Abstract
Authentication and access control are normally treated as separate security concepts, with separate goals and separate supporting mechanisms. In most operating systems, however, access control is based exclusively on the identity of the requesting principal: an access control list (ACL) mechanism, for example, simply checks that the authenticated identity of the requester appears on the list of authorized users.
In this paper we propose a human-to-human delegation mechanism for nomadic users which exploits this amalgamation of authentication and access control in most operating systems by delegating privileges at the identity level. The complexity of classic delegation models, especially those that strictly follow the principle of least privilege, often leads to poor usability, which motivates users to circumvent the default delegation mechanism. Identity delegation, on the other hand, makes good use of the trust relationships among the users of a particular environment and offers the possibility of improved usability. Although identity delegation may violate the principle of least privilege, in practice it can increase the overall security of a nomadic environment in which users need to delegate their duties frequently. The proposed mechanism is independent of the access control mechanism, and the delegation event is logged only at the authentication level. Because the mechanism is easier to use, users have less incentive to share authentication tokens.
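The following is an added illustrative model of the idea in the abstract, written for this page; it is not code from the paper and does not claim to reproduce the authors' mechanism. All names (Alice, Bob, the ward files, the `AuthService` and `AclFileSystem` classes, the log line formats) are constructed. It shows the three points the abstract makes: the access-control layer remains a plain identity-based ACL and is untouched by delegation; the authentication layer, after verifying the delegatee's own credentials, hands back the delegator's identity and records that it did so; and, as the caveat, identity delegation is all-or-nothing, so the delegatee inherits every right of the delegator.

```python
"""Toy model of identity delegation at the authentication level.

Illustrative code for this page, not the mechanism from the paper. Access
control stays purely identity-based (an ACL); delegation is handled entirely
by the authentication layer, which may return the *delegator's* identity to a
successfully authenticated delegatee and logs that it did so.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Session:
    authenticated_as: str    # who actually presented valid credentials
    effective_identity: str  # identity the access-control layer will see


@dataclass
class AuthService:
    # Constructed sample data: principal -> password (a real system stores hashes).
    passwords: Dict[str, str]
    # delegator -> set of delegatees allowed to act under the delegator's identity.
    delegations: Dict[str, Set[str]] = field(default_factory=dict)
    audit_log: List[str] = field(default_factory=list)

    def delegate(self, delegator: str, delegatee: str) -> None:
        self.delegations.setdefault(delegator, set()).add(delegatee)
        self.audit_log.append(f"DELEGATE {delegator} -> {delegatee}")

    def revoke(self, delegator: str, delegatee: str) -> None:
        self.delegations.get(delegator, set()).discard(delegatee)
        self.audit_log.append(f"REVOKE {delegator} -> {delegatee}")

    def login(self, user: str, password: str,
              act_as: Optional[str] = None) -> Optional[Session]:
        # The delegatee authenticates with their *own* credentials; the
        # delegator's secret is never shared, unlike password sharing.
        if self.passwords.get(user) != password:
            self.audit_log.append(f"AUTH_FAIL {user}")
            return None
        if act_as is None:
            self.audit_log.append(f"AUTH_OK {user}")
            return Session(user, user)
        # Switch to the delegator's identity only if a delegation exists.
        if user not in self.delegations.get(act_as, set()):
            self.audit_log.append(f"DELEGATION_DENIED {user} as {act_as}")
            return None
        # The delegation event is recorded here, at the authentication level;
        # the access-control layer below never learns that it happened.
        self.audit_log.append(f"AUTH_OK {user} acting as {act_as}")
        return Session(user, act_as)


class AclFileSystem:
    """Identity-only access control, as in a typical OS ACL: it checks that the
    identity it is handed is on the list, and nothing else."""

    def __init__(self, acl: Dict[str, Set[str]]):
        self.acl = acl  # resource -> identities allowed to read it

    def read(self, session: Session, resource: str) -> bool:
        return session.effective_identity in self.acl.get(resource, set())


def build_demo() -> Tuple[AuthService, AclFileSystem]:
    auth = AuthService(passwords={"alice": "pw-alice", "bob": "pw-bob"})
    fs = AclFileSystem(acl={
        "/patients/ward7": {"alice"},  # only Alice is on this ACL
        "/patients/ward3": {"alice"},  # ...and on this one
        "/notes/bob": {"bob"},
    })
    return auth, fs


def run_scenario() -> Dict[str, object]:
    auth, fs = build_demo()
    results: Dict[str, object] = {}

    # Bob on his own identity cannot read Alice's ward file.
    bob = auth.login("bob", "pw-bob")
    results["bob_before"] = fs.read(bob, "/patients/ward7")

    # Alice delegates her identity to Bob, e.g. before leaving her shift.
    auth.delegate("alice", "bob")
    bob_as_alice = auth.login("bob", "pw-bob", act_as="alice")
    results["bob_as_alice_ward7"] = fs.read(bob_as_alice, "/patients/ward7")
    # Caveat: identity delegation is all-or-nothing, so Bob also gets ward3,
    # which Alice may not have intended (least privilege is violated).
    results["bob_as_alice_ward3"] = fs.read(bob_as_alice, "/patients/ward3")

    # A wrong password is still rejected; delegation never bypasses authentication.
    results["wrong_password_denied"] = auth.login("bob", "wrong", act_as="alice") is None

    # After revocation the mapping no longer applies at the next login.
    auth.revoke("alice", "bob")
    results["bob_after_revoke"] = auth.login("bob", "pw-bob", act_as="alice") is None

    # The audit trail shows who really authenticated, which shared passwords cannot.
    results["log"] = list(auth.audit_log)
    return results


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(key, value)
```

The point of the split is visible in `AclFileSystem.read`: it receives only an identity and has no notion of delegation, so the ACLs and the access-control code need no change. Everything that makes delegation auditable and revocable lives in `AuthService`, and the `AUTH_OK bob acting as alice` line is exactly the record that is lost when users share a password instead.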
© 2009 Springer-Verlag Berlin Heidelberg
Cite this paper
Ahmed, N., Jensen, C.D. (2009). A Mechanism for Identity Delegation at Authentication Level. In: Jøsang, A., Maseng, T., Knapskog, S.J. (eds) Identity and Privacy in the Internet Age. NordSec 2009. Lecture Notes in Computer Science, vol 5838. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-04766-4_11
DOI: https://doi.org/10.1007/978-3-642-04766-4_11
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-04765-7
Online ISBN: 978-3-642-04766-4