An authentication model for delegation, attribution and least privilege
Article No.: 30, Pages 1 - 7
Abstract
The need to share information while maintaining privacy and security is a growing problem in health, finance, defense, and other distributed environments. Mitigating threats in a distributed computing environment is a difficult task and requires constant vigilance and defense-in-depth. Most systems lack a secure model that guarantees an end-to-end security. In this paper, we devise a model that mitigates a number of threats to the distributed computing pervasive in corporate and institutional information technology enterprises. This authentication process is part of a larger information assurance systemic approach that requires that all active entities (users, machines and services) are named, and credentialed. Authentication is bilateral using PKI credentialing, and authorization is based upon Security Assertion Markup Language (SAML) attribution statements. Communication across domains is handled as a federation activity using WS-* protocols. We present the architectural model, elements of which are currently being demonstrated and tested in a functional prototype in a boundary protected area processing center. The architecture is also applicable to a private cloud.
References
[1]
Burrows, M. and Abadi, M and Needham, R. M., "A logic of authentication," ACM Transaction on Computer Systems, vol. 8, no. 1, pp. 18--36, 1990.
[2]
Needham R. M., and Schroeder, R. M., 'Using encryption for authentication in large networks of computers', Communications of the ACM, vol. 21, no. 12, pp. 993--999, 1978.
[3]
Internet. Shibboleth Project, Available at http://shibboleth.internet2.edu/. (accessed 18 March 2010).
[4]
OASIS Identity Federation, Liberty Alliance Project, Available at http://projectliberty.org/resources/specifications.php. (accessed 18 March 2010).
[5]
OASIS Profiles for the OASIS Security Assertion Markup Language (SAML) V2.0, Available at http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=security. (accessed 18 March 2010).
[6]
NIST Special Publication 800-95, "Guide to Secure Web Services," Available at: http://csrc.nist.gov/publications/nistpubs/800-95/SP800-95.pdf. (accessed 18 March 2010).
[7]
"Web Service Security: Scenarios, Patterns, and Implementation Guidance for Web Services Enhancements (WSE) 3.0", Microsoft Corporation, 2005
[8]
"WS-ReliableMessaging Specification", OASIS, June 2007
[9]
"WS-SecureConversation Specification", OASIS, March 2007
[10]
"WSE 3.0 and WS-ReliableMessaging", Microsoft White Paper, June 2005, Available at http://msdn2.microsoft.com/en-us/library/ms996942(d=printer).aspx. (accessed 18 March 2010).
[11]
FIPS PUB 196, Federal Information Processing Standards Publication, "Entity Authentication Using Public Key Cryptography", February 18, 1997
[12]
Air Force Information Assurance Strategy Team, Air Force Information Assurance Enterprise Architecture, Version 1.70, SAF/XC, 15 March 2009. {Not available to all}
[13]
Overview: Globus Grid Security Infrastructure, Available at http://www.globus.org/security/overview.html. (accessed 18 March 2010).
[14]
Foster, I. and Kesselman, C. and Tsudik, G and S. Tuecke, A Security Architecture for Computational Grids, Proceedings of the 5th ACM Conference on Computer and Communications Security Conference, pp. 83--92, 1998.
[15]
Welch V, and Foster,. I and Kesselman, C and Mulmo, O and Pearlman and L Tuecke, S. and Gawor, J and Meder, S and Siebenlist F., X.509 Proxy Certificates for Dynamic Delegation., 3rd Annual PKI R&D Workshop, 2004.
[16]
Belani, E. and Vahdat, A. and Anderson, T. and Dahlin, M., The CRISIS wide area security architecture, In Usenix Security Symposium, January 1998.
[17]
Lewis, M and Grimshaw, A., The Core Legion Object Model, In Proceedings of the 5th IEEE Symposium. On High Performance Distributed Computing, Pages 562--571. IEEE Computer Society Press, 1996.
[18]
Windows Server 2003: Active Directory Infrastructure. Microsoft Press. 2003. pp. 1-8--1-9. ISBN 0-7356-1438-5.
Index Terms
- An authentication model for delegation, attribution and least privilege
Recommendations
Delegation in role-based access control
User delegation is a mechanism for assigning access rights available to one user to another user. A delegation can either be a grant or transfer operation. Existing work on delegation in the context of role-based access control models has extensively ...
Authorization with security attributes and privilege delegation
This paper focuses on authorization in distributed environments; the typical authorization scheme employs access control lists, however, the scheme has problems when it is applied to a large-scale network. We introduce a new authorization scheme, ...
An attribute-based-delegation-model
InfoSecu '04: Proceedings of the 3rd international conference on Information securityDelegation constraint of current delegation models is mostly delegation prerequisite conditions. In these models, delegation security fully depends on delegator and security administrator. In many cases, we need a more secured delegation with a strict ...
Comments
Please enable JavaScript to view thecomments powered by Disqus.Information & Contributors
Information
Published In
June 2010
452 pages
Copyright © 2010 ACM.
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
Published: 23 June 2010
Check for updates
Author Tags
Qualifiers
- Research-article
Conference
PETRA '10
PETRA '10: The 3rd International Conference on PErvasive Technologies Related to Assistive Environments
June 23 - 25, 2010
Samos, Greece
Contributors
Other Metrics
Bibliometrics & Citations
Bibliometrics
Article Metrics
- 0Total Citations
- 469Total Downloads
- Downloads (Last 12 months)3
- Downloads (Last 6 weeks)0
Reflects downloads up to 26 Jan 2025
Other Metrics
Citations
View Options
Login options
Check if you have access through your login credentials or your institution to get full access on this article.
Sign in