cure channel, the reference monitor implicitly trusts the login system to be faithful to the user's ...... pcriorls of idle processing, systems can generate keys in ...
An Architecture
for Practical
Delegation
in a Distributed
System
Morrie Gasser, Ellen McDermott* Digital
Equipment
Corporation
BXB1-2/D04 85 Boxborough,
Swanson
lloacl
Massachusetts
Abstract
01719-1326
process,
the reference
monitor
that the access request Delegation is the process whereby a user in a distributed environment authorizes a system to access remote resources on his behalf. In today’s distributed systems where all the resources required to
wishes.
The fact that the user has authorized
sufficient grounds tional
cases,
reference
where the user makes
monitor
monitor
through
[DOD85]
to some form of reference
trol of the objects ically associates authenticated enforced
in the system. an active
user. Access
by the reference
had made them directly. identity-based, (ACLS),
with resources through
monitor
[Ames83]
The reference
roles or identities
different
and/or
requests
names
monitor
The access control
according
scheme
passwords),
security
presence
also occurs
systems
where the user selects
process
that is a subset
typ-
in multilevel
a single classification
of the access
access requests
classes
secure for his
for which
the
monitor
process
on some remote How should
identity.
user
system
may be
with local
has been activated
the local
by another
mmrit or has aut hcnt icat ed
reference
of the user to associate
authenticate
dctcrrnine
is for the local reference
login system
In this case the reference
monitor
with its local process?
approach
to ask the remote to properly
associated
has direct ly aut henticat cd.
system to which the user is logged in,
The most straightforward
are
in a computer
from its local processes,
are not necessarily
likely the local
monitor
to supply
the user’s
mcmi tor trusts
the user.
thc login
But this Icvcl of
trust is too great to bear in the world of mutually
suspicious
systems.
policy,
To limit the need to trust the iogin system
horses in the user’s
can ask the login system
for the user. The login system,
*This paper presents the opinion of its authors, which are not necessarily those of the Digital Equipment Corporation. Opinions expressed in this paper must not be cwrstrucrt to imply any product commitment on the part of the Digital Equipment Corporation.
from the user and forwards
DEC, DNS and VMS are trademarks of Digital Equipment Corporation.
still not very secure
Unix is a trademark of American Telephone and Telegraph Company.
has a chance
the password
trust than simply
a password the password
it to the local systcrn.
Asking believing because
to capture
the local refer-
to supply
in turn, obtains
is taken as evidence
at the login system.
20
CH2884-5/90/OOOO/O020$Ol .00 @ 1990 IEEE
routinely
system the reference monitor
also enforces
ence monitor of Trojan
in using
to some subset that the user is authorized.
the identity
of both.
the possible
by logging
in order to limit the ac-
delegation
the user.
such as access cent rol lists
to a mandatory
the rights of one of sev(e.g.,
where the login syst em’s refcrencc
with the
as if the associated
to act on his behalf
Limited
In a distributed
in con-
made by the process
to the
tions of the process
system
path
monitor
directly
can the reference
user is authorized.
to pro-
a trusted
entity, such as a process,
using mechanisms
rule-based,
or a combination Despite
system
of his process
eral permissible
Most
themselves
is
Only in excep-
of rights from the user to the process.
In some cases the user may delegate
process computer
to
himself)
know the user’s intent with certainty.
is a form of delegation
Background
users authenticate
a request
a trust cd path,
The user’s authorization
users that the reference
On any standalone
the user’s
the process
on which to base this belief.
but these processes
tect,
but to believe
reflects
act on his behalf (by logging in and authenticating
carry out an operation are rarely local to the system to which the user is logged in, delegation is more often the rule than the exception. Yet, even with the use of state-of-the-art authentication techniques, delegation is typically implicit and transparent to the remote system controlling the resources, making it difficult for that system to determine whether delegation was authorized by the user. This paper describes a practical technique for delegation that provides both cryptographic assurance that a delegation was authorized, and authentication of the delegated systems, thereby allowing reliable access control as well as precise auditing of the systems involved in every access. It goes further than other approaches for delegation in that it also provides termination of a delegation on demand (as when the user logs out) with the assurance that the delegated systems, if subsequently compromised, cannot continue to act on the user’s behalf. Delegation and revocation are provided by a simple mechanism that does not rely on online trusted servers.
1
has no choice
made by a process
for a password
of
requires a bit lCSS
the login systcm’s the login systcm,
and replay
Receipt
that the user is currently claim,
but is
if malicious,
the password
at a later
time.
Any system
he last changed
to which the user has ever logged in (since
his password)
can masquerade
behalf of the user, as the user may be operating
as the user to
different
A more secure technique a cryptographic
for authenticating
algorithm
erat ed by the user, allowing
and a hardware
the reference
mine that the user is in fact currently nicating
through)
be spoofed
the login system
by the login system.
authentication [NCSC87a,
Racal].
erence monitor
A number
reference
of “see-through”
2
this
device is one that permits special
special
hardware,
is some
that carries out the cryptographic the user properly
hardware
login system associates
to the reference
monitor,
the user’s identity
phys-
on behalf
monitor
type of smart
himself
the reference
card
feature V4
his
monitor
system
the reference monitor
to be faithful
to the user’s wishes.
user has authenticated sufficient
grounds
authenticating delegated
himself
By directly
to act
system trust.
the reference
controls
without
By
system
to which
can reliably
enforce
the user did not delegate.
But interactive
not always ulation” rlogin,
practical.
Except
as in the common it is not always
erence monitor
use of TCP/IP’s
convenient,
to freely interact
the authentication database
for examples
on the user’s
login system
em-
telnet or Unix
or possible,
a file server
by a query processor
(figure
1).
behind
It is not practical
a
tem.
to
Query processor on Iogin system
feature,
systems,
make
permits
subsequent
usc of the rights revocatio
eauthenticatic
the
to the ter-
attained
no fdclcgatio
than preset timeouts
ofonlin
the dele-
by the user so that
if compromised
through
nondcma.nd
used in other sysrevocation
doso
mservcrs[Girling82]
and
[Redel174]. delegations
are specified
that aredynamically
Because
created
they areunforgcable
access,
traditional
capabilities,
delegation
not sufficient
signatures
arc very much like
that possession access.
keynamed
and the key in the certificate
key cer-
tokens serving as proofof
Access
thecertificateaud protects
by public
at thenscr’sloginsys-
certificates
except
topcrmit
possess acryptographic of digital
and
by us to be prcscrrt in
schemes,
terminated
This instant
only those whoposscss
DBMS Server
not known
forwarding
authorizc(t cateis
User
(as well as that of the user) foranditing
purposes.
