Abstract
Authentication and access control are normally considered
separate security concepts that have separate goals and are supported
by separate security mechanisms. In most operating systems, however,
access control is exclusively based on the identity of the requesting principal, e.g., an access control mechanism based on Access Control Lists
simply verifies that the authenticated identity of the requesting principal
is on the list of authorized users.
In this paper we propose a delegation mechanism for nomadic users,
which exploits the amalgamation of authentication and access control
in most operating systems, by delegating privileges at the identity level.
The complexity of classic delegation models, especially if it strictly fol-
lows the principle of least privileges, often leads to poor usability which
motivates a user to circumvent the default delegation mechanism. On the
other hand, the identity delegation makes good use of trust relationships
between users of a particular environment and offers the possibility of
improved usability. Although it might violate the principle of least privileges, but practically it could increase the over all security of a nomadic
environment where users need to frequently delegate their duties. The
proposed mechanism is independent of the choice of access control mechanism, as there is no distinction between a delegator and a delegatee for
the rest of the system and the delegation event is only logged at the
authentication level. Due to its improved usability, the motivation of
sharing authentication tokens is reduced.
Original language | English |
---|---|
Title of host publication | Identity and Privacy in the Internet Age, Proceedings : Lecture Notes in Computer Science |
Volume | 5838 |
Publisher | Springer |
Publication date | 2009 |
Pages | 148-162 |
Publication status | Published - 2009 |
Event | NordSec 2009 - Duration: 1 Jan 2009 → … |
Conference
Conference | NordSec 2009 |
---|---|
Period | 01/01/2009 → … |