Idea of Capability-Based Access Control


Hi there,

searching for implementation details of access control systems, I came across the topic of capability-based access control and wonder if this could be implemented via WAMP (especially with Crossbar).

Especially in the IoT area with many RPC calls and limited I/O and processing power, capabilities should have clear advantages over ACLs, because not every call requires the ACL to be searched. Only a capability validation might be necessary or useful.

What is a capability?

"…a capability (known in some systems as a key) is a communicable, unforgeable token of authority. It refers to a value that references an object along with an associated set of access rights" (http://en.wikipedia.org/wiki/Capability-based_security).

The (basic) implementation idea:

Initial situation:

  • Components: user Alice, component Authorizer
  • All components have an asymmetric key pair.
  • RPC to query the capabilities of Alice
  • User Alice is logged into the router via WAMP-CRA
  • File (File X) exists under the path /tmp/filex
  • simple ACL

| user  | file       | rights |
|-------|------------|--------|
| alice | /tmp/filex | read   |

Scenario: Reading content of File X by Alice

  • Alice asks for her capabilities via RPC.
  • The authorizer uses the ACL to create a capability as a JWT with the following payload:

    {
        "owner": "alice",
        "file": "/tmp/filex",
        "right": "read"
    }

  • The authorizer signs the CapJWT with its own private key.
  • The authorizer registers an RPC with the name of the CapJWT, which supplies the contents of File X.
  • The authorizer sends the CapJWT to Alice.
  • Alice validates the CapJWT with the public key of the authorizer.
  • Alice calls the CapJWT RPC.
  • The authorizer validates the URI of the RPC and thus the CapJWT.
  • The authorizer compares the owner attribute of the CapJWT with the user id of Alice's RPC call.
  • The authorizer grants the right to use the RPC (or declines if the ids are different).
  • The CapJWT RPC delivers the contents of File X to Alice.

Would this be a valid implementation of capability-based access control, or are there obvious errors?

I'm happy about your feedback. :slight_smile:

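The flow sketched in the post, as an added stand-alone example that is not part of the original post and not Crossbar or Autobahn code: the authorizer consults the ACL once at issue time, mints the `{owner, file, right}` payload as a JWT signed with an Ed25519 private key (standing in for the post's unspecified asymmetric key pair), records the token as a "registered RPC name", and on every call verifies the signature, checks expiry, and compares the token's `owner` with the authenticated caller id that the router would supply after WAMP-CRA. The `exp` claim, the 300-second lifetime, the in-memory `files` map and the `registry` map are assumptions added for the example; real WAMP registration and the WAMP session id are simulated by plain function calls.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// CapClaims is the capability payload from the post; "exp" is an added
// assumption so that a leaked token stops working on its own.
type CapClaims struct {
	Owner string `json:"owner"`
	File  string `json:"file"`
	Right string `json:"right"`
	Exp   int64  `json:"exp"`
}

// Authorizer owns the signing key, the ACL it consults only at issue time,
// and the set of capability tokens it has "registered" as RPC names.
type Authorizer struct {
	priv     ed25519.PrivateKey
	Pub      ed25519.PublicKey
	acl      map[string]map[string]string // user -> file -> right
	registry map[string]CapClaims         // token (RPC name) -> claims
}

func NewAuthorizer(acl map[string]map[string]string) (*Authorizer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authorizer{priv: priv, Pub: pub, acl: acl, registry: map[string]CapClaims{}}, nil
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// IssueCapability is the "Alice asks for her capabilities" step: look up the
// ACL once, sign the claims as a JWT (EdDSA header), register the token.
func (a *Authorizer) IssueCapability(user, file string, now int64) (string, error) {
	right, ok := a.acl[user][file]
	if !ok {
		return "", errors.New("no ACL entry, no capability issued")
	}
	claims := CapClaims{Owner: user, File: file, Right: right, Exp: now + 300}
	header, _ := json.Marshal(map[string]string{"alg": "EdDSA", "typ": "JWT"})
	payload, _ := json.Marshal(claims)
	signingInput := b64(header) + "." + b64(payload)
	token := signingInput + "." + b64(ed25519.Sign(a.priv, []byte(signingInput)))
	a.registry[token] = claims
	return token, nil
}

// VerifyToken checks signature and expiry. Alice runs it with the authorizer's
// public key before calling; the authorizer runs it again on every call. The
// "alg" header is deliberately never consulted: the key type fixes the algorithm.
func VerifyToken(token string, pub ed25519.PublicKey, now int64) (CapClaims, error) {
	var claims CapClaims
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return claims, errors.New("malformed token")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || !ed25519.Verify(pub, []byte(parts[0]+"."+parts[1]), sig) {
		return claims, errors.New("bad signature")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil || json.Unmarshal(payload, &claims) != nil {
		return claims, errors.New("bad payload")
	}
	if now >= claims.Exp {
		return claims, errors.New("capability expired")
	}
	return claims, nil
}

// Invoke models a call to the capability RPC. callerID is the identity the
// router authenticated (WAMP-CRA in the post), never anything from the token.
func (a *Authorizer) Invoke(token, callerID string, now int64, files map[string]string) (string, error) {
	if _, registered := a.registry[token]; !registered {
		return "", errors.New("unknown capability URI")
	}
	claims, err := VerifyToken(token, a.Pub, now)
	if err != nil {
		return "", err
	}
	if claims.Owner != callerID {
		return "", fmt.Errorf("capability owned by %q, caller is %q", claims.Owner, callerID)
	}
	if claims.Right != "read" {
		return "", errors.New("capability does not grant read")
	}
	content, ok := files[claims.File]
	if !ok {
		return "", errors.New("file not found")
	}
	return content, nil
}

func main() {
	acl := map[string]map[string]string{"alice": {"/tmp/filex": "read"}}
	files := map[string]string{"/tmp/filex": "hello from File X"} // constructed stand-in for the file system
	auth, _ := NewAuthorizer(acl)
	tok, _ := auth.IssueCapability("alice", "/tmp/filex", 1000)
	fmt.Println(auth.Invoke(tok, "alice", 1001, files)) // content, nil
	fmt.Println(auth.Invoke(tok, "bob", 1001, files))   // "", owner mismatch
}
```

Two points the example makes concrete for the question asked: the ACL is touched only in `IssueCapability`, so the per-call cost in `Invoke` is one signature verification plus a map lookup; and the owner check works only because `callerID` comes from the router's authenticated session rather than from the token, which is what keeps a token that leaks to another session from being usable by it.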