An OAuth-Based Authorization Framework for Access Control in Remote Collaboration Systems
Srikanth Jonnada, Ram Dantu, Pradhumna Shrestha, Ishan Ranasinghe,
Logan Widick
Outline
• Introduction
• CARE
• Access Control Authorization
• Conclusion
Introduction
• With advancements in technology, the complexity of the things around us, and our dependency on them, have drastically increased.
• The physical world needs the actual presence of an expert at the location to analyze, troubleshoot and fix the problem, or even to provide the required inventory.
• We need novel solutions to support the increased demand for experts.
Introduction
• We developed a remote collaboration system (CARE) to solve these problems.
• This system is accessed over the Internet and is thus prone to abuse.
• We developed a framework to protect the consumers’ security and privacy.
Definitions
▪ Worker
  ▪ A person executing physical tasks on-site who needs expert assistance to complete these tasks.
▪ Helper
  ▪ A remotely located expert who can guide the worker on how to perform the physical tasks.
[Figure: remote helper and worker]
Definitions
▪ Identification
  ▪ A user claims an identity of some sort.
▪ Authentication
  ▪ A user proves control over the identity.
▪ Authorization
  ▪ Indicates what a user can and can’t do once authenticated.
Definitions
▪ Internet of Things (IoT)
  ▪ Connecting electronic things (that were previously not connected to anything at all) to the Internet and to each other
  ▪ Can be:
    ▪ Input-enabled (has one or more traditional input devices), such as a smart thermostat (touchscreen)
    ▪ Input-constrained (no keyboards, touchscreens, mice, or other traditional input devices), such as a smart meter
Outline
• Introduction
• CARE
• Access Control Authorization
• Conclusion
CARE
• A Collaborative Appliance for REmote-help (CARE), equipped with multiple sensors, is developed to facilitate remote collaboration over physical tasks.
Remote assistance with CARE
[Figure 2: View of the remote helper through CARE (helper dashboard and worker’s environment). The worker is unscrewing a screw using a screwdriver with instruction from the remote helper.]
Outline
• Introduction
• CARE
• Access Control Authorization
• Conclusion
Introduction
• The CARE device is designed to be remotely controlled by a helper over the Internet.
– This device preserves the privacy of the worker only if a helper can:
  • Access only the resources required to assist with the task
  • Use the resources only for the amount of time required to assist with the task
  • Access resources only with the consent of the resource owner
– Otherwise this device can endanger the worker’s security, privacy, and/or safety
Attack examples
• Use sensors (e.g. webcam and microphone) to:
– Eavesdrop on the worker (privacy)
– Steal sensitive information from the worker’s environment and information stored on the device (confidentiality part of security)
• Misuse the gestures and/or mobility of the device to cause damage to people, data, or things (safety and security)
• We need a dynamic access control mechanism for input-constrained devices that can be utilized even by technically naïve users.
Existing work
• Access Control Lists, Role-Based Access Control, Attribute-Based Access Control
• Designed for centralized environments
• Driven by predefined policies
• Not suitable for CARE
– Configuring user accounts and policies for every new helper is not practical.
– Resource owners are technically naïve.
– These mechanisms are not dynamic.
Existing work
• Open Authorization (OAuth)
– Designed to allow third-party clients to obtain limited access to resources on behalf of the resource owner
  • Resource owner: the entity that owns the resource (e.g. the owner of a file; the worker that owns a CARE device)
  • Client: the third party (e.g. a mobile app for working with pictures on a Google Images account; a CARE helper’s client software)
  • Authorization server (e.g. Google’s account server): issues access tokens to clients with the resource owner’s consent (expressed as an authorization grant)
  • Resource server (e.g. Google Images server; CARE device): provides access to the resource upon receipt of a valid access token
Existing work
• Open Authorization (OAuth)
– Not suitable for CARE
  • Only works on input-enabled devices, not input-constrained ones
Authorization Framework
Framework for renewing an access token
Revoking access to helper
• The resource server revokes the access and refresh tokens after the helper closes the session
• The resource owner revokes the access and refresh tokens after identifying malicious activity by the helper
Summary
• Provided a novel framework based on OAuth.
– Authorization Grant Request
– Access Token Request
– Access Token Validation
– Voice Authorization by user
– Renewing access token
– Revoking access token
• The developed framework satisfies the OAuth security considerations and NIST criteria for access control.
NIST Criteria (Metric / Item / Evaluation)
1. Ease of privilege assignments
   Steps required to assign a privilege: 11 steps to grant access to a worker
   Steps required to remove a privilege: 3 steps for a worker to revoke access
2. Flexibility of configuration into existing systems
   The access control is provided over protocols that run on top of HTTP.
3. Horizontal scope (across platforms and applications) of control
   The AC system can authorize multiple users for a single host and multiple users for multiple hosts via a network.
4. Vertical scope (between application, DBMS, and OS) of control
   The scope of access control includes applications, files, hardware resources and network devices.
5. Least privilege principle support
   This AC system enforces the principle of least privilege and the principle of least time. A human must verbally approve all resource requests.
6. Safety (confinements and constraints)
   This AC system prevents unauthorized access to resources and relaying of permissions to unauthorized users.
7. Operational/situational awareness
   A human aware of the situation must approve all resource requests.
8. Granularity of control
   This AC system allows configuring the granularity of permissions with respect to the controlled objects and their features.
9. Response time
   It takes approx. 584 milliseconds from start to finish, excluding the time required for the worker to approve the access request (which varies).
10. Integrated with authentication function
   This AC system can be integrated with identity providers for authenticating users.
11. OS compatibility
   This AC system is independent of the operating system of the device.
12. User interfaces and API
   This AC system provides a GUI for AC policy management and authoring.
Conclusion
• This research provides a novel framework for dynamic access control of resources in input-constrained devices.
• This dynamic access-control framework can be utilized for access control of Internet of Things devices.
APPENDIX
Existing work
• Access Control Matrix
– Implemented as
  • Access Control List (ACL): objects store lists of permissions for subjects
  • Capability list: subjects store lists of permissions for objects
– Not suitable for CARE
  • Subjects and objects are NOT typically predefined in CARE
  • Extremely difficult for a resource owner to keep the access control policies for each helper.
Existing work
• Role-Based Access Control (RBAC)
– Permissions are assigned to roles, not subjects
– Subjects are assigned to roles
– Not suitable for CARE
  • Subjects and their role assignments are NOT predefined in CARE
  • The roles and permissions assigned to each role are likely not predefined in CARE either
  • Extremely difficult for a resource owner to keep the policies in line with what the resource owner consents to
Existing work
• Attribute-Based Access Control (ABAC)
– Subjects, objects, actions, and the context (environment) have attributes
– Policies that dictate access to objects are combinations of attributes that are often expressed as conditions
– Not suitable for CARE
  • Policies are NOT predefined in CARE
  • Extremely difficult for a resource owner to keep the policies in line with what the resource owner consents to
CARE vs Robot
CARE | Robot
Can work on unknown tasks | Has to be pre-programmed for every action
Can work on numerous domains of tasks | Has designated tasks and domains
Can work in unknown environments | Cannot work in every environment
Can work in changing environments | May require retraining each time the environment changes
Can locate an expert and connect the worker securely across the continents | Is an autonomous device
Can dynamically adapt to situations, and get things right the first time | Cannot dynamically adapt to situations
Can be tailored automatically to a worker’s skill level | Has fixed pre-programmed steps to execute and cannot adapt to a worker’s skill level
User Satisfaction Survey
OAuth security considerations (Security Consideration / Solution in our OAuth Architecture)
Client Authentication
  The authorization server validates the client’s identity using the ID and secret that the client obtained during registration with the authorization server.
Client Impersonation
  To get an access token from the authorization server, the client requires an auth grant from the resource owner in addition to the client’s ID and secret. Even if a legitimate client fails to protect the client ID and secret, an impersonating user will not be able to obtain an access token from the authorization server without an auth grant from the resource owner.
  To grant access to the resources, the resource server requires both an access token and the resource owner’s permission. In our case, the system announces information such as the desired resources and access time, and requests voice authorization from the resource owner.
Access Tokens
  Only the authorization server, client application, and resource server share access tokens.
  The authorization server tags an access token to a client ID so that only the user to whom the token was issued can use the token.
  An access token is tagged with information about the resources it can be used to request, such as the resource server’s ID. A client cannot use the access token for any other purpose.
  The resource owner can revoke access tokens at any time.
  Access tokens can be transmitted over TLS to prevent man-in-the-middle attacks.
Refresh Tokens
  Refresh tokens are tagged with the access token and the client ID.
  The points about how our architecture addresses the security considerations of access tokens also apply to refresh tokens.
Authorization Codes
  Authorization codes cannot be used for multiple requests.
  The authorization server can revoke access tokens when an attack using an authorization grant is detected.
  The authorization server validates the client’s identity using the client’s ID and secret (received after initially registering with the authorization server) before providing an access token.
Request Confidentiality
  Use TLS
Endpoint Authenticity
  Use TLS
Credentials-Guessing Attacks
  The authorization server generates random numbers, and then puts these numbers through the SHA-512 hash algorithm to generate keys.
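Added example, not code from the paper or the CARE project: a minimal Python model of the flow listed in the Summary (grant request, token request, token validation, voice authorization, revocation) with the bindings from the security considerations table above (client authentication by ID and secret, single-use authorization codes, tokens tagged to a client ID and a resource server ID, time-bounded access, SHA-512 over random numbers for key material). Class and function names, the voice-consent callback, and the in-memory stores are assumptions; the real system's transport (HTTP over TLS) and voice interface are not modelled.

```python
import hashlib, secrets, time
def new_key():
    # Slides: keys are random numbers passed through SHA-512
    return hashlib.sha512(secrets.token_bytes(32)).hexdigest()

class AuthorizationServer:
    def __init__(self):
        self.clients = {}  # client_id -> secret issued at registration
        self.codes = {}    # single-use authorization codes (owner's grant)
        self.tokens = {}   # token -> binding: client, device, scope, expiry, refresh

    def register_client(self):
        cid, secret = new_key()[:16], new_key()
        self.clients[cid] = secret
        return cid, secret

    def grant(self, client_id, rs_id, scope, seconds):
        # Owner's grant: one client, one device, named resources, bounded time
        code = new_key()
        self.codes[code] = (client_id, rs_id, frozenset(scope), seconds)
        return code

    def token_request(self, client_id, secret, code):
        if self.clients.get(client_id) != secret:   # client authentication
            return None
        g = self.codes.pop(code, None)              # pop: a code cannot be replayed
        if g is None or g[0] != client_id:
            return None
        _, rs_id, scope, seconds = g
        token, refresh = new_key(), new_key()
        self.tokens[token] = {"client": client_id, "rs": rs_id, "scope": scope,
                              "exp": time.time() + seconds, "refresh": refresh}
        return token, refresh

    def validate(self, token):
        return self.tokens.get(token)
    def revoke(self, token):  # device on session close, or owner on abuse
        self.tokens.pop(token, None)

class CareDevice:  # resource server: check the binding, then ask the owner by voice
    def __init__(self, rs_id, auth, voice_consent):
        self.rs_id, self.auth, self.voice_consent = rs_id, auth, voice_consent

    def access(self, token, client_id, resource):
        t = self.auth.validate(token)
        if t is None or t["client"] != client_id or t["rs"] != self.rs_id:
            return False  # unknown/revoked token, wrong client or wrong device
        if resource not in t["scope"] or time.time() > t["exp"]:
            return False  # outside the granted resources or time window
        return self.voice_consent(resource)  # owner's spoken yes/no decides
```

The voice_consent callback stands in for the spoken approval the slides describe; a request that passes every token check is still refused when the owner says no.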