A General and Flexible Access-Control System for the Web

We describe the design, implementation, and performance of a new system for access control on the web. To achieve greater flexibility in forming access-control policies – in particular, to allow better interoperability across administrative boundaries – we base our system on the ideas of proof-carrying authorization (PCA). We extend PCA with the notion of goals and sessions, and add a module system to the proof language. Our access-control system makes it possible to locate and use pieces of the security policy that have been distributed across arbitrary hosts. We provide a mechanism which allows pieces of the security policy to be hidden from unauthorized clients. Our system is implemented as modules that extend a standard web server and web browser to use proof-carrying authorization to control access to web pages. The web browser generates proofs mechanically by iteratively fetching proof components until a proof can be constructed. We provide for iterative authorization, by which a server can require a browser to prove a series of challenges. Our implementation includes a series of optimizations, such as speculative proving, and modularizing and caching proofs, and demonstrates that the goals of generality, flexibility, and interoperability are compatible with reasonable performance.

∗ This paper appeared in Proceedings of the 11th USENIX Security Symposium, August 2002.
† Supported in part by NSF Grant CCR-9870316.
‡ Supported by a Fannie and John Hertz Graduate Fellowship.
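The abstract describes the shape of a proof-carrying authorization exchange: the server states a goal, the client iteratively fetches signed policy components from whichever hosts hold them until it can assemble a proof, and the server only has to check the proof. The following is an added illustration of that exchange, not code from the paper or its implementation. It replaces the paper's logical framework and public-key certificates with a two-rule toy logic and HMAC-signed statements, and every host name, principal, key and resource in it is constructed for the example.

```python
"""Toy proof-carrying authorization flow (added example, not the paper's system).

Policy statements are signed by principals and published on different hosts.
The client builds a proof by fetching components on demand; the server checks
the proof against a tiny logic with two rules:
  axiom:     a correctly signed statement `K says S` may be used as a step
  delegate:  K says (delegates K2 R)  and  K2 says (may_access U R)
             ==>  K says (may_access U R)
"""
import hashlib
import hmac
import json

# Constructed signing keys; a real deployment would use public-key signatures.
KEYS = {"admin": b"k-admin", "manager": b"k-manager"}

def sign(principal, statement):
    """Produce a signed policy component `principal says statement`."""
    msg = json.dumps(statement, sort_keys=True).encode()
    return {"by": principal, "stmt": statement,
            "sig": hmac.new(KEYS[principal], msg, hashlib.sha256).hexdigest()}

def verify_sig(cert):
    """Check a component's signature; unknown principals never verify."""
    if cert["by"] not in KEYS:
        return False
    msg = json.dumps(cert["stmt"], sort_keys=True).encode()
    want = hmac.new(KEYS[cert["by"]], msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(want, cert["sig"])

# Policy pieces distributed over hosts (constructed); statements are
# ["delegates", delegate, resource] or ["may_access", user, resource].
HOSTS = {
    "policy.example": [sign("admin", ["delegates", "manager", "/secret"])],
    "hr.example": [sign("manager", ["may_access", "bob", "/secret"]),
                   sign("manager", ["may_access", "carol", "/public"])],
}
HOME = {"admin": "policy.example", "manager": "hr.example"}  # where each principal publishes
ROOT = {"/secret": "admin", "/public": "manager"}            # server's view: who controls what

def fetch(host, principal, resource):
    """Simulated network fetch of `principal`'s components about `resource` from `host`."""
    return [c for c in HOSTS.get(host, [])
            if c["by"] == principal and c["stmt"][2] == resource]

def check_proof(proof, user, resource):
    """Server side: verify every step; accept only if the last step establishes
    that the resource's controller says `user` may access it."""
    derived = []  # (principal, statement) established by each step
    for step in proof:
        if step["rule"] == "axiom":
            cert = step["cert"]
            if not verify_sig(cert):
                return False
            derived.append((cert["by"], tuple(cert["stmt"])))
        elif step["rule"] == "delegate":
            i, j = step["premises"]
            if i >= len(derived) or j >= len(derived):
                return False
            (k, s1), (k2, s2) = derived[i], derived[j]
            if (s1[0] != "delegates" or s1[1] != k2
                    or s2[0] != "may_access" or s1[2] != s2[2]):
                return False
            derived.append((k, s2))
        else:
            return False  # unknown rule
    return bool(derived) and derived[-1] == (ROOT[resource], ("may_access", user, resource))

def build_proof(user, resource, controller, cache, depth=0):
    """Client side: fetch components iteratively (with a cache) until a proof
    that `controller says (may_access user resource)` can be assembled."""
    if depth > 8:
        return None  # bound delegation chains
    key = (HOME.get(controller), controller, resource)
    if key not in cache:
        cache[key] = fetch(*key)
    for cert in cache[key]:
        kind, who, _ = cert["stmt"]
        if kind == "may_access" and who == user:
            return [{"rule": "axiom", "cert": cert}]
        if kind == "delegates":
            sub = build_proof(user, resource, who, cache, depth + 1)
            if sub is not None:
                n = len(sub)  # sub-proof steps first, then the delegation axiom, then the rule
                return sub + [{"rule": "axiom", "cert": cert},
                              {"rule": "delegate", "premises": [n, n - 1]}]
    return None

def authorize(user, resource):
    """Server issues the goal; client answers with a proof; server checks it."""
    proof = build_proof(user, resource, ROOT[resource], cache={})
    return proof is not None and check_proof(proof, user, resource)

if __name__ == "__main__":
    print(authorize("bob", "/secret"), authorize("carol", "/secret"))
```

The server never consults the remote hosts itself: all the work of locating policy pieces is pushed to the client, and the checker only has to validate signatures and rule applications, which is what keeps proof checking cheap relative to proof search. Tampering with a fetched component (changing the user named in a statement) breaks its signature and the proof is rejected at the axiom step.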
