A new approach for delegation using hierarchical delegation tokens

  • Yun Ding
  • Patrick Horster
  • Holger Petersen
Part of the IFIP Advances in Information and Communication Technology book series (IFIPAICT)


In this paper we give a classification of delegation schemes into four main classes. To solve the problem of simply chained tokens in cascaded delegations we introduce the concept of hierarchical delegation tokens. To realize this concept we use the Schnorr signature scheme and the self-certified public keys introduced by Girault. We describe the first approach to hierarchical key generation, based on a so far unregarded idea of Günther, together with the generation of designated verifier signatures. Using these tools, we present delegation schemes for the four main classes which are more efficient in generating and using delegation keys than other existing approaches. This is one of the few works that combines cryptographic algorithms and protocols to the benefit of the complexity and the efficiency of the resulting delegation mechanisms.


Keywords: delegation, access control, distributed systems, hierarchical certificates


  1. CCITT, (1988), Recommendation X.509: The Directory: Authentication Framework, Blue Book, Melbourne, Fascicle VIII.8: Data communication networks: directory, International Telecommunication Union, Geneva, 1989, pp. 48–81.
  2. R. Cramer, T. Pedersen, (1995), Efficient and provable security amplifications, CS-R9529, Computer Science, Dept. of Algorithms and Architecture, CWI, Amsterdam, 9 pages.
  3. M. Gasser, E. McDermott, (1990), An Architecture for Practical Delegation in a Distributed System, Proceedings of the IEEE Symposium on Research in Security and Privacy, pp. 20–30.
  4. M. Gasser, A. Goldstein, C. Kaufman, B. Lampson, (1989), The Digital Distributed System Security Architecture, Proceedings of the 1989 National Computer Security Conference, pp. 305–319.
  5. M. Girault, (1991), Self-Certified Public Keys, Lecture Notes in Computer Science 547, Advances in Cryptology: Proc. Eurocrypt '91, Berlin: Springer Verlag, pp. 490–497.
  6. C. G. Girling, (1982), Object Representation on a Heterogeneous Network, Operating Systems Review, Vol. 16, pp. 49–59.
  7. C. G. Günther, (1990), An identity based key exchange protocol, Lecture Notes in Computer Science 434, Advances in Cryptology: Proc. Eurocrypt '89, Berlin: Springer Verlag, pp. 29–37.
  8. T. Hardjono, T. Ohta, (1994), Secure end-to-end delegations in distributed systems, Computer Communications, Vol. 17, No. 3, pp. 230–238.
  9. P. Horster, M. Michels, H. Petersen, (1994), Meta-ElGamal signature schemes, Proc. 2nd ACM Conference on Computer and Communications Security, pp. 96–107.
  10. International Organization for Standardization, (1990), ISO/IEC 9594-8, Information technology: Open systems interconnection: The Directory, Part 8: Authentication framework.
  11. P. Kaijser, T. Parker, D. Pinkas, (1994), SESAME: The solution to security for open distributed systems, Computer Communications, Vol. 17, No. 7, pp. 501–518.
  12. P. A. Karger, (1986), Authentication and Discretionary Access Control in Computer Networks, Computers and Security, Vol. 5, pp. 314–324.
  13. M. R. Low, B. Christianson, (1994), Self Authenticating Proxies, The Computer Journal, Vol. 37, No. 5, pp. 422–428.
  14. B. C. Neuman, (1993), Proxy-Based Authorization and Accounting for Distributed Systems, International Conference on Distributed Computing Systems, pp. 283–291.
  15. NIST, (1994), FIPS Pub 186: Digital Signature Standard (DSS), Federal Information Processing Standards Publication, National Institute of Standards and Technology, May 19, 20 pages.
  16. T. A. Parker, (1991), A Secure European System for Applications in a Multi-vendor Environment, Proceedings of the 14th American National Security Conference, Washington, pp. 505–513.
  17. C. P. Schnorr, (1991), Efficient Signature Generation by Smart Cards, Journal of Cryptology, Vol. 4, pp. 161–174.
  18. K. R. Sollins, (1988), Cascaded Authentication, Proceedings of the 1990 IEEE Symposium on Research in Security and Privacy, pp. 156–163.
  19. V. Varadharajan, P. Allen, S. Black, (1991), An Analysis of the Proxy Problem in Distributed Systems, Proceedings of the 1991 IEEE Symposium on Research in Security and Privacy, pp. 255–275.
  20. S. M. Yen, C. S. Laih, (1993), A fast cascade exponentiation algorithm and its application on cryptography, Lecture Notes in Computer Science 718, Advances in Cryptology: Proc. Auscrypt '92, Berlin: Springer Verlag, pp. 447–458.

Copyright information

© IFIP International Federation for Information Processing 1996

Authors and Affiliations

  • Yun Ding (1)
  • Patrick Horster (2)
  • Holger Petersen (2)

  1. Institute of Parallel and Distributed High-Performance Systems, University of Stuttgart, Stuttgart, Germany
  2. Theoretical Computer Science and Information Security, University of Technology, Chemnitz, Germany
