Essentially, SSO is a process that allows users to authenticate once, without the need to do so again throughout the user session. SSO has become increasingly popular in recent years, especially in organizations that deploy Web portal interfaces to facilitate third-party and backend systems such as enterprise resource planning and customer relationship management. Earlier this year, representatives from the International Space Station project announced that they had implemented SSO to accommodate 5,000 users from 16 countries. On an even grander scale, the U.S. Postal Service announced plans this year to install an SSO solution that will support 155,000 users and more than 7,000 applications and Web sites.
Given the expanding use of this technology, internal auditors should consider familiarizing themselves with SSO and understand how it alters the authentication process. Auditors should also examine the potential risks associated with this type of authentication in the event of an SSO implementation at their organization.
SSO systems come in several architectural permutations, most of which rely on a central server to facilitate authentication, authorization, password synchronization, and monitoring. In essence, the different architectures can be grouped into two categories: password synchronization and true SSO.
Password synchronization technology requires users to sign onto every system individually, but it synchronizes their password across the network. In other words, users possess multiple identifications (IDs)--one for each system--but only a single password.
With true SSO, a single encrypted "key" allows users to access all authorized target systems with just one password and ID. Under this scheme, central SSO servers authenticate users by accessing information in a security database. This database stores user credentials and system/application information. After the user successfully authenticates to the central SSO server, he or she is given a session ID that enables transparent validation while transversing various systems and servers.
In its most basic form, SSO is considered a single-factor authentication scheme, as it requires only one input--a password. By combining it with other technologies, however, SSO can be enhanced to deliver greater security. Authentication techniques such as one-time passwords (OTPs) and biometrics can each be used in conjunction with SSO to create either a two-factor or multi-factor authentication scheme.
BIOMETRICS Biometrics technology involves automated methods of identifying individuals based on "what they are," or a unique set of physiological traits. Depending on the device used, biometrics can establish identity by measuring face, fingerprint, hand geometry, handwriting, iris, retinal, vein, or voice characteristics. By relying on unique physiological traits, biometric authentication systems have proven effective for applications requiring a higher standard of security, such as those found in banking institutions, certain government settings, and the military.
A combination of biometric and SSO technology can be used to create two-factor authentication. For example, users could be required to enter an ID and password--"something you know"--and then touch a fingerprint reader attached to their computer--a measure of "what you are"--in order to be authenticated. The combination of the password and unique fingerprint results in what is known as "strong" authentication.
ONE-TIME PASSWORDS OTP technology creates a unique password value for each authentication, eliminating vulnerabilities associated with fixed passwords such as guessing and hacking. Generally, OTP solutions involve the use of a token or smart card. Tokens, which are small devices the size of a credit card, typically generate a new password value every 60 seconds. This value must then be combined with a personal identification number to form a one-time login password. In other words, the technology uses "something you have"--the token--combined with "something you know"--a password--to establish access controls.
Smart cards, which are also the size of credit cards, store some combination of password files, electronic credentials, one-time password seed files, and a biometric image on a single card. Smart-card applications can offer three-factor authentication by requiring users to present a smart card, enter a password, and verify their identity with a biometric scan.
"A major driver behind the creation of authentication infrastructure is Single Sign-On (SSO). In short, SSO is the ability for a user to authenticate once to a single authentication authority and then access other protected resources without re-authenticating." (Jan & Guido 2007, p. 533)
The Open Group defines Single Sign-on as a mechanism where a single action of user authenticating in to a system can permit the same user to access all the computers the user has privileges, without needing to enter multiple passwords to each and every obstacle. (Open Group, 2002)
Since Single Sign-On (SSO) has been developed, it has been most popular among all types of organizations to strengthen the security of their systems. Figure 6 shows an example of an SSO where there is a two step process, in which the user first authenticates with the primary DOMAIN 1(This could be the users designated computer system) and then when the user requests access to other DOMAINS (Secondary DOMAIN2 and Secondary DOMAIN3) the primary DOMAIN will serve as a proxy server and authenticate the user to other DOMAINS.
