Check out the new USENIX Web site.

Home About USENIX Events Membership Publications Students
Security '02 Abstract

A General and Flexible Access-Control System for the Web

Lujo Bauer, Michael A. Schneider, and Edward W. Felten, Department of Computer Science, Princeton University


We describe the design, implementation, and performance of a new system for access control on the web. To achieve greater flexibility in forming access-control policies — in particular, to allow better interoperability across administrative boundaries — we base our system on the ideas of proof-carrying authorization (PCA). We extend PCA with the notion of goals and sessions, and add a module system to the proof language. Our access-control system makes it possible to locate and use pieces of the security policy that have been distributed across arbitrary hosts. We provide a mechanism which allows pieces of the security policy to be hidden from unauthorized clients. Our system is implemented as modules that extend a standard web server and web browser to use proof-carrying authorization to control access to web pages. The web browser generates proofs mechanically by iteratively fetching proof components until a proof can be constructed. We provide for iterative authorization, by which a server can require a browser to prove a series of challenges. Our implementation includes a series of optimizations, such as speculative proving, and modularizing and caching proofs, and demonstrates that the goals of generality, flexibility, and interoperability are compatible with reasonable performance.
  • View the full text of this paper in HTML, PDF, and PostScript. Until August 2003, you will need your USENIX membership identification in order to access the full papers.
    The Proceedings are published as a collective work, © 2002 by the USENIX Association. All Rights Reserved. Rights to individual papers remain with the author or the author's employer. Permission is granted for the noncommercial reproduction of the complete work for educational or research purposes. USENIX acknowledges all trademarks within this paper.

  • If you need the latest Adobe Acrobat Reader, you can download it from Adobe's site.

  • To become a USENIX Member, please see our Membership Information.

?Need help? Use our Contacts page.

Last changed: 19 June 2002 aw
Technical Program
Security '02 Home