wave a decentralized authorization framework with
play

WAVE: A Decentralized Authorization Framework with Transitive - PowerPoint PPT Presentation

Jun 22, 2023 •353 likes •1.09k views

WAVE: A Decentralized Authorization Framework with Transitive Delegation [Andersen et al., USENIX Security 2019] Slides credit Michael Andersen Representative authorization example BLDG2/Floor3/HVAC BLDG2/Floor3 BLDG2/Floor3/LIGHT

  1. WAVE: A Decentralized Authorization Framework with Transitive Delegation [Andersen et al., USENIX Security 2019] Slides credit Michael Andersen

  2. Representative authorization example BLDG2/Floor3/HVAC BLDG2/Floor3 BLDG2/Floor3/LIGHT BLDG2/Floor3/DOORS Building Owner Tenant Company Employees CEO

  3. Traditional approach E.g. OAuth, LDAP BLDG2/Floor3/HVAC BLDG2/Floor3 BLDG2/Floor3/LIGHT BLDG2/Floor3/DOORS Building Owner Tenant Company Employees CEO

  4. Traditional approach Problems: Central point of attack BLDG2/Floor3/HVAC BLDG2/Floor3 BLDG2/Floor3/LIGHT BLDG2/Floor3/DOORS Building Owner Tenant Company Employees CEO

  5. Traditional approach Problems: Central point of attack Can’t even trust operator BLDG2/Floor3/HVAC BLDG2/Floor3 BLDG2/Floor3/LIGHT BLDG2/Floor3/DOORS Building Owner Tenant Company Employees CEO

  6. Traditional approach Problems: Central point of attack Can’t even trust operator BLDG2/Floor3/HVAC BLDG2/Floor3 BLDG2/Floor3/LIGHT BLDG2/Floor3/DOORS Building Owner Tenant Company Employees CEO

  7. Traditional approach Problems: Central point of attack Can’t even trust operator BLDG2/Floor3/HVAC BLDG2/Floor3 BLDG2/Floor3/LIGHT BLDG2/Floor3/DOORS Building Owner Tenant Company Employees CEO

  8. Traditional approach Problems: Central point of attack Can’t even trust operator BLDG2/Floor3/HVAC BLDG2/Floor3 BLDG2/Floor3/LIGHT BLDG2/Floor3/DOORS Building Owner Tenant Company Employees CEO

  9. Traditional approach Problems: Central point of attack Can’t even trust operator BLDG2/Floor3/HVAC BLDG2/Floor3 BLDG2/Floor3/LIGHT BLDG2/Floor3/DOORS Building Owner Tenant Company Employees CEO

  10. Traditional approach Problems: Central point of attack Can’t even trust operator Sometimes delegation unsupported BLDG2/Floor3/HVAC BLDG2/Floor3 BLDG2/Floor3/LIGHT BLDG2/Floor3/DOORS Building Owner Tenant Company Employees CEO

  11. Traditional approach Problems: Central point of attack Can’t even trust operator Sometimes delegation unsupported When supported, not transitive BLDG2/Floor3/HVAC BLDG2/Floor3 BLDG2/Floor3/LIGHT BLDG2/Floor3/DOORS Building Owner Tenant Company Employees CEO

  12. Lack of transitive delegation BLDG2/Floor3/HVAC BLDG2/Floor3 BLDG2/Floor3/LIGHT BLDG2/Floor3/DOORS Building Owner Tenant Company Employees CEO

  13. Lack of transitive delegation BLDG2/Floor3/HVAC BLDG2/Floor3 BLDG2/Floor3/LIGHT BLDG2/Floor3/DOORS Building Owner Tenant Company Employees CEO

  14. Lack of transitive delegation BLDG2/Floor3/HVAC BLDG2/Floor3 BLDG2/Floor3/LIGHT BLDG2/Floor3/DOORS Building Owner Tenant Company Employees CEO

  15. What we want: BLDG2/Floor3/HVAC BLDG2/Floor3 BLDG2/Floor3/LIGHT BLDG2/Floor3/DOORS Building Owner Tenant Company Employees CEO

  16. Existing work lacks some important features System / Work Avoid central Transitive Permission No ordering Offline Protected authority Delegation Discovery constraints participants permissions LDAP, AD OAuth2 Macaroons SDSI/SPKI