The advantage of Single Sign-On is this, that the user need to authenticate only once only with the primary system. (Primary DOMAIN). The primary system authenticates and builds a trust relationship with other secondary systems. Single Sign-On is easy on a user as the user don't need to remember multiple passwords rather than just one password which has a combination of characters and alphanumeric for security reasons.
Many organizations are currently trying to deploy Single Sign-On technologies that would surely provide security and convenience. Imagine a company with 50,000 employee, which is 1.25 x 109 (1.25 billion) keys. So to make convenient for users SSO technology can be used.
Two types of Single Sign-On solutions used today are centralized and decentralized data storage.
In Centralized data storage the user data will be stored in a centralized dedicated server which is network based. These data contains important user information which will be used by user day to day and users can login from any location workstation to perform their duties. A good example of such technology is Microsoft's .NET Passport Technology. In decentralized data storage the users' important data will be stored in local computer or at the particular location locally. These kind of systems are known as password vaults and are designed specifically to store passwords. An example of this is in Liberty Alliance. (Bobby, 2003)
- Single Sign-On has the ability to reduce the number of logins and create a user friendly environment for the user to perform duties.
- A single Sign-On application should be able to provide service both centralized data storage and decentralized data storage way.
Four of the Single Sign-On technologies covered in this paper are:
3- Liberty Alliance
4- Microsoft's .NET Passport
1 - Kerberos
Kerberos is a Single Sign-On (SSO) technology which was created in the 1980's as a part of MIT's "Athena Project".
'Microsoft introduced Kerberos as the new default authentication protocol in Windows 2000. Every Windows 2000, Windows XP, Windows Server 2003 and R2 OS platform includes a client Kerberos authentication provider.' (Jan & Guido 2007, p.303)
'Kerberos is an IT based services which uses secret key cryptography which provides an authentication for client/server applications. In brief Kerberos is a ticket based network authentication protocol utilizing symmetric cryptography, software that will add to the ability of operating systems (windows, Mac, etc) to authenticate users and server and manage session level security and encryption.' (Cheryl, 2006)
Kerberos can be used on Windows, UNIX and mainframe platforms, but requires extensive modification of client/server application code, and is thus not used by many legacy applications.
Picture walking in to a theme park, and is given two choices. Either use the credit card to buy a ticket for outlet or buy a day ticket which will grant for the rest of the day. It is serious issue for anyone to use credit card so often, so anyone would want a comfortable day with a day ticket. This is exactly what Kerberos does in Single Sign-On in organizations networks.
At the beginning of a working day a user enters his/her password in to the system which is running Kerberos. The key is checked by the Kerberos Key Distribution Center (KDC) and if matching then its authorized. KDC holds all users encrypted keys and are used throughout the day to authenticate users' access. There is a time to live set on the ticket for each user, normally after working hours the ticket expires for a user. So incase after office hours if another office colleague wants to sniff in to a friend's computer it would be impossible. (Apple Developer Connection, 2007)
According to Wikipedia.org, Kerberos is accessible on Windows, Mainframe and on UNIX platforms, but requires wide range of modifications of client/server application code. (Wikipedia n.d.)
Some of the architectures use the following components in Kerberos:
â€¢ Authentication Server (AS)
â€¢ Ticketing Granting Ticket (TGT)
â€¢ Ticketing Granting Service (TGS)
â€¢ Request Service
Authentication Server and Ticket Granting Service are realized as one central system called Key Distribution Center (KDC). A ticket contains user information such as the name and IP address of the user computer. Also a ticket includes lifetime value and session key for secure communication. This ticket is issued by the Authentication Server (AS) and is sent to the Resource Server.
The resource server receives all the necessary information about the user and checks whether the user representing the ticket is the authenticated user and whether the ticket is being used by the right user. When this proving is successful then only the user gets access to the server. The ticket can be used over and over again. The ticket is encrypted using the key of the receiving server which is to secure the content of the ticket. The user's client program in the user's computer creates the authenticator.