In our scheme
running
Girling monitor
cddclegates.
more security
tificates
and
thcrefcrence
Other systems that implernentinstant
indirection
for the ref-
[Kargcr86]
the idcntit y
with thehclp
with the user to carry out
Consider
dialog.
server that is accessed
of “terminal
tems.
for-
V5 [Koh189]
nareauthoriz
cannot
provides
is
multi-
“authentication
ofdclegations
to be explicitly
delegation.
V4 in that it through
can determine
authentication
mination,
time.
thcchai
intermediate
access
Kcr-
delegation
for Kcrberos
Kargcr
the dele-
the reference monitor
Onc additional gation
aIso called
by
Inourchain
Kerbcms
eliminates
serverat
is proposed
was also discussed
other
that
of delegations
a feature,
or “proxy”,
access control
of the distributed
aut hcnt icat ion of the rcmot e user by the reference monitor
(such
of those systems
to
cryptography
or cascade
the
the Kerbcros
except
goes further than Kcrberos
a “chain”
with
The delegation
server to initiate
need for anonlinetrustcd
In addition,
the login system in turn
any components
authentication
knows that all systemsin
is
the remote user in an unspoofa-
monitor
trusting
Our usc of publickcy
[Girling83]).
to the process. authenticating
gation.
thercfer-
directly
third party.
system,
an online
warding”
the user has
a connection
communicating
trusted
requires
and
hcrepmrnits
the remote user has delegated
authentication
ple systems
The fact that the
and by establishing
must not
the remote user and the
described
without
This architecture
up the se-
that login
the login system
local process
mechanism
computing
is very similar to that irnplcmentedby
permits
trusts the login
on which to base this additional
monitor’s
has delegated ble manner
through
himself through
to that system,
the reference
by setting
implicitly
architecture
[Miller87]
beros’s
and sets up
trusts its local process
of the user, but in addition,
cure channel,
between
to know whether
user or with any online
proto-
through
with a local process
explicitly
with trans-
of the Architecture
to a login systcm
some form of “secure channel” between the local process and the Iogin system.1 As in the case of the standalone system, the reference
occur
delegation
distributed
interaction
Overview
ence monitor
for the user,
challenge/response
authenticates
Any
monitor.
Thedclcgation
col for the user. Once
problems
in at the time
that cannot
dialog between the user and the remote ref-
to take place without
Similar
applications.
for general-purpose
require real-time
to deter-
that will accomplish
(A see-through
suitable
logged into (or commu-
ically at t ached to a terminal. ) More convenient but requiring
device op-
monitor
in a manner
devikes are available
the authentication
act ion processing
the remote user
in an entirely
and may not even be logged
the query is processed.
the local reference monitor. employs
context
of the ccrtifiispermittcdby
who canprovethcy
intheccrtificate.
the integrity prevents
Onrusc
of the certificate,
use by other than the
Figure 1: Multiple levels of indirection in an access. The reference monitor in the file server cannot directly authenticate
authorized
the user on behalf of whom the request was made.
sealing
expect
a number of tagged architectures have been proposed and implemented. Mullender snggcsted, in the Amoeba system
the file server to directly
time it receives
anthcnticate
R,cdell [Redcl174]
the user at the
the access request from the DBMS
holder.
server on
to prevent
[Mullcnder85], if forgery
lIdeally thk secure channel should be an integrity-protected communications path using some form of encryption.
a concern.
21
first proposed forgery
using
that encryption
the concept a tagging
and digital signatures
and misuse of capabilities Girling’s
capabilities
of capability
mechanism,
by unauthorized
cent ain one-time
and
be used users is keywords
to prevent
because
forging,
in capabilities
can be captured delegation trusted crecy
but the capabilities
keywords
and re-used.
credentials
locations
(a topic
(PACS)
cannot
are similar
in ECMA’S
[ECMA89],
on which
in Open
that ECMA’S
trusted online authentication
where un-
later),
Our
be assumed.
“Security
except
system
to potentially
we elaborate
to the privilege
groups of groups, and the ACL can specify that access by a user is permitted only from a given set of delegated systems.
over the wire
In a distributed
must be transferred
of a certificate
credentials
must be kept secret
communicated
4
se-
delegation
Simplified
Our simplified
model of computing
involves a user logged into
certificates
a workstation
that issues requests
to access remote
Systems”
framework
on behalf of that user.
certificates
are created
by a
can be any multi-user
service rather than by the user’s
not be physically
In general, computer
however, system,
present or ‘logged
resources
the workst at ion
and the user need
in’) at the time the access
request is made. Local
Context
and Definitions
This delegation
architecture
files within the workstation
is specified
[Gasser89],
an outgrowth
of work originated
[Birrel186].
While
incorporates
protected
System Security
“reference
scribe security-kernels, grees of assurance using standard
require no explicit
is controlled
delegation.
access to local
by the workstation’s
(DSSA)
the notion
of a clearly
normally
used to de-
applicable
workstation,
(figure 2).
by Birrell, et al.
does not concern
and is equally
commercial
Architecture
monitor”
DSSA
reference monitor
within the framework
Distributed DSSA
uses of a workstation
If the user logs into a standalone
of Digital’s
defined,
of Delegation
attribute
login system.
3
View
User P
itself with de-
to systems
“print Alpha”_
I
W
Workstation
File Alpha
~roce55
“Open@lpha>readJ”
ACL for Alpha
Sc
~
built
1
I
practices.
II
Under DSSA users log into local systems using smart cards that carry out cryptographic public
key cryptography
vices implementing ital’s
naming
authentication
[Rivest78].
a hierarchical
service
(DNS)
are available
and concepts
similar to those discussed
throughout
similar
services
authentication
mechanism
are not trusted for DSSA
Because
system,
For the most
for security. is covered
We generally
a common
descriptive
Principals possess
cret consisting or to digitally
are identified
a relatively
and public
distributed mutually reference
monitor.
common
set of protocols
consists
monitors
All se-
keys.
the process
cannot
in today’s
for access to local resources is systems and does not require
mechanisms.
example
Delegation of distributed
delegation
so that the workstation
the user’s files resident on a remote
server.
is from a can access
In figure 3, if the
m
The
bound
authority
a collection systems,
to-
(CA)
and enforces
au-
with
Certificates:
a
A
for interop-
are not centrally discretionary
of
each with
for compliance
D1 Delegation
managed. policy
for
and their access rights.
may identify
users, systems,
groups
CA SC ZSP 1~]
CA authorizes
“.s(7 signs for p
~{
SC authorizes
“WI
speaks for P“
Figure 3: Delegation to workstation. SC delegates to WI for access to files on WS-. The delegation certificate Ill is passed to
DSSA specifies the use
where the ACL lists the global names
of principals
Authentication
and mandat-
its own security
under its control.
of ACLS for each object,
Single-level
delegation
user to his workstation,
name.
