Authentication and access delegation with user-released certificates

We propose an authentication and access delegation system based on an unconventional use of X.509 certificates. It allows users to connect from any untrusted machine and to define dynamically a group of trusted co-workers. It is low cost, doesn't need unusual software nor hardware on the client's side, and offers a good degree of security without requiring that the user be too careful. The underlying idea is to enable users to release their own certificates with very short life span (or usable just once) to authenticate themselves to the server.

[1]  Carlisle M. Adams,et al.  X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP , 1999, RFC.

[2]  Alfred Menezes,et al.  Elliptic curve public key cryptosystems , 1993, The Kluwer international series in engineering and computer science.

[3]  Ian T. Foster,et al.  Security for Grid services , 2003, High Performance Distributed Computing, 2003. Proceedings. 12th IEEE International Symposium on.

[4]  Mark R. Cutkosky,et al.  Madefast: collaborative engineering over the Internet , 1996, CACM.

[5]  Ian T. Foster,et al.  Application experiences with the Globus toolkit , 1998, Proceedings. The Seventh International Symposium on High Performance Distributed Computing (Cat. No.98TB100244).

[6]  Dennis G. Kafura,et al.  The PRIMA system for privilege management, authorization and enforcement in grid environments , 2003, Proceedings. First Latin American Web Congress.

[7]  William E. Johnston,et al.  Certificate-based Access Control for Widely Distributed Resources , 1999, USENIX Security Symposium.

[8]  Ian T. Foster,et al.  The Community Authorization Service: Status and Future , 2003, ArXiv.

[9]  Theodore Y. Ts'o,et al.  Kerberos: an authentication service for computer networks , 1994, IEEE Communications Magazine.

[10]  John Linn,et al.  Generic Security Service Application Program Interface , 1993, RFC.

[11]  Chris J. Mitchell,et al.  The personal CA – PKI for a Personal Area Network , 2003 .

[12]  Ami Marowka,et al.  The GRID: Blueprint for a New Computing Infrastructure , 2000, Parallel Distributed Comput. Pract..

[13]  William E. Johnston,et al.  Grids as production computing environments: the engineering aspects of NASA's Information Power Grid , 1999, Proceedings. The Eighth International Symposium on High Performance Distributed Computing (Cat. No.99TH8469).

[14]  Ian T. Foster,et al.  A security architecture for computational grids , 1998, CCS '98.

[15]  Jim Basney,et al.  A hardware-secured credential repository for Grid PKIs , 2004, IEEE International Symposium on Cluster Computing and the Grid, 2004. CCGrid 2004..

[16]  John Linn,et al.  Generic Security Service Application Program Interface, Version 2 , 1997, RFC.

[17]  Ian T. Foster,et al.  A community authorization service for group collaboration , 2002, Proceedings Third International Workshop on Policies for Distributed Systems and Networks.

[18]  Von Welch,et al.  Fine-Grain Authorization Policies in the GRID: Design and Implementation , 2003, Middleware Workshops.

[19]  Ian T. Foster,et al.  Data management and transfer in high-performance computational grid environments , 2002, Parallel Comput..

[20]  Morrie Gasser,et al.  An architecture for practical delegation in a distributed system , 1990, Proceedings. 1990 IEEE Computer Society Symposium on Research in Security and Privacy.

[21]  Diego R. López,et al.  Providing secure mobile access to information servers with temporary certificates , 1999, Comput. Networks.

[22]  Yung-Kao Hsu,et al.  Intranet security framework based on short-lived certificates , 1997, Proceedings of IEEE 6th Workshop on Enabling Technologies: Infrastructure for Collaborative Enterprises.

[23]  J.J. Tardo,et al.  SPX: global authentication using public key certificates , 1991, Proceedings. 1991 IEEE Computer Society Symposium on Research in Security and Privacy.

[24]  Peter Honeyman,et al.  Kerberized Credential Translation: A Solution to Web Access Control , 2001, USENIX Security Symposium.

[25]  Christopher Allen,et al.  The TLS Protocol Version 1.0 , 1999, RFC.

[26]  John T. Kohl,et al.  The Kerberos Network Authentication Service (V5 , 2004 .

[27]  B. Clifford Neuman,et al.  Proxy-based authorization and accounting for distributed systems , 1993, [1993] Proceedings. The 13th International Conference on Distributed Computing Systems.

[28]  Von Welch,et al.  Fine-Grain Authorization for Resource Management in the Grid Environment , 2002, GRID.

[29]  Chris Mitchell,et al.  Security defects in CCITT recommendation X.509: the directory authentication framework , 1990, CCRV.

[30]  Steven Tuecke,et al.  An online credential repository for the Grid: MyProxy , 2001, Proceedings 10th IEEE International Symposium on High Performance Distributed Computing.

[31]  Charles E. Catlett,et al.  From the I-WAY to the National Technology Grid , 1997, CACM.

[32]  Russ Housley,et al.  Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile , 2002, RFC.