DOI: 10.5555/1251327.1251344

Capability file names: separating authorisation from user management in an internet file system

Published: 13 August 2001

Abstract

The ability to access and share information over the Internet has introduced the need for new flexible, dynamic and fine-grained access control mechanisms. None of the current mechanisms for sharing information - distributed file systems and the web - offer adequate support for sharing in a large and highly dynamic group of users. Distributed file systems lack the ability to share information with unauthenticated users, and the web lacks fine-grained access controls, i.e. the ability to grant individual users access to selected files.
In this paper we present Capability File Names, a new access control mechanism, in which self-certifying file names are used as sparse capabilities that allow a user ubiquitous access to his files and enable him to delegate this right to a dynamic group of remote users. Encoding the capability in the file name has two major advantages: it is self-supporting and it ensures full compatibility with existing programs.
Capability file names have been implemented in a new file system called CapaFS. CapaFS separates user identification from authorisation, thus allowing users to share selected files with remote users without the intervention of a system administrator. The implementation of CapaFS is described and evaluated in this paper.


Published In

SSYM'01: Proceedings of the 10th conference on USENIX Security Symposium - Volume 10
August 2001
350 pages

Publisher

USENIX Association

United States

Cited By

  • (2018) HCAP. Proceedings of the 23nd ACM on Symposium on Access Control Models and Technologies, (247-258). 10.1145/3205977.3205978. Online publication date: 7-Jun-2018
  • (2010) Capability-based delegation model in RBAC. Proceedings of the 15th ACM symposium on Access control models and technologies, (109-118). 10.1145/1809842.1809861. Online publication date: 9-Jun-2010
  • (2010) CapaCon. Proceedings of the 2010 ACM Symposium on Applied Computing, (706-712). 10.1145/1774088.1774233. Online publication date: 22-Mar-2010
  • (2010) Practical protection for personal storage in the cloud. Proceedings of the Third European Workshop on System Security, (8-14). 10.1145/1752046.1752048. Online publication date: 13-Apr-2010
  • (2009) Secure file system services for web 2.0 applications. Proceedings of the 2009 ACM workshop on Cloud computing security, (11-18). 10.1145/1655008.1655011. Online publication date: 13-Nov-2009
  • (2008) Decentralized access control in distributed file systems. ACM Computing Surveys 40:3, (1-30). 10.1145/1380584.1380588. Online publication date: 13-Aug-2008
  • (2007) Scalable security for petascale parallel file systems. Proceedings of the 2007 ACM/IEEE conference on Supercomputing, (1-12). 10.1145/1362622.1362644. Online publication date: 16-Nov-2007
  • (2005) Secure capabilities for a petabyte-scale object-based distributed file system. Proceedings of the 2005 ACM workshop on Storage security and survivability, (64-73). 10.1145/1103780.1103791. Online publication date: 11-Nov-2005
  • (2003) WebDAVA. Proceedings of the Twelfth International Workshop on Enabling Technologies: Infrastructure for Collaborative Enterprises. 10.5555/938984.939757. Online publication date: 9-Jun-2003
  • (2003) Decentralized user authentication in a global file system. Proceedings of the nineteenth ACM symposium on Operating systems principles, (60-73). 10.1145/945445.945452. Online publication date: 19-Oct-2003
