wave a decentralized authorization framework with
play

WAVE: A Decentralized Authorization Framework with Transitive - PowerPoint PPT Presentation

Jun 22, 2023 •353 likes •1.09k views

WAVE: A Decentralized Authorization Framework with Transitive Delegation [Andersen et al., USENIX Security 2019] Slides credit Michael Andersen Representative authorization example BLDG2/Floor3/HVAC BLDG2/Floor3 BLDG2/Floor3/LIGHT

  1. WAVE: A Decentralized Authorization Framework with Transitive Delegation [Andersen et al., USENIX Security 2019] Slides credit Michael Andersen

  2. Representative authorization example BLDG2/Floor3/HVAC BLDG2/Floor3 BLDG2/Floor3/LIGHT BLDG2/Floor3/DOORS Building Owner Tenant Company Employees CEO

  3. Traditional approach E.g. OAuth, LDAP BLDG2/Floor3/HVAC BLDG2/Floor3 BLDG2/Floor3/LIGHT BLDG2/Floor3/DOORS Building Owner Tenant Company Employees CEO

  4. Traditional approach Problems: Central point of attack BLDG2/Floor3/HVAC BLDG2/Floor3 BLDG2/Floor3/LIGHT BLDG2/Floor3/DOORS Building Owner Tenant Company Employees CEO

  5. Traditional approach Problems: Central point of attack Can’t even trust operator BLDG2/Floor3/HVAC BLDG2/Floor3 BLDG2/Floor3/LIGHT BLDG2/Floor3/DOORS Building Owner Tenant Company Employees CEO

  6. Traditional approach Problems: Central point of attack Can’t even trust operator BLDG2/Floor3/HVAC BLDG2/Floor3 BLDG2/Floor3/LIGHT BLDG2/Floor3/DOORS Building Owner Tenant Company Employees CEO

  7. Traditional approach Problems: Central point of attack Can’t even trust operator BLDG2/Floor3/HVAC BLDG2/Floor3 BLDG2/Floor3/LIGHT BLDG2/Floor3/DOORS Building Owner Tenant Company Employees CEO

  8. Traditional approach Problems: Central point of attack Can’t even trust operator BLDG2/Floor3/HVAC BLDG2/Floor3 BLDG2/Floor3/LIGHT BLDG2/Floor3/DOORS Building Owner Tenant Company Employees CEO

  9. Traditional approach Problems: Central point of attack Can’t even trust operator BLDG2/Floor3/HVAC BLDG2/Floor3 BLDG2/Floor3/LIGHT BLDG2/Floor3/DOORS Building Owner Tenant Company Employees CEO

  10. Traditional approach Problems: Central point of attack Can’t even trust operator Sometimes delegation unsupported BLDG2/Floor3/HVAC BLDG2/Floor3 BLDG2/Floor3/LIGHT BLDG2/Floor3/DOORS Building Owner Tenant Company Employees CEO

  11. Traditional approach Problems: Central point of attack Can’t even trust operator Sometimes delegation unsupported When supported, not transitive BLDG2/Floor3/HVAC BLDG2/Floor3 BLDG2/Floor3/LIGHT BLDG2/Floor3/DOORS Building Owner Tenant Company Employees CEO

  12. Lack of transitive delegation BLDG2/Floor3/HVAC BLDG2/Floor3 BLDG2/Floor3/LIGHT BLDG2/Floor3/DOORS Building Owner Tenant Company Employees CEO

  13. Lack of transitive delegation BLDG2/Floor3/HVAC BLDG2/Floor3 BLDG2/Floor3/LIGHT BLDG2/Floor3/DOORS Building Owner Tenant Company Employees CEO

  14. Lack of transitive delegation BLDG2/Floor3/HVAC BLDG2/Floor3 BLDG2/Floor3/LIGHT BLDG2/Floor3/DOORS Building Owner Tenant Company Employees CEO

  15. What we want: BLDG2/Floor3/HVAC BLDG2/Floor3 BLDG2/Floor3/LIGHT BLDG2/Floor3/DOORS Building Owner Tenant Company Employees CEO

  16. Existing work lacks some important features System / Work Avoid central Transitive Permission No ordering Offline Protected authority Delegation Discovery constraints participants permissions LDAP, AD OAuth2 Macaroons SDSI/SPKI