and naming conventions implements
access controls
of
Except
Each reference monitor access to the objects
4.1
The simplest
system,
cryptographic
are usually
computer
erabili ty, the reference ory
the user,
a secure physical
service.
suspicions
its own
differ-
to other systems
signed by a certifying
system
occurrence
delegation
of an RSA key, and
themselves
keys of principals
and stored in the directory tonomous,
by a global
sign certifrcat es using their private
gether in a certificate The
between process,
permanent
to authenticate
the user and the process,
special
for clarity we often use more
of the private component
have the ability names
although
terms such as user, workstation,
or server. principals
behalf is called a “princi-
do not have to distinguish
ent types of principals,
channel between
maintains
itself or can make an ac-
cess request on its own or another’s pal.”
has authenticated
the reference monitor
This form of implicit
by
Linn [Linn90]. Any entity that can authenticate
No delegation is required
forge the identity of the user on behalf of whom it is operating,
The user
in detail
to local resources.
the reference monitor
and because
X.509[CCITT88b]
in
2: Access
when the user, authenticated to the workstation W by his smart card, accesses files on that directly attached system.
ser-
to X.500
the distributed
and authentication.
part, directory
Figure
on RSA
directory
name space based on Dig-
[Lampson86],
[CCITT88a],
are used for certification
based
Online
the W5 along with the access request.
The names on an ACL of users and systems,
user (P),
or
22
through
his local workstation
(W1 ), needs to access
the ability to access those files on his behalf.
delegation permit
delegation
4.2
theuser must delegate to the
remet e files on a server ( WS ), workstation
must result in a set of credentials
WI to prove it was an authorized
Chained
Delegations
This In many situations
that
there is more than one system
the user and the server.
delegate.
between
In figure 4 the user on workstation
WI accesses a file on the server Ws, but that request is in fact The delegation
from the user to the workstation
sented by a delegation
certificate,
card at login time (certificate specific
workstation
gation
certificate
SC signed other words, P can.
authorizing
SC has authorized
The workstation
delegation,
D1 in figure 3), authorizing user.
we show, ~1
a certificate
The delefor P.
this certificate,
The first delegation
to any server to which the workstation
pens
that a
nel (encrypt ed or physically verify the identity
link)
provides
between
of WI, so that the server knows
cei ving the request from the syst cm named cxmtificate,
and (2) integrity
the request provide
are outside
the scope
channels
of this delegation
we require secure communications system,
significant
on integrity
Shown certificate
mechanism
authorizing
in figure
This certificate
certifying
authority
discussion, tificate
elsewhere
[Linn90],
tory service,
as compared
are dynamically all the systems,
and authentication
stored
to the delegation certificate
service,
must have access looking
Before
in the delegation
ence monitor
of delegation
mention
the names of the dclcgatcd
security
weaknesses
description
that
This section
of the delegation
a third principal bitrary
(P)
the delegaare available
we don’t
show A being
where delegasyst cms,
provides
pre-
a more
process with additional
cipals,
when explicitly on behalf
of the system
The rcrp.rests to access an as requests
of the target
system
relevant
to this discussion
that a reference
monitor
sociated
label or “access
involved
arc not noting policy
class range” receives
usually the last systcm in the delegation
and not the label of every system
23
the details
a label-based
with the systrxn from which it directly
access request,
are also be the same as those named in the delegation
certificate.
While
of dclcgat ion, it is worth
need only know the security
the re-
clclegates.
by the trugct sys-
and its mechanisms
that enforces
had con-
in the chaiu must
as permitted
tem, may further limit access to the ot)jcct.
those
by the
An additional
principals
policy
prin-
are being
are mediated
by the first principal.
security
that
as if the requests
access cent rols, if cmployrd
of the mandatory
the refer-
making
indicated
As
to an ar-
made by any of the rkkgatcd
straint is that all the delegated
to be
delegator.
can be “chained”
of the first principal,
monitor
of the
by authorizing
to act on behalf of the original
number of other principals.
princi-
on behalf
and may further dclcgatc
earlier this delegation
Mandatory
the dclcgatcd
an object
be listed on the ACL of the object
to
the server scans the ACL, Of course,
to access
on a target systcm
made
Delegations
has been received,
object
reference
the name of
name that matches
and Using
principal,
we indicated
is needed by the
crxtificates
Creating
delegating
nscr and workstation(s)
certificate.
identity
above,
for the mechanisms.
pal may make requests
between
in order for the request
access,
Process
anrl is also insufficiently
directly.
Once a delegation
cer-
must insure that the user named in the request,
and the authenticated qncst,
Both
for a user name and system
identified
overview
5.1
pro-
certificates
an ACL that contains
permission
WI and the user.
simplified
been made directly
granting
care,
request.
have been autho-
The
thorough
to this
the user and also may list the name of the workstation(s)
granted.
not
case, must trust W2 to
of the Delegation
motivation
passed from WI to Ws.
which the user may delegate.
does
any access
Details
cise to be implcrnentcd
in the direc-
that signed
Since authentication
The server WS enforces
and
made
by some
crest cd. Even wit h secure channels
from the directory
has no proof,
faith on behalf of both
tion certificates
the user:
are not important
is the owner of the smart card (SC) tion certificate.
the server
5
has some
server to verify that the user narncd in the access request
to systems
to
the smart card with the
probably
the authentication
that W2 is authorized
WI and W2, as well as P, must be
by the
but it is worth noting that the authentication
A is static information
Both
cer-
using DI,
While
is signed in advance
that associates
the
dclegat ion
a chain of reasoning
WI or the user actually
act in good
3 is an authentication
user. The details of the certification cess, covered
to and
here does not
the smart card to represent
Through
The server only knows that the delegations
foolproof
is attained
discussed
second
to the server, W2 forwards
rized and, as in the single workstation
of this secure channel.
for completeness
1~1.
in security
that
whether
even wit horrt secure cornmunicatious.
Integrity of the delegation depend
architecture.
for a completely
improvement
use of this architecture
Mechanisms
are well known
The
hap-
for
thatWI permits Wz to speak for the user.
(Dl and D2).
Note
it is re-
in the delegation
is the same as the one WI sent.
to speak
named on the ACL.
to
so that the server can be sure
secure communications
is authorized
any access requests
speak for the user.
the Ws
(1) authentication
WI
D2 and A the server can conclude
there must be a secure chan-
protected
The secure channel
to W2 to act on
to the server a copy of both its own and WI’s delegation tificate
For this scheme to be robust
In this case, the
from the user to the workstation
where
Before making
request on behalf of P.
and WI.
as before,
l~]says
of
submits
of the user.
user (certificate e DI in the figure).
In
as proof
on behalf
to WI which in turn delegates
behalf of the user.
means that W1 to speak
by W2, acting
user delegates
the
WI to access anything
passes
made
signed by the user’s smart
to speak for the specific
format
is repre-
asthe
chain,
in the delegation.