The authenticator needs to prove herself that the ticket is issued to the right user. The authenticator has the username, IP address of the client, time-stamp on the ticket, so with these identifications checked, the authenticator is generated at the user's computer by the client program. By comparing the tickets it is possible to know that the issuer is the right user.
Kerberos works with symmetrical keys which mean that the same keys are used for encryption and decryption. The sharing of symmetric keys and the secret key is very critical. A secure channel is used to distribute these keys. Authentication of user has to be carried out before the user wants to use the Kerberos system, for this the secret key is needed by the users. The following describes the Authentication process by using Kerberos. These processes show how to authenticate to the Authentication Server (AS) in order to get access to the ticket granting server (TGS).
Example: In this case Alice wants to authenticate to the Authentication Server.
1- Request at the Authentication Server
Alice wants to access the Ticket Granting Server (TGS) so she creates a message containing her information which includes name and the time and the request to access Ticket Granting Server and she sends it to the Authentication Server (AS). The Authentication Server acknowledges her message and tries to resolve Alice's name and authenticate the time strap. If the verification was successful and Alice is identified to the Authentication Server, the server is able to obtain Alice's secret key from its central database.
The Authentication Server is able to produce session keys for symmetrical encryption. These keys are provisional keys which are created in order to secure messaging between two parties. This session key is needed for the communication between Alice and the Ticket Granting Server (TGS). The user receives a copy of this session key encrypted in a message using the user's secret key. Another copy of the session key is dedicated to Ticket Granting Server. The Authentication Server creates the so called Ticket Granting Ticket (TGT) for the Ticket Granting Server (TGS) as well. This Ticket Granting Ticket (TGT) consists of the user's information.
When the ticket is created and encrypted it has to be known to the Ticket Granting Server (TGS) and only to the Authentication Server. (Thomas 2002, p. 20)
In Kerberos, the Authentication Server (AS) will authenticate itself to the user (Alice) by sending an encrypted message containing the server's name and a time-stamp. This time-stamp is very important in Kerberos as this is to protect against replay attacks. The default setting is 5 minutes, and setting a higher time-stamp creates bigger risks for replay attacks.
2- Getting the Ticket Granting Ticket (TGT)
The Kerberos Authentication Server (AS) sends the ticket and with the user's copy of the session key (SK1) to user (Alice) with both encrypted using the user's secret key. It is authenticated by the user and knows that only the user have access to this. The Authentication Server (AS) only answers to the requests from users, and does not ask for any user passwords. Only the authenticated user is able to decrypt the response send from the Authenticated Server (AS) after accessing the message using the password to generate the secret key. After decrypting the client stores the received session key and the Ticket Granting Ticket (TGT) for later use and the user's secret key is not needed in this session anymore. The Ticket Granting Ticket (TGT) can be used to access the Ticket Granting Server (TGS) and also will make way to acquire tickets needed for other services. Ticket Granting Ticket will expire after a given time.
3- Accessing Service
The Ticket Granting Server (TGS) issues tickets to access to individual sites and services. All the user has to do is send a request to the Ticket Granting Server (TGS) with name of the desired server which the user wants to access, Ticket Granting Ticket (TGT) and previously generated session key. After receiving the information the Ticket Granting Server verifies the authenticator, Ticket Granting Ticket (TGT) and if both are valid, the Ticket Granting Server (TGS) generates a new session key (SK2). This session key is the key between the client and the new desired server.
4- Obtaining a new Ticket
The Ticket Granting Server only generates new tickets for user's desired servers. The ticket contains the user's name, the name of the service which the ticket is issued for or the name of the server the ticket is issued for, IP address, the time-stamp, the new session key (SK2). Also in this ticket includes the lifetime value which is limited by the remaining lifetime of the Ticket Granting Ticket and the predefined maximum lifetime value for the desired server. . (Thomas 2002, p. 21) This ticket encrypted with the previous session key (SK1) needs to be wrapped and send to the Ticket Granting Server to obtain a new ticket.
