J4

• Original Articles

Token-based single sign-on protocol and its formal analysis

SHEN Ting;LI Hui;YU Ming-zhe   

  1. Ministry of Edu. Key Lab. of Computer Network and Information Security, Xidian Univ., Xi′an 710071, China
  • Received:1900-01-01 Revised:1900-01-01 Online:2006-10-20 Published:2006-10-30

Abstract: A new single sign-on protocol for distributed networks is proposed to achieve two-way authentication between the user and application servers. Using a service token, identity authentication and service authorization are performed by an authentication server, and the key is saved in the token, which can be used in the verification process. The token lets a user who was authenticated on entering the network communicate with any application server, which improves the authentication efficiency of the whole network; it also means the authentication server does not need to save the state of users, which improves the authentication server's performance. Using BAN logic, the objective and the security of this protocol are proved by a formal analytical process.

Key words: single sign-on, token, BAN logic

CLC Number: TP393.08