  17. What is WAVE System / Work No central Transitive Permission No ordering Offline Protected authority Delegation Discovery constraints participants permissions WAVE WAVE is a cryptographically enforced decentralized authorization system ● It can be used in place of most mainstream authorization systems ● Anyone can delegate permissions or revoke permissions they have delegated ● Anyone can discover their permissions and form a proof of authorization ● Anyone (even devices) can verify proofs of authorization

  18. WAVE achieves this with three techniques:

  19. Graph Based Authorization Popularized by SDSI/SPKI [Rivest, Lampson, 1996] ● ● Represents permissions as a graph, rather than an ACL table ● Naturally represents transitive delegation BLDG2/Floor3/HVAC BLDG2/Floor3 BLDG2/Floor3/LIGHT BLDG2/Floor3/DOORS Building Owner Tenant Company Employees CEO

  20. Graph Based Authorization BLDG2/Floor3/HVAC BLDG2/Floor3 BLDG2/Floor3/LIGHT BLDG2/Floor3/DOORS Building Owner Tenant Company Employees CEO

  21. Graph Based Authorization Participants: Entities Collections of cryptographic keys: identifier is PK BLDG2/Floor3/HVAC BLDG2/Floor3 BLDG2/Floor3/LIGHT BLDG2/Floor3/DOORS Building Owner Tenant Company Employees CEO

  22. Graph Based Authorization Grants of permissions: Attestations Signed certificates created by Entities BLDG2/Floor3/HVAC BLDG2/Floor3 BLDG2/Floor3/LIGHT BLDG2/Floor3/DOORS Building Owner Tenant Company Employees CEO

  23. Graph Based Authorization Permission : Read, Write Attestations grant permissions on a resource Resource : BldgOwner/BLDG2 Expires : 2019/04/05 Building Owner Tenant Company CEO

  24. Graph Based Authorization Permission : Read, Write Attestations grant permissions on a resource Resources are in a namespace Resource : which identifies the authority entity BldgOwner/BLDG2 Expires : 2019/04/05 Namespace Authority Tenant Company CEO

  25. Graph Based Authorization Proof of permissions: A path through the graph from Namespace Authority to the prover Proof grants the intersection of the permissions of each attestation Verifiable by anyone*, attached to messages Proof NS/ BLDG2/Floor3 NS/ BLDG2/Floor3/DOORS Building Owner Tenant Company Employee CEO * In WAVE, not SDSI/SPKI

  26. This forms a single global graph

  27. This forms a single global graph ● Multiple namespace authorities in the graph

  28. This forms a single global graph ● Multiple namespace authorities in the graph ● Different entities will only see portions of the graph

  29. This forms a single global graph ● Multiple namespace authorities in the graph ● Different entities will only see portions of the graph

  30. We need to hide portions of the graph

  31. Reverse Discoverable Encryption Building Owner Tenant Company Employees CEO

  32. Reverse Discoverable Encryption NS /Floor3 NS /Floor3 NS /Floor4 Building Owner Tenant Company F3 Manager CEO

  33. Reverse Discoverable Encryption NS /Floor3 NS /Floor3 NS /Floor4 Building Owner Tenant Company F3 Manager CEO NS /Floor3 Janitorial Services

  34. Reverse Discoverable Encryption NS /Floor3 NS /Floor3 NS /Floor3 NS /Floor4 Building Owner Tenant Company F3 Manager HVAC Controller CEO NS /Floor3 Janitorial Services

  35. Reverse Discoverable Encryption NS /Floor3 NS /Floor3 NS /Floor3 NS /Floor4 Building Owner Tenant Company F3 Manager HVAC Controller CEO NS /Floor3 Discovering permissions Janitorial Services

  36. Reverse Discoverable Encryption NS /Floor3 NS /Floor3 NS /Floor3 NS /Floor4 Building Owner Tenant Company F3 Manager HVAC Controller CEO Three kinds of attestations: NS /Floor3 ● On path, intersecting Janitorial Services

  37. Reverse Discoverable Encryption NS /Floor3 NS /Floor3 NS /Floor3 NS /Floor4 Building Owner Tenant Company F3 Manager HVAC Controller CEO Three kinds of attestations NS /Floor3 ● On path, intersecting ● On path, not intersecting Janitorial Services

  38. Reverse Discoverable Encryption NS /Floor3 NS /Floor3 NS /Floor3 NS /Floor4 Building Owner Tenant Company F3 Manager HVAC Controller CEO Three kinds of attestations NS /Floor3 ● On path, intersecting ● On path, not intersecting ● Not on a path Janitorial Services

