Next Article in Journal
Securing Additive Manufacturing with Blockchains and Distributed Physically Unclonable Functions
Next Article in Special Issue
Implementation of a New Strongly-Asymmetric Algorithm and Its Optimization
Previous Article in Journal
Power Side-Channel Attack Analysis: A Review of 20 Years of Study for the Layman
Previous Article in Special Issue
An Alternative Diffie-Hellman Protocol
 
 
Search for Articles:
Title / Keyword
Author / Affiliation / Email
Journal
Article Type
 
 
Advanced Search
 
Section
Special Issue
Volume
Issue
Number
Page
 
Journals
Cryptography
Volume 4
Issue 2
10.3390/cryptography4020016
Review Report
cryptography-logo
Submit to this Journal Review for this Journal Propose a Special Issue
Article Menu

Article Menu

share Share announcement Help format_quote Cite question_answer Discuss in SciProfiles
Article
Peer-Review Record

Security and Performance of Single Sign-on Based on One-Time Pad Algorithm

Cryptography 2020, 4(2), 16; https://doi.org/10.3390/cryptography4020016
by Maki Kihara *,†,‡ and Satoshi Iriyama ‡
Reviewer 1:
Eghbal Ghazizadeh
Reviewer 2: Anonymous
Cryptography 2020, 4(2), 16; https://doi.org/10.3390/cryptography4020016
Submission received: 13 April 2020 / Revised: 28 May 2020 / Accepted: 9 June 2020 / Published: 12 June 2020
(This article belongs to the Special Issue Cryptographic Protocols 2022)

Round 1

Reviewer 1 Report

I appreciate the opportunity to review this paper. This paper is proposing an algorithm based on VE based authentication without disclosing the user identity (Token) for the SSO. Although the paper is in general well written there are some serious concerns which need to be addressed. Therefore, I recommend accepting the paper subject to revision.

My concerns are listed in detail below, so the authors need to :

  • highlight the Purpose (mandatory) Design/methodology/approach (mandatory) Findings (mandatory) Research limitations/implications (if applicable) Practical implications (if applicable) Social implications (if applicable) Originality/value (mandatory) in the Abstract more clearly.
  • Highlight the •The research problem and its importance •Brief Literature Review •Deficiencies in the current literature •Highlight contributions by other researchers in the same area. Bring out the research gap. •Research Motivation •Research Objectives/Questions •Research Methodology used •Contributions •Organization of the thesis/report/article •One paragraph on each in the Introduction more clearly
  • Highlight the impact on the customer and business in the discussion section
  • Lack of Conceptual Model for their model to identify all independent and dependent variables
  • The literature review should clearly bring out the gap that the paper intends to focus on
  • The methodology used for the analysis needs to be defined clearly
  • The authors have applied QP-DYN algorithm to their algorithm, please justify why?
  • The authors have compared their proposed model with Kerberos, OpenID, and SAML, but in the Robustness against attack, there is a lack of this comparison.
  • As the main focus in the OAuth is authentication, it is better that authors compare their model with OAuth (1&2)
  • Justify why your proposed algorithm is based on a verifiable encryption (VE)-based authentication algorithm

Author Response

Dear reviewer 1

We express appreciation to you giving us the fruitful comments.
According to your comments, we are revising the article carefully now.
Since we would like to increase the quality of our paper more, would you mind waiting for two weeks?

The points that we are modifying are the following:

"My concerns are listed in detail below, so the authors need to :"
"highlight the Purpose (mandatory) Design/methodology/approach (mandatory) Findings (mandatory) Research limitations/implications (if applicable) Practical implications (if applicable) Social implications (if applicable) Originality/value (mandatory) in the Abstract more clearly."
"Highlight the •The research problem and its importance •Brief Literature Review •Deficiencies in the current literature •Highlight contributions by other researchers in the same area. Bring out the research gap. •Research Motivation •Research Objectives/Questions •Research Methodology used •Contributions •Organization of the thesis/report/article •One paragraph on each in the Introduction more clearly"

>>Thank you for your comments. According to your advise, we are modifying abstract and introduction to clarify SSO problem, our purpose, the value of this study.


"Highlight the impact on the customer and business in the discussion section"

>>Thank you for your advise. According to you, we are adding subsection "the impact on business" in discussion section.


"Lack of Conceptual Model for their model to identify all independent and dependent variables"

>>Thank you for your comment. According to your advise, we are adding the conceptual model in section 2 (algorithm) to identify all variables.


"The literature review should clearly bring out the gap that the paper intends to focus on"

>>Thank you for your advise. In accordance with your comments, we are modifying and adding the literature review. Especially, the reviews of OpenID, Kerberos, SAML, LDAP have be added.


