Peer-to-peer overlays provide a substrate well suited to building distributed storage systems. Applications that use the infrastructure need the ability to control access to their data. However, traditional authorization services were not designed to operate in the face of network partitions, malicious nodes, and on an Internet-wide scale.

We describe the implementation of the Decentralized Authentication and Authorization Layer (DAAL), a mechanism to leverage the storage functionality of the overlay and obviate the need for an online, centralized access control service. The system can efficiently identify malicious nodes and continue to operate correctly when an arbitrary, predefined fraction of the network is unreachable (as occurs during an attack against the routing infrastructure or during a distributed denial-of-service attack).

DAAL melds the access request efficiency of capability-based systems with the revocation power of reference monitor-based access control lists. It avoids the use of distributed leases as they create a vulnerability window during which there is a gap between the security policy and configuration. Actualizing the design can be challenging. Hence, we describe the protocol details and how they can be abstracted behind a minimal, intuitive application programming interface. As a proof of concept, we implemented DAAL as a Java prototype on a 200-node peer-to-peer overlay distributed across the world.

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

	1	Eshwar Belani , Amin Vahdat , Thomas Anderson , Michael Dahlin, The CRISIS wide area security architecture, Proceedings of the 7th conference on USENIX Security Symposium, p.2-2, January 26-29, 1998, San Antonio, Texas
	2	Steven M. Bellovin and Michael Merritt, Limitations of the Kerberos Authentication System, USENIX Conference, 1991.
	3	Dan Boneh , Matthew Franklin, Identity-Based Encryption from the Weil Pairing, SIAM Journal on Computing, v.32 n.3, p.586-615, 2003  [doi>10.1137/S0097539701398521]
	4	A. Duffy and T. Dowling, An Object Oriented Approach to an Identity Based Encryption Cryptosystem, 8th IASTED International Conference on Software, 2004.
	5	Steven D. Galbraith , Keith Harrison , David Soldera, Implementing the Tate Pairing, Proceedings of the 5th International Symposium on Algorithmic Number Theory, p.324-337, July 07-12, 2002
	6	Ashish Gehani and Surendar Chandra, Parameterizing Access Control for Heterogeneous Peer-to-Peer Applications, 3rd International Conference on Security and Privacy in Communication Networks (SecureComm), IEEE Computer Society, 2007.
	7	Eu-Jin Goh, Hovav Shacham, Nagendra Modadugu and Dan Boneh, SiRiUS: Securing Remote Untrusted Storage, Network and Distributed Systems Security Symposium, 2003.
	8	Michael A. Harrison , Walter L. Ruzzo , Jeffrey D. Ullman, Protection in operating systems, Communications of the ACM, v.19 n.8, p.461-471, Aug. 1976  [doi>10.1145/360303.360333]
	9	A. Hisgen, A. Birrell, T. Mann, M. Schroeder and G. Swart, Availability and Consistency Tradeoffs in the Echo Distributed File System, 2nd IEEE Workshop on Workstation Operating Systems, 1989.
	10	Mahesh Kallahalla , Erik Riedel , Ram Swaminathan , Qian Wang , Kevin Fu, Plutus: Scalable Secure File Sharing on Untrusted Storage, Proceedings of the 2nd USENIX Conference on File and Storage Technologies, March 31-31, 2003, San Francisco, CA
	11	Butler W. Lampson, Protection, 5th Princeton Symposium on Information Sciences and Systems, 1971.
	12	David Mazières , Michael Kaminsky , M. Frans Kaashoek , Emmett Witchel, Separating key management from file system security, Proceedings of the seventeenth ACM symposium on Operating systems principles, p.124-139, December 12-15, 1999, Charleston, South Carolina, United States
	13	Torben P. Pedersen, Non-Interactive and Information-Theoretic Secure Verifiable Secret Sharing, Proceedings of the 11th Annual International Cryptology Conference on Advances in Cryptology, p.129-140, August 11-15, 1991
	14	http://www.planet-lab.org
	15	Sean Rhea , Brighten Godfrey , Brad Karp , John Kubiatowicz , Sylvia Ratnasamy , Scott Shenker , Ion Stoica , Harlan Yu, OpenDHT: a public DHT service and its uses, Proceedings of the 2005 conference on Applications, technologies, architectures, and protocols for computer communications, August 22-26, 2005, Philadelphia, Pennsylvania, USA
	16	M. Satyanarayanan, Integrating security in a large distributed system, ACM Transactions on Computer Systems (TOCS), v.7 n.3, p.247-280, Aug. 1989  [doi>10.1145/65000.65002]
	17	Adi Shamir, How to share a secret, Communications of the ACM, v.22 n.11, p.612-613, Nov. 1979  [doi>10.1145/359168.359176]
	18	Adi Shamir, Identity-based cryptosystems and signature schemes, Proceedings of CRYPTO 84 on Advances in cryptology, p.47-53, August 1985, Santa Barbara, California, United States
	19	J. G. Steiner, B. C. Neuman and J. I. Schiller, Kerberos: An Authentication Service for Open Network Systems, Winter Usenix Conference, 1988.
	20	Edward Wobber , Martín Abadi , Michael Burrows , Butler Lampson, Authentication in the Taos operating system, Proceedings of the fourteenth ACM symposium on Operating systems principles, p.256-269, December 05-08, 1993, Asheville, North Carolina, United States
	21	Fareed Zaffar , Gershon Kedem , Ashish Gehani, Paranoid: A Global Secure File Access Control System, Proceedings of the 21st Annual Computer Security Applications Conference, p.322-332, December 05-09, 2005  [doi>10.1109/CSAC.2005.42]