Password Capabilities Revisited

With reference to a distributed system consisting of nodes connected by a local area network, we present a new formulation of the password capability paradigm that takes advantage of techniques of symmetric-key cryptography to represent password capabilities in memory. We assign a cryptographic key to each application; the password capabilities held by a process of a given application are encrypted by using the key of this application. Passwords are associated with object types; two or more objects of the same type, which are allocated in the same node, share the same set of passwords. Our password capability paradigm preserves all the advantages concerning simplicity in access right representation and administration (distribution, verification, review and revocation) that characterize the classical paradigm, while keeping the memory requirements for password storage low, and solving the problems connected with password capability stealing and forging.