MAFTIA: Malicious- and Accidental-Fault Tolerance for Internet Applications. IST Research Project IST-, 1 January 2000 - 28 February 2003

WP1 concentrated on the conceptual model and architecture of attack tolerance.
WP2 developed a modular and scalable cryptographic group-oriented middleware suite.
WP3 investigated ways of reducing the high rate of false positives and false negatives for existing Intrusion Detection Systems (IDSs), whilst making the IDS itself intrusion-tolerant.
WP4 designed a generic architecture for dependable Trusted Third Party (TTP) services based on results from WP2.
In WP5, we defined a framework for access control and authorisation.
WP6 worked towards formalisation of the MAFTIA conceptual model.
Distributed Authorisation

The objective of this work package was to define a consistent framework for authorisation and access control in emerging and future applications distributed on large networks such as the Internet: electronic commerce, virtual libraries, teleworking, telemedicine, etc. These applications exhibit new security requirements that current authorisation schemes and access control mechanisms cannot cope with. For instance, most current authorisation schemes are based on a client-server model, while many of these new applications involve more than two entities. For example, an electronic commerce transaction may need co-operation between the customer, the merchant, the customer's bank, the merchant's bank, and possibly other parties (broker, delivery company, electronic cash issuer or credit card company, etc.). Each of these parties may be considered by the others as not absolutely trustworthy, and even possibly malicious.
Many, sometimes conflicting, dependability aspects need to be taken into account and can be partly enforced by authorisation schemes: confidentiality of personal or proprietary information, reliability of services and communications (e.g., by preventing denial of service), survivability against information warfare or terrorist attacks, protection of intellectual property, etc. In the usual client-server model, the authorisation is enforced by the server: the server decides to fulfil or deny the client request, according to the client identity (verified by some authentication scheme) and according to some locally-enforced rules. When more than two entities are involved, the client can delegate some of its rights to a server, which can then act on behalf of the client in requesting a service from another server. This can be done by using a proxy, such as in Kerberos V5, SESAME, or CORBA. This scheme presents several drawbacks. First, the delegate has to be trusted by the client: the delegate is authorised to use (and possibly abuse) the client's privileges to perform actions, usually even under the client's identity. If malicious, the delegate can perform actions unwanted by the client. Moreover, it does so with impunity, since these actions will be attributed to the client. The second drawback is that the client must possess more privileges than necessary in order to be able to transfer them (e.g., a client must possess the read right on a file to transfer this privilege to a print spooler). Finally, the server has too much responsibility: since the server is the only entity that enforces the authorisation, this scheme is ill-adapted to peer-to-peer communications or other transactions involving several mutually suspicious entities.
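The identity-proxy delegation described above, beside a scoped capability that bounds what a delegate may do, as an added illustration of the first drawback (abuse and misattribution). This is a hypothetical toy model written for this page, not MAFTIA, Kerberos or SESAME code; `FileServer`, `ProxyToken`, `Capability`, the principal names and the file names are all constructed, and token integrity (signing) is assumed rather than implemented.

```python
from dataclasses import dataclass
from typing import Optional, Union

@dataclass(frozen=True)
class ProxyToken:
    """Identity proxy: whoever holds it acts *as* the client, with all the client's rights."""
    client: str

@dataclass(frozen=True)
class Capability:
    """Scoped delegation: bound to one holder, one action and one object; the holder stays
    visible in the audit trail. Assumed to be integrity-protected (e.g. signed by the client)."""
    client: str
    holder: str
    action: str
    obj: str

class FileServer:
    def __init__(self, acl):
        self.acl = set(acl)   # locally-enforced rules: (principal, action, object) triples
        self.audit = []       # (actor, on_behalf_of, action, object, decision)

    def request(self, caller: str, action: str, obj: str,
                token: Optional[Union[ProxyToken, Capability]] = None) -> bool:
        if isinstance(token, ProxyToken):
            # The delegate is indistinguishable from the client: every right of the client
            # is usable, and the log records the client, not the delegate.
            actor = principal = token.client
            allowed = (principal, action, obj) in self.acl
        elif isinstance(token, Capability):
            # The delegate acts under its own name and only within the delegated scope.
            actor, principal = caller, token.client
            allowed = (token.holder == caller and token.action == action
                       and token.obj == obj and (principal, action, obj) in self.acl)
        else:
            actor = principal = caller
            allowed = (caller, action, obj) in self.acl
        self.audit.append((actor, principal, action, obj, allowed))
        return allowed

def demo() -> dict:
    # Constructed ACL: alice may read her own report and a sensitive file she never meant to share.
    server = FileServer([("alice", "read", "report.txt"), ("alice", "read", "salaries.txt")])
    proxy = ProxyToken("alice")
    cap = Capability(client="alice", holder="spooler", action="read", obj="report.txt")
    return {
        "proxy_print_job": server.request("spooler", "read", "report.txt", proxy),
        "proxy_abuse":     server.request("spooler", "read", "salaries.txt", proxy),
        "cap_print_job":   server.request("spooler", "read", "report.txt", cap),
        "cap_abuse":       server.request("spooler", "read", "salaries.txt", cap),
        "cap_stolen":      server.request("mallory", "read", "report.txt", cap),
        "audit":           server.audit,
    }
```

With the proxy the spooler's misuse succeeds and is logged under alice's name; with the capability the same attempt is refused, a stolen capability is useless to another principal, and the audit entry names the spooler.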
Authorisation servers implementing simple schemes have already been proposed, for instance, in Delta-4, HP Praesidium, or Adage. However, in addition to implementing more comprehensive authorisation schemes, the MAFTIA authorisation servers benefit from the results of WP4 and are designed to be intrusion-tolerant.