  17. What is WAVE System / Work No central Transitive Permission No ordering Offline Protected authority Delegation Discovery constraints participants permissions WAVE WAVE is a cryptographically enforced decentralized authorization system ● It can be used in place of most mainstream authorization systems ● Anyone can delegate permissions or revoke permissions they have delegated ● Anyone can discover their permissions and form a proof of authorization ● Anyone (even devices) can verify proofs of authorization

  18. WAVE achieves this with three techniques:

  19. Graph Based Authorization Popularized by SDSI/SPKI [Rivest, Lampson, 1996] ● ● Represents permissions as a graph, rather than an ACL table ● Naturally represents transitive delegation BLDG2/Floor3/HVAC BLDG2/Floor3 BLDG2/Floor3/LIGHT BLDG2/Floor3/DOORS Building Owner Tenant Company Employees CEO

  20. Graph Based Authorization BLDG2/Floor3/HVAC BLDG2/Floor3 BLDG2/Floor3/LIGHT BLDG2/Floor3/DOORS Building Owner Tenant Company Employees CEO

  21. Graph Based Authorization Participants: Entities Collections of cryptographic keys: identifier is PK BLDG2/Floor3/HVAC BLDG2/Floor3 BLDG2/Floor3/LIGHT BLDG2/Floor3/DOORS Building Owner Tenant Company Employees CEO

  22. Graph Based Authorization Grants of permissions: Attestations Signed certificates created by Entities BLDG2/Floor3/HVAC BLDG2/Floor3 BLDG2/Floor3/LIGHT BLDG2/Floor3/DOORS Building Owner Tenant Company Employees CEO

  23. Graph Based Authorization Permission : Read, Write Attestations grant permissions on a resource Resource : BldgOwner/BLDG2 Expires : 2019/04/05 Building Owner Tenant Company CEO

  24. Graph Based Authorization Permission : Read, Write Attestations grant permissions on a resource Resources are in a namespace Resource : which identifies the authority entity BldgOwner/BLDG2 Expires : 2019/04/05 Namespace Authority Tenant Company CEO

  25. Graph Based Authorization Proof of permissions: A path through the graph from Namespace Authority to the prover Proof grants the intersection of the permissions of each attestation Verifiable by anyone*, attached to messages Proof NS/ BLDG2/Floor3 NS/ BLDG2/Floor3/DOORS Building Owner Tenant Company Employee CEO * In WAVE, not SDSI/SPKI

  26. This forms a single global graph

  27. This forms a single global graph ● Multiple namespace authorities in the graph

  28. This forms a single global graph ● Multiple namespace authorities in the graph ● Different entities will only see portions of the graph

  29. This forms a single global graph ● Multiple namespace authorities in the graph ● Different entities will only see portions of the graph

  30. We need to hide portions of the graph

  31. Reverse Discoverable Encryption Building Owner Tenant Company Employees CEO

  32. Reverse Discoverable Encryption NS /Floor3 NS /Floor3 NS /Floor4 Building Owner Tenant Company F3 Manager CEO

  33. Reverse Discoverable Encryption NS /Floor3 NS /Floor3 NS /Floor4 Building Owner Tenant Company F3 Manager CEO NS /Floor3 Janitorial Services

  34. Reverse Discoverable Encryption NS /Floor3 NS /Floor3 NS /Floor3 NS /Floor4 Building Owner Tenant Company F3 Manager HVAC Controller CEO NS /Floor3 Janitorial Services

  35. Reverse Discoverable Encryption NS /Floor3 NS /Floor3 NS /Floor3 NS /Floor4 Building Owner Tenant Company F3 Manager HVAC Controller CEO NS /Floor3 Discovering permissions Janitorial Services

  36. Reverse Discoverable Encryption NS /Floor3 NS /Floor3 NS /Floor3 NS /Floor4 Building Owner Tenant Company F3 Manager HVAC Controller CEO Three kinds of attestations: NS /Floor3 ● On path, intersecting Janitorial Services

  37. Reverse Discoverable Encryption NS /Floor3 NS /Floor3 NS /Floor3 NS /Floor4 Building Owner Tenant Company F3 Manager HVAC Controller CEO Three kinds of attestations NS /Floor3 ● On path, intersecting ● On path, not intersecting Janitorial Services

  38. Reverse Discoverable Encryption NS /Floor3 NS /Floor3 NS /Floor3 NS /Floor4 Building Owner Tenant Company F3 Manager HVAC Controller CEO Three kinds of attestations NS /Floor3 ● On path, intersecting ● On path, not intersecting ● Not on a path Janitorial Services

