Abstract
Trust-management systems address the authorization problem in distributed systems. They offer several advantages over other approaches, such as support for delegation and making authorization decisions in a decentralized manner. Nonetheless, trust-management systems such as KeyNote and SPKI/SDSI have seen limited deployment in the real world. One reason for this is that both systems require a public-key infrastructure (PKI) for authentication, and PKI has proven difficult to deploy, because each user is required to manage his/her own private/public key pair. The key insight of our work is that issuance of certificates in trust-management systems, a task that usually requires public-key cryptography, can be achieved using secret-key cryptography as well. We demonstrate this concept by showing how SPKI/SDSI can be modified to use Kerberos, a secret-key based authentication system, to issue SPKI/SDSI certificates. The resulting trust-management system retains all the capabilities of SPKI/SDSI, but is much easier to use because a public key is only required for each SPKI/SDSI server, but no longer for every user. Moreover, because Kerberos is already well established, our approach makes SPKI/SDSI-based trust management systems easier to deploy in the real world.
Chapter PDF
Similar content being viewed by others
Keywords
- USENIX Security Symposium
- Authorization Request
- Secure Communication Channel
- Service Grant Ticket
- Pushdown System
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.
References
Bauer, L., Garriss, S., Reiter, M.K.: Distributed proving in access-control systems. In: Proceedings of the 2005 IEEE Symposium on Security and Privacy, pp. 81–95 (May 2005)
Blaze, M., Feigenbaum, J., Ioannidis, J., Keromytis, A.: The KeyNote trust-management system version 2. RFC 2704 (September 1999)
Blaze, M., Feigenbaum, J., Ioannidis, J., Keromytis, A.: The role of trust management in distributed systems security. In: Vitek, J. (ed.) Secure Internet Programming. LNCS, vol. 1603, pp. 185–210. Springer, Heidelberg (1999)
Brezak, J.: Utilizing the Windows 2000, Authorization data in Kerberos tickets for access control to resources, http://msdn.microsoft.com/library/default.asp?myurl=/library/enus/dnkerb/html/MSDN_PAC.asp
Caucal, D.: On the regular structure of prefix rewriting. Theoretical Computer Science 106(1), 61–86 (1992)
CITI: Projects. Kerberos leveraged PKI, http://www.citi.umich.edu/projects/kerb_pki/
Clarke, D., Elien, J.-E., Ellison, C.M., Fredette, M., Morcos, A., Rivest, R.L.: Certficate chain discovery in SPKI/SDSI. Journal of Computer Security 9(1/2), 285–322 (2001)
Davis, D., Swick, R.: Network security via private-key certificates. In: Proceedings of the 3rd USENIX Security Symposium (September 1992)
Ellison, C.M., Frantz, B., Lampson, B., Rivest, R., Thomas, B., Ylönen, T.: RFC 2693: SPKI Certificate Theory. The Internet Society (September 1999)
European Computer Manufacturers Association (ECMA). Secure European system for applications in a multi-vendor environment (SESAME), https://www.cosic.esat.kuleuven.ac.be/sesame/html/sesame_documents.html
Howell, J., Kotz, D.: A formal semantics for SPKI. Technical Report 2000-363, Department of Computer Science, Dartmouth College, Hanover, NH (March 2000)
Hur, M., Tung, B., Ryutov, T., Neuman, C., Medvinsky, A., Tsudik, G., Sommerfeld, B.: Public key cryptography for cross-realm authentication in Kerberos, Internet-Draft, draft-ieft-cat-kerberos-pk-cross-08.txt (November 2001)
Jha, S., Reps, T.: Model checking SPKI/SDSI. Journal of Computer Security 12(3–4), 317–353 (2004)
Jha, S., Schwoon, S., Wang, H., Reps, T.: Weighted pushdown systems and trust-management systems. In: TACAS (2006)
Kornievskaia, O., Honeyman, P., Doster, B., Coffman, K.: Kerberized credential translation: A solution to web access control. In: 10th USENIX Security Symposium, pp. 235–250 (2001)
Lampson, B., Abadi, M., Burrows, M., Wobber, E.: Authentication in distributed systems: Theory and practice. ACM Transactions on Computer Systems 10(4), 265–310 (1992)
Linn, J., Branchaud, M.: An examination of assorted PKI issues and proposed alternatives. In: Proceedings of the 3rd Annual PKI R&D Workshop (April 2004)
Neuman, B.C.: Proxy-based authorization and accounting for distributed systems. In: ICDCS, pp. 283–291 (1993)
Neuman, B.C., Ts’o, T.: Kerberos: An authentication service for computer networks. IEEE Communications Magazine 32(9), 33–38 (1994)
Schwoon, S., Jha, S., Reps, T., Stubblebine, S.: On generalized authorization problems. In: Proceedings of the 16th IEEE Computer Security Foundations Workshop (CSFW), pp. 202–218. IEEE Computer Society, Los Alamitos (2003)
Sirbu, M., Chuang, J.: Distributed authentication in Kerberos using public key cryptography (February 1997)
The Open Group. DCE 1.1: Authentication and security services, http://www.opengroup.org/onlinepubs/9668899/
Tung, B., Neuman, C., Hur, M., Medivinsky, A., Medvinsky, S., Wray, J., Trostle, J.: Public key cryptography for initial authentication in Kerberos, Internet-Draft, draft-ieft-cat-kerberos-pk-init-17.txt (2004)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2006 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Wang, H., Jha, S., Reps, T., Schwoon, S., Stubblebine, S. (2006). Reducing the Dependence of SPKI/SDSI on PKI. In: Gollmann, D., Meier, J., Sabelfeld, A. (eds) Computer Security – ESORICS 2006. ESORICS 2006. Lecture Notes in Computer Science, vol 4189. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11863908_11
Download citation
DOI: https://doi.org/10.1007/11863908_11
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-44601-9
Online ISBN: 978-3-540-44605-7
eBook Packages: Computer ScienceComputer Science (R0)