Abstract
We consider the problem of offloading secure, access-controlled content from central origin servers to distributed caches, so that clients can access a nearby cache rather than the origin servers. Our security architecture enforces the access-control policies of the origin server without replicating the access-control databases to each of the caches. We describe the security mechanisms needed to effect such a system and perform an extensive security analysis of our implementation. Our system is an example of how less trustworthy systems can be integrated into a distributed system architecture: it provides mechanisms that preserve the security of the distributed system as a whole even when less trustworthy subsystems are compromised. One application of our system is the cached distribution of access-controlled content such as subscription-based electronic libraries.
Copyright information
© 2002 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Giles, J., Sailer, R., Verma, D., Chari, S. (2002). Authentication for Distributed Web Caches. In: Gollmann, D., Karjoth, G., Waidner, M. (eds) Computer Security — ESORICS 2002. ESORICS 2002. Lecture Notes in Computer Science, vol 2502. Springer, Berlin, Heidelberg. https://doi.org/10.1007/3-540-45853-0_8
DOI: https://doi.org/10.1007/3-540-45853-0_8
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-44345-2
Online ISBN: 978-3-540-45853-1