Abstract
This work concentrates on distributed authorization and describes a procedure, built on several protocols, that can be applied to a variety of distributed authorization problems; the protocols are flexible enough to satisfy the needs of a diverse set of applications. Our authorization procedure includes a new method of absolute identity delegation among processes in a distributed system: the delegation transfers the representation of a user or process in its entirety across the distributed environment. Since each principal is identified by its private key, our solution is built around a single Authorization Server (AS). The AS stores the secret information, such as the private keys, of both users and intermediate processes, so that this information never has to be transmitted over the network, and it executes every cryptographic operation that requires a private key. The procedure uses the X.500 Directory to store public keys and Certification Authorities (CAs) to sign the certificates. Delegation in our proposal conforms to the international security standard ITU-T X.509, both from the point of view of the user and from the point of view of all the services preceding and following the delegation of identity.
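The architecture the abstract sketches, as an added illustration that is not code from the paper: a map of public keys standing in for the X.500 Directory, an Authorization Server that holds every principal's private key and performs all signing itself, and a chain of identity-delegation hops that any downstream service can verify with public keys alone. The hop message `delegate:<from>-><to>`, the principal names, and the use of Ed25519 (an X.509-era design would use RSA certificates) are assumptions made for this example, and the CA step is omitted because the directory here is trusted directly.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Directory stands in for the X.500 Directory: public keys indexed by principal name.
// Assumption for this example: the directory is trusted directly, so the CA signature
// on each entry is not modelled.
type Directory map[string]ed25519.PublicKey

// AuthorizationServer holds every principal's private key and performs all
// private-key operations itself; callers only ever receive signatures.
type AuthorizationServer struct {
	keys map[string]ed25519.PrivateKey
}

func NewAuthorizationServer() *AuthorizationServer {
	return &AuthorizationServer{keys: map[string]ed25519.PrivateKey{}}
}

// Enroll generates a key pair for a principal, keeps the private half inside the AS
// and publishes only the public half to the directory.
func (as *AuthorizationServer) Enroll(name string, dir Directory) error {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return err
	}
	as.keys[name] = priv
	dir[name] = pub
	return nil
}

// Delegation is one hop of identity delegation: From hands its identity to To.
type Delegation struct {
	From, To string
	Sig      []byte // produced inside the AS with From's private key
}

// delegationBytes is the hypothetical hop message that gets signed (not the paper's format).
func delegationBytes(from, to string) []byte {
	return []byte("delegate:" + from + "->" + to)
}

// Delegate signs a hop on behalf of From. The private key never leaves the AS.
func (as *AuthorizationServer) Delegate(from, to string) (Delegation, error) {
	priv, ok := as.keys[from]
	if !ok {
		return Delegation{}, fmt.Errorf("unknown principal %q", from)
	}
	return Delegation{From: from, To: to, Sig: ed25519.Sign(priv, delegationBytes(from, to))}, nil
}

// Chain is the ordered list of hops from the originating user to the final service.
type Chain []Delegation

// VerifyChain checks, with public keys only, that chain is a contiguous, correctly
// signed path ending at holder, and returns the identity holder may act as.
func VerifyChain(dir Directory, chain Chain, holder string) (string, error) {
	if len(chain) == 0 {
		return "", errors.New("empty delegation chain")
	}
	for i, d := range chain {
		pub, ok := dir[d.From]
		if !ok {
			return "", fmt.Errorf("hop %d: no public key for %q", i, d.From)
		}
		if !ed25519.Verify(pub, delegationBytes(d.From, d.To), d.Sig) {
			return "", fmt.Errorf("hop %d: bad signature by %q", i, d.From)
		}
		if i > 0 && chain[i-1].To != d.From {
			return "", fmt.Errorf("hop %d: %q never received the identity it delegates", i, d.From)
		}
	}
	if last := chain[len(chain)-1].To; last != holder {
		return "", fmt.Errorf("chain ends at %q, not at %q", last, holder)
	}
	return chain[0].From, nil
}

// Demo runs the scenario alice -> web-front -> db-back (names constructed for this
// example). It returns the identity db-back may act as, and whether a forged hop that
// reuses alice's signature for a different recipient is rejected.
func Demo() (string, bool, error) {
	dir := Directory{}
	as := NewAuthorizationServer()
	for _, p := range []string{"alice", "web-front", "db-back"} {
		if err := as.Enroll(p, dir); err != nil {
			return "", false, err
		}
	}
	hop1, err := as.Delegate("alice", "web-front")
	if err != nil {
		return "", false, err
	}
	hop2, err := as.Delegate("web-front", "db-back")
	if err != nil {
		return "", false, err
	}
	actsAs, err := VerifyChain(dir, Chain{hop1, hop2}, "db-back")
	if err != nil {
		return "", false, err
	}
	forged := Delegation{From: "alice", To: "db-back", Sig: hop1.Sig}
	_, forgeErr := VerifyChain(dir, Chain{forged}, "db-back")
	return actsAs, forgeErr != nil, nil
}

func main() {
	actsAs, forgedRejected, err := Demo()
	fmt.Println(actsAs, forgedRejected, err)
}
```

Every `Sign` call happens inside the AS; the services only ever hold signatures and public keys, which is what keeps private keys off the network. The chain carries no scope or lifetime, which matches the absolute delegation the abstract describes; a deployment would want to bound both (target service, expiry) before the final hop is allowed to act as the user.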
Pages
7-21
Physical description
Bibliography: 27 items
Authors
author
- Departamento de Lenguajes y Sistemas Informáticos e Ingeniería del Software, Facultad de Informática, Campus de Montegancedo, Madrid, jyaguez@fi.upm.es
author
- Departamento de Lenguajes y Sistemas Informáticos e Ingeniería del Software, Facultad de Informática, Campus de Montegancedo, Madrid, fmorant@fi.upm.es
author
- Departamento de Lenguajes y Sistemas Informáticos e Ingeniería del Software, Facultad de Informática, Campus de Montegancedo, Madrid, Imengual@fi.upm.es
author
- Departamento de Lenguajes y Sistemas Informáticos e Ingeniería del Software, Facultad de Informática, Campus de Montegancedo, Madrid, nicolas@fi.upm.es
author
- Departamento de Lenguajes y Sistemas Informáticos e Ingeniería del Software, Facultad de Informática, Campus de Montegancedo, Madrid, glopez@fi.upm.es
Bibliography
- [1] Morris J.H., Satyanarayanan M., Conner M.H., Howard J.H., Rosenthal D.S.H., Smith F.D., 'Andrew: A Distributed Personal Computing Environment', Communications of the ACM, Vol. 29, No. 3, March 1986.
- [2] Coulouris G., Dollimore J., Kindberg T., 'Distributed Systems: Concepts and Design', Addison-Wesley, Second Edition, 1994.
- [3] Barcia N., 'Propuesta de un Servicio de Delegación de Identidad en Sistemas Distribuidos', Thesis, Polytechnic University of Madrid, 1998.
- [4] Gasser M., Goldstein A., Kaufman C., Lampson B., 'The Digital Distributed System Security Architecture', Proceedings of the 12th National Computer Security Conference, pp. 305-319, 1989.
- [5] Kaufman C., 'Distributed Authentication Security Service', RFC 1507, September 1993.
- [6] Object Management Group (OMG), Framingham, MA, 'Object Services Architecture', Revision 8.0, OMG TC Document 92-11-9, 1 September 1994.
- [7] Kaijser P., Parker T., Pinkas D., 'SESAME: The Solution to Security for Open Distributed Systems', Computer Communications, Butterworth-Heinemann, Vol. 17, No. 7, pp. 501-518, July 1994.
- [8] Jøsang A., 'The Right Type of Trust for Distributed Systems', Proceedings of the Workshop on New Security Paradigms, pp. 119-131, ACM Press, 17-20 September 1997.
- [9] Gasser M., Goldstein A., Kaufman C., Lampson B., 'The Digital Distributed System Security Architecture', Proceedings of the 1989 National Computer Security Conference, 1989.
- [10] Gasser M., McDermott E., 'An Architecture for Practical Delegation in a Distributed System', Proceedings of the IEEE Symposium on Research in Security and Privacy, pp. 20-30, IEEE Computer Society Press, May 1990.
- [11] European Computer Manufacturers Association (ECMA), 'Authentication and Privilege Attribute Security Application with Related Key Distribution Functions', December 1994.
- [12] Gollmann D., 'What Do We Mean by Entity Authentication?', Proceedings of the IEEE Symposium on Security and Privacy, Oakland, CA, 6-8 May 1996, IEEE Computer Society Press, pp. 46-54.
- [13] ITU-T (CCITT), 'Data Communication Networks: Directory', Blue Book, Volume VIII, Fascicle VIII.8, Recommendations X.500-X.521, 1988.
- [14] ITU-T (CCITT), 'The Directory: Authentication Framework', Blue Book, Volume VIII, Fascicle VIII.8, Recommendation X.509, 1988 (revised 1993).
- [15] ISO/IEC 10181, 'Information Technology: Security Frameworks for Open Systems', 1993.
- [16] Housley R., Ford W., Solo D., 'Internet Public Key Infrastructure, Part I: X.509 Certificate and CRL Profile', Internet Draft, draft-ietf-pkix-ipki-part1-04, March 1997.
- [17] Tardo J., Alagappan K., 'SPX: Global Authentication Using Public-Key Certificates', Proceedings of the IEEE Symposium on Security and Privacy, pp. 232-244, Oakland, CA, May 1991.
- [18] Lamport L., 'Password Authentication with Insecure Communication', Communications of the ACM, Vol. 24, No. 11, pp. 770-772, November 1981.
- [19] Haller N., 'The S/KEY One-Time Password System', RFC 1760, February 1995.
- [20] Haller N., Metz C., 'A One-Time Password System', Bellcore and Kaman Sciences Corporation, RFC 1938, May 1996.
- [21] Miller S., Neuman B., Schiller J., 'Kerberos Authentication System', Section E.2.1, Project Athena Technical Plan, M.I.T. Project Athena, Cambridge, MA, 27 October 1988.
- [22] Oppliger R., 'Authentication Systems for Secure Networks', Artech House, Inc., 1998.
- [23] Steiner J., Neuman C., Schiller J., 'Kerberos: An Authentication Service for Open Network Systems', Proceedings of the Winter 1988 USENIX Conference, pp. 191-202, Berkeley, CA, February 1988.
- [24] Trostle J.T., Neuman B.C., 'A Flexible Distributed Authorization Protocol', CyberSAFE Corporation and Information Sciences Institute (University of Southern California), IEEE, 1996.
- [25] Yialelis N., Sloman M., 'A Security Framework Supporting Domain-Based Access Control in Distributed Systems', Proceedings of the ISOC Symposium on Network and Distributed Systems Security, San Diego, CA, IEEE Computer Society Press, pp. 26-39, 1996.
- [26] Erdos M.E., Pato J.N., 'Extending the OSF DCE Authorization System to Support Practical Delegation', Proceedings of the PSRG Workshop on Network and Distributed System Security, pp. 93-100, February 1993.
- [27] Open Software Foundation, 'Introduction to OSF/DCE', Prentice Hall, 1992.
Document type
Bibliography
Identifiers
YADDA identifier
bwmeta1.element.baztech-article-LOD7-0028-0038