
A Mechanism for Identity Delegation at Authentication Level

  • Conference paper
Identity and Privacy in the Internet Age (NordSec 2009)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 5838)

Abstract

Authentication and access control are normally considered as separate security concepts that have separate goals and are supported by separate security mechanisms. In most operating systems, however, access control is exclusively based on the identity of the requesting principal, e.g., an access control mechanism based on access control lists simply verifies that the authenticated identity of the requesting principal is on the list of authorized users.

In this paper we propose a human-to-human delegation mechanism for nomadic users, which exploits the amalgamation of authentication and access control in most operating systems by delegating privileges at the identity level. The complexity of classic delegation models, especially if they strictly follow the principle of least privilege, often leads to poor usability, which motivates users to circumvent the default delegation mechanism. Identity delegation, on the other hand, makes good use of the trust relationships among users of a particular environment and offers the possibility of improved usability. Although identity delegation might violate the principle of least privilege, in practice it could increase the overall security of a nomadic environment where users need to delegate their duties frequently. The proposed mechanism is independent of the access control mechanism, and the delegation event is logged only at the authentication level. Because of its improved usability, the motivation to share authentication tokens is reduced.
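To make the idea concrete, here is a small model of identity delegation resolved at the authentication layer, with the ACL check left untouched. This is an added illustration, not code from the paper; it assumes integer epoch timestamps, time-bounded delegations, an `as_delegate` login option, and constructed sample credentials and ACL entries.

```python
from dataclasses import dataclass

@dataclass
class Delegation:
    delegator: str   # identity being lent out
    delegatee: str   # principal allowed to act under it
    expires: int     # epoch seconds; delegations are time-bounded (assumption)

class AuthenticationLayer:
    """Verifies credentials and resolves delegations; the ACL layer only sees the result."""
    def __init__(self, credentials):
        self._creds = dict(credentials)   # user -> password; stand-in for a real credential check
        self._delegations = {}            # delegatee -> Delegation
        self.audit_log = []               # the only record that a delegation happened

    def delegate(self, delegator, delegatee, duration, now):
        if delegator not in self._creds or delegatee not in self._creds:
            raise ValueError("unknown principal")
        self._delegations[delegatee] = Delegation(delegator, delegatee, now + duration)
        self.audit_log.append((now, "DELEGATE", delegator, delegatee))

    def revoke(self, delegator, delegatee, now):
        d = self._delegations.get(delegatee)
        if d is not None and d.delegator == delegator:   # only the delegator may revoke
            del self._delegations[delegatee]
            self.audit_log.append((now, "REVOKE", delegator, delegatee))

    def login(self, user, password, now, as_delegate=False):
        # The delegatee always presents their *own* credentials: no token is shared.
        if self._creds.get(user) != password:
            self.audit_log.append((now, "AUTH_FAIL", user, None))
            return None
        effective = user
        if as_delegate:
            d = self._delegations.get(user)
            if d is None or now >= d.expires:
                self.audit_log.append((now, "DELEGATION_DENIED", user, None))
                return None
            effective = d.delegator        # session runs under the delegator's identity
        self.audit_log.append((now, "LOGIN", user, effective))
        return effective

# Unchanged ACL check: it never learns who is physically at the keyboard.
ACL = {"patient_records": {"dr_alice"}}   # constructed sample ACL

def acl_check(identity, resource):
    return identity in ACL.get(resource, set())

def who_really_acted(auth, effective):  # forensic view: real principals behind an identity
    return [u for _, ev, u, eff in auth.audit_log if ev == "LOGIN" and eff == effective]
```

The audit log is what preserves accountability: the ACL sees only `dr_alice`, but the authentication layer can still answer who actually logged in under that identity.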




Copyright information

© 2009 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Ahmed, N., Jensen, C.D. (2009). A Mechanism for Identity Delegation at Authentication Level. In: Jøsang, A., Maseng, T., Knapskog, S.J. (eds) Identity and Privacy in the Internet Age. NordSec 2009. Lecture Notes in Computer Science, vol 5838. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-04766-4_11


  • DOI: https://doi.org/10.1007/978-3-642-04766-4_11

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-04765-7

  • Online ISBN: 978-3-642-04766-4

  • eBook Packages: Computer Science (R0)
