Abstract: Single sign-on (SSO) is a session/user authentication process that permits a user to enter one name and password in order to access multiple applications. The process authenticates the user for all the applications they have been given rights to and eliminates further prompts when they switch applications during a particular session. Unforgeability, credential privacy, and soundness are the basic requirements of any SSO scheme. Chang and Lee proposed a new SSO scheme and claimed its security by providing well-organized security arguments. Their scheme is actually insecure, however, as it fails to meet credential privacy and soundness of authentication. Specifically, their scheme suffers from two severe attacks. The first attack allows a malicious service provider, who has successfully communicated with a legal user twice, to recover the user’s credential and then to impersonate the user to access resources and services offered by other service providers. In the second, an outsider attack, an unauthorized or illegitimate user of the system may be able to enjoy network services freely by impersonating any legal user or a nonexistent user. To overcome these drawbacks, we propose an improvement to the Chang and Lee SSO scheme that makes use of the efficient symmetric key encryption technique of SERPENT key signatures.

Keywords: Authentication, authorization, distributed computer networks, information security, single sign-on (SSO).