Title: A SSO Service of integrating SAML and EAP-SIM Authentication, and Its Security Consideration
Author: Chia-Tung Hu
Dr. Yi-Shiung Yeh
Institute of Computer Science and Engineering
Keywords: Single Sign-on; SAML; EAP-SIM; Web Services; SOAP
Issue Date: 2004
Abstract: SAML, proposed by OASIS, defines three kinds of assertion: authentication assertions, attribute assertions, and authorization decision assertions. These assertions add security to Web Services built on an XML architecture, and SAML can also be used across platforms to achieve single sign-on (SSO).

At present, most SSO services, such as Microsoft's Passport, require users to authenticate by manually keying in confidential personal information such as an e-mail address and password. Few theses propose an automatic authentication method for SSO services. EAP-SIM is an authentication method of the Extensible Authentication Protocol (EAP) that reuses the subscriber authentication of GSM mobile phone networks. It provides mutual authentication between the client device and the network, so that only valid client devices can gain access; unlike plain GSM authentication, which authenticates only the subscriber, EAP-SIM also lets the client verify the network, because the server must prove knowledge of a key derived from fresh GSM triplets for that SIM. Its distinguishing feature is the use of a SIM card, a type of smart card that holds subscriber information used in accounting procedures as well as data used to encrypt transmitted voice and data. SIM cards, though most commonly used in mobile phones, are now appearing in notebooks, PDAs, and other devices to integrate wireless LANs (WLAN) with GSM mobile phone networks.

The purpose of this thesis is to propose an SSO service that integrates SAML and EAP-SIM authentication, so that users do not have to key in their confidential personal information manually in order to authenticate and achieve SSO, and to discuss the security considerations of this SSO service.
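The mutual authentication the abstract attributes to EAP-SIM can be made concrete with a small model of the RFC 4186 challenge exchange. The following is an added example written for this page, not code from the thesis: the SIM algorithms A3/A8 and the RFC's FIPS 186-2 key-derivation PRF are replaced by HMAC-SHA1 stand-ins, EAP packet framing is reduced to the bytes that AT_MAC covers, and the IMSI, Ki and realm are constructed values. What it shows is the property the thesis relies on for SSO: the user types nothing, the SIM answers the network's RAND challenge, the peer refuses a network that cannot MAC the challenge with a key derived from that SIM's Kc values, and the server refuses a client that cannot MAC its response with the same key.

```python
import hashlib
import hmac
import os

# Constructed example (not the thesis's code): simplified model of EAP-SIM
# (RFC 4186) mutual authentication. Assumptions: A3/A8 are modelled with
# HMAC-SHA1 over the SIM secret Ki (a real SIM runs operator algorithms such
# as COMP128 and never exposes Ki); K_aut is derived from MK with HMAC-SHA1
# instead of the RFC's FIPS 186-2 PRF; EAP framing is reduced to MAC'd bytes.

VERSION_LIST = b"\x00\x01"      # EAP-SIM version 1 offered by the server
SELECTED_VERSION = b"\x00\x01"  # version chosen by the peer
KI = b"constructed-Ki-0001"     # constructed SIM secret, known to SIM and AuC only
IMSI = "466920000000001"        # constructed IMSI

def a3a8(ki: bytes, rand: bytes):
    """Simulated SIM algorithms: RAND -> (SRES 32 bit, Kc 64 bit)."""
    out = hmac.new(ki, rand, hashlib.sha1).digest()
    return out[:4], out[4:12]

def derive_mk(identity: bytes, kcs, nonce_mt: bytes) -> bytes:
    """RFC 4186 s.7: MK = SHA1(Identity | n*Kc | NONCE_MT | Version List | Selected Version)."""
    return hashlib.sha1(identity + b"".join(kcs) + nonce_mt + VERSION_LIST + SELECTED_VERSION).digest()

def derive_k_aut(mk: bytes) -> bytes:
    """Assumption: HMAC-SHA1 stands in for the FIPS 186-2 PRF that yields K_encr, K_aut, MSK, EMSK."""
    return hmac.new(mk, b"K_aut", hashlib.sha1).digest()

def at_mac(k_aut: bytes, packet: bytes, extra: bytes) -> bytes:
    """RFC 4186 s.10.14: AT_MAC = first 16 bytes of HMAC-SHA1(K_aut, packet | extra)."""
    return hmac.new(k_aut, packet + extra, hashlib.sha1).digest()[:16]

class AuC:
    """Home network: holds Ki per IMSI and hands out GSM triplets (RAND, SRES, Kc)."""
    def __init__(self, subscribers):
        self.subscribers = subscribers

    def triplets(self, imsi: str, n: int):
        ki = self.subscribers[imsi]
        return [(r,) + a3a8(ki, r) for r in (os.urandom(16) for _ in range(n))]

class Server:
    """EAP server: sees only triplets, never Ki; proves itself to the peer with AT_MAC."""
    def __init__(self, auc: AuC, n: int = 2):
        self.auc, self.n, self.state = auc, n, {}

    def challenge(self, identity: bytes, nonce_mt: bytes) -> dict:
        imsi = identity.decode()[1:].split("@")[0]      # permanent identity "1<IMSI>@realm"
        trips = self.auc.triplets(imsi, self.n)
        k_aut = derive_k_aut(derive_mk(identity, [kc for _, _, kc in trips], nonce_mt))
        self.state[identity] = (trips, k_aut)
        rands = b"".join(r for r, _, _ in trips)        # AT_RAND payload
        return {"rands": rands, "mac": at_mac(k_aut, rands, nonce_mt)}  # MAC also covers NONCE_MT

    def verify(self, identity: bytes, response: dict) -> bool:
        trips, k_aut = self.state.pop(identity)
        expected = at_mac(k_aut, response["packet"], b"".join(s for _, s, _ in trips))  # covers n*SRES
        return hmac.compare_digest(expected, response["mac"])

class Peer:
    """Supplicant with a SIM: the user types nothing; the SIM answers the challenge."""
    def __init__(self, imsi: str, ki: bytes, realm: str = "wlan.example"):
        self.identity, self.ki, self.nonce_mt = f"1{imsi}@{realm}".encode(), ki, os.urandom(16)

    def respond(self, chal: dict, check_network: bool = True):
        rands = [chal["rands"][i:i + 16] for i in range(0, len(chal["rands"]), 16)]
        pairs = [a3a8(self.ki, r) for r in rands]
        k_aut = derive_k_aut(derive_mk(self.identity, [kc for _, kc in pairs], self.nonce_mt))
        # Network authentication: only a server holding fresh triplets for this SIM
        # can MAC these RANDs together with our NONCE_MT; a rogue AP fails here.
        if check_network and not hmac.compare_digest(at_mac(k_aut, chal["rands"], self.nonce_mt), chal["mac"]):
            return None
        packet = b"EAP-Response/SIM/Challenge"
        return {"packet": packet, "mac": at_mac(k_aut, packet, b"".join(s for s, _ in pairs))}

def run(scenario: str = "ok") -> str:
    """ok: genuine SIM and network; rogue_network: RANDs altered in transit;
    rogue_peer: client without the real Ki that skips the network check."""
    server = Server(AuC({IMSI: KI}))
    peer = Peer(IMSI, b"wrong-Ki" if scenario == "rogue_peer" else KI)
    chal = server.challenge(peer.identity, peer.nonce_mt)
    if scenario == "rogue_network":
        chal["rands"] = os.urandom(len(chal["rands"]))
    resp = peer.respond(chal, check_network=(scenario != "rogue_peer"))
    if resp is None:
        return "peer rejected network"
    return "authenticated" if server.verify(peer.identity, resp) else "server rejected peer"

if __name__ == "__main__":
    for s in ("ok", "rogue_network", "rogue_peer"):
        print(s, "->", run(s))
```

The point for the SSO design is that the EAP server learns an authenticated identity (the permanent identity carrying the IMSI) without any user-typed secret, and that identity is what a SAML authentication assertion would then carry to the service providers; the example stops at the EAP result and does not model the SAML side, which the thesis itself specifies.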
URI: http://140.113.39.130/cdrfb3/record/nctu/#GT009217614
http://hdl.handle.net/11536/74190
Appears in Collections: Thesis