When small, personal computers are integrated into systems, users will store secrets in them, in particular, users will store encryption keys that they can use to access remote services. We investigate how to delegate authority using those secrets when the user does not have access to a computer network. For example, how can one issue a delegation token while speaking in the phone; it is highly impractical to dictate several hundred hexadecimal digits.
The syntax should be compact, the semantics unambiguously reconstructed from the compact form, while not compromising security. These properties are essential to off-line delegation. In other words, how much can the syntax of delegation tokens be relaxed in order to minimize message size, and how can the contents be encoded, without compromising security.
Furthermore, there is a tradeoff between the contents of messages (size) and the knowledge the receiver can deduce from the contents, that is, which messages the receiver can construct based on a compact message. The ability to see the contents of a message is not sufficient, since a compact message does not have meaning without knowledge about its semantics.
The term delegation as we used it above covers any setting where there is a transaction between two parties, where one trusts the other, and a third party possessing the assets in question. For example, Alice meets Bob and issues a (compact) token to him. He builds a certificate that he presents to the file server (his bank) to obtain a file (money). Bob trusts Alice to have access to the file (money in the bank), and the file server trusts Alice's signature, but not Bob. In other words: we have a non-trusted third party.
We are using a distributed file repository (with trusted servers) as our research vehicle. In our setting, we issue and forward delegation tokens (without using a computer network) to other users, enabling once-only access to the repository for a specific file. The token, together with information supplied by the user, together forms a delegation certificate. This certificate will authorize the intended recipient to a one-time access of the file in question (even though the owner may hold a lock on it). Since the certificate will be created in a compact form, it is necessary that the recipient of the delegation token have some a~priori knowledge.
The secret context can, for example, be a password and/or a timestamp. This type of information is much easier to convey between humans than nounces and digital signatures. The token resembles a capability since it can not be verified or used without context.
We believe that blending once-only semantics with compact certificates will give us an environment well suited for the coming generation infrastructure, built around portable, personal machines.
A prototype of the file repository is available and provides a distributed file storage. We are experimenting with different ways to implement once-only semantics in such a distributed system, and how to make the compact tokens.
For more information, contact {arne,tage}@acm.org