Title :
DToken: A Lightweight and Traceable Delegation Architecture for Distributed Systems
Author :
Yang, Erica Y. ; Matthews, Brian
Author_Institution :
Rutherford Appleton Lab. (RAL), Sci. & Technol. Facilities Council (STFC), Didcot, UK
Abstract :
Several major techniques have been proposed to address delegation problems in distributed computing environments of various scales, ranging from LAN and WAN to the Internet. One of the major characteristics of existing public key cryptography based delegation mechanisms is their use of a fresh key pair at every step along the delegation chain. This has led to a range of open issues, including a non-negligible performance overhead imposed by using a fresh key pair in proxy credentials; the lack of traceability of the principals in a delegation chain; and the complexity of managing the dynamically created key pairs in the distributed environment. This paper focuses on the architectural issues of delegation. We propose a new delegation architecture, called DToken, that takes advantage of the PKI. DToken is lightweight as it eliminates the use of freshly generated key pairs in a distributed setting. DToken is also traceable because the identity of the principals in a delegation chain is preserved by cryptographically verifiable mechanisms. A preliminary evaluation demonstrates that DToken outperforms the popular delegation solution of proxy certificates. In a single-level delegation, the cost of creating a DToken, the major cost of delegation, is roughly 1/3, 1/5, and 1/10 of that of creating a proxy certificate when the certificate key size is 512, 1024, and 2048 bits, respectively.
Keywords :
distributed processing; public key cryptography; DToken architecture; Internet; LAN; WAN; cryptography verifiable mechanisms; distributed computing environments; distributed systems; grid delegation; grid key management; proxy certificate; public key cryptography; single-level delegation mechanism; traceable delegation architecture; Authorization; Computer architecture; Costs; Councils; Decision support systems; Distributed computing; Local area networks; Public key cryptography; Security; Wide area networks; Grid delegation; Grid key management; delegation architecture; lightweight delegation; traceable delegation;
Conference_Title :
Reliable Distributed Systems, 2009. SRDS '09. 28th IEEE International Symposium on
Conference_Location :
Niagara Falls, NY
Print_ISBN :
978-0-7695-3826-6
DOI :
10.1109/SRDS.2009.31