Both types of systems share the property that only a (relatively) small set of users has read/write access to files, because current access control systems rely on authenticating the user, which in turn requires that the user already be known to the system. This works in closed administrative domains (e.g., NIS domains or Kerberos realms [21]), where an administrator creates a user account and assigns access rights to it.
Consider a local user, Alice, who wishes to share files with Bob, who does not have an account on Alice's file server. The local system administrator must open an account for Bob, but this may create administrative and legal problems, and may conflict with local policies (e.g., only employees may have accounts).
We propose a mechanism that allows Alice, without the intervention of any centralized administrative authority, to authorize Bob to access her files. This is done by having Alice create a credential that contains Bob's public key, the DisCFS file handle and the permissions being granted. Alice signs the credential, thereby conferring on Bob the authority to access the file. Alice may simply e-mail the authorization credential to Bob in cleartext, because the credential itself contains no secrets (apart from the information that Alice wishes to share a file with Bob); its security rests on Alice's signature, not on confidentiality. By combining Alice's credential with one signed by himself, in which he names a further key and a (sub)set of the permissions he holds, Bob may further delegate access to the file.
We show that this simple mechanism is secure and scalable. Further, by requiring the cooperation of only the users involved in the file exchange, this mechanism offers great flexibility and low administrative overheads. The system monitors all access to files, and can identify, using the offered public key, any entity issuing file requests. Mechanisms for restricting access or imposing access controls are also provided.
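The credential construction and delegation chain described above, together with the identification of a requester by the public key it offers, as an added example (this is not the paper's or DisCFS's code; DisCFS uses its own credential format, which the paper introduces elsewhere). The example assumes Ed25519 signatures, a JSON encoding of the credential fields, permission names "read" and "write", a constructed file handle, and a server-chosen nonce that the requester signs to prove it holds the offered key (standing in for the IPsec peer authentication the prototype relies on). The verifier walks the chain from the file owner's key to the requester, checking each signature, that each issuer is the previous licensee, that the file handle matches, and that no delegator hands out more than it was given:

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Credential is the signed statement "Issuer authorizes Licensee to perform
// Perms on Handle". The field set follows the text; the JSON encoding and the
// permission names are assumptions of this example, not the DisCFS format.
type Credential struct {
	Issuer   []byte   `json:"issuer"`   // public key of the party granting access
	Licensee []byte   `json:"licensee"` // public key of the party receiving access
	Handle   string   `json:"handle"`   // DisCFS file handle (opaque string here)
	Perms    []string `json:"perms"`    // e.g. "read", "write"
	Sig      []byte   `json:"sig,omitempty"`
}

// signedBody is the canonical byte string the signature covers (all fields but Sig).
func (c Credential) signedBody() []byte {
	c.Sig = nil // value receiver: the caller's copy keeps its signature
	b, _ := json.Marshal(c)
	return b
}

// Issue lets the holder of priv grant perms on handle to licensee. The result
// carries no secret and can be mailed in cleartext; only the signature matters.
func Issue(priv ed25519.PrivateKey, licensee ed25519.PublicKey, handle string, perms []string) Credential {
	c := Credential{Issuer: priv.Public().(ed25519.PublicKey), Licensee: licensee, Handle: handle, Perms: perms}
	c.Sig = ed25519.Sign(priv, c.signedBody())
	return c
}

func contains(set []string, p string) bool {
	for _, s := range set {
		if s == p {
			return true
		}
	}
	return false
}

// Authorize decides whether requester may perform perm on handle, given a chain
// of credentials starting at the file owner and a signature over nonce that
// proves possession of the offered requester key (assumed proof-of-possession step).
func Authorize(owner ed25519.PublicKey, handle, perm string,
	requester ed25519.PublicKey, nonce, nonceSig []byte, chain []Credential) error {
	if len(requester) != ed25519.PublicKeySize { // ed25519.Verify panics on bad key sizes
		return errors.New("malformed requester key")
	}
	if !ed25519.Verify(requester, nonce, nonceSig) {
		return errors.New("requester does not hold the offered public key")
	}
	if len(chain) == 0 {
		return errors.New("no credential presented")
	}
	expectedIssuer := []byte(owner)
	for i, c := range chain {
		if !bytes.Equal(c.Issuer, expectedIssuer) {
			return fmt.Errorf("credential %d: issuer is not the previous licensee", i)
		}
		if c.Handle != handle {
			return fmt.Errorf("credential %d: wrong file handle", i)
		}
		if !ed25519.Verify(ed25519.PublicKey(c.Issuer), c.signedBody(), c.Sig) {
			return fmt.Errorf("credential %d: bad signature", i)
		}
		if i > 0 { // a delegator cannot hand out more than it was given
			for _, p := range c.Perms {
				if !contains(chain[i-1].Perms, p) {
					return fmt.Errorf("credential %d: delegates %q it does not hold", i, p)
				}
			}
		}
		expectedIssuer = c.Licensee
	}
	if !bytes.Equal(expectedIssuer, requester) {
		return errors.New("chain does not end at the requester")
	}
	if !contains(chain[len(chain)-1].Perms, perm) {
		return fmt.Errorf("%q not granted", perm)
	}
	return nil
}

func main() {
	alicePub, alicePriv, _ := ed25519.GenerateKey(rand.Reader)
	bobPub, bobPriv, _ := ed25519.GenerateKey(rand.Reader)
	carolPub, carolPriv, _ := ed25519.GenerateKey(rand.Reader)
	handle := "disc-fh-0001" // constructed file handle

	toBob := Issue(alicePriv, bobPub, handle, []string{"read", "write"}) // Alice -> Bob, mailed in cleartext
	toCarol := Issue(bobPriv, carolPub, handle, []string{"read"})        // Bob delegates a subset to Carol
	nonce := []byte("server-nonce-42")                                   // constructed challenge
	proof := ed25519.Sign(carolPriv, nonce)
	chain := []Credential{toBob, toCarol}

	fmt.Println(Authorize(alicePub, handle, "read", carolPub, nonce, proof, chain))
	fmt.Println(Authorize(alicePub, handle, "write", carolPub, nonce, proof, chain))
}
```

The server never needs an account for Bob or Carol: it knows only the owner's key and the file handle, and everything else arrives with the request. The nonce signature is what lets the server attribute a request to a specific key, which is the basis for the monitoring described above.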
The access control mechanism that is presented in this paper is independent of the actual mechanism used for the exchange of data (e.g., ftp, NFS, http, and so on). We implement two prototypes, one for ftp-like access (not covered in this discussion) and another using the NFS protocol.
In the following sections we demonstrate how our mechanism may be deployed in practice using the NFS prototype as an example. We integrate our access mechanism with a user-level NFSv2 server using IPsec [16]; our intention is to offer this access mechanism eventually as part of the standard NFS authentication framework. The performance measurements collected by running common file-related benchmarks indicate performance roughly comparable to existing systems.