Disallowing Unauthorized State Changes of Distributed Shared Objects

J. Leiwo, C. Hanle, P. Homburg and A.S. Tanenbaum
Vrije Universiteit, FEW, De Boelelaan 1081A, 1081 HV Amsterdam, The Netherlands
{leiwo,chris,philip,ast}@cs.vu.nl

Abstract

Attaching digital signatures to state update messages in global distributed shared object (DSO) systems is not trivial. If the DSO consists of a number of autonomous local representatives that use open, public networks for maintaining state consistency, allowing a local representative to sign state update messages is not appropriate. More sophisticated schemes are required to prevent unauthorized state updates by malicious local representatives or external parties. This paper examines the problem in detail, compares a number of possible solutions, identifies the most suitable one, and demonstrates how state update messages can be signed using the identified solution.

1. INTRODUCTION

Assume a distributed shared object (DSO) consisting of a number of local objects (representatives), i.e. components that reside in a single address space and communicate with other local objects in different address spaces. To use the DSO for, say, delivering digital products (e.g. software packages), it is meaningful to structure the DSO so that the authority to update the state of the DSO is granted only to an administrator accessing a limited number of trusted core local objects. The updated state is then propagated, according to a particular replication policy, to a larger number of less trusted caching local objects to which clients can bind and from which they can download the product of interest.

A number of schemes have been developed to provide authorization in distributed object systems. Access control, however, is not enough. Each caching local object must verify the authenticity and integrity of the state it receives as a result of a DSO state update.

The original version of this chapter was revised: The copyright line was incorrect. This has been corrected. The Erratum to this chapter is available at DOI: 10.1007/978-0-387-35515-3_53

© IFIP International Federation for Information Processing 2000
S. Qing et al. (eds.), Information Security for Global Information Infrastructures