delegated authenticated authorization framework dcaf
play

Delegated Authenticated Authorization Framework (DCAF) - PowerPoint PPT Presentation

Jul 11, 2023 •459 likes •750 views

Delegated Authenticated Authorization Framework (DCAF) draft-gerdes-ace-dcaf-authorize Stefanie Gerdes, Olaf Bergmann, Carsten Bormann { gerdes | bergmann | cabo } @tzi.org IETF-94, ACE Meeting, 2015-11-02 1 / 27 Review Comments Renzo:

  1. Delegated Authenticated Authorization Framework (DCAF) draft-gerdes-ace-dcaf-authorize Stefanie Gerdes, Olaf Bergmann, Carsten Bormann { gerdes | bergmann | cabo } @tzi.org IETF-94, ACE Meeting, 2015-11-02 1 / 27

  2. Review Comments ◮ Renzo: included in 04-version of DCAF: ◮ Improved readability. ◮ Removed inconsistencies. ◮ Clarified definitions of CBOR keys. ◮ Clarified handling of Ticket Request Messages. ◮ Improved description of Nonces. ◮ Ludwig: addressed with 04-version of DCAF and DCAF-COSE ◮ Also support COSE. ◮ Address Server-Initiated Token Request (“Pull”). ◮ Adress piggy-backed protected content in SAM Information Message (“client-pull”). ◮ Use a resource to store tokens (DCAF-COSE). ◮ Bind an authorization token to the security context between C and RS using COSE. 2 / 27

  3. Features of DCAF ◮ Secure exchange of authorization information. ◮ Establish security association between constrained nodes (secure distribution of session keys). ◮ Establish security association between a constrained and a less-constrained nodes. ◮ Support of class-1 devices (RFC 7228). ◮ Requires only symmetric key cryptography on the constrained nodes. ◮ DCAF-DTLS supports CoAP Observe (RFC 7641) and blockwise transfer without additional overhead. ◮ Relieve constrained nodes from managing complex authentication and authorization tasks. 3 / 27

  4. Features of DCAF (2) ◮ Supports multiple owners. ◮ Defines cross-domain constrained to constrained communication (Required for constrained environments - > t2trg Meeting Prague). ◮ Relay security associations of less-constrained devices to constrained devices: Constrained devices only need the security association with their less-constrained device. ◮ Protects both sides of the communication (not only access to resources). ◮ Privacy: no device identifiers required on the constrained level. ◮ Provides a high level of implementation details. ◮ Explicit transfer of authorization information to the constrained devices possible: no additional knowledge required by the constrained nodes. ◮ Other formats for transmission of authorization information possible. ◮ Supports DTLS and Object Security (COSE). 4 / 27

  5. The DCAF universe ◮ Communication Security using DTLS (draft-gerdes-ace-dcaf-authorize) ◮ Server-Initiated Ticket Request (draft-gerdes-ace-dcaf-sitr) ◮ Application Level Security using COSE (draft-bergmann-ace-dcaf-cose) related: ◮ Examples for using DCAF with less-constrained devices (draft-gerdes-ace-dcaf-examples) ◮ Authorization Transitions in the lifecycle of constrained devices (draft-gerdes-ace-a2a) 5 / 27

  6. Contact S’s Less Constrained Device for Authorization 6 / 27

  7. Access Ticket 7 / 27

  8. Access Ticket: Adding Client Information 8 / 27

  9. Use Access Ticket to Establish Security Context 9 / 27

  10. Key Derivation 10 / 27

  11. Access Ticket Parts 11 / 27

  12. RS Permits Authorized Requests Over Secure Channel 12 / 27

  13. Combined Actors 13 / 27

  14. Flexibility ◮ DCAF can be used as a simple protocol for secure transmission of dynamically created session keys (implicit authorization). ◮ DCAF can additionally securely transmit authorization information to the server and / or the client. ◮ DCAF defines how combinations of actors work together. ◮ DCAF can be used as needed. 14 / 27

  15. Evaluation Reference implementation of DCAF-DTLS adds ◮ about 440 Bytes Code ◮ 54 Bytes data for ticket face ◮ 722 Bytes parser for CBOR payload to existing CoAP/DTLS server (ARM Cortex M3). 15 / 27

