HiHat is a draft of a mechanism for increasing the strength of existing single sign-on (SSO) systems. It uses a queue algorithm to choose which servers it relies on. Each of those servers holds an identical mirror of the user's salted password ciphertexts. A web-browser module running in a protected memory space performs the encipherment. The salting strategy is chosen carefully so that the salt has maximum shielding power (randomness). A compromised SSO site gains no information about the password: the SSO site merely stores the ciphertext, acting as a blind messenger.
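The scheme described above, as an added simulation that is not HiHat's own code (the post shows none). It assumes the "encipherment" is PBKDF2-HMAC-SHA256 over a random 16-byte salt, that the "queue algorithm" is a simple rotating FIFO over server names, and that the mirrored servers are modelled as in-memory dicts holding only salt and ciphertext:

```python
import hashlib
import secrets
from collections import deque

# Assumed parameters (not given in the post): PBKDF2-HMAC-SHA256 stands in
# for the browser module's "encipherment"; the salt is drawn from the OS CSPRNG.
SALT_BYTES = 16
ITERATIONS = 100_000


def encipher(password: str, salt: bytes) -> bytes:
    """Browser-side step: turn password + high-entropy salt into the ciphertext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


class MirrorQueue:
    """Queue-based choice of which servers receive (and later answer from) the mirror."""

    def __init__(self, servers):
        self.queue = deque(servers)
        # Each server's "blind" store: user -> (salt, ciphertext), never the password.
        self.stores = {s: {} for s in servers}

    def next_servers(self, k):
        # Take the k servers at the head of the queue, then rotate them to the back.
        chosen = [self.queue[i] for i in range(k)]
        self.queue.rotate(-k)
        return chosen

    def enroll(self, user, password, k):
        salt = secrets.token_bytes(SALT_BYTES)          # fresh, random salt per user
        record = (salt, encipher(password, salt))       # computed client-side
        servers = self.next_servers(k)
        for s in servers:
            self.stores[s][user] = record               # equal mirror on every chosen server
        return servers

    def verify(self, user, password):
        # Consult servers in queue order; any mirror holding the record can answer.
        for s in self.queue:
            store = self.stores[s]
            if user in store:
                salt, ct = store[user]
                return secrets.compare_digest(ct, encipher(password, salt))
        return False
```

The stored record reveals no more than a salted PBKDF2 output, so a compromised mirror must still brute-force the password rather than read it.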
In a computing system, we tend to drift towards the setup that works best for us. This may mean changes in:
- operating system selection
- software (for example, our favorite www-browser)
- increasingly, as we adopt web-based workflows, the drifting and selection is directed towards browser extensions and add-ons
- choice of physical setup: LAN / WLAN, etc.
Drift is one aspect that system administrators find challenging. A single company-wide set-up would be preferable to them, because it is the easiest to administer: if everyone had the same laptop running the same OS version, with applications always on the same release train, the bugs encountered would usually replicate from one user to another, and fixing them would become more predictable.
But the reality is that drift happens. Some recent surveys have indicated that information technology cannot and should not be played by the rules of administrators, because administrators are often very conservative – they have been trained to be conservative and security-oriented.
Employees use and learn web technologies mostly at home. They carry habits back and forth between home and work; what might have been “forbidden” at work in the past may well be accepted, and even recommended, by top management nowadays.
Since employees have put hours into learning these things, they would like to carry that knowledge over to their work environment, not discard or forget it every time they enter work. Remote workers are also keen to try out new things; the changes often come in the form of extension mechanisms for web browsers. Mobile connectivity and helper software on smartphones is another driver of change.
I’ll be writing more about this later on. I’m very excited to explore the possibilities that an SSO shield would actually have for the security of a system.