, we propose a scheme for a DNSSEC-based OpenID service. In addition, its performance has been evaluated and a security analysis has been carried out to prove its practicability.