1. Authorization Aspects of the Distributed Dataflow-oriented IoT Framework Calvin
Master’s Thesis
Tomas Nilsson
June 8, 2016
Tomas Nilsson Authorization Aspects of the IoT Framework Calvin 1 / 20
2. Presentation Outline
Introduction to Calvin
Authorization Considerations
Aims and challenges for this master’s thesis work
Authorization in Calvin
What have I implemented?
Demo
3. Calvin – Distributed Cloud for IoT
Open-source framework developed by Ericsson Research
Simplify development of distributed applications combining IoT and cloud computing
Execute different parts of the application on different devices
Migrate to other devices without interrupting execution
Calvin runtime handles data transport, message parsing, scheduling, etc.
4. Calvin – Applications and Actors
Dataflow programming methodology
Actors perform certain tasks
Application defines how data flows between actors
[Figure: an actor, with in and out ports, an action, state, and requirements]
Application example (three actors connected through their ports):
  button (io.GPIOReader) .state  ->  camera (media.Camera) .trigger
  camera (media.Camera) .image   ->  screen (media.ImageRenderer) .image
6. Calvin – Migration, Capabilities, and Requirements
Before migration:
[Figure: Runtime 1 has capabilities A and B, Runtime 2 has capabilities B and C. Actor 1 requires B and C, Actor 2 requires A, Actor 3 requires C. Runtimes advertise capabilities and attributes; actors carry requirements.]
7. Calvin – Migration, Capabilities, and Requirements
After migration:
[Figure: the same two runtimes and three actors. Actor 2 (requires A), Actor 1 (requires B, C) and Actor 3 (requires C) are now placed so that each runtime's capabilities cover the requirements of the actors it hosts.]
8. Aims and Challenges for this thesis work
Implement authorization of applications/actors in Calvin
Desired Functionality:
Fine-grained authorization decisions on access to resources offered by a runtime
Adaptable to different environments
Usable as input for migration decisions in Calvin
Challenges
Dynamic distributed execution model
Not all runtimes are known when execution starts
10. Attribute-Based Access Control (ABAC)
Evaluate policy rules against attributes
Subject attributes
Resource attributes
Action attributes
Environment attributes
Flexible and fine-grained access control
XACML – XML-based ABAC standard
Who? What? When? Where? Why? How?
11. Adaptable to Constrained Devices
Compact message and policy formats
JSON instead of XML
Flexibility important
Local authorization – minimize network traffic
External authorization – minimize storage or processing power needs
12. Authorization Flow
Components: Policy Administration Point (PAP), Policy Enforcement Point (PEP), Policy Decision Point (PDP), Policy Information Point (PIP), Policy Retrieval Point (PRP)
1. Access required: the user, application or actor requests access at the PEP
2. Authorization request: PEP -> PDP
3. Retrieve policies: PDP -> PRP
4a. Evaluate policies (PDP)
4b. Retrieve additional attributes: PDP -> PIP, which fetches data from different sources
5. Authorization decision: PDP -> PEP
6. Access permitted/denied: PEP -> user, application or actor
The PAP is used to manage the policies.
13. Authorization Request
Request sent by the Policy Enforcement Point to the Policy Decision Point to check if access should be granted to an actor:
{
  "subject": {
    "first_name": "Tomas",
    "last_name": "Nilsson",
    "actor_signer": "Ericsson"
  },
  "action": {
    "requires": ["runtime", "calvinsys.events.timer"]
  },
  "resource": {
    "node_id": "a77c0687-dce8-496f-8d81-571333be6116"
  }
}
14. Authorization Response
Response from the Policy Decision Point to the Policy Enforcement Point. Contains the authorization decision and the constraints (obligations) under which the decision is valid:
{
  "decision": "permit",
  "obligations": [
    {
      "id": "time_range",
      "attributes": {
        "start_time": "09:00",
        "end_time": "17:00"
      }
    }
  ]
}
15. Find Matching Policies
Use the policy target to determine to which requests a policy applies
Examples:
first name must be Tomas or Gustav:
{"first_name": ["Tomas", "Gustav"]}
email must end with @ericsson.com:
{"email": ".*@ericsson.com"}
16. Evaluate Policies
Evaluate the complete policy if the policy target matches the request
Rules with conditions are evaluated to get a policy decision
The following functions can be used in a condition: ==, <=, >=, !=, AND, OR
Combining algorithms are used to combine decisions if multiple policies match the request:
Permit overrides
Deny overrides
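The request, response, target and combining-algorithm slides above describe a small Policy Decision Point. The Python below is an added example written for this page, not code from the thesis or from the Calvin project: it evaluates the slide's request against two constructed policies and returns a response in the slide's decision-plus-obligations shape. The policy layout (target, rules with effect, condition and obligations, a combining algorithm), the dotted attribute names and the default-deny when no policy applies are assumptions, since the deck does not show its policy format. Targets follow the "Find Matching Policies" slide, except that the regex is applied as a full match with the dot escaped: the slide's pattern `.*@ericsson.com`, used as a prefix match, also accepts x@ericsson.com.evil.org.

```python
# Added example (not code from the thesis or from Calvin): a minimal Policy
# Decision Point for the JSON request on the slides. Policy layout, dotted
# attribute names and the default-deny fallback are assumptions.
import re

# Functions a rule condition may use, as listed on the "Evaluate Policies" slide.
FUNCTIONS = {"==": lambda a, b: a == b, "!=": lambda a, b: a != b,
             "<=": lambda a, b: a <= b, ">=": lambda a, b: a >= b,
             "AND": lambda *a: all(a), "OR": lambda *a: any(a)}

def flatten(request: dict) -> dict:
    """{"subject": {"first_name": "Tomas"}} -> {"subject.first_name": "Tomas"}."""
    return {f"{cat}.{name}": value
            for cat, attrs in request.items() for name, value in attrs.items()}

def target_matches(target: dict, attrs: dict) -> bool:
    """Target as on the "Find Matching Policies" slide: a list means "one of these
    values", a string is a regex. fullmatch (not re.match) makes ".*@ericsson\\.com"
    mean "ends with"; a prefix match would also accept x@ericsson.com.evil.org."""
    for key, allowed in target.items():
        if key not in attrs:
            return False  # a missing attribute never matches
        values = attrs[key] if isinstance(attrs[key], list) else [attrs[key]]
        if isinstance(allowed, list):
            hit = any(v in allowed for v in values)
        else:
            hit = any(isinstance(v, str) and re.fullmatch(allowed, v) for v in values)
        if not hit:
            return False
    return True

def evaluate(expr, attrs: dict):
    """Condition tree: {"attr": "subject.age"} reads an attribute, {"function": "<=",
    "args": [...]} applies one of FUNCTIONS, anything else is a literal."""
    if isinstance(expr, dict) and "attr" in expr:
        return attrs.get(expr["attr"])
    if isinstance(expr, dict) and "function" in expr:
        args = [evaluate(a, attrs) for a in expr["args"]]
        if None in args and expr["function"] in ("<=", ">="):
            return False  # a missing attribute cannot be ordered: condition not met
        return FUNCTIONS[expr["function"]](*args)
    return expr

def combine(decisions: list, algorithm: str) -> str:
    """permit_overrides: one permit wins; deny_overrides: one deny wins."""
    applicable = [d for d in decisions if d != "not_applicable"]
    if not applicable:
        return "not_applicable"
    winner = "permit" if algorithm == "permit_overrides" else "deny"
    return winner if winner in applicable else applicable[0]

def evaluate_policy(policy: dict, attrs: dict):
    """The complete policy is evaluated only if its target matches the request."""
    if not target_matches(policy.get("target", {}), attrs):
        return "not_applicable", []
    decisions, pending = [], []
    for rule in policy["rules"]:
        if evaluate(rule.get("condition", True), attrs) is True:
            decisions.append(rule["effect"])
            pending.append((rule["effect"], rule.get("obligations", [])))
        else:
            decisions.append("not_applicable")
    decision = combine(decisions, policy.get("combining", "deny_overrides"))
    return decision, [o for eff, obs in pending for o in obs if eff == decision]

def decide(request: dict, policies: list, algorithm: str = "deny_overrides") -> dict:
    """Response as on the slides: decision plus obligations. No applicable policy -> deny."""
    attrs = flatten(request)
    results = [evaluate_policy(p, attrs) for p in policies]
    decision = combine([d for d, _ in results], algorithm)
    if decision == "not_applicable":
        return {"decision": "deny", "obligations": []}
    return {"decision": decision,
            "obligations": [o for d, obs in results if d == decision for o in obs]}

# Request taken from the "Authorization Request" slide.
REQUEST = {
    "subject": {"first_name": "Tomas", "last_name": "Nilsson", "actor_signer": "Ericsson"},
    "action": {"requires": ["runtime", "calvinsys.events.timer"]},
    "resource": {"node_id": "a77c0687-dce8-496f-8d81-571333be6116"},
}

# Constructed policies in the assumed layout.
POLICIES = [
    {"id": "timer_for_ericsson_actors",  # office-hours timer access for Ericsson-signed actors
     "target": {"subject.actor_signer": ["Ericsson"], "action.requires": ["calvinsys.events.timer"]},
     "combining": "deny_overrides",
     "rules": [
         {"effect": "permit",
          "condition": {"function": "==", "args": [{"attr": "subject.last_name"}, "Nilsson"]},
          "obligations": [{"id": "time_range", "attributes": {"start_time": "09:00", "end_time": "17:00"}}]},
         {"effect": "deny",
          "condition": {"function": "!=", "args": [{"attr": "subject.first_name"}, "Tomas"]}}]},
    {"id": "ericsson_mail",  # escaped dot, unlike the slide's pattern
     "target": {"subject.email": r".*@ericsson\.com"},
     "rules": [{"effect": "permit"}]},
]
```

`decide(REQUEST, POLICIES)` permits with the time_range obligation; the PEP must still enforce that obligation, the PDP only states it. The deny rule shows why the combining algorithm matters: a request for "Gustav Nilsson" satisfies both rules of the first policy and ends as deny under deny-overrides but would be permit under permit-overrides.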
18. JSON Web Token for External Authorization
Signed JSON Web Tokens (JWT) are used to secure the information exchange when the Policy Decision Point is external
A JWT has three parts, header, payload and signature, each base64url-encoded and joined with '.'
Header:
{
  "typ": "JWT",
  "alg": "ES256"
}
ES256 = ECDSA (Elliptic Curve Digital Signature Algorithm) with the P-256 curve and the SHA-256 hash algorithm (RFC 7518)
Payload:
{
iss: ID of runtime that creates JWT,
sub: ID of actor that the response applies to,
aud: ID of runtime to which the JWT is intended,
iat: the time at which the JWT was issued,
exp: the expiration time for the JWT,
response: the authorization response
}
Signature:
The digital signature over the concatenation of the base64url-encoded header and the base64url-encoded payload (separated by '.')
Signed using the private key of the runtime that creates the JWT
21. Smart Migration
Setup: Runtime 1 (RT1) hosts the Camera actor and uses the PDP on Runtime 2 (RT2); Runtime 4 (RT4) uses the PDP on Runtime 3 (RT3).
1. Access denied for Camera on Runtime 1 at 17:00 (decision from the PDP on RT2)
2. Get possible migration destinations from global storage: RT2 (PDP on RT2), RT4 (PDP on RT3)
3. Authorization search request to the PDP on RT2, signed by Runtime 1
4. Reply: no runtimes where access is permitted
5. New authorization search request to the PDP on RT3, signed by Runtime 1
6. Reply: access permitted for Camera on Runtime 4, signed by Runtime 3
7. Migrate the Camera actor to Runtime 4 and include the access decision (signed by Runtime 3) in the migration
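The JWT slides above and step 7 of Smart Migration call for the same check: the access decision signed by Runtime 3 travels with the migrated actor to Runtime 4, and the receiving runtime must verify the signature against an issuer it trusts, check that aud names itself and that the token is within its iat/exp window. The Python below is an added example for this page, not code from the thesis or from Calvin. It swaps the deck's ES256 (ECDSA P-256 with SHA-256), which needs a third-party library, for HMAC-SHA256 so that it runs with the standard library alone; the header.payload.signature structure and the claim checks are the same, but with HMAC the verifier holds a shared secret where the ES256 design uses the issuer's public key. Runtime IDs, the key, the timestamp and the actor ID are constructed.

```python
# Added example (not code from the thesis or from Calvin): a compact JWT carrying
# an authorization response from an external PDP, and the checks the receiving
# runtime must perform. Stand-in: ES256 (ECDSA P-256 / SHA-256) needs a crypto
# library, so the signature here is HMAC-SHA256 (HS256). Structure and claim
# checks are the same as for ES256. IDs, keys and times below are constructed.
import base64
import hashlib
import hmac
import json

ALG = "HS256"  # pinned by the verifier; the thesis uses ES256

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def encode_part(obj: dict) -> str:
    return b64url(json.dumps(obj, separators=(",", ":")).encode())

def sign(key: bytes, signing_input: str) -> bytes:
    return hmac.new(key, signing_input.encode(), hashlib.sha256).digest()

def create_jwt(key: bytes, iss: str, sub: str, aud: str, response: dict,
               now: int, ttl: int = 300) -> str:
    """Issued by the runtime hosting the PDP (iss) about actor sub, addressed to
    the runtime aud that will enforce the decision."""
    header = {"typ": "JWT", "alg": ALG}
    payload = {"iss": iss, "sub": sub, "aud": aud, "iat": now, "exp": now + ttl,
               "response": response}
    signing_input = encode_part(header) + "." + encode_part(payload)
    return signing_input + "." + b64url(sign(key, signing_input))

def verify_jwt(token: str, trusted_keys: dict, my_id: str, now: int) -> dict:
    """Return the payload if the token is valid for *this* runtime, else raise
    ValueError. trusted_keys maps issuer runtime ID -> verification key (with
    ES256 that would be the issuer's public key)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header = json.loads(b64url_decode(parts[0]))
    if header.get("alg") != ALG:  # never let the token pick the algorithm ("none", downgrade)
        raise ValueError("unexpected alg")
    payload = json.loads(b64url_decode(parts[1]))
    key = trusted_keys.get(payload.get("iss"))
    if key is None:
        raise ValueError("issuer is not a trusted PDP runtime")
    if not hmac.compare_digest(sign(key, parts[0] + "." + parts[1]), b64url_decode(parts[2])):
        raise ValueError("bad signature")
    if payload.get("aud") != my_id:  # a permit addressed to RT4 must not work on RT2
        raise ValueError("token not intended for this runtime")
    if not payload.get("iat", 0) <= now < payload.get("exp", 0):
        raise ValueError("token expired or not yet valid")
    return payload

def accept(token: str, trusted_keys: dict, my_id: str, now: int):
    """(decision, reason); decision is None when the token is rejected."""
    try:
        return verify_jwt(token, trusted_keys, my_id, now)["response"]["decision"], "ok"
    except ValueError as exc:
        return None, str(exc)

def tampered(token: str, **changes) -> str:
    """Change payload claims but keep the old signature: what an attacker
    without the issuer's key can do."""
    head, body, sig = token.split(".")
    payload = json.loads(b64url_decode(body))
    payload.update(changes)
    return head + "." + encode_part(payload) + "." + sig

# Smart-migration scenario: the PDP on RT3 permits the Camera actor on RT4 and
# RT1 forwards that decision with the migrated actor; RT4 verifies it.
RT3_KEY = b"constructed-key-known-to-rt3-and-its-verifiers"
TRUSTED = {"RT3": RT3_KEY}
NOW = 1465372800  # 2016-06-08 08:00:00 UTC, constructed
PERMIT = {"decision": "permit", "obligations": [
    {"id": "time_range", "attributes": {"start_time": "09:00", "end_time": "17:00"}}]}
TOKEN = create_jwt(RT3_KEY, iss="RT3", sub="camera-actor", aud="RT4", response=PERMIT, now=NOW)

if __name__ == "__main__":
    print(accept(TOKEN, TRUSTED, "RT4", NOW))  # ('permit', 'ok')
    print(accept(TOKEN, TRUSTED, "RT2", NOW))  # (None, 'token not intended for this runtime')
```

The order of checks is deliberate: the algorithm is pinned before anything is trusted from the header, the signature is verified before any claim is read as authoritative, and only then are aud and the time window checked. A verifier that takes alg from the token, or skips the aud check, lets a permit issued for one runtime be replayed on another, which is exactly the property the signed decision in step 7 is meant to prevent.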
28. Conclusion
All aims achieved
The following combination is highly suitable for dynamic distributed execution models:
Attribute-Based Access Control – enables flexibility and fine-grained decisions
JSON-based messages and policies – lightweight and compact
29. Demo – Available Runtimes
[Figure: three Calvin runtimes named laptop, entrance and secret_room; two of them show a Camera and the address Testvägen 1, Lund, Sweden]
30. Demo – Application and Deployment Requirements
[Figure: the demo application and its deployment requirements; only fragments are legible ("trigge", "std.Cons", "Name", "laptop")]
User attributes:
{
  "first_name": "Tomas",
  "last_name": "Nilsson",
  "age": 24,
  "organization": "Ericsson",
  "group": "Security"
}
32. Demo – Authorization Policies
Secret room:
Permit camera access if subject belongs to group Security
Only between 08:00 and 10:XX
Entrance:
Permit camera access if subject belongs to group Security
Only between 08:00 and 18:00