When a user logs in over https to a login server, my goal is to have the login server take the __username+timestamp__ and encrypt it to get a 'session key', which can then get passed around as a POST variable to all our other servers, so each server doesn't need to re-validate the user's credentials. The assumption is that all the servers will have a single, carefully guarded shared key needed to encrypt/decrypt the 'session key', thus being able to confirm the user has validly logged on at the 'timestamp' time. So the crypto we use would need to be such that a hacker couldn't extract the key if he figured out the unencrypted and encrypted data (simple XOR wouldn't work). I think AES would work for this type of thing. But I'm assuming this is a common task and I don't need to re-invent the wheel trying to figure out how to do it securely. I just can't find a document that explains the best way to implement this. I see lots of documents about using SSO-technologies that require inter-server communication, or require licensed technology (like Microsoft's stuff). But I can't find a document that explains how to implement a simple SSO system like I described that allows the servers to operate without the need to communicate with each other. Does anybody know where I can find this?
Thanks ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org