  16. Evaluation: DCAF Memory Usage (ROM, RAM) 16 / 27

  17. Server-Initiated Ticket Request (SITR) draft-gerdes-ace-dcaf-sitr ◮ In some scenarios, C might not be able to reach CAM or SAM ◮ S requests ticket for C ◮ C sends CAM information message to S to initiate SITR 17 / 27

  18. CAM Information Message 18 / 27

  19. SI Access Ticket 19 / 27

  20. SI Access Ticket: Adding Server Information 20 / 27

  21. SIT Key Derivation 21 / 27

  22. Problem with Server-Initiated Solutions ◮ All solutions where the server requests a ticket for the client (“Pull Model”) are prone to DOS attacks. ◮ Use solutions where the Client request the ticket whenever possible 22 / 27

  23. Summary ◮ mutual authentication client-server, with symmetric keys (no need to separately obtain RPK to authenticate server) ◮ can make good use of DTLS-PSK ◮ can also use COSE with MAC, for transition of untrusted proxies 23 / 27

  24. DCAF-COSE vs. OSCOAP 24 / 27

  25. DCAF-COSE vs. OAuth Profiling 25 / 27

  26. Discussion Transport of Ticket Face for DTLS-PSK: ◮ psk identity ◮ Opaque for the client, no semantic restrictions ◮ mandatory - > good interoperability ◮ All known DTLS libraries pass it to the application to determine the PSK ◮ supplemental data (RFC 4680) ◮ Client and server must support this extension. ◮ Needs to define a new SupplementalDataType or a new AuthzDataFormat for client authz (cf. RFC 5878) ◮ Derivation of master-secret from supplemental data is not allowed ( “Information provided in a supplemental data object [. . . ] MUST NOT need to be processed by the TLS protocol.” , RFC 4680) 26 / 27

  27. How to proceed ◮ Accept DCAF as one of the building blocks that ACE is working on 27 / 27

Recommend

Using The Delegated CoAP Authentication and Authorization Framework (DCAF) With CBOR Encoded

Using The Delegated CoAP Authentication and Authorization Framework (DCAF) With CBOR Encoded

Using The Delegated CoAP Authentication and Authorization Framework (DCAF) With CBOR Encoded Message Syntax draft-bergmann-ace-dcaf-cose Olaf Bergmann, Stefanie Gerdes { gerdes | bergmann } @tzi.org Presented by Carsten Bormann cabo@tzi.org

502 views • 18 slides
Delegated Authenticated Authorization for Constrained Environments Stefanie Gerdes, Olaf Bergmann

Delegated Authenticated Authorization for Constrained Environments Stefanie Gerdes, Olaf Bergmann

Delegated Authenticated Authorization for Constrained Environments Stefanie Gerdes, Olaf Bergmann , Carsten Bormann { gerdes | bergmann | cabo } @tzi.org Universit at Bremen NPSec14, 2014-10-21 Motivation Smart objects small

466 views • 27 slides
A Formal Model for Delegated Authorization of IoT Devices Using ACE-OAuth LUCA ARNABOLDI, Newcastle

A Formal Model for Delegated Authorization of IoT Devices Using ACE-OAuth LUCA ARNABOLDI, Newcastle

A Formal Model for Delegated Authorization of IoT Devices Using ACE-OAuth LUCA ARNABOLDI, Newcastle University, UK HANNES TSCHOFENIG, Arm Limited, UK As our daily lives become ever more connected, the need for security becomes more important. This

164 views • 13 slides
Cybersecurity and good governance in Europe Franziska Klopfer DCAF - Geneva Centre for Security

Cybersecurity and good governance in Europe Franziska Klopfer DCAF - Geneva Centre for Security

Cybersecurity and good governance in Europe Franziska Klopfer DCAF - Geneva Centre for Security Sector Governance f.klopfer@dcaf.ch Brief overview of DCAFs engagement in cybersecurity DCAF- security sector governance focus From

160 views • 4 slides
WAVE: A Decentralized Authorization Framework with Transitive Delegation [Andersen et al.,

WAVE: A Decentralized Authorization Framework with Transitive Delegation [Andersen et al.,

WAVE: A Decentralized Authorization Framework with Transitive Delegation [Andersen et al., USENIX Security 2019] Slides credit Michael Andersen Representative authorization example BLDG2/Floor3/HVAC BLDG2/Floor3 BLDG2/Floor3/LIGHT