“read Alpha for D1 — EImii21
P“ ACL for Alpha
Wz D2 ~1 *
Wz I delegate read
I Certificates: ~1
CA authorizes
“S(3 signs for P“
D1 Delegation
~1
SC’ authorizes
TVl
Dz Delegation
1~]
WI
‘TV, speaks for P“
A
Authentication
Figure
This is because outside
no system
..th.ri.es
4: Delegation
levels
two
can be permitted
its access class range, and within
speaks for P’
deep.
S(7 delegates to WI which delegates to IVz. expiration
to communicate
is imminent
a delegation
the user’s local workstation
that range the sys-
tem must be trusted to specify the proper access class of every
that have received soon-to-expire
request.
access class does not provide
renewal requires that the workstation
assertion
requiring
Dclcgat ion at a specific
any security
benefit
over simple
of the access class
Delegation tificatcs.
is authorized
solely
by signed
In a chain of delegations
delegation
certificate
delegation
each principal
retains
for itself signed by the previous
pal in the chain, and signs a delegation
workstation,
princi-
behalf of the first principal
to access an object
must obtain
for the previous The rcfcrcnce
chain of certificates, object.
the reference
of a delegation certificates
in addition
to enforcing
monitor
Delegation
Typically
the delegation can forward
5.3
tkc validity
can be cached
on snbscqucnt
and the
ence monitor needed,
as required.
When
as when
the original
the chain should
not continue
stressed earlier, good
prior
systems
the delegations to represent
to it so it
trust.
chain is in fact corrupt each certificate ing which
contains
the corrupt
the user’s behalf.
a timeout system
are expected
monitor
to be reasonably
by a timeout.
and which
to the system,
properly
system at risk.
of the
compromise
delegations
time out, so
can only affect users who recently bnt for the 24 hours or so that the
compromise
be concerucd
of his system after he has logged
is a serious
workstations
did not In other
on behalf
its own future
is still in effect a user might rightly threat
where anyone
revocation
in an environment
can use the machine
of after
of a delcgatiors could be implemented
copies of all delegation
the user to all servers.
on
ing one- time passwords
certificates
In schemes for proof
such
in a chain from as Girling’s,
of delegation,
us-
each system
need only delete its password. But delegation certificates are “public” and their whereabouts cannot be constrained. Even though
long, on the order
the legitimate
be trusted
session will not
For very long sessions
trnstcd
while it is still operating
This scenario
by deleting
dur-
to operate
to behave
system
that user. Eventually
Immediate
to the rules,
in the chain have
interactive
ca-
the user departs.
will grant no access.
of a day or more, so that a typical be interrupted
continue
of a previously
of a system
public
in a
that limits the period
If any of the certificates
timed ont, the reference Timeouts
act according
could
intervals,
be assumed
a compromise
out.
to act in the best
must
be able to prevent
about a possible
As we
Bnt, in case one of the systems and doesn’t
Girling’s
from affecting
delegation
in
interests of the user, and the user must assume that no system to which he delegates will delegate to another systcm that the user doesn’t
iutcgrity-protected.
users of the trusted
a systcm,
delegated
are no longer the systems
the user.
are expected
7.3.
if the certificate
to it is in effect, it would be nice if a sub-
compromise
user, should
of all
or to the refer-
riser logs out,
in section
to implement
Keys
a system
while a delegation
words,
for the systems
jobs when delegations
to all systems that have made the query.
Delegation
place previous
to the next principal
are discussed
In
at the original
are timed out with the help of an online authentica-
Whereas
requests. )
in the chain will keep copies
certificates
those copies
does not possess.
present
are linked by
Timeout
each system
topics
be cryptographically
scqncnt
5.2
physically
are more difficult
must signal a timeout
the
the ACL of the
has verified
chain the information
need not be forwarded
in the chain must be signed by the
tion server that is queried at appropriate
along with
must validate
being sure the certificates
delegates,
(Once
monitor
These
pabilities
in the chain and
must forward those copies to the reference monitor the access request.
cannot
a copy of all the dcle-
principals
the user,
as is the case for batch or background
Timcmrts
on
by
certificate es. This
rcauthcnticatc
the user may have logged out long ago, restricted
to the next principal
are used. in the chain wishing
gatiorr certificates
authorized
the first certificate
case the user is no longer
a
if it chooses. Any principal
delegation
user’s private key which the workstation
ccr-
is initiated
to all the systems
that the user re-cnt er his smart card or password,
because
by the last system in the chain.
renewal
and propagated
systems
cates, there are additional
where
24
in the delegation
chain could
to delete their own copies of the delegation copies of the delegation
certifi-
certificates
not under control
of any of the trusted
In particular,
the server for an object
the delegates,
systems
in the chain.
yet it must receive a copy of the delegation
tificate for each of the systems in the chain. files on a server, a good system imate need to forward
[K. IKl a. WI for P until T ]
need not be one of cer-
The certificate
In order to access
because
in the chain will have a legit-
all delegation
certificates
delegation
to the server
Using
certificate
D2 in figure 5 the server (W~)
delegate
to it. (In a distributed
system where the user has ac-
at the time it makes the request,
cess to data on many different
servers, there are cases where
component
server does but not trust a different
in order
to access
server desiring
to data
copies
are of no direct
and would making
therefore
a request
not be able to represent
to another
system.
after Iogout but before expiration, systems malicious
server,
certificates original
even after because
system
time
of the delegation quently
of the
can retrieve
user for access to any file on any other good certificates
the
server,
expire.
a principal
certificate
not trusted
may have to be disclosed
as much
as the named
any public
key scheme
a digitally
signed
it is generally
certificates
in transit can be captured
unsafe
to assume
certificate e is confidential.
ends but before
the timeout, key. ” A delegation
on a “delegation keypairgeneratcd The public certificate
component signed
component
(if any).
version of the two-level
a more precise
future diagrams
by replacing keyof
for the current
we
is held by WI, and certificate
card’s
private
of K1 is permitted
K2 is authorized
key, specifies
that
component
format here is expanded
a new field for the delegation
of K1.
there to
certifi-
perhaps)
using the private
kcy KI.
But the old dele-
because
the private
neither
component
in that certificate.
Hence,
W2 nor any of the delega-
A new delegation
with
a ncw
delegation
IVl has no choice
pri-
but to gencrat e a
kcy pair for itself K{, but K~ is useless unless card delegating
to this key.
it is nnlikcly
The smart
if the user is willing
to, the compromised
for possession
attempt,
to
systcm.
that a server will challcngc
of the delegation
since that would seriously
K2S is on behalf of P (if so claimed
the private
egation
Dl,
Therefore,
signed
the private
a work-
kcy on every access
impact
and possession
performance.