5- Accessing the desired Server
With the new ticket the user will be able to access her desired servers.
After signing on once using Kerberos, the user gets the so called tickets after the user gets authenticated by the central server. These tickets are used by the user to enter the restricted areas, which are mainly other services and other servers. This ticket has several information of the user, such as the name, IP address of client, time-stamp, a life line value and a random session key which is used for the secure communication.
Components used in Kerberos are:
Key Distribution Center (KDC) - Service Cryptographic keys are held by Key (Secret) Distribution Center (KDC). Also users (Secret) keys are also held in KDC.
Authentication Service (AS) - This service performs the authentication, this is a functional component of Key Distribution Center (KDC)
Ticket Granting Service (TGS) - Aim is the distribution of keys, is also a part of Key Distribution Center (KDC)
Ticket - Authentication Token
Secret and Session Keys - Encrypted keys, using symmetric encryption
2 - Microsoft Passport
The .NET Passport technology was developed by Microsoft in 1999. This is a Sign Sign-On technology which is hosted, managed and owned by Microsoft Corporation. .NET passports have a centralized server that holds all the user information.
Windows Live ID is the new Microsoft Passport Network version which is interconnected Microsoft servers which is developed by Microsoft. .NET or Microsoft Passport allows access to websites using one user account. It is suppose to be new SSO for all web commerce. (Wikipedia n.d.)
The passport model consists of the client, the merchant and the passport Sign-On server. The client is at the user end, who has registered with passport service. The merchant is the people who market the product at online stores. The passport Sign-On server plays the most important role which is to organize and maintain central authority. This is a server and it holds users authentication information and his profile data, which allows interacting with the online merchants. Furthermore the passport model splits the clients' data which gives wallet. This is a client program holds the clients payment information such as the credit card data. Microsoft Passport Single Sign-On was developed for secure transactions in online shopping.
The core of the Passport's is the central database, which holds all registered users confidential data. For each user the Passport generates a unique identifier, this is called the Passport Unique Identifier (PUID). Ever user with a Passport Unique Identifier is unique.
Three security levels of authentication suiting the needs:
Standard Sign-On which is common application cases without extraordinary security restrictions. The Secure Chanel Sign-On boosts the Standard Sign-On profile by using SSL. Strong Credential Sign-On gives highest level of security with new edition to the secure channel sign-on. (Thomas 2002, p. 23)
Figure 9 - Single Sign-On with Microsoft Passport (Thomas 2002, p. 25)
In passport model, Standard Sign-On represents the lowest security level. SSL will be used is only in one occasions which is when a username and password are transferred to the Sign-On Server. This is when the user uses sites which have high security restrictions. The diagram above (Figure 8) shows authentication process in Single Sign-On with Microsoft Passport.
1- Redirection of MS Passport Server - Firstly the users use the sign-on link which is on merchant websites to link to Passport Sign-On server.
2- Accessing the Passport Sign-On Server - The user is linked to the dedicated Passport server. On this server, there is a sign-on page which identifies the merchant site where the user has been directed from. These merchant sites are given unique identification (ID) number the registered as a participating merchant. The request from the user bundles with the ID of the merchant as well, this is done to direct the user's browser to the preferred page when sign-on was successful.
3- Entering the user's credentials - The first check is whether the merchant ID of the site is identical to the ID in the user's request which also has the merchant ID. After cross matching this, the Passport server request to enter username and password in order to sign-on. SSL protocol is used to transfer the login data when the user submits user's data to the login server.
4- Obtaining the Cookies - The user is signed on when the Passport Sign-On server proves the received authentication information and matches it with the information stored in the server's database. The server claims the users Passport Unique Identifier and other information and creates cookies representing the user's status. A total of seven cookies are generated. In this paper there are three main cookies highlighted. Which is:
ï‚§ The Ticket Cookie, which consists of the Passport Unique Identifier (PUID) and the time-stamp.