1.09k views • 73 slides
WAVE: A Decentralized Authorization Framework with Transitive Delegation Michael P Andersen, Sam

WAVE: A Decentralized Authorization Framework with Transitive Delegation Michael P Andersen, Sam

WAVE: A Decentralized Authorization Framework with Transitive Delegation Michael P Andersen, Sam Kumar , Hyung-Sin Kim, John Kolb, Kaifei Chen, Moustafa AbdelBaky, Gabe Fierro, David E. Culler, Raluca Ada Popa This material is based on work

1.25k views • 30 slides
Authorization the permission or power given to sb to do sth: enter a security area without

Authorization the permission or power given to sb to do sth: enter a security area without

Authorization the permission or power given to sb to do sth: enter a security area without authorization Authorization in Oxford Advanced Learner's Dictionary Object-oriented Databases authorization is the concept of allowing

70 views • 6 slides
Automatic Placement of Authorization Hooks in the Linux Security Modules Framework Vinod

Automatic Placement of Authorization Hooks in the Linux Security Modules Framework Vinod

Automatic Placement of Authorization Hooks in the Linux Security Modules Framework Vinod Ganapathy vg@cs.wisc.edu University of Wisconsin, Madison Joint work with Trent Jaeger Somesh Jha tjaeger@cse.psu.edu jha@cs.wisc.edu Pennsylvania

604 views • 41 slides
Framework Agreement/FNLMA Indian Act Self Government Delegated Management Brought into force

Framework Agreement/FNLMA Indian Act Self Government Delegated Management Brought into force

Framework Agreement/FNLMA Indian Act Self Government Delegated Management Brought into force 1999 Brought into force 1839 Cannot be amended/changed without consent of First Nation Can be amended/changed without consent of First Nations

384 views • 21 slides
Delegated Access for Hadoop Clusters in the Cloud David Nu nez , Isaac Agudo, and Javier Lopez

Delegated Access for Hadoop Clusters in the Cloud David Nu nez , Isaac Agudo, and Javier Lopez

Outline Introduction The Hadoop Framework Proxy Re-Encryption DASHR Experimental results Conclusions Delegated Access for Hadoop Clusters in the Cloud David Nu nez , Isaac Agudo, and Javier Lopez Network, Information and Computer Security

615 views • 30 slides
Authorization We will use the terms authorization and access control interchangeably

Authorization We will use the terms authorization and access control interchangeably

Authorization We will use the terms authorization and access control interchangeably Authorization answers the question who is allowed to do what ? A first step in the development of an access control system is the

651 views • 53 slides
DRAFT COMMISSION DELEGATED REGULATION ON INTELLIGENT SPEED ASSISTANCE (ISA) DRAFT DELEGATED ACT

DRAFT COMMISSION DELEGATED REGULATION ON INTELLIGENT SPEED ASSISTANCE (ISA) DRAFT DELEGATED ACT

ETSC RESPONSE TO THE DRAFT COMMISSION DELEGATED REGULATION ON INTELLIGENT SPEED ASSISTANCE (ISA) DRAFT DELEGATED ACT ALLOWS FOR 4 TYPES OF FEEDBACK 1. visual warning + cascaded acoustic warning 2. visual warning + cascaded haptic warning:

410 views • 19 slides
1 Travel Authorization and Expense Process 1. Introduction 2. Travel Authorization 3. Travel

1 Travel Authorization and Expense Process 1. Introduction 2. Travel Authorization 3. Travel

1 Travel Authorization and Expense Process 1. Introduction 2. Travel Authorization 3. Travel Expense 4. Travel Regulations 2 Travel Authorization (See Next Slide for Detailed Steps) 2. Trip Information goes here 1. Budgetary Coding goes

319 views • 11 slides
Creating Objects in Flexible Authorization Framework Nicola Zannone, Sushil Jajodia,

Creating Objects in Flexible Authorization Framework Nicola Zannone, Sushil Jajodia,

Dept of Information and Communication Technology Creating Objects in Flexible Authorization Framework Nicola Zannone, Sushil Jajodia, Duminda Wijesekera Dep. of Information and Communication Technology, University of Trento

