Abstract
The use of web technology within organisational Intranets is increasing. The combination of a standardised interface and the security features provided by TLS has made web technology very attractive. TLS does, however, have some limitations, notably its lack of access control functionality. This paper focuses on alternatives that provide improved security services to web-based applications. The SESAME security architecture is shown to provide all of the TLS security services, with the addition of further services such as access control. Also, because SESAME uses the connection-based GSS-API, which is the same paradigm used by TLS, it is shown to be a suitable replacement. Unfortunately, because web servers and web browsers do not provide hooks for replacing the TLS security technology, SESAME is not easily used. Two alternatives are therefore considered that overcome this limitation: a new proposal before the IETF to extend TLS to carry attribute certificates, and a hybrid solution built by the authors.
Copyright information
© 1999 Springer Science+Business Media Dordrecht
Cite this chapter
Ashley, P., Vandenwauver, M., Claessens, J. (1999). Using Sesame to Secure Web Based Applications on an Intranet. In: Preneel, B. (eds) Secure Information Networks. IFIP — The International Federation for Information Processing, vol 23. Springer, Boston, MA. https://doi.org/10.1007/978-0-387-35568-9_21
DOI: https://doi.org/10.1007/978-0-387-35568-9_21
Publisher Name: Springer, Boston, MA
Print ISBN: 978-1-4757-6487-1
Online ISBN: 978-0-387-35568-9