Abstract
Credentials like passwords or cryptographic key pairs are a means to prove one’s identity to a web server. A practical problem in this context is the question of how a user can temporarily delegate the right to use a credential to another person without revealing the secret. Related to this is the issue of sharing a single credential among members of a group such that all of them may use the credential, but no one actually gets to know it. This paper presents and compares several solutions to solve these problems. One is a client-side approach, while the other three are man-in-the-middle architectures. We have implemented one of these, the HTTP proxy variant, as a prototype. Our TLS Authentication Proxy is capable of transparently authenticating with a target web server on behalf of users. It supports the major authentication methods used on the Internet, both for standard HTTP and SSL connections.
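To make the delegation property in the abstract concrete, the following is an added example, not code from the paper or its TLS Authentication Proxy prototype. It models the HTTP-proxy variant for the Basic scheme of RFC 2617: a credential store held by the proxy, time-bounded delegations scoped to one target host, and a request rewrite that strips whatever the delegate sent and attaches the owner's Authorization header. The class and method names (`CredentialStore`, `AuthProxy`, `rewrite_request`), the hosts and the credentials are all constructed for illustration.

```python
"""Minimal model of a credential-delegation HTTP proxy (illustration only).

The proxy holds the owner's web credential, checks that the requesting delegate
holds a valid, unexpired delegation for the target host, and only then attaches
the Authorization header. The delegate never receives the secret itself.
"""
import base64
from dataclasses import dataclass


@dataclass(frozen=True)
class Delegation:
    owner: str         # who owns the credential
    delegate: str      # who may use it through the proxy
    host: str          # target web server the delegation is limited to
    expires_at: float  # Unix time after which the delegation is void


class CredentialStore:
    """Proxy-side store of owners' credentials and their delegations."""

    def __init__(self):
        self._creds = {}        # (owner, host) -> (username, password)
        self._delegations = []  # list of Delegation

    def add_credential(self, owner, host, username, password):
        self._creds[(owner, host)] = (username, password)

    def delegate(self, owner, delegate, host, ttl_seconds, now):
        """Grant `delegate` use of `owner`'s credential for `host` for `ttl_seconds`."""
        if (owner, host) not in self._creds:
            raise KeyError(f"{owner} holds no credential for {host}")
        self._delegations.append(Delegation(owner, delegate, host, now + ttl_seconds))

    def credential_for(self, delegate, host, now):
        """Return (username, password) usable by `delegate` for `host`, or None."""
        for d in self._delegations:
            if d.delegate == delegate and d.host == host and now < d.expires_at:
                return self._creds[(d.owner, d.host)]
        return None


class AuthProxy:
    """Rewrites a delegate's request so the target sees the owner's credential."""

    def __init__(self, store):
        self._store = store

    def rewrite_request(self, delegate, host, headers, now):
        cred = self._store.credential_for(delegate, host, now)
        if cred is None:
            raise PermissionError(f"{delegate} has no valid delegation for {host}")
        username, password = cred
        # Drop whatever the delegate sent: only the proxy-held secret goes upstream.
        out = {k: v for k, v in headers.items() if k.lower() != "authorization"}
        token = base64.b64encode(f"{username}:{password}".encode()).decode()
        out["Authorization"] = f"Basic {token}"  # RFC 2617 Basic scheme
        return out


def demo(now=1_000_000.0):
    """Constructed scenario: Alice delegates her credential for intranet.example
    to Bob for one hour. Returns the headers the proxy would send upstream."""
    store = CredentialStore()
    store.add_credential("alice", "intranet.example", "alice", "s3cret")  # constructed
    store.delegate("alice", "bob", "intranet.example", ttl_seconds=3600, now=now)
    proxy = AuthProxy(store)
    # Bob's own header (a constructed session token) must not reach the target.
    bob_request = {"Host": "intranet.example", "Authorization": "Bearer bob-session"}
    return proxy.rewrite_request("bob", "intranet.example", bob_request, now)


if __name__ == "__main__":
    print(demo())
```

The model covers the plain-HTTP Basic case only; for an HTTPS target the proxy has to terminate TLS in front of the client and open its own TLS connection to the server, which is exactly why the abstract classes this design as a man-in-the-middle architecture, and why the proxy host itself becomes the component to protect.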
© 2005 Springer-Verlag Berlin Heidelberg
Straub, T., Ginkel, TA., Buchmann, J. (2005). A Multipurpose Delegation Proxy for WWW Credentials. In: Chadwick, D., Zhao, G. (eds) Public Key Infrastructure. EuroPKI 2005. Lecture Notes in Computer Science, vol 3545. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11533733_1
DOI: https://doi.org/10.1007/11533733_1
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-28062-0
Online ISBN: 978-3-540-31585-8