Abstract
While groups are generally helpful for the definition of authorization policies, their use in distributed systems is not straightforward. This paper describes a design for authorization in distributed systems that treats groups as formal languages. The design supports forms of delegation and negative clauses in authorization policies. It also considers the wish for privacy and efficiency in group-membership checks, and the possibility that group definitions may not all be available and may contain cycles.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
Strictly speaking, the term blessing refers to a certificate chain, and the term blessing name refers to the human-readable name specified in the certificate chain. Blessing name is often abbreviated to blessing when there is no risk of confusion, as in the present paper. Below, we use the term blessing rather broadly: we consider that \({\mathtt{\slash }}\)-separated sequences of names \(n_1 {\mathtt{\slash }} \ldots {\mathtt{\slash }} n_k\) are blessings even when they might never be related to public keys.
- 2.
In general, these two approaches do not always yield equivalent results. Suppose that the group g is defined to contain \(\mathtt{Alice}\) and \(\mathtt{Alice}{\mathtt{\slash }} \mathtt{Phone}\). The ACL \({\mathtt{Allow}}\ g,\; {\mathtt{Deny}}\ g {\mathtt{\slash }} \mathtt{AllBlessings}\) denies access with \(\mathtt{Alice}{\mathtt{\slash }} \mathtt{Phone}\), while the ACL \({\mathtt{Allow}}\ g {\mathtt{\slash }} \mathtt{eob}\) allows access with \(\mathtt{Alice}{\mathtt{\slash }} \mathtt{Phone}{\mathtt{\slash }} \mathtt{eob}\). Both ACLs deny access with \(\mathtt{Alice}{\mathtt{\slash }} \mathtt{Phone}{\mathtt{\slash }} \mathtt{FunnyApp}\) and \(\mathtt{Alice}{\mathtt{\slash }} \mathtt{Phone}{\mathtt{\slash }} \mathtt{FunnyApp}{\mathtt{\slash }} \mathtt{eob}\).
References
Birgisson, A., Politz, J.G., Erlingsson, Ú., Taly, A., Vrable, M., Lentczner, M.: Macaroons: cookies with contextual caveats for decentralized authorization in the cloud. In: 21st Annual Network and Distributed System Security Symposium (2014)
Bodei, C., Degano, P., Focardi, R., Priami, C.: Authentication via localized names. In: Proceedings of the 12th IEEE Computer Security Foundations Workshop, CSFW, pp. 98–110 (1999)
Cramer, R., Damgård, I.: Multiparty computation, an introduction. In: Contemporary Cryptology. Advanced Courses in Mathematics - CRM Barcelona, pp. 41–87. Birkhäuser, Basel (2005)
Gasser, M., Goldstein, A., Kaufman, C., Lampson, B.: The Digital Distributed System Security Architecture. In: Proceedings of the 1989 National Computer Security Conference, pp. 305–319 (1989)
Lampson, B., Abadi, M., Burrows, M., Wobber, E.: Authentication in distributed systems: theory and practice. ACM Trans. Comput. Syst. 10(4), 265–310 (1992)
Lampson, B.W.: Computer security in the real world. IEEE Comput. 37(6), 37–46 (2004)
Rivest, R.L., Lampson, B.: SDSI – A Simple Distributed Security Infrastructure, version 1.1, 2 October 1996. http://theory.lcs.mit.edu/rivest/sdsi11.html
Wobber, T., Yumerefendi, A., Abadi, M., Birrell, A., Simon, D.R.: Authorizing applications in Singularity. In: EuroSys 2007: Proceedings of the 2007 Eurosys Conference, pp. 355–368 (2007)
Acknowledgments
We are grateful to Cosmos Nicolaou and to Jiřà Šimša for helpful comments on drafts of this paper.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2015 Springer International Publishing Switzerland
About this chapter
Cite this chapter
Abadi, M., Burrows, M., Pucha, H., Sadovsky, A., Shankar, A., Taly, A. (2015). Distributed Authorization with Distributed Grammars. In: Bodei, C., Ferrari, G., Priami, C. (eds) Programming Languages with Applications to Biology and Security. Lecture Notes in Computer Science(), vol 9465. Springer, Cham. https://doi.org/10.1007/978-3-319-25527-9_3
Download citation
DOI: https://doi.org/10.1007/978-3-319-25527-9_3
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-25526-2
Online ISBN: 978-3-319-25527-9
eBook Packages: Computer ScienceComputer Science (R0)