Research Article
Parameterized Access Control: From Design To Prototype
@INPROCEEDINGS{10.1145/1460877.1460922, author={Ashish Gehani and Surendar Chandra}, title={Parameterized Access Control: From Design To Prototype}, proceedings={4th International ICST Conference on Security and Privacy in Communication Networks}, publisher={ACM}, proceedings_a={SECURECOMM}, year={2008}, month={9}, keywords={Access control Decentralized Peer-to-peer Threshold cryptography Verifiable secret sharing Secret sharing Distributed hash table Identity-based encryption}, doi={10.1145/1460877.1460922} }
- Ashish Gehani
Surendar Chandra
Year: 2008
Parameterized Access Control: From Design To Prototype
SECURECOMM
ACM
DOI: 10.1145/1460877.1460922
Abstract
Peer-to-peer overlays provide a substrate well suited to building distributed storage systems. Applications that use the infrastructure need the ability to control access to their data. However, traditional authorization services were not designed to operate in the face of network partitions, malicious nodes, and on an Internet-wide scale. We describe the implementation of the Decentralized Authentication and Authorization Layer (DAAL), a mechanism to leverage the storage functionality of the overlay and obviate the need for an online, centralized access control service. The system can efficiently identify malicious nodes and continue to operate correctly when an arbitrary, predefined fraction of the network is unreachable (as occurs during an attack against the routing infrastructure or during a distributed denial-of-service attack). DAAL melds the access request efficiency of capability-based systems with the revocation power of reference monitor-based access control lists. It avoids the use of distributed leases as they create a vulnerability window during which there is a gap between the security policy and configuration. Actualizing the design can be challenging. Hence, we describe the protocol details and how they can be abstracted behind a minimal, intuitive application programming interface. As a proof of concept, we implemented DAAL as a Java prototype on a 200-node peer-to-peer overlay distributed across the world.