
The Research Of Authentication Techniques Under WEB Environment

Posted on: 2004-07-18
Degree: Doctor
Type: Dissertation
Country: China
Candidate: Y N Ma
GTID: 1118360125453622
Subject: Computer applications

Abstract/Summary:
With the development of Internet applications, people's dependence on authentication has increased. Web service is one of the most popular services in the Internet environment, but authentication techniques under the web environment differ from general, traditional authentication techniques because of the special characteristics of the web environment, so it is very important to differentiate these two situations.

Starting from traditional authentication techniques, taking the characteristics of the current web environment into account, and combining current web authentication techniques with PKI authentication techniques, this paper designs a secure authentication environment and finally realizes single sign-on. The main achievements of this paper are as follows:

1) Analyze every kind of security component, summarize their usage, and give a method for customizing the Apache authentication system.

2) Design a secure data transfer system, the Hybrid Cryptograph Transfer Protocol, and prove its validity through BAN logic.

3) Discuss the key management techniques needed in authentication protocols. Propose possible solutions for existing PKI problems. Realize the cooperation of CA and LDAP, and give a method for accessing the LDAP server securely.

4) Propose five design principles for secure credentials. Design different solutions for different scenarios with different security granularities, and give the corresponding source code. Improve the security of Passport's credential by using UID plus IP instead of UID only.

5) Reduce the difficulties of Single Sign-on to two points. The first is to produce authentication credentials for customers and then to proliferate the credentials when needed; the second is to correspond the authentication identity to the authentication identity. Propose the encryption characteristics of cookies, and then propose a more secure distributed cookie storage scheme. With regard to access control, propose a "pull" model based on the "push" model in [ZXZ02].

6) Give the "Pull" model and "Push" model for authentication and access control of PKI Single Sign-on, which incorporate proxy certificates and attribute certificates.

7) Propose an integrated Single Sign-on model which combines web Single Sign-on with PKI Single Sign-on.
Keywords/Search Tags: network security, authentication protocol, web, cookie, credential, PKI, Single Sign-on