Abstract
Current approaches to access control on Web servers do not scale to enterprise-wide systems, since they are mostly based on individual users. We were therefore motivated by the need to manage and enforce the strong access control technology of RBAC in large-scale Web environments. Cookies can be used to support RBAC on the Web by holding users' role information. However, it is insecure to store and transmit sensitive information in ordinary cookies: they are stored and transmitted in clear text, which is readable and easily forged. In this paper, we describe an implementation of role-based access control with role hierarchies on the Web using secure cookies. Since a user's role information is contained in a set of secure cookies and transmitted to the corresponding Web servers, those servers can trust the role information in the cookies after cookie verification and use it for role-based access control. In our implementation, we used CGI scripts and PGP (Pretty Good Privacy) to provide the security services for secure cookies. The approach is transparent to users and applicable to existing Web servers and browsers.
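The scheme the abstract describes, as an added illustration that is not the chapter's own code: the server issues a set of cookies carrying the user's name, roles and lifetime plus a seal over those fields, and a receiving server recomputes the seal, checks the lifetime, and only then uses the roles (closed over a role hierarchy) for its access decision. The role hierarchy and the cookie names (rbac_user, rbac_roles, rbac_exp, rbac_seal) are constructed for this example, and the seal uses an HMAC-SHA256 under a server-held key in place of the chapter's PGP-based sealing so that it runs with the Python standard library alone.

```python
import hashlib
import hmac
import json

# Constructed demo secret. The chapter seals cookies with PGP; this example
# substitutes a server-held HMAC-SHA256 key so it needs only the standard library.
SERVER_KEY = b"constructed-demo-key-not-for-production"

# Constructed role hierarchy: each senior role lists the junior roles it inherits.
ROLE_HIERARCHY = {
    "director": ["project_lead"],
    "project_lead": ["engineer", "quality_engineer"],
    "engineer": ["employee"],
    "quality_engineer": ["employee"],
    "employee": [],
}


def effective_roles(assigned):
    """All roles a user holds once inheritance in ROLE_HIERARCHY is applied."""
    held, pending = set(), list(assigned)
    while pending:
        role = pending.pop()
        if role not in held:
            held.add(role)
            pending.extend(ROLE_HIERARCHY.get(role, []))
    return held


def _seal(user, roles, exp):
    """Keyed MAC over a canonical encoding of every field the server must trust."""
    canon = json.dumps({"user": user, "roles": sorted(roles), "exp": exp},
                       sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(SERVER_KEY, canon, hashlib.sha256).hexdigest()


def issue_cookies(user, roles, ttl, now):
    """Server side, after authentication: the cookie set the browser will store."""
    exp = now + ttl
    return {
        "rbac_user": user,
        "rbac_roles": ",".join(sorted(roles)),
        "rbac_exp": str(exp),
        "rbac_seal": _seal(user, roles, exp),
    }


def cookie_header(cookies):
    """What the browser sends back on later requests: a Cookie request header."""
    return "; ".join(f"{k}={v}" for k, v in cookies.items())


def parse_cookie_header(header):
    """Minimal Cookie header parser (name=value pairs separated by ';')."""
    parsed = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            parsed[name] = value
    return parsed


def verify_cookies(header, now):
    """Return the trusted (user, roles) pair, or None if verification fails."""
    c = parse_cookie_header(header)
    try:
        user, exp = c["rbac_user"], int(c["rbac_exp"])
        roles = [r for r in c["rbac_roles"].split(",") if r]
        presented = c["rbac_seal"]
    except (KeyError, ValueError):
        return None          # missing or malformed cookie
    if now >= exp:
        return None          # lifetime exceeded
    # Constant-time comparison so the seal check does not leak timing information.
    if not hmac.compare_digest(presented, _seal(user, roles, exp)):
        return None          # forged or altered cookie contents
    return user, roles


def authorize(header, required_role, now):
    """Role-based decision: does any role the cookies prove dominate required_role?"""
    verified = verify_cookies(header, now)
    if verified is None:
        return False
    _, roles = verified
    return required_role in effective_roles(roles)


if __name__ == "__main__":
    issued = issue_cookies("alice", ["project_lead"], ttl=3600, now=1_000_000)
    hdr = cookie_header(issued)
    print("employee allowed via hierarchy:", authorize(hdr, "employee", 1_000_100))
    print("director allowed:", authorize(hdr, "director", 1_000_100))
    forged = hdr.replace("rbac_roles=project_lead", "rbac_roles=director")
    print("forged roles accepted:", verify_cookies(forged, 1_000_100) is not None)
```

Only the fields covered by the seal can be trusted, so anything the server later relies on (here the user, the roles and the expiry) must be part of the sealed encoding; a role value edited in the browser changes the recomputed seal and the cookies are rejected before any access decision is made.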
The original version of this chapter was revised: The copyright line was incorrect. This has been corrected. The Erratum to this chapter is available at DOI: 10.1007/978-0-387-35508-5_22
Copyright information
© 2000 IFIP International Federation for Information Processing
Cite this chapter
Park, J.S., Sandhu, R., Ghanta, S. (2000). RBAC on the Web by Secure Cookies. In: Atluri, V., Hale, J. (eds) Research Advances in Database and Information Systems Security. IFIP — The International Federation for Information Processing, vol 43. Springer, Boston, MA. https://doi.org/10.1007/978-0-387-35508-5_4
DOI: https://doi.org/10.1007/978-0-387-35508-5_4
Publisher Name: Springer, Boston, MA
Print ISBN: 978-1-4757-6411-6
Online ISBN: 978-0-387-35508-5
eBook Packages: Springer Book Archive