  39. Technique in a nutshell Encrypt attestations In each attestation, include a secret that allows you to decrypt upstream attestations that have intersecting permissions (on path, intersecting)

  40. Reverse Discoverable Encryption NS /Floor3 NS /Floor3 NS /Floor3 NS /Floor4 Building Owner Tenant Company F3 Manager HVAC Controller CEO NS /Floor3 Janitorial Services

  41. Reverse Discoverable Encryption NS /Floor3 NS /Floor3 NS /Floor3 NS /Floor4 Building Owner Tenant Company F3 Manager HVAC Controller CEO NS /Floor3 Janitorial Services

  42. Reverse Discoverable Encryption NS /Floor3 NS /Floor3 NS /Floor3 NS /Floor4 Building Owner Tenant Company F3 Manager HVAC Controller CEO NS /Floor3 Janitorial Services

  43. Reverse Discoverable Encryption NS /Floor3 NS /Floor3 NS /Floor3 NS /Floor4 Building Owner Tenant Company F3 Manager HVAC Controller CEO NS /Floor3 Janitorial Services

  44. Reverse Discoverable Encryption NS /Floor3 NS /Floor3 NS /Floor3 NS /Floor4 Building Owner Tenant Company F3 Manager HVAC Controller CEO NS /Floor3 Janitorial Services

  45. Attempt 1: public-key encryption Enc PK ( NS /Floor3) Enc PK ( NS /Floor3) Enc PK ( NS /Floor3) Enc PK ( NS /Floor4) SK, PK SK, PK SK, PK SK, PK Building Owner Tenant Company F3 Manager HVAC Controller CEO Consider that all the encrypted attestations are in Enc PK ( NS /Floor3) a public ledger, so HVAC can see them all What is the problem with this approach? SK, PK HVAC needs to decrypt the entire path to Janitorial Services create a proof of authorization, but it cannot

  46. Attempt 2: public-key encryption Enc PK ( NS /Floor3) Enc PK ( NS /Floor3, Enc PK ( NS /Floor3, SK) Enc PK ( NS /Floor4) SK) SK, PK SK, PK SK, PK SK, PK Building Owner Tenant Company F3 Manager HVAC Controller CEO Now HVAC controller can decrypt the whole path Enc PK ( NS /Floor3) What is the problem with this approach? It can decrypt too much. Basically, all the attestations F3 manager and Tenant CEO SK, PK ever received, even if not intersecting! Janitorial Services

Recommend

WAVE: A Decentralized Authorization Framework with Transitive Delegation Michael P Andersen, Sam

WAVE: A Decentralized Authorization Framework with Transitive Delegation Michael P Andersen, Sam

WAVE: A Decentralized Authorization Framework with Transitive Delegation Michael P Andersen, Sam Kumar , Hyung-Sin Kim, John Kolb, Kaifei Chen, Moustafa AbdelBaky, Gabe Fierro, David E. Culler, Raluca Ada Popa This material is based on work

1.25k views • 30 slides
Interledger Smart Contracts for Decentralized Authorization to Constrained Things Vasilios A.

Interledger Smart Contracts for Decentralized Authorization to Constrained Things Vasilios A.

Interledger Smart Contracts for Decentralized Authorization to Constrained Things Vasilios A. Siris joint work with D. Dimopoulos, N. Fotiou, S. Voulgaris, G.C. Polyzos Mobile Multimedia Laboratory Athens University of Economics and Business,

289 views • 28 slides
Authorization the permission or power given to sb to do sth: enter a security area without

Authorization the permission or power given to sb to do sth: enter a security area without

Authorization the permission or power given to sb to do sth: enter a security area without authorization Authorization in Oxford Advanced Learner's Dictionary Object-oriented Databases authorization is the concept of allowing

70 views • 6 slides
Automatic Placement of Authorization Hooks in the Linux Security Modules Framework Vinod

Automatic Placement of Authorization Hooks in the Linux Security Modules Framework Vinod

Automatic Placement of Authorization Hooks in the Linux Security Modules Framework Vinod Ganapathy vg@cs.wisc.edu University of Wisconsin, Madison Joint work with Trent Jaeger Somesh Jha tjaeger@cse.psu.edu jha@cs.wisc.edu Pennsylvania

604 views • 41 slides
CrowdBC: A Blockchain-based Decentralized Framework for Crowdsourcing Hailiang ZHAO

CrowdBC: A Blockchain-based Decentralized Framework for Crowdsourcing Hailiang ZHAO

