delegated authenticated authorization for constrained
play

Delegated Authenticated Authorization for Constrained Environments - PowerPoint PPT Presentation

Feb 03, 2024 •181 likes •466 views

Delegated Authenticated Authorization for Constrained Environments Stefanie Gerdes, Olaf Bergmann , Carsten Bormann { gerdes | bergmann | cabo } @tzi.org Universit at Bremen NPSec14, 2014-10-21 Motivation Smart objects small

  1. Delegated Authenticated Authorization for Constrained Environments Stefanie Gerdes, Olaf Bergmann , Carsten Bormann { gerdes | bergmann | cabo } @tzi.org Universit¨ at Bremen NPSec’14, 2014-10-21

  2. Motivation ◮ Smart objects ◮ small devices with specific purpose ◮ low cost, limited abilities ◮ Internet of Things ◮ interconnect things and their users to enable new applications ◮ 50 billion connected devices expected by 2020 (Cisco) ◮ Smart objects are expected to be integrated in all aspects of everyday life ◮ entrusted with vast amounts of data important to our lives. ◮ need to communicate unseen and autonomously.

  3. Limitations of “Constrained Environments” ◮ processing power ◮ storage space ◮ network capacities ◮ lack of user interfaces and displays ◮ energy (often powered from primary batteries) ◮ RFC 7228: Terminology for Constrained-Node Networks ◮ device classification ◮ energy profile ◮ sleep strategies

  4. Classes of Constrained Devices Source: RFC 7228

  5. Classes of Constrained Devices Source: RFC 7228

  6. Communication in Constrained Environments ◮ Constrained Application Protocol (CoAP, RFC 7252) ◮ designed for special requirements of constrained environments ◮ Similar to HTTP (RESTful architecture style) ◮ server has items of interest ◮ client requests representation of current state ◮ Datagram Transport Layer Security (DTLS) binding ◮ How can users keep the control over their data and devices? - > Authorization

  7. Problem Statement ◮ A Client (C) wants to access an item of interest, a web resource (R), on a Resource Server (RS). ◮ A priori, C and RS do not know each other, have no trust relationship. They might belong to different owners. ◮ C and / or RS are located on a constrained node.

  8. Goals of an Authenticated Authorization Protocol in Constrained Environments ◮ Secure exchange of authorization information ◮ Establish DTLS channel between constrained nodes ◮ Use only symmetric key cryptography on constrained nodes ◮ Support of class-1 devices ◮ RESTful architectural style ◮ Relieve constrained nodes from managing authentication and authorization

  9. Authenticated Authorization ◮ Determine if the owner of an item of interest allows an entity to access this item as requested. ◮ Authentication: Verify that an entity has certain attributes (cf. RFC4949). ◮ Authorization: Grant permission to an entity to access an item of interest. ◮ Authenticated Authorization: Use the verified attributes to determine if an entity is authorized.

  10. Tasks for Authenticated Authorization ◮ Beforehand: Provide information for Authenticated Authorization ◮ Make attribute-verifier-binding verifiable: Validate that an entity actually has the attributes it claims to have (e.g. that it belongs to a certain user) and bind the attributes to a verifier (e.g. a key) using the endorsement info. ◮ Define access policies (entity with attribute x has this set of permissions). ◮ At the time of the request: Check access request against the provided information ◮ Check the verifier a received access request is bound to. ◮ Check the verifier-attribute binding. ◮ Determine the authorization using the attributes. ◮ Enforce the authorization.

  11. Constrained Level Actors ◮ C and RS are constrained level actors: able to operate on a constrained node. ◮ C attempts to access a resource. ◮ RS hosts one or more resources. ◮ Tasks: ◮ Determine if sender is authorized to access as requested. ◮ Enforce the authorization

  12. Principal Level Actors ◮ C and RS are under control of principals in the physical world. ◮ CO is in charge of C: specifies security policies, e.g. with whom RS is allowed to communicate. ◮ RO is in charge of RS: specifies security policies, e.g. authorization policies.

  13. Security Domains ◮ A priori, C and RS do not know each other, might belong to different security domains

  14. Constraints ◮ C and RS ◮ are constrained in terms of power, memory, storage space. ◮ may not have user interfaces and displays. ◮ can only fulfill a limited number of tasks. ◮ may not have network connectivity all the time. ◮ are not able to manage complex authorization policies. ◮ are not able to manage a large number of keys. ◮ Add another complexity level: less-constrained devices for more difficult tasks

  15. Less-Constrained Level ◮ AM and AS act in behalf of their respective owner. ◮ Tasks: ◮ Obtain the security objectives from their owner. ◮ Authenticate the other party. ◮ Provide simplified authorization rules and means for authentication to their constrained devices.

