TXT Corporate Research Division – IoT International Forum – November 23-24, 2011
[Slide 1]
Domenico Rotondi, Cristoforo Seccia, Salvatore Piccione
TXT e-solutions SpA (Italy)
[Slide 2] The Problem
Access Control solutions that:
• face the IoT scalability challenge
• can be deployed on simple devices (e.g. reduce the amount of supporting data, communications, etc.)
• are flexible
• support advanced features (e.g. access rights delegation, auditability, …)
• are secure
• are easy to manage
• …
[Slide 3] Current Approaches & Related Issues
Traditional Access Control models:
RBAC (Role Based Access Control) – we have to manage:
• Identities
• Roles
• Identity-to-role assignments
• Trust of Identity Providers (IdPs) and/or Service Providers (SPs)
ABAC (Attribute Based Access Control) – we have to manage:
• Attribute names
• Attribute meanings
• Identities
• Trust of IdPs, SPs and Attribute Providers (APs)
Issues:
• They do not scale
• They require significant management effort
• Identity/right delegation is complex
• Security issues, auditability
In IoT contexts:
• Scalability is a key issue (explosion of resources/subjects)
• Management is a nightmare (explosion of resources/operations)
• IoT can require complex and efficient delegation chains (many more services to orchestrate/integrate)
[Slide 4] Capability Based Security
Capability based security: what is it?
• It is a security model in which "… a capability (known in some systems as a key) is a communicable, unforgeable token of authority. It refers to a value that references an object along with an associated set of access rights" (http://en.wikipedia.org/wiki/Capability-based_security)
Not a new concept:
• Levy, "Capability-Based Computer Systems" (1984)
• Tanenbaum, "Using Sparse Capabilities in a Distributed Operating System" (1986)
• RFC 2693, "SPKI Certificate Theory" (1999)
• Miller, "Capability Myths Demolished" (2003)
• Karp, "Solving the Transitive Access Problem for the Services Oriented Architecture" (2010)
• …
[Figure: the same access matrix (subjects Alice, Bob, Carol; objects /etc/passwd, /u/markm/foo, /etc/motd; rights R = read, W = write) drawn two ways: as an Access Control List, where each object lists the subjects and the rights they have on it, and as a Capability List, where each subject lists the objects and the rights it holds on them.]
[Slide 5] Capability Based Access Control model
[Figure: the resource controller ([email protected]) manages Resource A1 and holds its Root Capability. Trust arrows link the controller to Alice, Alice to Bob and Bob to Dave; each delegation produces a new capability that names the capability it was derived from (Issuer Capability ID). Dave finally sends an Operation Request to the controller.]

Root Capability
Capability ID: Cap01-X@£$
Resource ID: Resource A1
Issuer: [email protected]
Assignee: [email protected]
Rights:
* Create (Delegable)
* Read (Delegable)
* Update (Delegable)
* Delete (Delegable)
…

Alice Capability
Capability ID: Cap02-XX!!!##
Resource ID: Resource A1
Issuer: [email protected]
Assignee: [email protected]
Rights:
* Create (Delegable)
* Read (Delegable)
* Update (Delegable)
* Delete (Delegable)
Issuer Capability ID: Cap01-X@£$
…

Bob Capability
Capability ID: Cap03-##???^^^
Resource ID: Resource A1
Issuer: [email protected]
Assignee: [email protected]
Rights:
* Create
* Read (Delegable)
* Update (Delegable)
Issuer Capability ID: Cap02-XX!!!##
…

Dave Capability
Capability ID: Cap04-!!»»>>@@
Resource ID: Resource A1
Issuer: [email protected]
Assignee: [email protected]
Rights:
* Read
Issuer Capability ID: Cap03-##???^^^
…

Operation Request
Resource ID: Resource A1
Requester Capability: …
Requester Signature: …
Requested Operation: …
…

The Server has:
• full visibility of the authorization chain
• no need of knowledge of subjects
• no need to authenticate users
• knowledge of who is accountable for what
[Slide 6] Capability Based Access Control Pros
Capability Based Authorization Pros:
• Principle of Least Authority (PoLA), i.e. Least Privilege, is the default
• More fine-grained access control
• Fewer security issues (e.g. no Confused Deputy problem)
• The capability model externalizes the authorization management process
• No need to manage issues related to the complexity and dynamics of subjects' identities
Why capability based authorization in FP7 IoT@Work:
• Many subjects (suppliers, maintainers, etc.) need to access resources in the production plant
• Least Privilege is a must!
• Need to easily delegate rights and to have full auditability of resource access
• Need to offload management to cope with the dynamics of external subjects
[Slide 7] Capability Based Authorization: Greater End User Control
[Figure: Bob Smith (the car's owner) holds the root capabilities on his car's resources, Car Location and the Car Control Unit (engine data). He delegates a block-level location query capability to the City Traffic Management Service (α1) and a high-granularity, delegable one to Alice Cooper, his wife (α2). He delegates delegable query/change rights on the Car Control Unit to Dave, the FIAT Maintenance Service Manager (b1), who in turn delegates a non-delegable query right to the FIAT Maintenance Service, the car's manufacturer (b2). Both services then send Operation Requests to the car.]

Access Capability α1 (Bob's Car Location)
Resource ID: Car Location
Assigner ID: Bob Smith
Assignee ID: City Traffic Mgm
Rights:
* Query
Granularity: Block level
Since: ddx1/mmx1/yyx1
Until: ddx2/mmx2/yyx2
Auth Capability: Root Capab.
…
Assigner Signature: $%&@

Access Capability α2 (Bob's Car Location)
Resource ID: Car Location
Assigner ID: Bob Smith
Assignee ID: Alice Cooper
Rights:
* Query (Delegable)
Granularity: High
Since: dd1/mm1/yy1
Until: dd2/mm2/yy2
Auth Capability: Root Capab.
…
Assigner Signature: $%&@

Access Capability b1 (Bob's Car Engine Data)
Resource ID: Car Control Unit
Assigner ID: Bob Smith
Assignee ID: Maint. Srv Mgr
Rights:
* Query (Delegable)
* Change (Delegable)
Granularity: High
Since: dd11/mm11/yy11
Until: dd22/mm22/yy22
Auth Capability: Root Capab.
…
Assigner Signature: $%&@

Access Capability b2 (Bob's Car Engine Data)
Resource ID: Car Control Unit
Assigner ID: [email protected]
Assignee ID: FIAT Maint. Srv
Rights:
* Query
Granularity: High
Since: dd11x/mm11x/yy11x
Until: dd22x/mm22x/yy22x
Auth. Capability: Capab. b1
…
Assigner Signature: $%&@

Operation Request (City Traffic Management Service)
Resource ID: Car Location
Requester ID: [email protected]
Operation: Query 'Car Location'
Requester Rights: Capability α1
…
Requester Signature: $%&@

Operation Request (FIAT Maintenance Service)
Resource ID: Car Control Unit
Requester ID: [email protected]
Operation: Query 'Engine RPM'
Requester Rights: Capability b2
…
Requester Signature: $%&@

Capability Based Authorization: Information Control – Information Details Control – Greater End User Control
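The program below is an example added here; it is not code from the slides or from the IoT@Work project. It implements, for slide 7's FIAT "Query 'Engine RPM'" request, the checks that slide 5 attributes to the server: walk the capability chain from the root to the presented capability, accept each link only if it was signed by the holder of the previous one and only carries rights the previous one marked delegable, check validity periods, and derive who is accountable for the access. It goes one step beyond the slides by also exercising four requests the controller must refuse. All principal names, dates, capability ids and keys are constructed, and HMAC-SHA256 under a per-principal secret stands in for the assigner/requester signatures because the slides do not specify a signature scheme (a deployment would use asymmetric signatures so the controller cannot forge capabilities).

```python
import dataclasses
import hashlib
import hmac
import json
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed keyring (one secret per principal, shared with the controller).
# HMAC-SHA256 is a stand-in for the slides' "Assigner Signature" / "Requester
# Signature"; it only serves to make the example run on the standard library.
KEYS = {"Bob Smith": b"bob-key", "Maint. Srv Mgr": b"dave-key",
        "FIAT Maint. Srv": b"fiat-key", "Subcontractor": b"sub-key"}


def _mac(key: bytes, payload: bytes) -> bytes:
    return hmac.new(key, payload, hashlib.sha256).digest()


def _canonical(obj) -> bytes:
    """Deterministic encoding of every field except the signature."""
    body = {k: v for k, v in dataclasses.asdict(obj).items() if k != "signature"}
    return json.dumps(body, sort_keys=True, default=str).encode()


@dataclass(frozen=True)
class Capability:
    cap_id: str
    resource_id: str
    assigner: str
    assignee: str
    rights: dict                           # right -> True if the holder may delegate it
    since: date
    until: date
    auth_capability: Optional[str] = None  # capability this one was derived from
    signature: bytes = b""


@dataclass(frozen=True)
class OperationRequest:
    resource_id: str
    requester: str
    operation: str
    capability: str                        # "Requester Rights": id of the leaf capability
    signature: bytes = b""


def signed(obj, signer: str):
    """Copy of obj carrying signer's signature over its canonical encoding."""
    return dataclasses.replace(obj, signature=_mac(KEYS[signer], _canonical(obj)))


def signature_ok(obj, signer: str) -> bool:
    return signer in KEYS and hmac.compare_digest(_mac(KEYS[signer], _canonical(obj)), obj.signature)


class ResourceController:
    """Knows only its resource's root capability and the keyring; no user directory."""

    def __init__(self, root: Capability):
        self.root = root

    def authorize(self, req: OperationRequest, chain: list, today: date):
        """chain runs from the root capability to the one the requester presents.
        Returns (allowed, reason, accountable principals from root to requester)."""
        if not chain or chain[0] != self.root:
            return False, "chain does not start at the trusted root capability", []
        for parent, cap in zip(chain, chain[1:]):
            if cap.resource_id != self.root.resource_id or cap.auth_capability != parent.cap_id:
                return False, f"{cap.cap_id}: not derived from {parent.cap_id}", []
            if cap.assigner != parent.assignee:
                return False, f"{cap.cap_id}: assigner does not hold {parent.cap_id}", []
            if not signature_ok(cap, cap.assigner):
                return False, f"{cap.cap_id}: bad assigner signature", []
            # Attenuation: a right can only be passed on if the parent marks it delegable.
            for right in cap.rights:
                if not parent.rights.get(right, False):
                    return False, f"{cap.cap_id}: '{right}' is not delegable in {parent.cap_id}", []
        for cap in chain:
            if not cap.since <= today <= cap.until:
                return False, f"{cap.cap_id}: outside its validity period", []
        leaf = chain[-1]
        if req.resource_id != self.root.resource_id or req.capability != leaf.cap_id:
            return False, "request does not match the presented capability", []
        if req.requester != leaf.assignee or not signature_ok(req, req.requester):
            return False, "requester is not the holder of the presented capability", []
        if req.operation not in leaf.rights:
            return False, f"'{req.operation}' is not granted by {leaf.cap_id}", []
        return True, "allowed", [c.assigner for c in chain] + [leaf.assignee]


# Constructed instances of the slide's capabilities (dates and ids are made up).
CAR = "Car Control Unit"
ROOT = Capability("Root Capab.", CAR, "Car Control Unit", "Bob Smith",
                  {"Query": True, "Change": True}, date(2011, 1, 1), date(2020, 12, 31))
B1 = signed(Capability("Capability b1", CAR, "Bob Smith", "Maint. Srv Mgr",
                       {"Query": True, "Change": True}, date(2011, 6, 1), date(2012, 5, 31),
                       auth_capability="Root Capab."), "Bob Smith")
B2 = signed(Capability("Capability b2", CAR, "Maint. Srv Mgr", "FIAT Maint. Srv",
                       {"Query": False}, date(2011, 11, 1), date(2011, 12, 31),
                       auth_capability="Capability b1"), "Maint. Srv Mgr")
REQ = signed(OperationRequest(CAR, "FIAT Maint. Srv", "Query", "Capability b2"), "FIAT Maint. Srv")


def demo(today: date = date(2011, 11, 23)) -> dict:
    """The slide's request (Query 'Engine RPM') plus four attempts the controller must refuse."""
    ctrl = ResourceController(ROOT)
    out = {}
    ok, _, out["accountable"] = ctrl.authorize(REQ, [ROOT, B1, B2], today)
    out["query_engine_rpm"] = ok
    change = signed(dataclasses.replace(REQ, operation="Change"), "FIAT Maint. Srv")
    out["change_not_granted"] = ctrl.authorize(change, [ROOT, B1, B2], today)[0]
    b3 = signed(Capability("Capability b3", CAR, "FIAT Maint. Srv", "Subcontractor", {"Query": False},
                           today, today, auth_capability="Capability b2"), "FIAT Maint. Srv")
    req3 = signed(OperationRequest(CAR, "Subcontractor", "Query", "Capability b3"), "Subcontractor")
    out["redelegation_blocked"] = ctrl.authorize(req3, [ROOT, B1, B2, b3], today)[0]
    forged = dataclasses.replace(B2, rights={"Query": False, "Change": False})  # signature now stale
    out["tampered_capability"] = ctrl.authorize(change, [ROOT, B1, forged], today)[0]
    out["expired"] = ctrl.authorize(REQ, [ROOT, B1, B2], date(2012, 3, 1))[0]
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The controller never consults a user database: every decision comes from the chain itself, and the `accountable` list it returns (Car Control Unit, Bob Smith, Maint. Srv Mgr, FIAT Maint. Srv) is exactly the "knowledge of who is accountable for what" the slides promise. Revocation is not covered by the slides and is not modelled here; a deployment would need a revocation list or short validity periods.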
[Slide 8] Privacy in Capability Based Access Control
• Encrypted capability
• Anonymous IDs
[Figure: Bob holds Access Capability W1 on Service A and Access Capability A1 on photo341 at the «Share Your Pictures» Community Service (www.SYP.com). Under a pseudonym ("Bob Nym") he delegates a read-only capability A2 on that photo to the «High Quality Pictures» Printing Service (www.HQP.com); the authorizing capability A1 travels in encrypted form (Encrypt(Capab. A1)). Alice also appears as a user of the SYP service.]

Access Capability W1
Resource ID: Service A
Assigner ID: [email protected]
Assignee ID: [email protected]
Rights:
* Operation A1 (Delegable)
* Operation A2 (Delegable)
* ...
Since: dd1/mm1/yy1
Until: dd2/mm2/yy2
Auth. Capability: Root Capability
…
Assigner Signature: $%&@

Access Capability A1
Resource ID: http://www.SYP.com/photo341
Assigner ID: [email protected]
Assignee ID: [email protected]
Rights:
* HTTP GET (Delegable)
* HTTP PUT (Delegable)
* ...
…

Access Capability A2
Resource ID: http://www.SYP.com/photo341
Assigner ID: [email protected]
Assignee ID: [email protected]
Rights:
* HTTP GET
Since: dd1x/mm1x/yy1x
Until: dd2x/mm2x/yy2x
Auth. Capability: Encrypt(Capab. A1)
…
Assigner Signature: $%&@

Operation Request
Resource ID: http://www.SYP.com/photo341
Requester ID: [email protected]
Operation: HTTP GET
Requester Rights: Capability A2
…
Requester Signature: $%&@
[Slide 9] References and Contacts
• Papers and prototypes
IoT Forum paper "Access Control & IoT: Capability Based Authorization Access Control System"
FP7 IoT@Work project web site (http://www.iot-at-work.eu)
• Contact information
TXT e-solutions SpA
Domenico Rotondi: [email protected]
Thanks for your attention!
Questions?