DocumentCode
2343985
Title
A secure identity-based capability system
Author
Gong, Li
Author_Institution
Comput. Lab., Cambridge Univ., UK
fYear
1989
fDate
1-3 May 1989
Firstpage
56
Lastpage
63
Abstract
The author presents the design of an identity-based capability protection system called ICAP, which is aimed at a distributed system in a network environment. The semantics of traditional capabilities are modified to incorporate subject identities. This enables the monitoring, mediating, and recording of capability propagations to enforce security policies. It also supports administrative activities such as traceability. The author has developed an exception-list approach to achieve rapid revocation and the idea of capability propagation trees for complete revocation. Compared with existing capability system designs, ICAP requires much less storage and has the potential of lower cost and better real-time performance. The author proposes to expand R.Y. Kain and C.E. Landwehr's (1987) design taxonomy of capability-based systems to cover a wider range of designs.
Keywords
network operating systems; security of data; ICAP; Kain; Landwehr; administrative activities; capability propagation trees; complete revocation; distributed system; exception-list; identity-based capability protection system; mediating; monitoring; network environment; rapid revocation; real-time performance; recording; security policies; semantics; subject identities; traceability; Access control; Computer networks; Computerized monitoring; Costs; Data security; Information security; Permission; Protection; Real time systems; Sparse matrices;
fLanguage
English
Publisher
ieee
Conference_Titel
Security and Privacy, 1989. Proceedings., 1989 IEEE Symposium on
Conference_Location
Oakland, CA
Print_ISBN
0-8186-1939-2
Type
conf
DOI
10.1109/SECPRI.1989.36277
Filename
36277