Authentication and authorization infrastructures (AAIs): a comparative survey

In this article, we argue that traditional approaches for authorization and access control in computer systems (i.e., discretionary, mandatory, and role-based access controls) are not appropriate to address the requirements of networked or distributed systems, and that proper authorization and access control requires infrastructural support in one way or another. This support can be provided, for example, by an authentication and authorization infrastructure (AAI). Against this background, we overview, analyze, discuss, and put into perspective some technologies that can be used to build and operate AAIs. More specifically, we address Microsoft .NET Passport and some related activities (e.g., the Liberty Alliance Project), Kerberos-based solutions, and AAIs that are based on digital certificates and public key infrastructures (PKIs). We conclude with the observation that there is no single best approach for providing an AAI, that every approach has specific advantages and disadvantages, and that a comprehensive AAI must combine various technologies and approaches.