In-
in order
W2, in acldition inform
by W2) once proof of del-
of K2 has already
to completely
to deleting
its private
WS to tear down the sccurc
channel.
to reopen
a channel
possession
will be required --something
plus
the delegation,
compoucnt
the certificate,
to Ws,
been established.
tcrmiuate
The delegation
to include the timeout
kcy in addition
by cer-
stead, Ws will assume that any message on the sccurc channel
to speak for the user. Similarly,
to speak for the user through
D2, signed by the private
W:,
a new certificate
by the smart
In practice station
the smart card,
session,
to sign a new delegation
system
log into, and dclcgatc
the name of the
successto verify
D1 as proof that it is still
card will only sign such a certificate
the
Ws
which WI will not be able to sign with KI’s
ncw delegation signed
by the CA’s private key, KCA. KI is the public
by the smart
the principal
it uses
servers
as required
to do.
certificate
possesses
vat e component.
with the key used to sign it.
key generated
of which
certificate
which
in figure 4 illustrating
A shows that thepublic
KO, is certified
component
5 shows
Inthisand
more precisely
signer of the certificate
portion
Figure
delegation
keys used intheccrtificates. show certificates
delegation
system,
other
component
D1 is useless
will require
key pair K!,
and the private
Wz can no longer
of the old delegation
certificate
to W;
system,
from
the private
WI can attempt
tion key Kz mentioned
in the delegation
If Wz is subse-
to obtain but since
from
of
USCICSSany copies
compromised,
or it can attcrnpt
system
for each session.
the del-
components
WI can attempt
(for another
component
itself to the server and to sign the next del-
certificate
Certificate
dclcgatcd cate D; gation
needed,
than Wz, is subsequently
reuse the old delegation
other system
of the key is named
by the delegating
of K2’s private
In
after the “ses-
K2
D2.
the delegation is based key is a public/private
is held by the delegated
toauthenticate egation
bythedelegated
its possession If WI, ratbcr
by wirct appcrs.
certificates,
to any challenges
are two things
that
wi th
component
by Ws.
attempt
of K2 was not saved,
to
As a minimum,
To avoid this type of reuse of a delegation sion”
delegate.
held
Wz can
fully respond tificate
thc private
are no longer
certificates
compromised,
component
this secure
protocol
D2.
and reuse the delegation
The above scenario may seem a bit far-fet ched, but it points out that a delegation
a challenge/response
keys KI and Kz, rendering
good
digitally
communications
W2 associates
WI and W2 erase the private
their delegation
from the server and can then act on behalf of the
until the delegation
systems
the private
of 1{2, but more
on a secure
W2 and Ws.
Now, when the delegations egated
the user when
by an accomplice
the compromised
named in certificate
certificates
But if, at some
will only
W2 could
component
W2, where Wz proves it possesses
These
one of the previously
in the chain is compromised
the request
wit h K2 through
server,
in any of the delegation
it will send
channel
systems.
use to the malicious
likely
on another
certificates
the server is not named
on
that it possesses this proof
with the private
K2S, between
server could retain copies of the received
by the delegated
sign its request
To provide
channel
resident
all copies have been deleted
of K2.
to make use
of the user’s rights to access information
but the
accept a request from W2 on behalf of the user if Wz can prove,
data on one
that server for access
server. ) A malicious
to
name WI,
on the ACL,
is to the key KI.
or not the good
himself
trusts the server enough
to include the workstation
whether
a user authenticates
system
continues
that name is needed for lookup
of K2, must
If W2 then tries
a new certificate
and proof
W2 cannot
of
do if it
has erased its key.
to the names of It should bc andcrstood that signatarcs are always done asing private componcats, and only public components arc transmittcxi between principals as “data” in a certificate. Private mmponmts are never disclosed to other principals.
and workst ations:2
‘We don’t explicitly bother to ia&lcate in these figures the private vs. public components of the keys; thk should be obvious from context.
25
~ Certificates:
A
Em3@l
Authentication
KCA signs ‘(KO signs for P“
speaks for
D1 Delegation
K. IK1 as WI for P
KO signs “K1 as W1
D2 Delegation
K1 IK2 as W2 for P
KI signs “K2 as W2 speaks for P“
P’
Figure 5: Delegation keys. Delegation is expressed in terms of the ability of a system W~ to speak on the user’s behalf if it possesses the delegation key K;. W, uses K~ to authenticate itself and to sign further delegation certificates. Successful
revocation
depends
nications.
Since
an attacker
and defeat
the revocation,
and each intermediate delegates
cm the reliability
could
disrupt
it may be desirable
delegate
(by challenging
each identified
of commu-
both
for the server
to periodically
very restrictive
of int crest)
rcauthenticate
them for possession
Within
but not so often that performance
very much
question
is hampered.
than simply
forwarding
first system.
The primary
If all systems starting
systems
in the existing systems
the existing different
Also,
available
our delegation
from
attacker
and working problem
damage
forwarding
This
architecture
depends
(small)
in Unix,
by substituting
The reference monitor
by using
Since the reference
the key to the next Nothing
force
to
access,
on the delegation,
in
first delegation
on the use of encryption
monitor
now uscs the role name to en-
monitor
must ascertain
for the user whose
certificate
used in figure 5,
adequate
in the chain.
for auditing
and the authentication
key Kt, the name of the delegated
chain.
Though
key, Kd, of the previous
adequate
diet ate some further
6.1
public
delegator
practical
rights
in the
6.2
certificate
in the chain.
the use of “roles”
when
signing
We can provide
where users may have a number
the real user’s
purposes.
into the certificate
certificate monitor
(it is sim-
because
a false name,
monitor
to
But the name dcuial
A hint is
must fct ch the user’s service
on the first delegation is what certifies determines
anyway
certificate, P and its
whether
R is
role for P by similar lookup of certificates The prccisc description of the mcchauisms
in by
whose full
roles, is a topic for a future paper,
UIDS and Public Place
the first delegation more flexibility
the
Also,
from the directory
The reference
of authorized
that the user has one identity
the
which the user asserts a role at login time, and the validation
considerations
refinements.
he delegates
key.
an authorized the directory.
Roles
So far we assume access
in principal,
the reference
certificate
in order verify the signature
W,, and the name of the original delegating in the chain P, all signed by the private component
that
card signed
to the server as a “hint”)
because
anthcntication
smart
to the role name R, must be available
monitor
ply communicated
(target ) system
of the delegation
and is
will grant access only if R is named on
the reference
role is authorized
[Kd Il{i as Wt for P Until T [
principal
a user
the mlc name R for the the
of service is the only effect of giving
delcgatimr
certificate,
the ACL of the object.
P does not need to be bound
has the public
in
the
anyway through
of reasons.
certificate
names
in VMS.
