Macaroons: Cookies with Contextual Caveats for Decentralized Authorization in the Cloud

21st Annual Network and Distributed System Security Symposium, NDSS 2014

Volumn , Issue , 2014, Pages

  Birgisson, Arnar ^a   Politz, Joe Gibbs ^b   Erlingsson, Úlfar ^c   Taly, Ankur ^c   Vrable, Michael ^c   Lentczner, Mark ^c  

^a CHALMERS UNIVERSITY OF TECHNOLOGY   (Sweden)

^b BROWN UNIVERSITY   (United States)

^c GOOGLE INC   (United States)

Author keywords

[No Author keywords available]

Indexed keywords

COMPUTATION THEORY; NETWORK SECURITY;

CLOUD SERVICES; CONTROLLED SHARING; CREDENTIAL SYSTEMS; CRYPTOGRAPHICS; DECENTRALISED; DECENTRALIZED AUTHORIZATION; DISTRIBUTED SYSTEMS; SIMPLE++; SPKI/SDSI; TARGET SERVICES;

AUTHORIZATION;

EID: 85180628981     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.14722/ndss/2014.23212     Document Type: Conference Paper

References (54)

1. M. Abadi, “Variations in access control logic,” in Intl. Conf. on Deontic Logic in Computer Science, 2008.
2. M. Abadi, M. Burrows, B. W. Lampson, and G. D. Plotkin, “A calculus for access control in distributed systems,” ACM Trans. Programming Languages and Systems, vol. 15, no. 4, 1993.
3. M. Aguilera, M. Ji, M. Lillibridge, J. MacCormick, E. Oertli, D. Andersen, M. Burrows, T. Mann, and C. Thekkath, “Block-level security for network-attached disks,” in USENIX Conf. on File and Storage Technologies, (FAST), 2003.
4. D. Akhawe, A. Barth, P. E. Lam, J. Mitchell, and D. Song, “Towards a formal foundation of Web security,” in IEEE Computer Security Foundations (CSF), 2010.
5. Amazon Inc., “Example cases for Amazon S3 Bucket Policies,” 2013, http://docs.aws.amazon.com/AmazonS3/latest/dev/AccessPolicyLanguage_UseCases_s3_a.html.
6. A. W. Appel and E. W. Felten, “Proof-carrying authentication,” in ACM Computer and Communications Security (CCS)). ACM, 1999.
7. D. Balfanz and R. Hamilton, “Transport layer security (TLS) Channel IDs,” IETF Draft, 2013, http://tools.ietf.org/html/draft-balfanz-tlschannelid.
8. C. Bansal, K. Bhargavan, and S. Maffeis, “Discovering concrete attacks on website authorization by formal analysis,” in IEEE Computer Security Foundations (CSF), 2012.
9. M. Y. Becker, C. Fournet, and A. D. Gordon, “SecPAL: Design and semantics of a decentralized authorization language,” Journal of Computer Security, vol. 18, no. 4, 2010.
10. B. Blanchet, “Automatic verification of correspondences for security protocols,” Journal of Computer Security, vol. 17, no. 4, 2009.
11. M. Blaze, J. Feigenbaum, and J. Lacy, “Decentralized trust management,” in IEEE Symp. on Security & Privacy, 1996.
12. N. Borisov and E. A. Brewer, “Active certificates: A framework for delegation,” in Network and Distributed Systems Security Symp. (NDSS), 2002.
13. J. Bradley, P. Hunt, T. Nadalin, and H. Tschofenig, “The OAuth 2.0 authorization framework: Holder-of-the-key token usage,” IETF Draft, http://tools.ietf.org/html/draft-tschofenig-oauth-hotk.
14. E. Carl Ellison, “SPKI certificate theory,” IETF RFC 2693 (Experimental), 1999, http://www.ietf.org/rfc/rfc2693.txt.
15. D. D. Clark and D. R. Wilson, “A comparison of commercial and military computer security policies.” in IEEE Symp. on Security & Privacy, 1987.
16. D. Clarke, J.-E. Elien, C. Ellison, M. Fredette, A. Morcos, and R. L. Rivest, “Certificate chain discovery in SPKI/SDSI,” Journal of Computer Security, vol. 9, no. 4, 2002.
17. E. D. Hardt, “The OAuth 2.0 Authorization Framework,” IETF RFC 6749 (Informational), 2012, http://tools.ietf.org/html/rfc6749.
18. D. Davis and R. R. Swick, “Network security via private-key certificates,” Operating Systems Review, vol. 24, no. 4, 1990.
19. J. DeTreville, “Binder, a logic-based security language,” in IEEE Symp. on Security & Privacy, 2002.
20. T. Dierks and E. Rescola, “The Transport Layer Security (TLS) Protocol,” IETF RFC 5246 (Standards track), 2008, http://www.ietf.org/rfc/rfc5246.txt.
21. M. Dietz, A. Czeskis, D. Balfanz, and D. S. Wallach, “Origin-bound certificates: A fresh approach to strong client authentication for the web,” in Proc. USENIX Security, 2012.
22. I. T. Foster, C. Kesselman, G. Tsudik, and S. Tuecke, “A security architecture for computational grids,” in ACM Computer and Communications Security (CCS)), 1998.
23. Y. Fu, J. Chase, B. Chun, S. Schwab, and A. Vahdat, “Sharp: An architecture for secure resource peering,” in Symp. on Operating Systems Principles (SOSP), 2003.