ï‚§ The Profile Cookie which consists of user profile information and
ï‚§ The Visited sites Cookie which lists the sites the user has signed on.
These important cookies are encrypted using 3DES (Triple Data Encoding Standard algorithm). As stated earlier the key used for encryption of cookies was initially assigned when the site was registered to join Passport System. The server encrypts the cookies and returns the ticket and user information by adding them as query string to the return URL of the merchant site. The user's browser can be redirected according to the information added to this URL.
5- Accessing the Participating sites - To authenticate if the right user has accessed to the participating site, the Passport Manager running at the participating site's server extracts the return URL which was provided by the Passport server in order to obtain the containing ticket and user information. The Passport Manager at the participating site decrypts and obtains Passport Unique Identifier (PUID), the time stamp and information profile. After cross matching this, the participating site can confirm the authenticity of the user.
6- Using the Participating Site - The participating site is now able to display a customized page to the client by using the profile information along with the profile cookie. (Thomas 2002, p. 26)
7- Sign-Out - By clicking the standardized Microsoft button the user can use to sign out at any time. When signing out the client's browser links back to the Passport Server, the server uses the visited sites cookie in order to delete all the cookies created at sign-on for the visited sites.
Secure Channel Sign-On
This is an extension of Standard Sign-on profile by the use of secure end to end SSL channel. SSL is used during the while authentication process. If SSL is not used an attacker is able to eavesdrop the communication between the clients browser and the Passport Sign-On server.
Strong Credential Sign-On
The secure channel and the standard Sign-On profile limit the number of password try entries, and if an attacker tries to guess the password the users passport account, the passport Sign-On server will block the account for a short time. This takes effect after definite number of incorrect password tires. In this there is risk to crack the password. In Strong Credential Sign-On the incorrect attempts of passwords entered is strictly limited with five attempts. If unsuccessful passwords are attempted the Strong Credential Sign-On level is clocked until the user generates a new security key by answering three secret questions. These questions are chosen among several questions on registration. After answering the questions successfully, hence after successful Sign-in the counter which is responsible for blocking the accounts is reset to 0.
The Standard Sign-On profile still remains usable for the user by using standard Passport credentials. Sites and resources which require lower levels of Passport Sign-On are still accessible for the user. As a result this profile supports the highest level of security a participating sire can request from Passport. With this the system is no longer vulnerable to a dictionary attack.
Users sensitive data such as personal information, bank details, credit card details...etc is recorded in Passport technology, and it managers the user's data in a secure environment. When the user wants to purchase a product online, the merchant gets all information straight from Microsoft Passport and nothing from the user. Microsoft Passport of the user contacts the credit card company and processes payment and also contacts the delivery company for the delivery of the product. Merchant websites can become members of .NET Passport by licensing the product with Microsoft.
3 - Web Sign-On
Web Single Sign-On provides a web-based Single Sign-On experience, which means transparent logon experience for users who access applications using web interface and the HHP protocol. The application should be web enabled to join an application to a web SSO infrastructure. Also called Web-AM (Web Access Management) and all web resources pass through a web proxy. Unauthorized users will be denied and can only pass through with successful logging on. Cookies are used to track user moments, and Web SSO service extracts user information and share cookies with other web resources to give an effective single sign-on service. Web Single Sign-on can provide effective business connection between business partners.
1: User applies for Access Gateway to give access to protected resource
2: User is denied access because the Access gateway has no records of the user. Then the access gateway directs the user to Identity server and is presented with a login dialog requesting username and password (credentials)
3: The identity server checks for user records in the Identity storage, and authenticates the user.
4: User identity is validated, and the Access gateway now understands the user's common username and password, as the user has been already authenticated by the identity Server.
5: The Access gateway adds the username and password into the authentication header.