IKd IKt as Wt for R untd T
in col-
(since
Refinements
of a delegation
and they work
to only the role is dclcgatcd,
use of a role is a restriction
the reference
The structure
groups,
“*. proj ect”
or rights identifiers
name P, in addition
Practical
to
user’s name P:
for confidentiality.
6
to much
have access
usc of role names on ACLS.
that access available
accommodated
of WI
a service that we do not expect
for a number
roles are simply
have access
roles (that
on
to set up
WI if subsequent
chain) but is easily avoidable securely
system requires encryption, be universally
a future
This is a minor
can do considerable
delegation
keys.
chains
don’t
by appropriate
[Organick72],
can specify
key then WI cannot,
chain are corrupt
lusion with the attacker. corrupt
prevent
new delegation
roles (that
like the groups
may appear
and it is possible
By placing the role name in thc delegation
key Ki, rather
of KI used by the
reason is to limit the scope of trust.
share the same delegation
at the end of the session, from
delegation
to each Wi copy
DSSA,
Multics
may be why we require each system
IVi in the chain to have a separate
Role names
as well as privileged
more than usual),
of Kz ) at some
interval (say, an hour) that is much smaller than the timeout A reasonable
by a role name.
ACLS as if they were user names,
communications
In any implementation,
in
and systems,
of aliases,
as specified
a user or systcm.
26
Keys
as Identifiers
in
of Names
Even
human-readable
names
for users
on ACLS, do not uniquely in the case of a structured
identify name
(as in DNS or X.500), there is the need for soft links topermit transparent name space reorganizations (and other
intO subsequent
space
conveniences)
as described
in DSSA.
there may be more than one global pal, and it is possible
Because
Certificatees. UR replaces
the certificate.
For delegated
by roles, we can use the public
of these links
in place of the system
name for a given princi-
of that user or system
identified
all the ACLS that contain two choices: be found
in the delegation
because
IKd IKt as Kw, jor UR until T I
a name.
If we don’t
or (2) on every access,
attributes
to determine
those of the user identified
cates.
Choice
(1) is undesirable
whether
(z), involving
a number
of directory
ACL size, could be a performance permit
whether
tire reference
identifying
information
(which
The reference
tifiers.
If it finds a match,
it is better
certified
information
up both
names
in the
stored in the directory
not expected
enough
between
A convenient identifier)
for a user.
UIDS fairly
directory
functions.
entry keys
delegating
names
is a UID
key is a
still verifies
this type of restriction
the role mechanism a restricted
and places
dentials
of the principal
that can happen
stored
match
with
the restricted
if role UIDS aren’t
a right he doesn’t
when
The ability
reference monitor
has interpreted
unique
have (e.g.,
to a systcm
that is
the limited
Only objects
role
with the
to the system.
to a role per individual
and be aware of them.
using roles to restrict
object,
Another
problem
with
access is that the user may
to alter the ACLS of all the objects
current
architecture
does
not
support
for a user to make an on-the-spot
restrict
access
Mechanisms
to specific
objects
to
system
[Sollins88]
[Anderson86]
cre-
cally rest rict dclegat ed access,
The
sion in the delegation
a generalized
ad hoc decision
on a per-delegation
such as “constraints”
in the Monash
the
7.2
the role’s UID as belonging
else) and all accesses will fail. The UID is needed
Delegate
DSSA
solely as an aid to search the ACL. certificate
authenticating
and capabilities
offer means
to dynami-
and are candidates
architecture
to
basis.
for inclu-
if the need arises.
is that a
because
or role, UR, is inserted
set of
which he has access.
are able to
service.
6.1. The
role name on the ACLS of
access the user specifies
can be extended
has to manage exclusively
service need not
in the directory
user will delegate
The UID of the principal
When
in section
to a limited
but too many roles are likely to get out of hand since the user
(uniquc-
the actual
as discussed
role for access
With some ad-
role on their ACLS will be accessible
This concept
of these UIDS, since the reference
each ACL
may want to delegate is readily implemented
limited
but
keys do not
service
services
to a system
of Files
vance planning
not have the ability by the directory
to Subset
and then does the usual full delegation.
a user may
Public
Note that the directory
for uniqueness
first delegation
Access
to have this limited
keys are
system,
card.
Directory
all needs using roles
objects.
objects,
well, and UIDS can be used for other
monitor
to someone
since public
This is because
of unique
can be better
access to only a subset of its accessible
user creates
roles.
or role is created.
be trusted
use public
for a delegated
in his smart
source
maintain
worst
identifiers,
that is maintained
a principal
Delegate
through
(by
roles with different names, all sharing the same
key contained
differentiate
we could
to change as often as na.mes.3 A public
have multiple public
as unique
good unique identifier
is not good
addressed
only those objects.
In place of names in certificates
reasonably
that almost
delegations
A principal
along with the
for that principal). of the principals
to be little reason to do so. It appears for restricted
7.1
then mat ches up unique idenit looks
is not hard (we would
cert ificat e), but there seems
as
to put unique
does not change when names
monitor
to this architecture
set of Adding
determine
service to see if they refer to the same principal
comparing
to
to access a restricted
to read, but not write his files.
and other mechanisms. quickly
and in the ACLS,
names. directory
to
only a subset of his rights rather
the ability
add more fields to the delegation
and choice
proportional
refers to the same principal
name in the certificate,
in the certificates
such mechanisms
disaster.
a different change)
afiiIiation,
monitor
a name on the ACL
files, or the ability
certifi-
that
access to any ob jcct accessi-
role. There are a number of cases where a
than all of his rights:
those attributes
lookups
is very much like a capability
permitting
user might want to delegate
many name changes
do not reflect a change in organizational
certificate
ble to the identified
up each
by the delegation
because
Delegations
grants broad powers,
cannot
look
Restricted
A delegation
has only
service and fetch that direc-
match
To
accommodate
monitor
(1) deny access if a name in a delegation
name on the ACL in the directory
7
there is no way to find
in some way, the reference
on the ACL;
tory entry’s
kcy Kw, as the unique name
name Wi.
certificate.
to change all ACLS every time any portion
of the name space is altered name changes
the role name R in
which are not qualified
that the name of a user or system listed
cm an AC L (meat ed long ago) is not the same as the name It is not practical
systems,
does not constrain
types of access into the
ACLS because
signed by the smart card and copied
a Subset
of Access
semantics
of access
rights that may be reqnestcd these details
depend
Rights requests
or
or recorded
in
on the types
of objects
and operations implemented by each reference monitor. If a user is to restrict delegated access to some subset of possible
3We recognize tkat urriql[eness of inrkpendently generated public keys cannot be guaranteed, but the odds of duplication arc sufficiently remote for oar purposes. Intentional duplication of a public key is not possible arrlesstbe corresponding private key is compromised.
rights,
the syntax
(specified
by all reference
27
and semantics
in the delegation
describing
certificate)
that that subset
must be understood
rnrmitors likely to make use of the delegation.