CrowdBC: A Blockchain-based Decentralized Framework for Crowdsourcing Hailiang ZHAO htp://hliangzhao.me December 10, 2019 This paper was published on IEEE Trans. on Parallel and Distributed Systems (TPDS) , Jun 2019. Hailiang ZHAO @ ZJU-CS

493 views • 30 slides
Using The Delegated CoAP Authentication and Authorization Framework (DCAF) With CBOR Encoded

Using The Delegated CoAP Authentication and Authorization Framework (DCAF) With CBOR Encoded

Using The Delegated CoAP Authentication and Authorization Framework (DCAF) With CBOR Encoded Message Syntax draft-bergmann-ace-dcaf-cose Olaf Bergmann, Stefanie Gerdes { gerdes | bergmann } @tzi.org Presented by Carsten Bormann cabo@tzi.org

502 views • 18 slides
Authorization We will use the terms authorization and access control interchangeably

Authorization We will use the terms authorization and access control interchangeably

Authorization We will use the terms authorization and access control interchangeably Authorization answers the question who is allowed to do what ? A first step in the development of an access control system is the

651 views • 53 slides
Delegated Authenticated Authorization Framework (DCAF) draft-gerdes-ace-dcaf-authorize Stefanie

Delegated Authenticated Authorization Framework (DCAF) draft-gerdes-ace-dcaf-authorize Stefanie

Delegated Authenticated Authorization Framework (DCAF) draft-gerdes-ace-dcaf-authorize Stefanie Gerdes, Olaf Bergmann, Carsten Bormann { gerdes | bergmann | cabo } @tzi.org IETF-94, ACE Meeting, 2015-11-02 1 / 27 Review Comments Renzo:

750 views • 27 slides
GENwave What is Google wave? What is a wave? A wave is equal parts conversation and

GENwave What is Google wave? What is a wave? A wave is equal parts conversation and

GENwave What is Google wave? What is a wave? A wave is equal parts conversation and document. People can communicate and work together with richly formatted text, photos, videos, maps, and more. A wave is shared. Any participant can

942 views • 7 slides
Security Framework for Decentralized Shared Calendars Jagdish Prasad Achara Research Master of

Security Framework for Decentralized Shared Calendars Jagdish Prasad Achara Research Master of

Security Framework for Decentralized Shared Calendars Jagdish Prasad Achara Research Master of Computer Science (Specialty : Services, Security and Networks) 24 juin 2011 Universit Henri Poincar Jagdish Prasad Achara (UHP Nancy 1)

653 views • 25 slides
1 Travel Authorization and Expense Process 1. Introduction 2. Travel Authorization 3. Travel

1 Travel Authorization and Expense Process 1. Introduction 2. Travel Authorization 3. Travel

1 Travel Authorization and Expense Process 1. Introduction 2. Travel Authorization 3. Travel Expense 4. Travel Regulations 2 Travel Authorization (See Next Slide for Detailed Steps) 2. Trip Information goes here 1. Budgetary Coding goes

319 views • 11 slides
Introducing OpenPush A Free, Decentralized Push Messaging Framework for Android Marcus Hoffmann -

Introducing OpenPush A Free, Decentralized Push Messaging Framework for Android Marcus Hoffmann -

Introducing OpenPush A Free, Decentralized Push Messaging Framework for Android Marcus Hoffmann - bubu@bubu1.eu 1 / 31 About Me Hi, I'm Marcus! Free software developer from Berlin. Working on a free Android ecosystem. F-Droid core

358 views • 31 slides
Creating Objects in Flexible Authorization Framework Nicola Zannone, Sushil Jajodia,

Creating Objects in Flexible Authorization Framework Nicola Zannone, Sushil Jajodia,

Dept of Information and Communication Technology Creating Objects in Flexible Authorization Framework Nicola Zannone, Sushil Jajodia, Duminda Wijesekera Dep. of Information and Communication Technology, University of Trento

675 views • 19 slides
A Hybrid Evolutionary Algorithm Framework for Optimising Power Take Off and Placements of Wave

A Hybrid Evolutionary Algorithm Framework for Optimising Power Take Off and Placements of Wave

A Hybrid Evolutionary Algorithm Framework for Optimising Power Take Off and Placements of Wave Energy Converters Mehdi Neshat, Bradley Alexander, Nataliia Sergiienko, Markus Wagner GECCO '19 Slide 1 Neshat et al., Optimisation and Logistics

