Abstract
In a distributed system, dynamically dividing execution between nodes is essential for service robustness. However, when all of the nodes cannot be equally trusted, and when some users are more honest than others, controlling where code may be executed and by whom resources may be consumed is a nontrivial problem. In this paper we describe a generic authorisation certificate architecture that allows dynamic control of resource consumption and code execution in an untrusted distributed network. That is, the architecture allows the users to specify which network nodes are trusted to execute code on their behalf and the servers to verify the users’ authority to consume resources, while still allowing the execution to span dynamically from node to node, creating delegations on the fly as needed. The architecture scales well, fully supports mobile code and execution migration, and allows users to remain anonymous.
We are implementing a prototype of the architecture using SPKI certificates and ECDSA signatures in Java 1.2. In the prototype, agents are represented as Java JAR packages.
This work was partially funded by the TeSSA research project at Helsinki University of Technology under a grant from TEKES.
Copyright information
© 1999 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Nikander, P., Kortesniemi, Y., Partanen, J. (1999). Preserving Privacy in Distributed Delegation with Fast Certificates. In: Public Key Cryptography. PKC 1999. Lecture Notes in Computer Science, vol 1560. Springer, Berlin, Heidelberg. https://doi.org/10.1007/3-540-49162-7_11
DOI: https://doi.org/10.1007/3-540-49162-7_11
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-65644-9
Online ISBN: 978-3-540-49162-0
eBook Packages: Springer Book Archive