Application access control at network level

Subscribe (Full Service)


	Search: The ACM Digital Library The Guide

	Feedback

Application access control at network level

Full text

Pdf (957 KB)

Source

Conference on Computer and Communications Security archive
Proceedings of the 2nd ACM Conference on Computer and communications security table of contents

Fairfax, Virginia, United States

Pages: 219 - 228

Year of Publication: 1994

ISBN:0-89791-732-4

Authors

Refik Molva	Institut EURECOM, 06904 Sophia-Antipolis, France
Erich Rütsche	Institut EURECOM, 06904 Sophia-Antipolis, France

Sponsor

SIGSAC: ACM Special Interest Group on Security, Audit, and Control

Publisher

ACM New York, NY, USA

Bibliometrics

Downloads (6 Weeks): 2, Downloads (12 Months): 20, Citation Count: 0

Additional Information:

abstract references index terms collaborative colleagues

Tools and Actions:	Request Permissions Review this Article Save this Article to a Binder Display Formats: BibTeX EndNote ACM Ref

DOI Bookmark:	Use this link to bookmark this Article: http://doi.acm.org/10.1145/191177.191234 What is a DOI?

ABSTRACT

This paper describes an access control mechanism that enforces at the network level an access control decision that is taken at the application level. The mechanism is based on the pre-computation of encrypted counters called tickets. An access enforcement device verifies the existence of a valid ticket in each packet that is subject to access control and kills unauthorized packets. Tickets are not computed as a function of the user data. Due to the timing constraints of shared media LANs the presence of a valid ticket in a packet proves that the operation implied by the user data has been authorized. The access control mechanism is elaborated for Internet protocols over Ethernet and we discuss its properties for internetworking and multicasting.

REFERENCES

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

	1	Estrin, D., Mogul, J.C., Tsudik, G., Anand, K., "Visa Protocols for Controlling Inter-Organizational Datagram Flow: Extended Description," USC TR 88- 50, 1988.
	2	'~Data Encryption Standard", FIPS 46, NBS, Jan 77.
	3	Rivest, R., "The MD5 Message Digest Algorithm Draft," July 1991.
	4	Gene Tsudik, Message authentication with one-way hash functions, Proceedings of the eleventh annual joint conference of the IEEE computer and communications societies on One world through communications (Vol. 3), p.2055-2059, May 1992, Florence, Italy
	5	Reynolds, J., Postel, J., "Assigned Numbers", Network Working Group, Request for Comments: 1340, July 1992.
	6	Rtitsche, E., "Multimedia Communication Subsystems: Architectures, Interfaces and Implementation," Ph.D. Thesis ETH Ziirich, Nr. 10228, VDI Verlag, Reihe 10, Nr. 257, Dtisseldorf 1993, pp. 129 -134.
	7	Cryptech, "DES PROCESSOR," Cryptech, DOC 00552008E-ED01, 1989.
	8	Cheswick, B., 'T)esign of a Secure Interact Gateway", Proceedings of the USENIX Summer 1990 Conference, Anaheim, CA, June 1990, pp. 233-237.
	9	Treese, G.W., Wolman, A., "X Through the Firewall and Other Application Relays," DEC CRL, 93/10, May 1993.
	10	S inah, A., Path, R., "An Introduction to Network Programming Using the Netbios Interface", Microsoft Systems Journal, Mar, 1992
	11	Stephen E. Deering , David R. Cheriton, Multicast routing in datagram internetworks and extended LANs, ACM Transactions on Computer Systems (TOCS), v.8 n.2, p.85-110, May 1990 [doi>10.1145/78952.78953]