627 views • 44 slides
EGI-Engage JRA1.1 Authentication and Authorization Infrastructure Christos Kanellopoulos

EGI-Engage JRA1.1 Authentication and Authorization Infrastructure Christos Kanellopoulos

EGI-Engage JRA1.1 Authentication and Authorization Infrastructure Christos Kanellopoulos Nicolas Liampotis - GRNET WP3 Meeting - 2017.03.24 www.egi.eu EGI-Engage is co-funded by the Horizon 2020 Framework Programme of the European Union

352 views • 14 slides
A Decentralized and Distributed E-voting Scheme Based on Cryptographic Shuffles Decentralized

A Decentralized and Distributed E-voting Scheme Based on Cryptographic Shuffles Decentralized

A Decentralized and Distributed E-voting Scheme Based on Cryptographic Shuffles Decentralized and Distributed Systems Laboratory Andy Caforio Responsible: Prof. Bryan Ford Supervision: Linus Gasser, Philipp Jovanovic 1 Way back when

445 views • 20 slides
A Wave Simulator and Active Heave Compensation Framework for Demanding O ff shore Crane Operations

A Wave Simulator and Active Heave Compensation Framework for Demanding O ff shore Crane Operations

Introduction System architecture and communication protocol Experimental results, conclusion and future work A Wave Simulator and Active Heave Compensation Framework for Demanding O ff shore Crane Operations F. Sanfilippo 1 , L. I. Hatledal 1 ,

143 views • 13 slides
Molina Healthcare Prior Authorization Prior Authorization is a request for prospective review. It

Molina Healthcare Prior Authorization Prior Authorization is a request for prospective review. It

Molina Healthcare Prior Authorization Prior Authorization is a request for prospective review. It is designed to : Assist in benefit determination Prevent unanticipated denials of coverage Create a collaborative approach to

187 views • 18 slides
Apache Airavata Security Manager Authentication & Authorization Im Implementation for a

Apache Airavata Security Manager Authentication & Authorization Im Implementation for a

Apache Airavata Security Manager Authentication & Authorization Im Implementation for a Multi- Tenant e-Science Framework Supun Nakandala, Hasini Gunasinghe, Suresh Marru and Marlon Pierce Science Gateways Research Center Indiana

695 views • 33 slides
Work Authorization Documents Work Authorization Document Control Account Information Control

Work Authorization Documents Work Authorization Document Control Account Information Control

Work Authorization Documents https://cametoolbox.fnal.gov/Project/WADReports?ProjectName=HL-L... Work Authorization Documents Work Authorization Document Control Account Information Control Account Manager: 10629N Nobrega, Fred Control

56 views • 5 slides
Slide 7 / 102 Slide 8 / 102 4 Compare/Contrast Pulse and Wave. 5 In a transverse wave, compare

Slide 7 / 102 Slide 8 / 102 4 Compare/Contrast Pulse and Wave. 5 In a transverse wave, compare

Slide 1 / 102 Slide 2 / 102 8th Grade Wave Properties Classwork-Homwork Slides 2015-10-15 www.njctl.org Slide 3 / 102 Slide 4 / 102 1 What causes a wave? Classwork #1: What is a Wave? Slide 5 / 102 Slide 6 / 102 2 In terms of wave

692 views • 17 slides
Fixing healthcare data exchange with decentralized FOSS Protect your API's with a decentralized

Fixing healthcare data exchange with decentralized FOSS Protect your API's with a decentralized

Fixing healthcare data exchange with decentralized FOSS Protect your API's with a decentralized trust layer Steven van der Vegt Open standard to enable safe and correct exchange of healthcare data. Goal Create a (inter)national network of

708 views • 35 slides
Remote File Access: Problems and Solutions Authentication and authorization Performance

Remote File Access: Problems and Solutions Authentication and authorization Performance

Remote File Access: Problems and Solutions Authentication and authorization Performance Synchronization Robustness Lecture 13 CS 111 Page 1 Summer 2013 Authorization and Authentication Authorization is determined if someone

886 views • 41 slides
The 8th Wave Process and Outcomes Jesse Marsh 8th Wave

The 8th Wave Process and Outcomes Jesse Marsh 8th Wave

8th Wave Launch Ceremony The 8th Wave Process and Outcomes Jesse Marsh 8th Wave Coordinator Amsterdam, 5 September 2014 The 8 th Wave Process and

463 views • 21 slides

More recommend