论文信息 - A Proof-Carrying Authorization System

A Proof-Carrying Authorization System

We describe an infrastructure for distributed authorization based on the ideas of proof-carrying authorization (PCA). PCA is more general and more flexible than traditional distributed authorization systems. We extend PCA with the notion of goals and sessions, and add a module system to the proof language. Our framework makes it possible to locate and use pieces of the security policy that have been distributed across arbitrary hosts. We provide a mechanism which allows pieces of the security policy to be hidden from unauthorized clients. As a prototype application we have developed modules that extend a standard web server and a standard web browser to use proofcarrying authorization to control access to web pages. The web browser generates proofs mechanically by iteratively fetching proof components until a proof can be constructed. We provide for iterative authorization, by which a server can require a browser to prove a series of challenges. Our prototype implementation includes a series of optimizations, such as speculative proving and modularizing and caching proofs, which allows proof-carrying authorization to be used with minimal performance and bandwidth overheads.

Lujo Bauer | Edward W. Felten | Michael A. Schneider

[1] Martín Abadi,et al. On SDSI's linked local name spaces , 1997, Proceedings 10th Computer Security Foundations Workshop.

[2] Martín Abadi,et al. Authentication in the Taos operating system , 1994, TOCS.

[3] Frank Pfenning,et al. System Description: Twelf - A Meta-Logical Framework for Deductive Systems , 1999, CADE.

[4] George C. Necula,et al. Compiling with proofs , 1998 .

[5] Dirk Balfanz,et al. A security infrastructure for distributed Java applications , 2000, Proceeding 2000 IEEE Symposium on Security and Privacy. S&P 2000.

[6] Joan Feigenbaum,et al. Compliance Checking in the PolicyMaker Trust Management System , 1998, Financial Cryptography.

[7] Furio Honsell,et al. A framework for defining logics , 1993, JACM.

[8] Martín Abadi,et al. A calculus for access control in distributed systems , 1991, TOPL.

[9] Andrew W. Appel,et al. Proof-carrying authentication , 1999, CCS '99.

[10] Martín Abadi,et al. A Calculus for Access Control in Distributed Systems , 1991, CRYPTO.

[11] Joseph Y. Halpern,et al. A Logic for SDSI's Linked Local Name Spaces , 2001, J. Comput. Secur..

[12] Jean-Emile Elien,et al. Certificate discovery using SPKI/SDSI 2.0 certificates , 1998 .

[13] Tim Berners-Lee,et al. Hypertext transfer protocol--http/i , 1993 .