6: Secure Access will be granted from here. (Lee, 2006)
4 - Cosign
University Michigan program which presented the design of Cosign, which is an open source WSSO (web single sign-on package). Cosign was a piece of the National Science Foundation Middleware plan EDIT software'. (Ivan, 2006)
Cosign model is very much like the model of Kerberos, which uses Ticket Granting Ticket (TGT) to issue the Server Ticket. But Cosign issues both Ticket Granting Ticket and Sever Ticket before validating the user. Cosign consists three major parts:
Daemon - The daemons supports replication and can work on more than two machines. And daemons can be implement appropriate load-balancing. Two daemons in Cosign are Cosignd and monster.
CGI - Checks login cookies
The filter - Which is not a part of the centralized cosign infrastructure. The filters job is to determine which areas of the website are protected by Cosign. Filter assures that users are authorized by obtaining the users username and other important information.
The process begins when the user tries to enter the web server, for which the filter is configured to require verification of user to authenticate. When the filter checks for authentication it checks for valid cookie, if no cookie found the filter redirects the user to Cosign CGI where the user will be set a login cookie. The user is redirected with a service cookie and with return URL. (Craig, McGowan & Malestein, 2006)
The CGI confirms the existence of a rightful login cookie (Login cookie is made by CGI, and it is the key to a browser which identifies itself to Cosign server). If it is legitimate, the job of Cosign CGI is to register the new service cookie (generated key by the filter to identify itself to the application server)with the existing login cookie and redirect back the cookie to return URL which is in the login cookie.
The filter receives the service cookie, checks it. The filter authenticates the user and gives authorization to access the application if the cookie is valid.
Cosign has 2 CGIs, cosign.cgi (or login cgi- which is responsible for users in and out of the central server and also helps in registering logs) and logout CGI is responsible to log out users from the cosign server.
The Daemon provides the main function in Cosign. It has the responsibility to maintain all the sessions which occurs.
Cosignd job is to implement the server side of the cosign protocol. And also to sustain the cosign cookie database alternatively duplicating the Register, Login and Logout commands to all other cosignd in the server.
A monster server consists of two main functions, one of it is the old cookies and old ticket will be deleted when it is not needed. Monster can also adapt time stamp pushing interval. Which by default is 120 seconds and this happens between successive passes through the cookie database.
The filter exists in on an application server and it determines which area of the website is protected by Cosign. When a user try to use a service the filter checks if the service cookie is existing or not and makes sure that the user gets authorization. If not authorized this means that a new service cookie needs to be created and then user is redirected to CGI to perform login. (Ivan, 2006)
The Filters and CGI's communicate with the daemon directly over safe TLS connection but both needs a trusted certificate authority. (Craig, McGowan & Malestein, 2006)
Advantages and Disadvantages of deploying SSO Technologies from the perspective of a network manager
Single Sign-on is advantageous for both users and administrator. There is no need to point out that users' and administrators' lives become much easier if they have to deal only with a single key of credentials which is one for every user.
Single Sign-On system is an advantage security wise too. As there is only one place to enter password for all applications, the amount of times to reenter passwords are none, and no passwords or any sensitive information will be all over the network.
Users are less likely to store passwords in their computer, as only one password is what the user needs to remember to log on to all applications. As it is one unique password it is very difficult to guess by hackers. Also the password will be typed on local workstation and it will not be wandering around the network, this means passwords aren't exposed to eavesdropping.
Other Advantages of Kerberos is:
- Stolen tickets can't be used
- Centralized user account administration
- Easier to recover from application server compromise
- Much easier to effectively secure a small set of limited access machines (The KDC's)
Several advantages of Microsoft Passport includes, transactions which are made through Passport are totally anonymous. And all the logs and user transactions are controlled by the Microsoft Passport. Disadvantage of Passport includes a high level of misuse by users with malicious intent.
Cosign provides additional features which are very useful, including the ability to use the GSSAPI for n-tiered application. Cosign does fall short in critical requirements, robustness mostly fails during installation, when it is not installed correctly. Most common problem in centralized systems are especially in authentication and when authorization of systems which is highly inflexible.
Studying all most all Single Sign-On technologies to write this paper, a manager would choose Kerberos SSO as it does give more advantages for the user.