Since a nniversaJ standard
for representation
is not available,
of arbitrary
One might “read”
delegation
be able to define a common
and “write”
implement,
that all reference
but restriction system
is difficu~t.
set of rights
monitors
Carrying
on or
The
only major
the file directly
drawback
from
at time
this scheme
is for
as the print server will only be able to store a finite
number
to
out any activity
the print server access
printing,
are likely to
is likely to require rights such as “login”
than having of printing.
that the user may have to wait for his file to be queued
like
to a subset of these is unlikely
be useful except in special cases. a remote
of access rights
subsets
of fries.
In today’s multiple
printing
included
architectures
a print job may consist of
files and fonts fetched
by the print server
from places that the user knows nothhg
about.
manager of the remote system (or owner of the remote object)
sophisticated
of rights to a single
which the user may know nothing
about.
named file will not generally
will not have enough
to select the proper
“connect”
to the remote system,
of possible
rights defined by the system
information
rights needed to accomplish
In general,
the user
Delegation
to Background
are cases where a system
Delegation
Within
Jobs
must continue
on behalf
of a user after the user logs out.
operation
depends
on delegations,
remain valid for the duration the activity originaf
will complete
delegation
the architecture retains
certificate
described
its certificates
requested
operations
gation
certificates.
that are scheduled cluding
jobs
the most
DSSA
remain pending fore it runs. delegations
time of the system simply
or the delegations expiration
background
Nonet helcss, we believe
some time in the future,
are
some
planning
carry out for very specific is not unreasonable these selcctcd
runs.
A delega-
that extending
choosing
to delegate
short public
we can arrange
After
on his behalf
be willing
at ivcly
at
Possibly
to
because
Setting up such batch jobs,
advance
requires
and such jobs (e.g.,
for signature
digit al signing,
protocols
sion situations
usually
check for mail).
(for delegation
verification, fast,
It
from
roles for
large
where a system
approach
and
delegation
the less frequent
of a session.
investigated
This is
so that signature
takes
While we envi-
may need to check large numaccess requests
we do not foresee
has to sign large numbers
a case
of cert ificat es.
to be the moat acrious performance
architect nre requires
in each chain.
By
exponents,
for each dclegatiorr is not expected
of systems),
appears
Key
operation.
which is done rel-
while
(e.g., a server that receives
this
(using
is much slower.
where a systcm
numbers
are digital keys).
and long private
can be structured
bers of signatures
to Servers
case where limited
key tech-
signatures
place in parallel with network communication.
To address
a new key
this problcrn
for each wc have
several optimization:
delegation
print servers.
●
access to only the file to be printed,
reasonable
exponents
The need for a signature
is to simply
the file to the print server as part of the print request,
Generate
keys
processing,
systems
in
advance.
delegation
and can keep a cache
can generate
During
pcriorls
of ready
keys.
used if the disk has been removed.
rather
28
of
These
as long as they
are erased from disk when used for a delegation
copy
of idle
keys in anticipation
keys can sa.fcly be kept in online storage
time, and only for a single access.
the most
some
The primary operations
time consuming
frequent 1y, to be quite
operation,
When submit ting a print request to a server thc user might only for a limited
it is a t argct,
using RSA public
intensive.
to add much delay to the establishment
to a server might make sense. This involves like to limit the server’s
of a
a separate
Performance
is by far the most
Key gcnoration
There is at least one specific
with
(using the private key), verifying
generation
the time-
cases.
users to set up special
Delegation
for which
handled
the public key) and key generation
jobs.
Limited
to a user is better
Improving
concern,
7.4
and remember
in the use of roles.
signatures
offered by the timeout
by the user,
to expect
card that is the target
wit h which this archit cct ure needs to be concerned
of time.
functions
key for each delegation
niques are computationally
then the
those that run on a daily basis, normally
advance
a smart
It is well known that calculations
could
For batch jobs that run far in the future the role mechanism especially
delegation
8
length of time be-
to operate
is a suitable way to restrict access.
have to generate
have
basis)
any bat ch job
risk in most
he should
amount
would
Delegating
have to have a very long timeout,
outs for such jobs is an acceptable
Also,
delegation
planning
or batch jobs (those
require delegations,
reduce the security
be cumbersome.
with would
and would have to know which key to use in a given session.
expire.
might
in a trusted
time of dele-
on a periodic
although
a system
we could
time in the future, in-
in queues for an arbitrary
it for that expected
In many cases
the expiration
to run at a specific
all, if the user expects
to exchange
While
manrrcr, doing so in practice
must be in effect when the job
mechanism.
principal.
one another
cases where the system
tion to such a job might
the delegated
users to be the targets the delegator
must
so no change need be made to
examples,
with
requires
then the delegations
the normal
Deferred
we do not intend
Delegation
two smart cards communicate
so far: the delegated
If such batch jobs
and long timeouts
information
to Users
devise a scheme whereby
that rerun themselves
common
to operate
even after the user logs out until all
well beyond
the file to be printed.
of an
are completed
But there are several to operate
permit
Under these
If success
of the operation.
within
delegation
a given task.
of delegation. There
simple
subset
7.5 7.3
schemes
and not
●
Reuse unused keys. Depending cm the implementation oft he protocols, many delegations will occur but will never be used. That is, a system will delegate to another system at the beginning of a session in case remote access is required, but the resources might be local to the delegated system and the delegation may never be required. In this case the sarnc delegation key can be reused for the next delegation. This technique is only secure if the delegation certificate is destroyed by both delegator and delegate and never disclosed to a third party.
. Use short keys. Time to generate a key is a functicm of key length. Unlike principals’ authentication keys that are relatively permanent and stored in authrmticatirxr certificates in the directory service, delegation keys are only needed for the duration of a session. As long as the public component of the delegation key is never used for confidentiality (it is not in our architecture), no harm is done if the key is compromised after the delegation expires. We can therefore probably get by with much shorter (lCSSsecure) keys for delegation than would be needed for long term use. Avoid unnecessary keys. The architecture is rlesrxibed in terms of principals rather than users and computer systems, where a principal may be a process or application on a system. It is possible, then, for rnanY principals to exist on the same computer system. In the case where the delegator and delegate are principals under control of the same reference monitor (i.e., are two processes on the same system), it is not necessary to use cryptographic techniques to certify the portion of the delegation chain involving the two principals. Instead, thc rcfcrcnce monitor maiut ains a single delegation key for all processes under its control that arc part of the same chain. The reference rnorritor keeps track of the keys that processes may use. only when the delegation chain “enters” and “leaves” the systcm is cryptography required.
