Work place: HKBK College of Engineering / Information Science and Engineering, Bangalore-560045, India
E-mail: mustafas.is@hkbk.edu.in
Research Interests: Data Mining, Image Processing, Image Manipulation, Image Compression, Computer Architecture and Organization, World Wide Web
Biography
Dr. Syed Mustafa obtained his Ph.D. in Computer Science and Engineering from Satyabhama University, Chennai, India. He is currently working as a Professor and Head of the Information Science and Engineering Department at HKBK College of Engineering under the Visvesvaraya Technological University. His areas of research include Web services, Web Mining, Social Media Data Mining, and Image Processing.
By Usman Aijaz N, Nikita Mittal, Mohammed Misbahuddin, A Syed Mustafa
DOI: https://doi.org/10.5815/ijwmt.2022.01.05, Pub. Date: 8 Feb. 2022
Single Sign-On (SSO) allows the client to access multiple partner e-services through a single login session. SSO is convenient for users, as the user neither needs to set multiple login credentials nor log in separately for individual services every time. SSO (single sign-on) authentication is a password-authentication approach that permits end users to log in to multiple systems and websites with a single set of login credentials. SSO authentication is mainly useful for IT organizations that consist of many different commercial applications. The outstanding feature of SSO is that it gives organizations centralized control of their systems by giving different levels of access to each individual. It reduces password fatigue and increases security because users only need to remember a single username/password that grants them access to multiple systems. However, Single Sign-On poses risks related to a single point of attack, which may lead to a path for cybercrimes. This paper proposes a trust model to increase the security of Single Sign-On systems against the vulnerabilities discussed in the subsequent sections. The proposed trust model is named the DANE-based Trust Plugin (DTP), which acts as an added security layer over DNS-Based Authentication of Named Entities (DANE). The DTP proposes a modified SAML XML schema which enables the DTP to counter the attacks.

By Usman Aijaz N, Syed Mustafa, Mohammed Misbahuddin
DOI: https://doi.org/10.5815/ijwmt.2021.06.04, Pub. Date: 8 Dec. 2021
DNS is responsible for the hostname to IP address translation. It is an open resolver, which is why it is vulnerable to different kinds of attacks such as cache poisoning, man-in-the-middle, DoS and DDoS, etc. To protect DNS, the IETF added a layer of security to it known as Domain Name System Security Extensions (DNSSEC). DNSSEC is also vulnerable to phishing, spoofing, and MITM attacks. To protect DNS, along with DNSSEC we require certifying authorities to authenticate the communicating parties. DNSSEC combined with an SSL certificate issued by Certifying Authorities (CAs) can protect the DNS from various attacks. The main weakness of this system is that there are too many CAs and it is not feasible to trust all of them. Any breached CA can issue a certificate for any domain name. A certificate issued by a compromised CA is valid. In this scenario, it is necessary for the organization to limit the number of CAs and to check whether the server is signed by a trusted CA or not. DNS-Based Authentication of Named Entities (DANE) permits a domain possessor to stipulate that specific CAs issue certificates for a specific resource. DANE will not allow any CA to issue certificates for any domain. It limits the number of CAs used by the client. There were still some security issues left in it that can be resolved using a mechanism called D-TS. It is a DANE-based trusted server that acts as a third party and validates the certificates of all the entities of the network. D-TS will be a proof-of-concept for enhancing the security in communications between Internet applications by using information available in DNS. The system attempts to solve the shortcomings of DANE by establishing a trust zone between the clients and the services. By adding multiple levels of validation, it aims to provide improved authenticity of services to clients, thereby mitigating attacks like phishing, spoofing, DoS, and man-in-the-middle attacks.
In this paper, we will discuss the detailed working of our proposed solution D-TS.