  16. Unauthorized Access Request

  17. Contact RS’s Less Constrained Device for Authorization

  18. Access Ticket

  19. Use Access Ticket to Establish DTLS Channel

  20. PSK Derivation

  21. RS Permits Authorized Requests Over DTLS

  22. Initial Trust Relationships

  23. Trust: The Complete Picture

  24. Evaluation Reference implementation adds ◮ about 440 Bytes Code ◮ 54 Bytes data for ticket face ◮ 722 Bytes parser for CBOR payload to existing CoAP/DTLS server (ARM Cortex M3).

  25. Summary: The DCAF Protocol ◮ Requires less-contrained nodes to do the hard work (possibly including public-key crypto) ◮ Utilize DTLS to transmit authorization info and access tickets ◮ Authenticate origin client by its access ticket: ◮ RS and AS share at least one session key ◮ AS creates Ticket Face + Verifier, tells AM, C ◮ C initiates DTLS handshake with RS ◮ Ticket Face is PSK identity, Verifier is PSK ◮ RS derives PSK from Ticket Face ◮ Knowledge of Verifier authenticates C to RS! ◮ Knowledge of PSK authenticates RS to C! ◮ Authorization information valid for the entire session ◮ Verifier ensures Face’s integrity

  26. Conclusion ◮ Problem ◮ IoT devices may be too constrained to perform Authenticated Authorization ◮ enable multi-domain scenario ◮ Our solution ◮ Offload complex tasks to less constrained devices ◮ use DTLS with symmetric cryptography for secure communication ◮ Future Work ◮ Demonstrate interworking of less constrained devices, e.g. using OAuth ◮ Define authorization information format for simplified policies

  27. References ◮ http://share.cisco.com/internet-of-things.html ◮ http://tools.ietf.org/rfc/rfc7228 ◮ http://tools.ietf.org/rfc/rfc4949 ◮ https://tools.ietf.org/id/draft-gerdes-ace-dcaf-authorize ◮ http://tools.ietf.org/pdf/draft-gerdes-ace-actors

Recommend

Delegated Authenticated Authorization Framework (DCAF) draft-gerdes-ace-dcaf-authorize Stefanie

Delegated Authenticated Authorization Framework (DCAF) draft-gerdes-ace-dcaf-authorize Stefanie

Delegated Authenticated Authorization Framework (DCAF) draft-gerdes-ace-dcaf-authorize Stefanie Gerdes, Olaf Bergmann, Carsten Bormann { gerdes | bergmann | cabo } @tzi.org IETF-94, ACE Meeting, 2015-11-02 1 / 27 Review Comments Renzo:

750 views • 27 slides
A Formal Model for Delegated Authorization of IoT Devices Using ACE-OAuth LUCA ARNABOLDI, Newcastle

A Formal Model for Delegated Authorization of IoT Devices Using ACE-OAuth LUCA ARNABOLDI, Newcastle

A Formal Model for Delegated Authorization of IoT Devices Using ACE-OAuth LUCA ARNABOLDI, Newcastle University, UK HANNES TSCHOFENIG, Arm Limited, UK As our daily lives become ever more connected, the need for security becomes more important. This

164 views • 13 slides
Using The Delegated CoAP Authentication and Authorization Framework (DCAF) With CBOR Encoded

Using The Delegated CoAP Authentication and Authorization Framework (DCAF) With CBOR Encoded

Using The Delegated CoAP Authentication and Authorization Framework (DCAF) With CBOR Encoded Message Syntax draft-bergmann-ace-dcaf-cose Olaf Bergmann, Stefanie Gerdes { gerdes | bergmann } @tzi.org Presented by Carsten Bormann cabo@tzi.org

502 views • 18 slides
Interledger Smart Contracts for Decentralized Authorization to Constrained Things Vasilios A.

Interledger Smart Contracts for Decentralized Authorization to Constrained Things Vasilios A.

