Auth-SL - A System for the Specification and Enforcement of Quality-Based Authentication Policies
Abstract. This paper develops a language and a reference architecture supporting the management and enforcement of authentication policies. The language directly supports multi-factor authentication and the high-level specification of authentication factors, in terms of conditions against the features of the various authentication mechanisms and modules. In addition, the language supports a rich set of constraints; by using these constraints, one can specify, for example, that a subject must be authenticated by two credentials issued by different authorities. The paper presents a logical definition of the language and its corresponding XML encoding. It also reports an implementation of the proposed authentication system in the context of the FreeBSD Unix operating system (OS). Critical issues in the implementation are discussed and performance results are reported. These results show that the implementation is very efficient.
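As an added illustration of the kind of policy the abstract describes (this is constructed example code, not the Auth-SL language, its XML encoding or the paper's FreeBSD implementation), the following Python evaluator models each credential by mechanism, factor type, issuing authority and an assumed 1..4 strength score, and checks a session's credentials against per-resource policies, including the constraint that counted credentials must come from different authorities. The class names, policy fields, strength scale, resource names and sample credentials are all assumptions made for this example.

```python
"""Toy quality-based authentication policy evaluator.

Constructed example: not the paper's Auth-SL language, its XML encoding or
its FreeBSD implementation. Class names, policy fields, the 1..4 strength
scale and the sample credentials are all assumptions made for this demo.
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Credential:
    """One successful authentication of the subject by one mechanism."""
    mechanism: str   # e.g. "password", "otp-token", "fingerprint"
    factor: str      # "know", "hold" or "are"
    issuer: str      # authority that issued / validated the credential
    strength: int    # assumed assurance scale: 1 (weak) .. 4 (strong)


@dataclass(frozen=True)
class Policy:
    """Conditions on the credentials a subject must present for a resource."""
    name: str
    min_strength: int = 1              # credentials below this do not count
    min_factors: int = 1               # distinct factor types among counted creds
    distinct_issuers: int = 1          # counted creds from at least this many authorities
    required_factors: frozenset[str] = frozenset()


def evaluate(policy: Policy, creds: tuple[Credential, ...]) -> tuple[bool, list[str]]:
    """Return (satisfied, reasons); reasons is empty exactly when satisfied."""
    reasons: list[str] = []
    # Condition on mechanism features: only sufficiently strong credentials count.
    counted = [c for c in creds if c.strength >= policy.min_strength]
    factors = {c.factor for c in counted}
    issuers = {c.issuer for c in counted}
    if len(factors) < policy.min_factors:
        reasons.append(f"{policy.name}: need {policy.min_factors} factor type(s) at strength "
                       f">= {policy.min_strength}, have {sorted(factors)}")
    missing = policy.required_factors - factors
    if missing:
        reasons.append(f"{policy.name}: missing required factor(s) {sorted(missing)}")
    # Constraint: counted credentials must come from different authorities.
    if len(issuers) < policy.distinct_issuers:
        reasons.append(f"{policy.name}: need {policy.distinct_issuers} distinct issuer(s), "
                       f"have {sorted(issuers)}")
    return (not reasons, reasons)


# Per-resource policies (assumed): more sensitive resources demand more.
POLICIES: dict[str, Policy] = {
    "public-wiki": Policy("public-wiki"),
    "payroll": Policy("payroll", min_strength=2, min_factors=2, distinct_issuers=2),
    "hsm-admin": Policy("hsm-admin", min_strength=4, required_factors=frozenset({"hold"})),
}


def authorize(resource: str, creds: tuple[Credential, ...]) -> tuple[bool, list[str]]:
    """Pick the resource's policy and evaluate it; unknown resources are denied."""
    policy = POLICIES.get(resource)
    if policy is None:
        return (False, [f"no authentication policy for {resource!r}; denied by default"])
    return evaluate(policy, creds)


# Constructed sample sessions: each adds one more credential to the previous one.
SESSION_A = (
    Credential("password", "know", "corp-ldap", 1),
    Credential("otp-token", "hold", "corp-ldap", 3),
)
SESSION_B = SESSION_A + (Credential("fingerprint", "are", "hr-biometrics", 3),)
SESSION_C = SESSION_B + (Credential("smartcard", "hold", "pki-ca", 4),)

if __name__ == "__main__":
    for name, session in (("A", SESSION_A), ("B", SESSION_B), ("C", SESSION_C)):
        for resource in POLICIES:
            ok, why = authorize(resource, session)
            print(f"session {name} -> {resource}: {'ALLOW' if ok else 'DENY'} {why}")
```

Session A reaches the wiki but not payroll: its two credentials are different factor types, yet the password is too weak to count and both were issued by the same authority, so the distinct-issuer constraint fails. Session B satisfies payroll once a biometric from a second authority is added, and only session C, with a strength-4 smartcard, satisfies the HSM policy.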
1 Introduction
Authentication is the process by which a system verifies the identity claims of its users. It determines who the user is and whether his claim to a particular identity is true; authenticated identities are then the basis for applying other security mechanisms, such as access control. Generally speaking, a user can be authenticated on the basis of something he holds, something he is, or something he knows. Something you know is typically implemented through mechanisms such as passwords or challenge-response protocols. The something you hold approach is implemented through token-based mechanisms, smartcards, or a PIN that the user possesses and must present in order to be authenticated. Finally, the something you are paradigm is based on biometrics and includes techniques such as fingerprint scans, retina scans, voiceprint analysis, and others.

The same system may have resources with different requirements concerning the authentication strength demanded of the users wishing to access them. A straightforward solution to authentication for resources with such heterogeneous requirements is based on a conservative approach that maximizes authentication checks each time a user connects to the system. However, such a solution may result in computationally expensive authentication tasks and may also be very costly and complex to deploy. For example, adopting one-time passwords [12] for all users of an organization, independently of the tasks they have to perform and the resources they have to access, may be very expensive; ideally one would like to require such authentication measures only for users who need to access sensitive resources, and use conventional passwords for the other users. Additionally, such an approach does not eliminate the risk of session hijacking.

We believe that authentication should be based on a variety of mechanisms targeted to the resource security requirements and be easily configurable. Identity of users should always be known and

S. Qing, H. Imai, and G. Wang (Eds.): ICICS 2007, LNCS 4861, pp. 386–397, 2007. © Springer-Verlag Berlin Heidelberg 2007