Chained and Delegable Authorization Tokens (G. Navarro, J. García, J. A. Ortega-Ruiz), NordSec 2004 presentation slides

SLIDE 1

Chained and Delegable Authorization Tokens

G. Navarro, J. García, J. A. Ortega-Ruiz
Dept. of Computer Science, Universitat Autònoma de Barcelona

NordSec 2004

G. Navarro et al. (UAB), CADAT, NordSec 2004, slide 1 / 15

SLIDE 2

Outline

1. Introduction
2. Example: initialization, token delegation, chain delegation
3. Delegation in CADAT
4. Implementation and applications: implementation; SPKI cert without full tag intersection; SPKI cert using full tag intersection
5. Conclusions

SLIDE 4

Introduction

CADAT: Chained And Delegable Authorization Tokens

  • Hash chains as chains of authorization tokens: tokens represent generic authorizations (not just micropayments).
  • Delegation: delegation of chains or subchains.
  • Implemented with a trust management infrastructure.

SLIDE 13

Example: initialization (first use)

Participants: AcmeNews, Alice

  • { contract(acme,10) }
  • Generate hash chain: h_10, h_9, ..., h_1; { contract(h_10) }
  • Tokens sent: h_9, h_8

SLIDE 17

Example: token delegation

Participants: AcmeNews, Alice, ScienceNews

  • { token-deleg(h_8) }
  • Tokens sent: h_7, h_6

SLIDE 21

Example: chain delegation

Participants: AcmeNews, Alice, Bob

  • { chain-deleg(h_6) }
  • Tokens sent: h_5, h_4

SLIDE 22

Delegation in CADAT

CADAT & Delegation

  • Token-delegation: the delegatee is the consumer of tokens, the party that offers the service (aka server-side delegation).
  • Chain-delegation: the delegatee is the user of the tokens, the party that accesses the service (aka client-side delegation).
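The initialization, token-delegation and chain-delegation examples above, replayed as an added Python example; this is not the CADAT project's Java/JSDSI code. Assumptions: the chain is built as h_i = H^i(m) from a secret seed m, so the contract anchors h_10 and tokens are spent downward (h_9, h_8, ...); SHA-256 stands in for the md5 of the slides' certificates; the certificate layer (contract and chain-delegation) is modelled as plain `Grant` records rather than SPKI/SDSI certificates; the chain id "acme-1" and the holder names are constructed from the slides' participants.

```python
import hashlib
import secrets
from dataclasses import dataclass


def H(x: bytes) -> bytes:
    # SHA-256 stands in for the md5 used in the slides' certificates (assumption).
    return hashlib.sha256(x).digest()


def generate_chain(seed: bytes, n: int) -> list:
    """chain[i] == h_i == H^i(seed); chain[n] is the anchor committed to in the contract.
    Tokens are then spent downward: h_{n-1}, h_{n-2}, ... (assumed chain direction)."""
    chain = [seed]
    for _ in range(n):
        chain.append(H(chain[-1]))
    return chain


@dataclass
class Grant:
    """Authorization record (stands in for a contract / chain-delegation cert):
    `holder` may present indices lo <= i < hi of chain `chain_id`."""
    holder: str
    chain_id: str
    lo: int
    hi: int


@dataclass
class Consumer:
    """A service that redeems tokens. It only ever moves down the chain, so a value
    is accepted at most once; `grants` says who may present which indices."""
    name: str
    chain_id: str
    last_value: bytes      # last verified value (initially the contract anchor h_n)
    last_index: int
    grants: list           # shared with the delegator so later chain-delegations are seen
    closed: bool = False   # set by token-delegation: tokens now go to the delegatee
    redeemed: int = 0

    def accept(self, presenter: str, index: int, value: bytes) -> bool:
        if self.closed or not (0 <= index < self.last_index):
            return False
        if not any(g.holder == presenter and g.chain_id == self.chain_id
                   and g.lo <= index < g.hi for g in self.grants):
            return False
        v = value
        for _ in range(self.last_index - index):   # H^(last_index-index)(value) == last_value?
            v = H(v)
        if v != self.last_value:
            return False
        self.redeemed += self.last_index - index
        self.last_value, self.last_index = value, index
        return True

    def delegate_tokens(self, delegatee: str) -> "Consumer":
        """token-delegation (server side): the delegatee consumes from the current
        position; this consumer stops accepting, so no value can be redeemed twice."""
        self.closed = True
        return Consumer(delegatee, self.chain_id, self.last_value, self.last_index, self.grants)


def delegate_chain(grants: list, delegator: str, delegatee: str, at: int) -> None:
    """chain-delegation (client side): the delegatee may present indices below `at`;
    the delegator's grant is narrowed so the subchain has exactly one authorized user."""
    for g in grants:
        if g.holder == delegator and g.lo <= at < g.hi:
            grants.append(Grant(delegatee, g.chain_id, g.lo, at))
            g.lo = at
            return
    raise ValueError("delegator holds no grant covering that index")


def run_example() -> dict:
    """Replays the slides' scenario; returns what each consumer redeemed and the rejections."""
    chain = generate_chain(secrets.token_bytes(32), 10)     # h_0 .. h_10
    grants = [Grant("alice", "acme-1", 0, 10)]             # contract(acme,10), anchor h_10
    acme = Consumer("AcmeNews", "acme-1", chain[10], 10, grants)
    assert acme.accept("alice", 9, chain[9]) and acme.accept("alice", 8, chain[8])
    replay = acme.accept("alice", 9, chain[9])            # h_9 presented again: rejected
    science = acme.delegate_tokens("ScienceNews")          # token-deleg(h_8)
    assert science.accept("alice", 7, chain[7]) and science.accept("alice", 6, chain[6])
    stale = acme.accept("alice", 5, chain[5])              # AcmeNews is closed: rejected
    delegate_chain(grants, "alice", "bob", 6)              # chain-deleg(h_6)
    alice_low = science.accept("alice", 5, chain[5])       # Alice no longer holds indices < 6
    assert science.accept("bob", 5, chain[5]) and science.accept("bob", 4, chain[4])
    forged = science.accept("bob", 3, H(b"not on the chain"))
    return {"acme": acme.redeemed, "science": science.redeemed,
            "rejected": [replay, stale, alice_low, forged]}


if __name__ == "__main__":
    print(run_example())
```

The hash values alone say nothing about who presents them: once Alice has delegated the subchain below h_6 she still knows those values, so it is the grant (in CADAT, the SPKI/SDSI certificate) that decides whether a presenter may spend a given index, and the consumer's strictly decreasing index is what stops a value from being redeemed twice.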

SLIDE 24

Implementation and Applications: Implementation

  • CADAT is implemented in Java.
  • Contracts and delegations are encoded as SPKI/SDSI authorization certificates.
  • Basic functionality is provided by JSDSI; its chain discovery algorithm ⇒ all computations needed by CADAT. It is extended to support hash chain verification inside the algorithm.

SLIDE 27

Implementation and Applications: SPKI cert without full tag intersection

Token as SPKI authorization certificate: partial tag intersection

Authorization token: p = (cid, i, h^i(m))

Token-cert without hash verification:

  (cert
    (issuer ...)
    (subject ...)
    (tag (h-chain-id |123456789|)
         (h-chain-index (* range numeric ge 7)))
    (comment (h-val (hash md5 |899b786bf7dfad58aa3844f2489aa5bf|))))

SLIDE 29

Implementation and Applications: SPKI cert using full tag intersection

Token as SPKI authorization certificate: full tag intersection

Authorization token: p = (cid, i, h^i(m))

Token-cert with hash verification:

  (cert
    (issuer ...)
    (subject ...)
    (tag (hash-auth (hchain-id |lksjfSDFIsdfkj0sndKIShfoMSKJSD|)
                    (hchain-index 15)
                    (hash md5 |d52885e0c4bc097f6ba3b4622e147c30|))))
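The two certificate forms above (the partial form, where the tag only constrains the chain index with a range and the hash lives in a comment, and the full form, where the hash is pinned inside the tag) as an added Python example; this is not the project's JSDSI-based code. It contains a minimal S-expression parser, RFC 2693 style tag containment for atoms, lists, `(*)`, `(* set ...)`, `(* prefix ...)` and `(* range numeric ...)`, and the hash-chain check the slides describe as an extension of chain discovery. Assumptions: `|...|` atoms are treated as opaque text (real SPKI decodes them as base64); for the full form, `(hchain-index k)` with `(hash md5 h_k)` is verified by md5^(k-i)(v) == h_k for a presented token (i, v); the issuer/subject names, the seed and the chain id "chain-A" are constructed.

```python
import hashlib
import re

_TOKEN = re.compile(r'\(|\)|\|[^|]*\||"[^"]*"|[^\s()|"]+')


def parse(text: str):
    """Parse an SPKI advanced-form S-expression into nested lists of strings.
    |...| and "..." atoms keep only their inner text (real SPKI decodes |...| as
    base64; the slides' values are hex digests, so they are left opaque here)."""
    toks = _TOKEN.findall(text)
    pos = 0

    def node():
        nonlocal pos
        if pos >= len(toks):
            raise ValueError("unbalanced '('")
        t = toks[pos]
        pos += 1
        if t == ')':
            raise ValueError("unbalanced ')'")
        if t != '(':
            return t.strip('|"')
        items = []
        while pos < len(toks) and toks[pos] != ')':
            items.append(node())
        if pos >= len(toks):
            raise ValueError("unbalanced '('")
        pos += 1
        return items

    result = node()
    if pos != len(toks):
        raise ValueError("trailing input")
    return result


def contains(cert, req) -> bool:
    """Tag containment (RFC 2693 style): is request tag `req` within cert tag `cert`?
    Supports atoms, element-wise lists (a shorter cert list matches any tail),
    (*), (* set ...), (* prefix ...) and (* range numeric [ge|gt] lo [le|lt] hi)."""
    if isinstance(cert, list) and cert[:1] == ['*']:
        if len(cert) == 1:
            return True
        kind = cert[1]
        if kind == 'set':
            return any(contains(c, req) for c in cert[2:])
        if kind == 'prefix':
            return isinstance(req, str) and req.startswith(cert[2])
        if kind == 'range' and cert[2:3] == ['numeric'] and isinstance(req, str):
            try:
                x = int(req)
            except ValueError:
                return False
            bounds = cert[3:]
            for op, lim in zip(bounds[::2], bounds[1::2]):
                ok = {'ge': x >= int(lim), 'gt': x > int(lim),
                      'le': x <= int(lim), 'lt': x < int(lim)}.get(op, False)
                if not ok:
                    return False
            return True
        return False
    if isinstance(cert, str) or isinstance(req, str):
        return cert == req
    return len(cert) <= len(req) and all(contains(c, r) for c, r in zip(cert, req))


def field(sexp, name):
    """First sub-list of `sexp` whose head is `name`."""
    return next(x for x in sexp if isinstance(x, list) and x[:1] == [name])


def verify_token(cert_text: str, chain_id: str, i: int, v: bytes) -> bool:
    """Full-tag form: the tag pins (hchain-id, hchain-index k, hash md5 h_k); a token
    (i, v) with i <= k is accepted iff md5^(k-i)(v) == h_k (assumed chain direction)."""
    auth = field(field(parse(cert_text), 'tag'), 'hash-auth')
    k = int(field(auth, 'hchain-index')[1])
    algo, digest = field(auth, 'hash')[1:3]
    if field(auth, 'hchain-id')[1] != chain_id or algo != 'md5' or i > k:
        return False
    for _ in range(k - i):
        v = hashlib.md5(v).digest()
    return v.hex() == digest


def run_example() -> dict:
    chain = [b"constructed seed"]                        # constructed, not from the slides
    for _ in range(15):
        chain.append(hashlib.md5(chain[-1]).digest())   # chain[i] == md5^i(seed)
    partial = field(parse("(cert (issuer alice) (subject acme) (tag (h-chain-id |123456789|)"
                          " (h-chain-index (* range numeric ge 7))))"), 'tag')
    full = ("(cert (issuer alice) (subject acme) (tag (hash-auth (hchain-id |chain-A|)"
            f" (hchain-index 15) (hash md5 |{chain[15].hex()}|))))")
    return {
        "index9_in_range": contains(partial, parse("(tag (h-chain-id |123456789|) (h-chain-index 9))")),
        "index5_in_range": contains(partial, parse("(tag (h-chain-id |123456789|) (h-chain-index 5))")),
        "other_chain": contains(partial, parse("(tag (h-chain-id |987654321|) (h-chain-index 9))")),
        "good_token": verify_token(full, "chain-A", 13, chain[13]),
        "forged_token": verify_token(full, "chain-A", 13, chain[12]),
    }
```

With the partial form, plain tag intersection only answers "is index 9 inside the delegated range"; the verifier must still fetch the hash from the comment and check the chain itself, which is why the slides extend the chain discovery algorithm. With the full form the chain value is part of the tag, so `verify_token` is the containment test.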

SLIDE 31

Implementation and Applications: Applications

  • Generic token-based access control system.
  • Micropayment schemes.
  • Current application: token-based access control for mobile agents.

SLIDE 34

CADAT and mobile agent access control

Diagram labels: Alice; Alice's mobile agent; Agent Platform 1; token authority; token-contract-cert; initial chain-contract-cert.

  • Alice publishes access tokens for her agents.
  • The agent platform verifies the contract, and accepts tokens for M if all verifications are successful.

SLIDE 35

Conclusions

  • A system for token-based access control and micropayment systems: hash chains, delegation.
  • Implemented with SPKI/SDSI.
  • Current application: access control in mobile agent systems.

SLIDE 38

[C-x C-c]

Thank you! Questions?