Enabling Trust in Single Sign-On Using DNS Based Authentication of Named Entities

Full Text (PDF, 918KB), PP.41-53



Usman Aijaz N 1,*, Nikita Mittal 2, Mohammed Misbahuddin 3, A Syed Mustafa 1

1. VTU, HKBKCSERC, Bangalore 560045, India

2. Reliance Jio Infocomm Ltd, Mumbai, India.

3. CDAC (Centre for Development of Advanced Computing)/ACTS & BD, Bangalore 560100, India

* Corresponding author.

DOI: https://doi.org/10.5815/ijwmt.2022.01.05

Received: 24 Aug. 2021 / Revised: 23 Sep. 2021 / Accepted: 18 Oct. 2021 / Published: 8 Feb. 2022

Index Terms

DNS, DNSSEC, DANE, SAML, TLSA, IP Address, Digital Certificates


Single Sign-On (SSO) allows a client to access multiple partner e-services through a single login session. It is convenient for users, who neither have to set up separate credentials for each service nor log in to each one individually. SSO authentication is a password-based approach that lets end users log in to multiple systems and websites with one set of credentials, and it is particularly useful for IT organizations running many different commercial applications. Its outstanding feature is that it gives organizations centralized control over their systems by granting each individual an appropriate level of access. It reduces password fatigue and increases security, because users only need to remember a single username and password that grants them access to multiple systems. However, SSO also concentrates risk in a single point of attack, which can become a path for cybercrime. This paper proposes a trust model that strengthens SSO systems against the vulnerabilities discussed in the subsequent sections. The proposed model, named the DANE-based Trust Plugin (DTP), acts as an added security layer over DNS-Based Authentication of Named Entities (DANE). The DTP introduces a modified SAML XML schema that enables it to counter these attacks.
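The abstract positions DANE as the trust anchor beneath the DTP: an SSO party verifies the peer's TLS certificate against DNSSEC-signed TLSA records instead of relying on the CA ecosystem alone. The following is an added example, not the paper's DTP code, showing that check in Python's standard library. It assumes certificates are handled as opaque DER bytes (so only TLSA selector 0, the full certificate, is implemented; selector 1 would need an ASN.1 parser), models the resolver's DNSSEC validation result as a constructed `dnssec_validated` flag, and uses constructed byte strings in place of real certificates.

```python
"""Added example: checking a peer certificate against DANE TLSA records.

Constructed illustration of the DANE step an SSO identity or service provider
could apply; not the paper's DTP implementation. Assumption: certificates are
opaque DER bytes, so only selector 0 (full certificate) is supported.
"""
import hashlib
from dataclasses import dataclass

# TLSA field values as defined in RFC 6698 / RFC 7671.
MATCHING_FULL, MATCHING_SHA256, MATCHING_SHA512 = 0, 1, 2
SELECTOR_FULL_CERT, SELECTOR_SPKI = 0, 1
USAGE_DANE_EE = 3  # record names the end-entity certificate itself


@dataclass(frozen=True)
class TLSARecord:
    usage: int
    selector: int
    matching_type: int
    data: bytes
    dnssec_validated: bool  # constructed stand-in for the resolver's AD bit


def tlsa_owner_name(port: int, proto: str, host: str) -> str:
    """Owner name under which TLSA records are published (RFC 6698 section 3)."""
    return f"_{port}._{proto}.{host.rstrip('.')}."


def association_data(cert_der: bytes, selector: int, matching_type: int) -> bytes:
    """Compute the certificate association data a TLSA record would carry."""
    if selector != SELECTOR_FULL_CERT:
        # Assumption: SPKI extraction (selector 1) is not implemented here.
        raise NotImplementedError("selector 1 (SPKI) needs DER parsing")
    if matching_type == MATCHING_FULL:
        return cert_der
    if matching_type == MATCHING_SHA256:
        return hashlib.sha256(cert_der).digest()
    if matching_type == MATCHING_SHA512:
        return hashlib.sha512(cert_der).digest()
    raise ValueError(f"unknown matching type {matching_type}")


def dane_match(cert_der: bytes, records) -> bool:
    """True if any DNSSEC-validated DANE-EE record matches the presented certificate."""
    for r in records:
        if not r.dnssec_validated:
            continue  # RFC 7671: TLSA data without DNSSEC validation must not be trusted
        if r.usage != USAGE_DANE_EE:
            continue  # PKIX-TA / DANE-TA usages need chain building; out of scope here
        try:
            if association_data(cert_der, r.selector, r.matching_type) == r.data:
                return True
        except NotImplementedError:
            continue  # unsupported selector: skip the record rather than trust it
    return False


def tlsa_presentation(r: TLSARecord) -> str:
    """Zone-file form of a record: 'usage selector matching-type hex-data'."""
    return f"{r.usage} {r.selector} {r.matching_type} {r.data.hex()}"


# Constructed sample data: stand-ins for DER-encoded certificates.
IDP_CERT_DER = b"constructed-der-certificate-bytes-for-idp.example"
ROGUE_CERT_DER = b"constructed-der-bytes-for-a-different-cert"
GOOD_RECORD = TLSARecord(3, 0, 1, hashlib.sha256(IDP_CERT_DER).digest(), True)
UNSIGNED_RECORD = TLSARecord(3, 0, 1, hashlib.sha256(IDP_CERT_DER).digest(), False)

if __name__ == "__main__":
    print(tlsa_owner_name(443, "tcp", "idp.example"))
    print(tlsa_presentation(GOOD_RECORD))
    print("validated match:", dane_match(IDP_CERT_DER, [GOOD_RECORD]))
    print("unsigned record:", dane_match(IDP_CERT_DER, [UNSIGNED_RECORD]))
    print("other cert:", dane_match(ROGUE_CERT_DER, [GOOD_RECORD]))
```

The two negative cases matter most for an SSO deployment: a TLSA record that the resolver could not validate is ignored rather than trusted, so a spoofed DNS answer cannot introduce a certificate, and a certificate that does not hash to the published association data is rejected even when its chain would pass ordinary PKIX validation.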

Cite This Paper

Usman Aijaz N, Nikita Mittal, Mohammed Misbahuddin, A Syed Mustafa, "Enabling Trust in Single Sign-On Using DNS Based Authentication of Named Entities", International Journal of Wireless and Microwave Technologies (IJWMT), Vol. 12, No. 1, pp. 41-53, 2022. DOI: 10.5815/ijwmt.2022.01.05