"The methodology used for the analysis needs to be defined clearly"

>>Thank you for your comment. By accounting for your advise, we have added the methodology used for the analysis. For example, Each time from the input of a plaintext at verification step to the output of last calculation at verification step were measured. Each value in the table and graph of verification speed are the average of 100times experiment.


"The authors have applied QP-DYN algorithm to their algorithm, please justify why?"

>>Thank you for your comments. In the section 3 (demonstration), we have clarified why QP-DYN used. Since QP-DYN was used in the VE-based authentication algorithm proposed in the previous paper and also has better speed performance than AES, QP-DYN is applied in this study.


"The authors have compared their proposed model with Kerberos, OpenID, and SAML, but in the Robustness against attack, there is a lack of this comparison."

>>Thank you for your comments. We are discussing about the comparison about robustness against attack. Specifically, we are experimenting by the following two methods:
1) Perform the same attack (chosen ciphertext attack) against them as our model
2) Perform common attacks which is against those models (such as man-in-the-middle attacks) against our model


"As the main focus in the OAuth is authentication, it is better that authors compare their model with OAuth (1&2)"

>>Thank you for your comments. The biggest reason we didn't compare our model with OAuth(1&2) is that the main focus in the OAuth is authorization rather than authentication. However, the main focus in the our model is authentication.
Moreover, the change from OAuth1 to 2 excluded cryptography, and OAuth1 was reported to have security issues.
Therefore, we compared the main SSO implementations, excluding OAuth.


"Justify why your proposed algorithm is based on a verifiable encryption (VE)-based authentication algorithm"

>>Thank you for your comments. According to your advise, we are describing the reason why our proposed algorithm is based on a verifiable encryption (VE)-based authentication algorithm. The following is a summary of the contents of the reason in the paper.
One of the reasons why network users refuse WebSSO is suggested to be hesitated to consent to the disclosure of their personal information. Also, providing the ID and password directly is required by many SSO mechanisms, it is regarded problematic that many people have the impression that sensitive personal information is stored somewhere locally by using the mechanism.
Hence, we have constructed the SSO algorithm based on VE-based authentication algorithm that enables use arbitrary personal information securely and does not provide information other than authentication information.


Also, we have corrected Theorem 3, Corollary 4, and Theorem 5. Specifically, the conditions for using the inverse element.
Moreover, in the section 4.2 (Robustness Against Attack), $p_1, {p_1}', p_2$ and $ {p_2}'$ have been replaced respectively by $p_{A,1}, p_{A,2}, p_{C,1}$ and $ p_{C,2}$. $k_1, k_2, k_3$ and $ k_4$ have been replaced respectively by $k_{A,1}, k_{C,1}, k_{C,2}$ and $ k_{A,2}$. $c_1, c_2, c_3, c_4, c_5, c_6$ and $c_7$ have been replaced respectively by $c_{A,1}, c_{C,1}, c_{C,2}, p_{c_{C,2}}, c_2, c_3$and $c_r$.
Please see the attached file.

 

Best regards,
Maki Kihara
Satoshi Iriyama

2020, 15th of May

Author Response File: Author Response.pdf

Reviewer 2 Report

The contribution of this work that the authors claimed, a method for SSO-based OTP algorithm, would be meaningful, in practice. Nonetheless, the reviewer does not recommend this paper be accepted, due to unclearness, technical errors, and poor presentation.

 

Most of all, the reviewer believes that a paper containing many technical errors even from preliminary section should not be accepted. For the case of this paper, even from Theorem 3, which is just a basic and preliminary proposition, it seems even the statements are technically not correct. In the beginning of the proof, it seems the authors are additionally assuming properties of the cryptosystem. And, in Corollary 4, it seems the use of inverse elements does not coincides with the properties listed in Theorem 3. And, in the last displayed equations in the proof of Corollary 4, the reviewer is not sure that the derivation is correct, because the operation mod 26 should be considered in the derivation as well. Becoming skeptical about the correnctness of the paper even from the preliminary section, the reviewer believes that the potential reader may not be convinced with the correctness of the main result as well.

It seems there may be other issues related to pedantry and language problem. As it seems only masking by modular addition is used, the general statements for group structure may not be necessary. For language, for example, past tense may not be used in abstract in general, and many article errors are found, as well. Finally, for claim that the proposed method is computationally efficient, the authors may want to compare the performance with the previous methods, with respect to time consumption, for example.

Overall, the reviewer recommends that the paper be thoroughly revised.

Author Response

Dear reviewer 2

We express appreciation to you giving us the fruitful comments.
According to your comments, we are revising the article carefully.
Since we would like to increase the quality of our paper more, would you mind waiting for two weeks?