  39. Technique in a nutshell Encrypt attestations In each attestation, include a secret that allows you to decrypt upstream attestations that have intersecting permissions (on path, intersecting)

  40. Reverse Discoverable Encryption NS /Floor3 NS /Floor3 NS /Floor3 NS /Floor4 Building Owner Tenant Company F3 Manager HVAC Controller CEO NS /Floor3 Janitorial Services

  41. Reverse Discoverable Encryption NS /Floor3 NS /Floor3 NS /Floor3 NS /Floor4 Building Owner Tenant Company F3 Manager HVAC Controller CEO NS /Floor3 Janitorial Services

  42. Reverse Discoverable Encryption NS /Floor3 NS /Floor3 NS /Floor3 NS /Floor4 Building Owner Tenant Company F3 Manager HVAC Controller CEO NS /Floor3 Janitorial Services

  43. Reverse Discoverable Encryption NS /Floor3 NS /Floor3 NS /Floor3 NS /Floor4 Building Owner Tenant Company F3 Manager HVAC Controller CEO NS /Floor3 Janitorial Services

  44. Reverse Discoverable Encryption NS /Floor3 NS /Floor3 NS /Floor3 NS /Floor4 Building Owner Tenant Company F3 Manager HVAC Controller CEO NS /Floor3 Janitorial Services

  45. Attempt 1: public-key encryption Enc PK ( NS /Floor3) Enc PK ( NS /Floor3) Enc PK ( NS /Floor3) Enc PK ( NS /Floor4) SK, PK SK, PK SK, PK SK, PK Building Owner Tenant Company F3 Manager HVAC Controller CEO Consider that all the encrypted attestations are in Enc PK ( NS /Floor3) a public ledger, so HVAC can see them all What is the problem with this approach? SK, PK HVAC needs to decrypt the entire path to Janitorial Services create a proof of authorization, but it cannot

  46. Attempt 2: public-key encryption Enc PK ( NS /Floor3) Enc PK ( NS /Floor3, Enc PK ( NS /Floor3, SK) Enc PK ( NS /Floor4) SK) SK, PK SK, PK SK, PK SK, PK Building Owner Tenant Company F3 Manager HVAC Controller CEO Now HVAC controller can decrypt the whole path Enc PK ( NS /Floor3) What is the problem with this approach? It can decrypt too much. Basically, all the attestations F3 manager and Tenant CEO SK, PK ever received, even if not intersecting! Janitorial Services

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

WAVE: A Decentralized Authorization Framework with Transitive Delegation Michael P Andersen, Sam

WAVE: A Decentralized Authorization Framework with Transitive Delegation Michael P Andersen, Sam

WAVE: A Decentralized Authorization Framework with Transitive Delegation Michael P Andersen, Sam Kumar , Hyung-Sin Kim, John Kolb, Kaifei Chen, Moustafa AbdelBaky, Gabe Fierro, David E. Culler, Raluca Ada Popa This material is based on work

1.25k views • 30 slides
Interledger Smart Contracts for Decentralized Authorization to Constrained Things Vasilios A.

Interledger Smart Contracts for Decentralized Authorization to Constrained Things Vasilios A.

Interledger Smart Contracts for Decentralized Authorization to Constrained Things Vasilios A. Siris joint work with D. Dimopoulos, N. Fotiou, S. Voulgaris, G.C. Polyzos Mobile Multimedia Laboratory Athens University of Economics and Business,

289 views • 28 slides
Authorization the permission or power given to sb to do sth: enter a security area without

Authorization the permission or power given to sb to do sth: enter a security area without

Authorization the permission or power given to sb to do sth: enter a security area without authorization Authorization in Oxford Advanced Learner's Dictionary Object-oriented Databases authorization is the concept of allowing

70 views • 6 slides
Automatic Placement of Authorization Hooks in the Linux Security Modules Framework Vinod

Automatic Placement of Authorization Hooks in the Linux Security Modules Framework Vinod

Automatic Placement of Authorization Hooks in the Linux Security Modules Framework Vinod Ganapathy vg@cs.wisc.edu University of Wisconsin, Madison Joint work with Trent Jaeger Somesh Jha tjaeger@cse.psu.edu jha@cs.wisc.edu Pennsylvania

604 views • 41 slides
CrowdBC: A Blockchain-based Decentralized Framework for Crowdsourcing Hailiang ZHAO

CrowdBC: A Blockchain-based Decentralized Framework for Crowdsourcing Hailiang ZHAO