References
Copy delegation keys. Although wc statrxl earlier that ideally we would like each system to have its own rielegatiorr key, significant security is not lost in most cases by simply forwarding the key from one system to the next. In the event that kcy generation becomes a problem in certain applications, the architecture prwmits any two systems to resort to kcy copying without affecting any of the other aspects of the architecture. While key generation performance is not something to ignore, we think that there are enough ways to minimize the problcm that feasibility of implementing the delegation architecture is not in danger. 9
course, prototype implement ations. A formal dcfini tion and justification for all of DSSA is being written using notation and rules to express statements of belief and trust, The logic we arc using is an cxtcnsiorr of that defined by Burrows, et al. [Burrows88]. Rangan [Rangan88] has drwclopcd a more complete method for forrualizing reasoning and trust in a distribrrtcrl systcrn, but it appears that a simpler logic will bc adequate to express the basic concepts of DSSA. The goal of DSSA is to elevate the lCVC1of security of a heterogeneous distributed system to that routinely available with today’s state-of-the-art standalone secure operating systems. The architecture is not a theoretical exercise, but was designed with numerous practical implementation issues in mind. It is intended to bc irnplcmcntcd, at reasonable cost and performance, using techmdogy that wc expect to be available in the very near future. Initial installments of this architecture will be deployable without a wholesale rcplacemcrrt of existing hardware, oprxatiug systcrns, and applications, and we are currently devch]piug prototypes to demonstrate this fcasibilit y. At the same time, DSSA does not commit us to undesirable tradeoffs that may be due to limitations of today’s tcchrlology. Since architectures, once implerncntcd, do not die easily, we have set our sights on a long tcrrn goal to provide the maximum level of sccnri ty for the widest possible varicty of computing styles and applications.
[Amcs83]
S. R.. Ames, Jr., M. Gasrwr, and R. R. Schell, “Security Kernel Design and Implementation: An Introduction,” Com,puter, 16(7):1422, July 1983.
[Andcrson86]
M. Anderson, R.. D. Pose, and C. S. Wallace, “A Password-Capability System,” The Cornpufer Journal, 29(1):1 8, 1986.
[Birrcl18ti]
A. D. Birrcll, B. W. Lampson, R. M. Nccdharn, and M. D. Schroeder, “A Global Authcnticatiorr Service without Global Trust,” Proceedings of the 1986 IEEE Symposium on Secu,rit y and Privo.cy, IEEE Cornpnter Society, 1986, pp. 223 230.
[Bnrrows88]
M. Burrows, M. Abadi, and R. M. Needham, “Authentication: A Practical Study in Belief and Action,” Proceedin.,qs of the Second Conference
on
Theoretical
about Knowledge,
29
of Reasonin,q
[CCITT88a]
International Telegraph and Telephone Consultative Committee (CCITT), X.500, The Directory – Over-view of Concepts, Models and Ser-rnces(same as 1S0 9594-1).
[CCITT88b]
CCITT X.509 The Dwectory - Autl~enticar!ion, Framework (same as 1S0 9594-8).
Conclusion
The delegation scheme presented in this paper is an important component of Digital’s Distributed System Security Architecture. Items yet to be done inclnde a formal definition and, of
Aspects
M. Vardi, cd., 1987.
[DOD85]
Department
of Defense, Trusted Computer Criteria, DOD 5200.28STD, December 1985. System
[ECMA89]
[Gasser89]
[NCSC87a]
“Final Evaluation Report of Security Dynamics Access Control Encryption System,” National Computer Security Center, 9800 Savage Road, Fort George G. Meade, MD 20755-6000, CSC-EPL-87/001 Library No. S228,455.
[Racal]
“WATCHWORD Generator User’s Manual,” Racal-Guardata Limited, Richmond Court, 309 Fleet Road, Hampshire, England GU138BU.
[Rangan88]
P. V. Rangan, “An Axiomatic Basis of Trust in Distributed Systems,” Proceedings of the
Evaluation
ECMA/TR46, “Security in Open Systems - A Security Framework” and ECMA/TRxx, “Security in Open Systems – Data Elements and Service Definitions.” M. Gasser, A. Goldstein, C. Kaufman and B. Lampson, “The Digital Distributed System Security Architecture: Proceedings of the 1989 National Computer Security Conference.
1988 IEEE
[Girling82]
[Girling83]
C. G. Girling, “Representation and Authentication in Computer Networks,” Ph.D. Thesis, University of Cambridge, Queens’ College, April 1983.
[IS088b]
International Standards Organization, 7498-2, Security Architecture.
[Karger86]
[Koh189]
[Lampson86]
on Security
and Prz-
211. [Redel174]
D. D. Redcll, “Naming and Protection in Extendible Operating Systems,” Ph.D. Thesis, University of California, Berkeley, CA, published as Project MAC TR- 140, Massachusct ts Institute of Technology, Cambridge, MA, November 1974.
[Rivest78]
R. L. Rivcst, A. Shamir, L. Adleman, “A Method for Obtaining Digital Signatures and Public Key Cryptosystems,” Communications of the ACM, 21(2):120 126, 1978.
[Sollins88]
Karen R. Sollins, “Cascaded Authentication” Proceedings of the 1988 IEEE Symposium on Security and Privacy, IEEE Computer Society, 1988, pp. 156163.
1S0
P. A. Karger, “Authentication and Discretionary Access Control in Computer Netand Security 5:314-24, works,” Computers 1986, and Computer Networks and ISDN Systems 10(1):27- 37, 1985. J. Kohl, B. C. Neuman, J. Steiner, “Kerberos Version 5 draft RFC”, Project Athena, Massachuset ts Institute of Technology, 3 August 1989. “Designing a Global Name Service,” Proc. 4th Symposium on Principles of Distributed Computing, pp. 1-10, Minaki, ontario, 1986.
ACM
[Lirm90]
J. Linn, “Practical Authentication for Distributed Computing,” Proceedings of the 1990 IEEE Symposium on Security and Prnmcy, IEEE Computer Society, 1990.
[Miller87]
S. P. Miller, B. C. Neuman, J. I. Schiller, and J. H. Saltzer, “Kerberos Authentication and Authorization System,” Project Athena Technical Plan, Section E.2. 1, Massachusetts Institute of Technology, 10 April 1987.
[Mullender85] S. J. Mullender, “Principles of Distributed Operating System Design,” Ph.D. Thesis, Vrije University, Amsterdam, The Netherlands, 1985. [Organick72]
Sympostum
vacy, IEEE Computer Society, 1988, pp. 204–
C. G. Girling, “Object Representation on a Heterogeneous Network,” Operating Systems Rewew 16:49--59, October 1982.
E. I. Organick, The iWv,ltics System: An Examination of Its Structure, MIT Press, Cambridge, Massachusetts, 1972.
30