WAVE: A Decentralized Authorization Framework with Transitive Delegation

Most deployed authorization systems rely on a central trusted service whose compromise can lead to the breach of millions of user accounts and permissions. We present WAVE, an authorization framework offering decentralized trust: no central service can modify or see permissions, and any participant can delegate a portion of their permissions autonomously. To achieve this goal, WAVE adopts an expressive authorization model, enforces it cryptographically, protects permissions via a novel encryption protocol while enabling discovery of permissions, and stores them in an untrusted scalable storage solution. WAVE offers performance competitive with traditional authorization systems relying on central trust. It is an open-source artifact and has been used for two years for controlling 800 IoT devices.