CrowdBC: A Blockchain-based Decentralized Framework for Crowdsourcing Hailiang ZHAO htp://hliangzhao.me December 10, 2019 This paper was published on IEEE Trans. on Parallel and Distributed Systems (TPDS) , Jun 2019. Hailiang ZHAO @ ZJU-CS

493 views • 30 slides
Using The Delegated CoAP Authentication and Authorization Framework (DCAF) With CBOR Encoded

Using The Delegated CoAP Authentication and Authorization Framework (DCAF) With CBOR Encoded

Using The Delegated CoAP Authentication and Authorization Framework (DCAF) With CBOR Encoded Message Syntax draft-bergmann-ace-dcaf-cose Olaf Bergmann, Stefanie Gerdes { gerdes | bergmann } @tzi.org Presented by Carsten Bormann cabo@tzi.org

502 views • 18 slides
Authorization We will use the terms authorization and access control interchangeably

Authorization We will use the terms authorization and access control interchangeably

Authorization We will use the terms authorization and access control interchangeably Authorization answers the question who is allowed to do what ? A first step in the development of an access control system is the

651 views • 53 slides
Delegated Authenticated Authorization Framework (DCAF) draft-gerdes-ace-dcaf-authorize Stefanie

Delegated Authenticated Authorization Framework (DCAF) draft-gerdes-ace-dcaf-authorize Stefanie

Delegated Authenticated Authorization Framework (DCAF) draft-gerdes-ace-dcaf-authorize Stefanie Gerdes, Olaf Bergmann, Carsten Bormann { gerdes | bergmann | cabo } @tzi.org IETF-94, ACE Meeting, 2015-11-02 1 / 27 Review Comments Renzo:

750 views • 27 slides
GENwave What is Google wave? What is a wave? A wave is equal parts conversation and

GENwave What is Google wave? What is a wave? A wave is equal parts conversation and

GENwave What is Google wave? What is a wave? A wave is equal parts conversation and document. People can communicate and work together with richly formatted text, photos, videos, maps, and more. A wave is shared. Any participant can

942 views • 7 slides
Security Framework for Decentralized Shared Calendars Jagdish Prasad Achara Research Master of

Security Framework for Decentralized Shared Calendars Jagdish Prasad Achara Research Master of

Security Framework for Decentralized Shared Calendars Jagdish Prasad Achara Research Master of Computer Science (Specialty : Services, Security and Networks) 24 juin 2011 Universit Henri Poincar Jagdish Prasad Achara (UHP Nancy 1)

653 views • 25 slides
1 Travel Authorization and Expense Process 1. Introduction 2. Travel Authorization 3. Travel

1 Travel Authorization and Expense Process 1. Introduction 2. Travel Authorization 3. Travel

1 Travel Authorization and Expense Process 1. Introduction 2. Travel Authorization 3. Travel Expense 4. Travel Regulations 2 Travel Authorization (See Next Slide for Detailed Steps) 2. Trip Information goes here 1. Budgetary Coding goes

319 views • 11 slides
Introducing OpenPush A Free, Decentralized Push Messaging Framework for Android Marcus Hoffmann -

Introducing OpenPush A Free, Decentralized Push Messaging Framework for Android Marcus Hoffmann -

Introducing OpenPush A Free, Decentralized Push Messaging Framework for Android Marcus Hoffmann - bubu@bubu1.eu 1 / 31 About Me Hi, I'm Marcus! Free software developer from Berlin. Working on a free Android ecosystem. F-Droid core

358 views • 31 slides
Creating Objects in Flexible Authorization Framework Nicola Zannone, Sushil Jajodia,

Creating Objects in Flexible Authorization Framework Nicola Zannone, Sushil Jajodia,

Dept of Information and Communication Technology Creating Objects in Flexible Authorization Framework Nicola Zannone, Sushil Jajodia, Duminda Wijesekera Dep. of Information and Communication Technology, University of Trento

675 views • 19 slides
A Hybrid Evolutionary Algorithm Framework for Optimising Power Take Off and Placements of Wave

A Hybrid Evolutionary Algorithm Framework for Optimising Power Take Off and Placements of Wave

A Hybrid Evolutionary Algorithm Framework for Optimising Power Take Off and Placements of Wave Energy Converters Mehdi Neshat, Bradley Alexander, Nataliia Sergiienko, Markus Wagner GECCO '19 Slide 1 Neshat et al., Optimisation and Logistics

627 views • 44 slides
EGI-Engage JRA1.1 Authentication and Authorization Infrastructure Christos Kanellopoulos