Interledger Smart Contracts for Decentralized Authorization to Constrained Things Vasilios A. Siris joint work with D. Dimopoulos, N. Fotiou, S. Voulgaris, G.C. Polyzos Mobile Multimedia Laboratory Athens University of Economics and Business,

289 views • 28 slides
Authorization the permission or power given to sb to do sth: enter a security area without

Authorization the permission or power given to sb to do sth: enter a security area without

Authorization the permission or power given to sb to do sth: enter a security area without authorization Authorization in Oxford Advanced Learner's Dictionary Object-oriented Databases authorization is the concept of allowing

70 views • 6 slides
Authorization We will use the terms authorization and access control interchangeably

Authorization We will use the terms authorization and access control interchangeably

Authorization We will use the terms authorization and access control interchangeably Authorization answers the question who is allowed to do what ? A first step in the development of an access control system is the

651 views • 53 slides
DRAFT COMMISSION DELEGATED REGULATION ON INTELLIGENT SPEED ASSISTANCE (ISA) DRAFT DELEGATED ACT

DRAFT COMMISSION DELEGATED REGULATION ON INTELLIGENT SPEED ASSISTANCE (ISA) DRAFT DELEGATED ACT

ETSC RESPONSE TO THE DRAFT COMMISSION DELEGATED REGULATION ON INTELLIGENT SPEED ASSISTANCE (ISA) DRAFT DELEGATED ACT ALLOWS FOR 4 TYPES OF FEEDBACK 1. visual warning + cascaded acoustic warning 2. visual warning + cascaded haptic warning:

410 views • 19 slides
1 Travel Authorization and Expense Process 1. Introduction 2. Travel Authorization 3. Travel

1 Travel Authorization and Expense Process 1. Introduction 2. Travel Authorization 3. Travel

1 Travel Authorization and Expense Process 1. Introduction 2. Travel Authorization 3. Travel Expense 4. Travel Regulations 2 Travel Authorization (See Next Slide for Detailed Steps) 2. Trip Information goes here 1. Budgetary Coding goes

319 views • 11 slides
Delegated Underwriting / MGAs Why would you? Charles Manchester 4th June 2018 Definitions

Delegated Underwriting / MGAs Why would you? Charles Manchester 4th June 2018 Definitions

Delegated Underwriting / MGAs Why would you? Charles Manchester 4th June 2018 Definitions Delegated authority: Out-sourcing of certain underwriting tasks by an insurer Entering into contracts of insurance Documentation

310 views • 9 slides
Authenticated Encryption Kenny Paterson Information Security Group @kennyog ;

Authenticated Encryption Kenny Paterson Information Security Group @kennyog ;

Authenticated Encryption Kenny Paterson Information Security Group @kennyog ; www.isg.rhul.ac.uk/~kp Motivation for Authenticated Encryption Authenticated Encryption (AE) m 1 m 2 Security goals: Confidentiality and integrity of messages

649 views • 60 slides
Changes to Delegated Authority with Real Estate Board of Trustees September 24, 2019 1

Changes to Delegated Authority with Real Estate Board of Trustees September 24, 2019 1

BAC-4.1 Changes to Delegated Authority with Real Estate Board of Trustees September 24, 2019 1 Timeline to Change December 2017: UNCG Board of Trustees authorized University to pursue delegated authority for leasing consistent with

169 views • 12 slides
The Evolution of Authenticated Encryption Phillip Rogaway University of California, Davis, USA

The Evolution of Authenticated Encryption Phillip Rogaway University of California, Davis, USA

The Evolution of Authenticated Encryption Phillip Rogaway University of California, Davis, USA Includes joint work with Mihir Bellare, John Black, Ted Krovetz, and Tom Shrimpton DIAC Directions in Authenticated Ciphers 05 July 2012

748 views • 52 slides
Molina Healthcare Prior Authorization Prior Authorization is a request for prospective review. It

Molina Healthcare Prior Authorization Prior Authorization is a request for prospective review. It

Molina Healthcare Prior Authorization Prior Authorization is a request for prospective review. It is designed to : Assist in benefit determination Prevent unanticipated denials of coverage Create a collaborative approach to

187 views • 18 slides
Board Process Review: Delegated Authority to Board Committees and CEO Board of Directors

Board Process Review: Delegated Authority to Board Committees and CEO Board of Directors

Board Process Review: Delegated Authority to Board Committees and CEO Board of Directors September 27, 2018 This Presentation This presentation is a high-level summary of the proposed update to the Boards delegated authority policy

184 views • 15 slides
Work Authorization Documents Work Authorization Document Control Account Information Control

Work Authorization Documents Work Authorization Document Control Account Information Control