The points that we modified are the following:

"Most of all, the reviewer believes that a paper containing many technical errors even from preliminary section should not be accepted. For the case of this paper, even from Theorem 3, which is just a basic and preliminary proposition, it seems even the statements are technically not correct. In the beginning of the proof, it seems the authors are additionally assuming properties of the cryptosystem. And, in Corollary 4, it seems the use of inverse elements does not coincides with the properties listed in Theorem 3. And, in the last displayed equations in the proof of Corollary 4, the reviewer is not sure that the derivation is correct, because the operation mod 26 should be considered in the derivation as well. Becoming skeptical about the correnctness of the paper even from the preliminary section, the reviewer believes that the potential reader may not be convinced with the correctness of the main result as well. It seems there may be other issues related to pedantry and language problem. As it seems only masking by modular addition is used, the general statements for group structure may not be necessary."

>>Thank you for your comments. We have corrected Theorem 3, Corollary 4, and Theorem 5 in response to your suggestions. Specifically, the conditions for using the inverse element. Please see the attached file.


"For language, for example, past tense may not be used in abstract in general, and many article errors are found, as well. "

>>Thank you for your advise. We are checking all the abstract and correcting English error, especially, wrong use of past tense.


Finally, for claim that the proposed method is computationally efficient, the authors may want to compare the performance with the previous methods, with respect to time consumption, for example.

>>Thank you for your comments. In much of the literatures of SSO technology, we couldn't find a speed comparison. We think that the reason is that each SSO model depends on the environment and requirements such as the number of parties, trust level, and they are different, respectively.
Therefore, we did not compare the speed in this paper in the same way as literatures on SSO technology.
Instead of the speed comparison, we are comparing on attack robustness for increasing the quality of comparison. Specifically, we are experimenting by the following two methods:
1) Perform the same attack (chosen ciphertext attack) against them as our model
2) Perform common attacks which is against those models (such as man-in-the-middle attacks) against our model


Also, we are also revising the following:
- modifying abstract and introduction to clarify SSO problem, our purpose, the value of this study.
- adding subsection "the impact on business" in discussion section.
- adding the conceptual model in section 2 (algorithm) to identify all variables.
- modifying and adding the literature review. Especially, the reviews of OpenID, Kerberos, SAML, LDAP are being added.
- adding the methodology used for the analysis.
- clarifying why QP-DYN used. Since QP-DYN was used in the VE-based authentication algorithm proposed in the previous paper and also has better speed performance than AES, QP-DYN is applied in this study.
- Justifying why our proposed algorithm is based on a verifiable encryption (VE)-based authentication algorithm
- In the section 4.2 (Robustness Against Attack), $p_1, {p_1}', p_2$ and $ {p_2}'$ have been replaced respectively by $p_{A,1}, p_{A,2}, p_{C,1}$ and $ p_{C,2}$. $k_1, k_2, k_3$ and $ k_4$ have been replaced respectively by $k_{A,1}, k_{C,1}, k_{C,2}$ and $ k_{A,2}$. $c_1, c_2, c_3, c_4, c_5, c_6$ and $c_7$ have been replaced respectively by $c_{A,1}, c_{C,1}, c_{C,2}, p_{c_{C,2}}, c_2, c_3$and $c_r$.


Best regards,
Maki Kihara
Satoshi Iriyama
2020, 15th of May

Author Response File: Author Response.pdf

Round 2

Reviewer 1 Report

Hi, Thanks for submitting the new version of your paper, I found that you have addressed most of the issues that I found in the paper, but still my main concern is your methodology, I do recommend that add one section as a methodology and please define:

Research strategy
Research Design
Research Approach
The purpose of the research should be clearly defined
The research procedure used should be described in sufficient detail
The procedural design of the research should be carefully planned to yield results that areas objective as possible
The researcher should report with complete flaws in procedural design.

Also, there are some grammatical and writing issue such as:

line 260: which figure (??)

line 308, remove the character

and double-check the introduction and abstract based on my previous comments. 

Regards,

Author Response

We appreciate that you reviewed again and giving us the fruitful comments.

According to your comments, we are revising the article carefully.

The points that we are modifying now are as follows:

  • adding the section "Methodology"
  • checking and modifying the introduction and abstract again in accordance with your previous comments
  • line 260:  figure (??)
    >Row 260 refers to Figure 10.
    >>I mistyped the reference name, so we fixed Figure (??) to Figure 10.
  • line 308, removed the character
    >We deleted "proposed" from sentence "Therefore ~" on line 306.
    >To remove the character on line 308, it has changed from "Therefore, the one-time pad can be successfully constructed using the proposed SSO algorithm based on VE" to "Therefore, the one-time pad can be successfully constructed using the SSO algorithm based on VE".

 

Best regards, 

Maki Kihara

Satoshi Iriyama

 

2020, 27th of May

Reviewer 2 Report

-

Author Response

We express appreciation to the referee reviewing our paper.

Best regards, 

Maki Kihara

Satoshi Iriyama

 

2020, 27th of May

Back to TopTop