A Multipurpose Delegation Proxy for WWW Credentials

  • Tobias Straub
  • Thilo-Alexander Ginkel
  • Johannes Buchmann
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3545)


Credentials like passwords or cryptographic key pairs are a means to prove one’s identity to a web server. A practical problem in this context is the question of how a user can temporarily delegate the right to use a credential to another person without revealing the secret. Related to this is the issue of sharing a single credential among members of a group such that all of them may use the credential, but no one actually gets to know it. This paper presents and compares several solutions to solve these problems. One is a client-side approach, while the other three are man-in-the-middle architectures. We have implemented one of these, the HTTP proxy variant, as a prototype. Our TLS Authentication Proxy is capable of transparently authenticating with a target web server on behalf of users. It supports the major authentication methods used on the Internet, both for standard HTTP and SSL connections.


Credential Delegation Man-In-The-Middle Usability X.509 Certificate WWW Authentication 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    CCITT: Recommendation X.509: The Directory - Authentication Framework. Technical report (1988)Google Scholar
  2. 2.
    Ginkel, T.-A.: Entwurf und Implementierung eines Authentifikations-Proxys für das World Wide Web. Diploma thesis, Technische Universität Darmstadt (2004),
  3. 3.
    RSA Laboratories: PKCS#12 v1.0: Personal Information Exchange Syntax. Standard (1999),
  4. 4.
    Pashalidis, A., Mitchell, C.J.: A Taxonomy of Single Sign-On Systems. In: Safavi-Naini, R., Seberry, J. (eds.) ACISP 2003. LNCS, vol. 2727, pp. 249–264. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  5. 5.
    De Clercq, J.: Kerberized Credential Translation: A Solution to Web Access Control. In: Davida, G.I., Frankel, Y., Rees, O. (eds.) InfraSec 2002. LNCS, vol. 2437, pp. 40–58. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  6. 6.
    Basney, J., Yurcik, W., Bonilla, R., Slagell, A.: Credential Wallets: A Classification of Credential Repositories Highlighting MyProxy. In: Proc. 31st Research Conference on Communication, Information and Internet Policy (2003),
  7. 7.
    Kohl, J., Neuman, C.: The Kerberos Network Authentication Service (V5). RFC 1510 (1993),
  8. 8.
    Kornievskaia, O., Honeyman, P., Doster, B., Coffman, K.: Kerberized Credential Translation: A Solution to Web Access Control. In: Proc. 10th USENIX Security Symposium, pp. 235–250 (2001),
  9. 9.
    Ellison, C., Frantz, B., Lampson, B., Rivest, R., Thomas, B., Ylonen, T.: Simple public key certificate. IETF Internet Draft (1999)Google Scholar
  10. 10.
    Ellison, C., Frantz, B., Lampson, B., Rivest, R., Thomas, B., Ylonen, T.: SPKI Certificate Theory. RFC 2693 (1999)Google Scholar
  11. 11.
    Goffee, N.C., Kim, S.H., Smith, S., Taylor, P., Zhao, M., Marchesini, J.: Greenpass: Decentralized, PKI-based Authorization for Wireless LANs. In: Proceedings 3rd Annual PKI R&D Workshop, pp. 16–30 (2004)Google Scholar
  12. 12.
    Butler, R., Welch, V., Engert, D., Foster, I., Tuecke, S., Volmer, J., Kesselman, C.: A National-Scale Authentication Infrastructure. IEEE Computer 33, 60–66 (2000)Google Scholar
  13. 13.
    Tuecke, S., Welch, V., Engert, D., Pearlman, L., Thompson, M.: Internet X.509 Public Key Infrastructure (PKI) – Proxy Certificate Profile. RFC 3820 (2004),
  14. 14.
    Farrell, S., Housley, R.: An Internet Attribute Certificate Profile for Authorization. RFC 3281 (2002),
  15. 15.
    Fielding, R., Gettys, J., Mogul, J., Frystyk, H., Masinter, L., Leach, P., Berners-Lee, T.: Hypertext Transfer Protocol – HTTP/1.1. RFC 2616 (1999),
  16. 16.
    Luotonen, A.: Tunneling TCP Based Protocols Through Web Proxy Servers (1998),
  17. 17.
    Khare, R., Lawrence, S.: Upgrading to TLS Within HTTP/1.1. RFC 2817 (2000),
  18. 18.
    Gauthier, P., Cohen, J., Dunsmuir, M., Perkins, C.: Web Proxy Auto-Discovery Protocol. Internet draft (1999),
  19. 19.
    Netscape Communications Corporation: Navigator Proxy Auto-Config File Format (1996),
  20. 20.
    Rhee, M.Y.: Internet Security. John Wiley & Sons, Chichester (2003) ISBN 0-470-85285-2Google Scholar
  21. 21.
    Franks, J., Hallam-Baker, P., Hostetler, J., Lawrence, S., Leach, P., Luotonen, A., Stewart, L.: HTTP Authentication: Basic and Digest Access Authentication. RFC 2617 (1999),
  22. 22.
    Glass, E.: The NTLM Authentication Protocol (2003),
  23. 23.
    Microsoft Corporation: Microsoft NTLM. Microsoft Developer Network Library (2004),
  24. 24.
    Raggett, D., Hors, A.L., Jacobs, I.: HTML 4.01 Specification W3C Recommendation (1997),
  25. 25.
    Kristol, D., Montulli, L.: HTTP State Management Mechanism. RFC 2965 (2000),
  26. 26.
    Hickman, K.: SSL 2.0 Protocol Specification. Technical report, Netscape Communications Corp. (1994),
  27. 27.
    Freier, A.O., Karlton, P., Kocher, P.C.: The SSL Protocol – Version 3.0. Internet draft, Netscape Communications Corp. (1996),
  28. 28.
    Dierks, T., Allen, C.: The TLS Protocol – Version 1.0. RFC 2246 (1999),

Copyright information

© Springer-Verlag Berlin Heidelberg 2005

Authors and Affiliations

  • Tobias Straub
    • 1
  • Thilo-Alexander Ginkel
    • 2
  • Johannes Buchmann
    • 1
  1. 1.Computer Science DepartmentDarmstadt University of TechnologyDarmstadtGermany
  2. 2.TG Byte Software GmbHBensheimGermany

Personalised recommendations