Improving the Security of Single Sign On (SSO) Authentication Using the AES Algorithm and One-Time Password. Case Study: SSO at Universitas Ubudiyah Indonesia

Zuhar Musliyana, Teuku Yuliar Arif, Rizal Munadi

Abstract

Single Sign On (SSO) is an independent authentication model implemented at Universitas Ubudiyah Indonesia (UUI) using the Message-Digest Algorithm 5 (MD5) and the NuSOAP web service, built on the PHP programming language. The system runs over the Hypertext Transfer Protocol (HTTP). In practice, HTTP is highly vulnerable to many kinds of attack because data is sent as plaintext without any encryption, and applying MD5 to login authentication is also vulnerable to dictionary attacks and rainbow tables. In addition, the NuSOAP web service opens a further security gap because payloads are sent and received unencrypted. Several methods are already known to reduce these vulnerabilities, among them Hypertext Transfer Protocol Secure (HTTPS), Secure Hypertext Transfer Protocol (SHTTP) and the Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA). However, related research shows that HTTPS, SHTTP and CAPTCHA each still have weaknesses. This study proposes the Advanced Encryption Standard (AES) algorithm with a dynamic key generator, together with a time-synchronized One-Time Password (OTP) method combined with a salt, to improve the security of UUI SSO authentication. Test results show that applying AES and OTP secures the SSO authentication process against dictionary attacks and rainbow tables.
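The abstract names three ingredients without showing them: an unsalted MD5 login hash that a precomputed table can invert, a time-based dynamic key for AES, and a time-synchronized OTP that mixes in a salt. The following is an added illustration, not code from the paper or from the UUI SSO system; it is written in Python with the standard library only. Everything not on this page is an assumption: the 30-second time step and HMAC-SHA1 truncation follow RFC 6238, the dynamic key is derived as HMAC-SHA256 over the time counter (the paper's own key schedule is not given here), the salt is mixed in as salt || secret, and the sample passwords, secret and salt are constructed values. AES itself is not called; `derive_dynamic_key` only produces the 32-byte key that an AES-256 payload encryption would consume.

```python
import hashlib
import hmac
import struct

# RFC 6238 default time step in seconds (assumption: the paper's step is not stated here).
TIME_STEP = 30


def md5_hex(password: str) -> str:
    """Unsalted MD5, the legacy UUI SSO login hash described in the abstract."""
    return hashlib.md5(password.encode()).hexdigest()


def build_lookup_table(candidates):
    """Precomputed digest -> password map: a minimal stand-in for a rainbow table."""
    return {md5_hex(p): p for p in candidates}


def lookup(hash_hex: str, table: dict):
    """Return the recovered password if the digest is in the table, else None."""
    return table.get(hash_hex)


def salted_hash_hex(password: str, salt: bytes) -> str:
    """Salted hash: the same password yields a different digest per salt, so a
    table precomputed over unsalted digests no longer matches anything."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def time_counter(unix_time: int, step: int = TIME_STEP) -> int:
    """RFC 6238 time counter T = floor(now / step)."""
    return int(unix_time // step)


def derive_dynamic_key(shared_secret: bytes, counter: int) -> bytes:
    """Time-based dynamic key (assumption: HMAC-SHA256 over the time counter).
    The 32-byte result is usable as an AES-256 key and changes every time step,
    so a key recovered from one captured payload is useless in the next step."""
    return hmac.new(shared_secret, struct.pack(">Q", counter), hashlib.sha256).digest()


def totp_with_salt(secret: bytes, salt: bytes, counter: int, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1 plus dynamic truncation) whose HMAC key is
    derived from salt || secret (assumption: how the salt is combined)."""
    key = hashlib.sha256(salt + secret).digest()
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_otp(secret: bytes, salt: bytes, submitted: str, now: int, window: int = 1) -> bool:
    """Server-side check: accept the code for the current step and `window`
    adjacent steps on either side to tolerate clock skew; compare in constant time."""
    current = time_counter(now)
    return any(
        hmac.compare_digest(totp_with_salt(secret, salt, current + d), submitted)
        for d in range(-window, window + 1)
    )


if __name__ == "__main__":
    # Constructed sample values, not taken from the paper.
    table = build_lookup_table(["password123", "qwerty", "letmein"])
    print("unsalted MD5 recovered:", lookup(md5_hex("password123"), table))
    print("salted digest recovered:", lookup(salted_hash_hex("password123", b"s4lt"), table))
    secret, salt, now = b"shared-sso-secret", b"per-user-salt", 1699999980
    code = totp_with_salt(secret, salt, time_counter(now))
    print("OTP accepted now:", verify_otp(secret, salt, code, now))
    print("OTP accepted 90 s later:", verify_otp(secret, salt, code, now + 90))
```

The two `lookup` calls make the abstract's point concrete: the unsalted MD5 digest is found in the precomputed table, the salted digest is not. The OTP checks show the time-synchronization property the abstract relies on: a code is accepted within its own step and one neighbouring step, and rejected three steps later, so a replayed login payload expires together with the dynamic key derived for that step.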

Keywords

SSO, Dynamic Key, Salt, OTP, AES.



DOI: https://doi.org/10.17529/jre.v12i1.2896