675 views • 19 slides
Delegated Underwriting / MGAs Why would you? Charles Manchester 4th June 2018 Definitions

Delegated Underwriting / MGAs Why would you? Charles Manchester 4th June 2018 Definitions

Delegated Underwriting / MGAs Why would you? Charles Manchester 4th June 2018 Definitions Delegated authority: Out-sourcing of certain underwriting tasks by an insurer Entering into contracts of insurance Documentation

310 views • 9 slides
Authenticated Encryption Kenny Paterson Information Security Group @kennyog ;

Authenticated Encryption Kenny Paterson Information Security Group @kennyog ;

Authenticated Encryption Kenny Paterson Information Security Group @kennyog ; www.isg.rhul.ac.uk/~kp Motivation for Authenticated Encryption Authenticated Encryption (AE) m 1 m 2 Security goals: Confidentiality and integrity of messages

649 views • 60 slides
Changes to Delegated Authority with Real Estate Board of Trustees September 24, 2019 1

Changes to Delegated Authority with Real Estate Board of Trustees September 24, 2019 1

BAC-4.1 Changes to Delegated Authority with Real Estate Board of Trustees September 24, 2019 1 Timeline to Change December 2017: UNCG Board of Trustees authorized University to pursue delegated authority for leasing consistent with

169 views • 12 slides
EGI-Engage JRA1.1 Authentication and Authorization Infrastructure Christos Kanellopoulos

EGI-Engage JRA1.1 Authentication and Authorization Infrastructure Christos Kanellopoulos

EGI-Engage JRA1.1 Authentication and Authorization Infrastructure Christos Kanellopoulos Nicolas Liampotis - GRNET WP3 Meeting - 2017.03.24 www.egi.eu EGI-Engage is co-funded by the Horizon 2020 Framework Programme of the European Union

352 views • 14 slides
The Evolution of Authenticated Encryption Phillip Rogaway University of California, Davis, USA

The Evolution of Authenticated Encryption Phillip Rogaway University of California, Davis, USA

The Evolution of Authenticated Encryption Phillip Rogaway University of California, Davis, USA Includes joint work with Mihir Bellare, John Black, Ted Krovetz, and Tom Shrimpton DIAC Directions in Authenticated Ciphers 05 July 2012

748 views • 52 slides
Molina Healthcare Prior Authorization Prior Authorization is a request for prospective review. It

Molina Healthcare Prior Authorization Prior Authorization is a request for prospective review. It

Molina Healthcare Prior Authorization Prior Authorization is a request for prospective review. It is designed to : Assist in benefit determination Prevent unanticipated denials of coverage Create a collaborative approach to

187 views • 18 slides
Apache Airavata Security Manager Authentication & Authorization Im Implementation for a

Apache Airavata Security Manager Authentication & Authorization Im Implementation for a

Apache Airavata Security Manager Authentication & Authorization Im Implementation for a Multi- Tenant e-Science Framework Supun Nakandala, Hasini Gunasinghe, Suresh Marru and Marlon Pierce Science Gateways Research Center Indiana

695 views • 33 slides
Board Process Review: Delegated Authority to Board Committees and CEO Board of Directors

Board Process Review: Delegated Authority to Board Committees and CEO Board of Directors

Board Process Review: Delegated Authority to Board Committees and CEO Board of Directors September 27, 2018 This Presentation This presentation is a high-level summary of the proposed update to the Boards delegated authority policy

184 views • 15 slides
Work Authorization Documents Work Authorization Document Control Account Information Control

Work Authorization Documents Work Authorization Document Control Account Information Control

Work Authorization Documents https://cametoolbox.fnal.gov/Project/WADReports?ProjectName=HL-L... Work Authorization Documents Work Authorization Document Control Account Information Control Account Manager: 10629N Nobrega, Fred Control

56 views • 5 slides
Outline Password-based Authenticated Key Exchange Password-based Authenticated Key Exchange 1

Outline Password-based Authenticated Key Exchange Password-based Authenticated Key Exchange 1

PAKE Game-based Security Universal Composability LAKE Outline Password-based Authenticated Key Exchange Password-based Authenticated Key Exchange 1 David Pointcheval Ecole Normale Sup erieure Game-based Security 2 Universal

927 views • 10 slides

More recommend