â€¢ Bob, H 2001, Content Distribution Network Retrieved October 20, 2007, https://doc.telin.nl/dsweb/Get/Document-15534/
â€¢ Bobby, V 2003, Single Sign On Technologies as Privacy Enhancing Technologies Retrieved October 19, 2007, from http://zoo.cs.yale.edu/classes/cs457/2003/Single_Sign_On_Technologies_as_Privacy_Enhancing_Technologie
â€¢ Cheryl, G 2006, Kerberos Tutorial Retrieved October 19, 2007, http://www.hitmill.com/computers/kerberos.html
â€¢ Free BSD Handbook n.d., What is a Firewall. Retrieved October 20, 2007, http://docs.freebsd.org/doc/2.1.5-RELEASE/usr/share/doc/handbook/handbook67.html
â€¢ Kerberos: Highly Secure, Single Sign-On Authentication in Mac OS X 2007. Retrieved October 19, 2007, http://developer.apple.com/opensource/kerberosintro.html
â€¢ Compex Inc n.d., Stateful Packet Inspection firewall. Retrieved October 22, 2007, http://www.cpx.com/whitepapers/Compex%20SPI%20Firewall.pdf
â€¢ Craig, McGowan & Malestein 2006, The Cosign Web Single Sign-On Scheme Retrieved October 21, 2007, http://www.umich.edu/~umweb/software/cosign/media/cosignscheme2006a.rtf.
â€¢ Dmccormick n.d., Explain what the TCP/IP model is. Retrieved October 20, 2007, http://www.dmccormick.org/tcpip.htm
â€¢ Evolution of the Firewall Industry 2002. Retrieved October 20, 2007, from http://www.cisco.com/univercd/cc/td/doc/product/iaabu/centri4/user/scf4ch3.htm
â€¢ Harsha, S, &Shiva Shankar, R 2002, Web Caching: A Technique to Speedup Access to Web Contents Retrieved October 20, 2007, from http://www.ias.ac.in/resonance/July2002/July2002p54-62.html
â€¢ Ivan, N 2006, Web Single Sign On Systems Retrieved October 19, 2007, http://www.cesnet.cz/doc/techzpravy/2006/web-sso/
â€¢ Jan, De, C &Guido, G 2007, Microsoft Windows Security Fundamentals, Linacre House, Oxford
â€¢ James, F, K 1999, Computer Networking: A top-Down Approach featuring the Internet, Addison Wesley Longman, US.
â€¢ Lee, H 2006, Single Sign On Systems Retrieved October 20, 2007, http://www.novell.com/solutions/securityandidentity/passwordtour/single_sign_on_webinar.pdf
â€¢ NETGEAR n.d., Wireless-G ADSL Modem router. Retrieved October 20, 2007, http://www.netgear.com/Products/RoutersandGateways/GWirelessRouters/DG834G.aspx
â€¢ Open Group, 2002. Retrieved October 20, 2007, http://www.opengroup.org/security/sso/sso_intro.htm
â€¢ Raimo, K 2003, Peer to Peer and SPAM in the Internet Retrieved October 20, 2007, http://www.netlab.hut.fi/opetus/s38030/F03/Report-p2p-spam-2003.pdf
â€¢ Thomas, G, R 2002, Identification and Authentication in Networks enabling Single Sign-On Retrieved October 20, 2007, http://www.iaik.tugraz.at/teaching/11_diplomarbeiten/archive/roessler.pdf
â€¢ Webopedia n.d., Application Gateway. Retrieved October 20, 2007, from http://www.webopedia.com/TERM/A/application_gateway.html
â€¢ Wikipedia n.d., Web cache. Retrieved October 22, 2007, http://en.wikipedia.org/wiki/CoSign_single_sign_on
â€¢ Wikipedia n.d., Web cache. Retrieved October 22, 2007, http://en.wikipedia.org/wiki/Web_cache
â€¢ Wikipedia n.d., Windows Live ID. Retrieved October 22, 2007, http://en.wikipedia.org/wiki/Windows_Live_ID