glib-Single-Sign-On (gSSO) is a system for centrally storing, using, and managing credentials under access control. Credentials can be either "soft", such as a password, or "hard", such as a smart card. The plug-in system and additional security features allow "soft" credentials to be used the way smart cards have traditionally been used: the secret stays inside the store, and operations that need it are performed there on the client's behalf.
With traditional password authentication systems, many applications store passwords in insecure, ad-hoc ways and keep them in memory for long periods, while at the same time processing untrusted data received from the internet. Email applications are a typical example. This opens up possibilities for attacks that try to compromise the password, either locally or remotely. A compromised password may then be used to send spam, or to access other resources where the same credentials are reused. Using gSSO for these kinds of applications makes it possible not to retain the password in the application's address space at all, while storing the credentials securely in a location that the application cannot read directly.
Token-based authentication schemes are becoming the standard type of authentication for modern web and cloud applications, and implementing the more recent standards is becoming increasingly complex. A trusted user agent is also needed to bootstrap the authentication process and acquire the user's authorization for the application to access the user's data. gSSO provides easy-to-use implementations of standard token-based authentication protocols, together with centralized, secure storage of credentials and a trusted user agent.
In-application purchases and micropayments are also becoming increasingly popular in the modern application ecosystem. For these payment systems, a separate user agent is needed to obtain trusted and verified user authorization for the payment, and to prevent misrepresentation of the recipient or of the amount being charged. gSSO provides both the process separation and the user interface tools needed to obtain the authorizations and confirmations these payment systems require.
The main components are:
- Client API for requesting that credentials be stored and used.
- Storage for securely storing credentials, such as encryption keys or passwords.
- Plug-in system for performing operations with the stored secrets on behalf of a client, as requested through the client API.
- Plug-ins for standard methods of authentication and public-key cryptography.
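The following is an added illustration of the split these components describe (client API, isolated store, plug-in performing the operation), not gSSO's own code or API. It is a toy model written for this page: the store runs in a separate process, loads the credentials there, and only ever hands results back; the client holds a pipe, an identity name and a method name, never the password. All names (StoreClient, store_daemon, the "hmac-sha256" method, the "mail-account-1" identity and its password) are assumptions constructed for the example.

```python
"""Toy model of the gSSO split: a client that never holds the secret and a
separate store process that performs the operation on its behalf.
Hypothetical code written for illustration; not gsignond's API."""
import hashlib
import hmac
import os
from multiprocessing import Pipe, Process


def load_store():
    """Constructed sample credentials. A real store would decrypt them from
    disk inside the daemon; the client process never calls this."""
    return {"mail-account-1": b"correct horse battery staple"}


# Plug-ins: each receives the stored secret plus client-supplied parameters
# and returns something the client may see. No plug-in returns the secret.
def hmac_sha256_plugin(secret, params):
    return hmac.new(secret, params["challenge"], hashlib.sha256).hexdigest()


PLUGINS = {"hmac-sha256": hmac_sha256_plugin}


def store_daemon(conn):
    """Runs in its own process. Services requests of the form
    (identity, method, params) with ("ok", result) or ("error", reason).
    A request of None shuts the daemon down."""
    store = load_store()  # secrets exist only in this address space
    while True:
        req = conn.recv()
        if req is None:
            return
        identity, method, params = req
        if identity not in store:
            conn.send(("error", "unknown identity"))
            continue
        plugin = PLUGINS.get(method)
        if plugin is None:
            conn.send(("error", "unknown method"))
            continue
        try:
            conn.send(("ok", plugin(store[identity], params)))
        except Exception as exc:  # a misbehaving plug-in must not kill the store
            conn.send(("error", str(exc)))


class StoreClient:
    """Client-side handle: owns a pipe to the store process and nothing else."""

    def __init__(self):
        self._conn, child_conn = Pipe()
        self._proc = Process(target=store_daemon, args=(child_conn,))
        self._proc.start()
        child_conn.close()
        self.store_pid = self._proc.pid

    def process(self, identity, method, **params):
        """Ask the store to run `method` with the secret of `identity`."""
        self._conn.send((identity, method, params))
        status, value = self._conn.recv()
        if status != "ok":
            raise PermissionError(value)
        return value

    def close(self):
        self._conn.send(None)
        self._proc.join()


def demo():
    """Answer a constructed server challenge for 'mail-account-1' without the
    client ever touching the password, and show what the store refuses."""
    client = StoreClient()
    try:
        challenge = b"nonce-0001"  # constructed server challenge
        response = client.process("mail-account-1", "hmac-sha256",
                                  challenge=challenge)
        # The server side (constructed) holds its own copy of the password
        # and verifies the response.
        expected = hmac.new(b"correct horse battery staple", challenge,
                            hashlib.sha256).hexdigest()
        verified = hmac.compare_digest(response, expected)
        errors = []
        for ident, method in (("nobody", "hmac-sha256"),
                              ("mail-account-1", "reveal-secret")):
            try:
                client.process(ident, method, challenge=challenge)
            except PermissionError as exc:
                errors.append(str(exc))
        return {"verified": verified,
                "errors": errors,
                "separate_process": client.store_pid != os.getpid()}
    finally:
        client.close()


if __name__ == "__main__":
    print(demo())
```

The point to take from the model is in what the client can and cannot ask for: there is no method that returns the secret, so a client compromised through untrusted network input can at most request operations while it is running, and even that is bounded by whatever access control the real store puts in front of the identity.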