Work Authorization Documents https://cametoolbox.fnal.gov/Project/WADReports?ProjectName=HL-L... Work Authorization Documents Work Authorization Document Control Account Information Control Account Manager: 10629N Nobrega, Fred Control

56 views • 5 slides
Outline Password-based Authenticated Key Exchange Password-based Authenticated Key Exchange 1

Outline Password-based Authenticated Key Exchange Password-based Authenticated Key Exchange 1

PAKE Game-based Security Universal Composability LAKE Outline Password-based Authenticated Key Exchange Password-based Authenticated Key Exchange 1 David Pointcheval Ecole Normale Sup erieure Game-based Security 2 Universal

927 views • 10 slides
The LOCAL attack: Cryptanalysis of the authenticated encryption scheme ALE Dmitry Khovratovich

The LOCAL attack: Cryptanalysis of the authenticated encryption scheme ALE Dmitry Khovratovich

The LOCAL attack: Cryptanalysis of the authenticated encryption scheme ALE Dmitry Khovratovich and Christian Rechberger University of Luxembourg and DTU (Denmark) Presented by Yu Sasaki (NTT, Japan) 15 August 2013 Authenticated encryption

556 views • 22 slides
Mixed-Integer PDE-Constrained Optimization Frontiers in PDE-constrained Optimization Pelin Cay,

Mixed-Integer PDE-Constrained Optimization Frontiers in PDE-constrained Optimization Pelin Cay,

Mixed-Integer PDE-Constrained Optimization Frontiers in PDE-constrained Optimization Pelin Cay, Bart van Bloemen Waanders, Drew Kouri, Anna Thuenen and Sven Leyffer Lehigh University, Universit at Magdeburg, Argonne National Laboratory, and

874 views • 45 slides
Remote File Access: Problems and Solutions Authentication and authorization Performance

Remote File Access: Problems and Solutions Authentication and authorization Performance

Remote File Access: Problems and Solutions Authentication and authorization Performance Synchronization Robustness Lecture 13 CS 111 Page 1 Summer 2013 Authorization and Authentication Authorization is determined if someone

886 views • 41 slides
Authenticated Encryption Requirements David McGrew mcgrew@cisco.com Directions in Authenticated

Authenticated Encryption Requirements David McGrew mcgrew@cisco.com Directions in Authenticated

Desiderata Current AEAD use Evolution Conclusions Authenticated Encryption Requirements David McGrew mcgrew@cisco.com Directions in Authenticated Ciphers, 2012 Desiderata Current AEAD use Evolution Conclusions Many desirable attributes

284 views • 26 slides
Introduction to Authenticated Encryption Tom Shrimpton Summer School on Real-World Crypto and

Introduction to Authenticated Encryption Tom Shrimpton Summer School on Real-World Crypto and

(A brief, incomplete) Introduction to Authenticated Encryption Tom Shrimpton Summer School on Real-World Crypto and Privacy June 11, 2018 Authenticated Encryption M M Its complicated Probabilistic or deterministic AE? Nonce based AE?

868 views • 47 slides
A Nonlinear Trust Region Framework for PDE-Constrained Optimization Using

A Nonlinear Trust Region Framework for PDE-Constrained Optimization Using

Motivation PDE-Constrained Optimization ROM-Constrained Optimization Numerical Experiments Conclusion References A Nonlinear Trust Region Framework for PDE-Constrained Optimization Using Progressively-Constructed Reduced-Order Models

458 views • 34 slides
Security Aspects of Authenticated Encryption (in light of the CAESAR competition) Elena Andreeva

Security Aspects of Authenticated Encryption (in light of the CAESAR competition) Elena Andreeva

Security Aspects of Authenticated Encryption (in light of the CAESAR competition) Elena Andreeva COSIC, KU Leuven, Belgium Cryptoday 2014 Technion, Haifa, Israel 30/12/2014 Outline Authenticated Encryption: AE Generic AE composition

732 views • 55 slides
Different Features of ELmD, EME Based Authenticated Encryption Schemes Nilanjan Datta and Mridul

Different Features of ELmD, EME Based Authenticated Encryption Schemes Nilanjan Datta and Mridul

ELmD Authenticated Encryption Scheme EME based Authenticated Encryption Schemes Comparative Study of ELmD with other EME based AEs Different Features of ELmD, EME Based Authenticated Encryption Schemes Nilanjan Datta and Mridul Nandi Indian

364 views • 20 slides

More recommend