EGI-Engage JRA1.1 Authentication and Authorization Infrastructure Christos Kanellopoulos

EGI-Engage JRA1.1 Authentication and Authorization Infrastructure Christos Kanellopoulos Nicolas Liampotis - GRNET WP3 Meeting - 2017.03.24 www.egi.eu EGI-Engage is co-funded by the Horizon 2020 Framework Programme of the European Union

352 views • 14 slides
A Decentralized and Distributed E-voting Scheme Based on Cryptographic Shuffles Decentralized

A Decentralized and Distributed E-voting Scheme Based on Cryptographic Shuffles Decentralized

A Decentralized and Distributed E-voting Scheme Based on Cryptographic Shuffles Decentralized and Distributed Systems Laboratory Andy Caforio Responsible: Prof. Bryan Ford Supervision: Linus Gasser, Philipp Jovanovic 1 Way back when

445 views • 20 slides
CDC post-authorization/post-licensure safety monitoring of COVID-19 vaccines Tom Shimabukuro, MD,

CDC post-authorization/post-licensure safety monitoring of COVID-19 vaccines Tom Shimabukuro, MD,

National Center for Immunization & Respiratory Diseases CDC post-authorization/post-licensure safety monitoring of COVID-19 vaccines Tom Shimabukuro, MD, MPH, MBA CDC COVID-19 Vaccine Task Force Vaccine Safety Team October 30, 2020

509 views • 31 slides
Pushed Authorization Requests https://tools.ietf.org/html/draft-lodderstedt-oauth-par IETF-106,

Pushed Authorization Requests https://tools.ietf.org/html/draft-lodderstedt-oauth-par IETF-106,

Pushed Authorization Requests https://tools.ietf.org/html/draft-lodderstedt-oauth-par IETF-106, 21.11.2019, Singapore Brian Campbell, Nat Sakimura, Dave Tonge, Filip Skokan, Torsten Lodderstedt { "userinfo":{

340 views • 16 slides
Lecture 4 - Authorization CMPSC 443 - Spring 2012 Introduction Computer and Network Security

Lecture 4 - Authorization CMPSC 443 - Spring 2012 Introduction Computer and Network Security

Lecture 4 - Authorization CMPSC 443 - Spring 2012 Introduction Computer and Network Security Professor Jaeger www.cse.psu.edu/~tjaeger/cse443-s12/ CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger Why

1.06k views • 22 slides
1 Password-Based Authentication Node A has a secret ( password ): e.g., lisa To

1 Password-Based Authentication Node A has a secret ( password ): e.g., lisa To

Authentication Protocols Guevara Noubir College of Computer and Information Science Northeastern University noubir@ccs.neu.edu Outline Overview of Authentication Systems [Chapter 9] Authentication of People [Chapter 10]

396 views • 17 slides
IDfusion An Open-Architecture for Kerberos based Authorization Dr. Greg Wettstein, Ph.D., John

IDfusion An Open-Architecture for Kerberos based Authorization Dr. Greg Wettstein, Ph.D., John

IDfusion An Open-Architecture for Kerberos based Authorization Dr. Greg Wettstein, Ph.D., John Grosen, MS Information Technology Services North Dakota State University Enrique Rodriquez Safehaus/Apache Software Foundation Background

399 views • 22 slides
Security and Authorization CS430/630 Lecture 18 Slides based on Database Management Systems

Security and Authorization CS430/630 Lecture 18 Slides based on Database Management Systems

Security and Authorization CS430/630 Lecture 18 Slides based on Database Management Systems 3 rd ed, Ramakrishnan and Gehrke Definitions Security policy specifies who is authorized to do what Security mechanism allows to

892 views • 26 slides
Authorization, Security, and Privacy 5DV119 Introduction to Database Management Ume a

Authorization, Security, and Privacy 5DV119 Introduction to Database Management Ume a

Authorization, Security, and Privacy 5DV119 Introduction to Database Management Ume a University Department of Computing Science Stephen J. Hegner hegner@cs.umu.se http://www.cs.umu.se/~hegner Authorization, Security, and Privacy

537 views • 40 slides
International Student Employment & Degree Level Changes Topics to Cover > Background on

International Student Employment & Degree Level Changes Topics to Cover > Background on

International Student Employment & Degree Level Changes Topics to Cover > Background on International Student Services (ISS) > Newcomers Intro to International Student Employment Background on CPT & OPT Recent OPT Changes

870 views • 54 slides

More recommend