24. M. Gasser and E. McDermott, “An architecture for practical delegation in a distributed system,” in IEEE Symp. on Security & Privacy, 1990.
25. H. Gobioff, “Security for a high performance commodity storage subsystem,” Ph.D. dissertation, Carnegie Mellon University, 1999.
26. L. Gong, “A secure identity-based capability system,” in IEEE Symp. on Security & Privacy, 1989.
27. Google Inc., “Belay research project,” 2012, https://code.google.com/p/google-belay/.
28. Google Inc., “YouTube video privacy settings,” 2013, http://support.google.com/youtube/bin/answer.py?hl=en&answer=157177.
29. E. Grosse and M. Upadhyay, “Authentication at scale,” IEEE Security & Privacy Magazine, vol. 11, no. 1, 2013.
30. P. Hallam-Baker, C. Kaler, R. Monzillo, and A. Nadalin, “Web Services Security: SAML Token Profile,” OASIS, 2004, http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0.pdf.
31. E. Hammer-Lahav, A. Barth, and B. Adida, “HTTP authentication: MAC access authentication,” IETF Draft, http://tools.ietf.org/html/draft-hammer-oauth-v2-mac-token.
32. M. A. Harrison, W. L. Ruzzo, and J. D. Ullman, “Protection in operating systems,” Comm. of the ACM (CACM), vol. 19, no. 8, 1976.
33. J. Howell and D. Kotz, “An access-control calculus for spanning administrative domains,” Dartmouth College, Tech. Rep., 1999.
34. J. Howell and D. Kotz, “A formal semantics for SPKI,” in European Symp. on Research in Computer Security, 2000.
35. B. W. Lampson, “Protection,” Operating Systems Review, vol. 8, no. 1, 1974.
36. B. W. Lampson, M. Abadi, M. Burrows, and E. Wobber, “Authentication in distributed systems: Theory and practice,” ACM Trans. on Computer Systems, vol. 10, no. 4, 1992.
37. C. Lesniewski-Laas, B. Ford, J. Strauss, R. Morris, and M. F. Kaashoek, “Alpaca: Extensible authorization for distributed services,” in ACM Computer and Communications Security (CCS)), 2007.
38. N. Li and C. Mitchell, “Understanding SPKI/SDSI using first-order logic,” Intl. Journal of Inf. Security, vol. 5, no. 1, 2006.
39. T. Lodderstedt, M. McGloin, and P. Hunt, “OAuth 2.0 Threat Model and Security Considerations,” IETF RFC 6819 (Informational), 2013, http://www.ietf.org/rfc/rfc6819.txt.
40. A. López-Alt, “Cryptographic security of macaroon authorization credentials,” New York University, Tech. Rep. TR2013-962, 2013, http://cs.nyu.edu/web/Research/TechReports/TR2013-962/TR2013-962.pdf.
41. Mozilla, “BrowserID specification,” https://github.com/mozilla/id-specs/blob/prod/browserid/index.md.
42. National Institute of Standards and Technology, “FIPS PUB 198-1: The keyed-hash message authentication code (HMAC),” 2008. [Online]. Available: http://csrc.nist.gov/publications/fips/fips198-1/FIPS198-1_final.pdf
43. B. C. Neuman, “Proxy-based authorization and accounting for distributed systems,” in Conf. on Distributed Computing Systems, 1993.
44. A. Project, “Automated validation of Internet security protocols and applications,” http://avispa-project.org/.
45. D. D. Redell, “Naming and protection in extendable operating systems,” Ph.D. dissertation, Massachusetts Institute of Technology, 1974.
46. E. S. Tuecke, “Internet X.509 public key infrastructure (PKI) proxy certificate profile,” IETF RFC 3820 (Standards track), 2004. [Online]. Available: http://www.ietf.org/rfc/rfc3820.txt
47. F. B. Schneider, “Untitled Textbook on Cybersecurity. Chapter 9: Credentials-based authorization,” 2013, http://www.cs.cornell.edu/fbs/publications/chptr.CredsBased.pdf.
48. E. Stark, M. Hamburg, and D. Boneh, “Stanford JavaScript crypto library,” 2013, http://crypto.stanford.edu/sjcl/.
49. S.-T. Sun and K. Beznosov, “The Devil is in the (Implementation) Details: An Empirical Analysis of OAuth SSO Systems,” in ACM Computer and Communications Security (CCS)), 2012.
50. A. Tanenbaum, M. Kaashoek, R. van Renesse, and H. Bal, “The amoeba distributed operating system–a status report,” Computer communications, vol. 14, no. 6, 1991.
51. R. van Renesse, H. D. Johansen, N. Naigaonkar, and D. Johansen, “Secure abstraction with code capabilities,” in Intl. Conf. on Parallel, Distributed, and Network-Based Processing, 2013.
52. E. Wobber, M. Abadi, M. Burrows, and B. Lampson, “Authentication in the Taos operating system,” ACM Trans. on Computer Systems, vol. 12, no. 1, 1994.
53. M. Zalewski, The tangled Web: A guide to securing modern web applications. No Starch Press, 2011.
54. ZDNet: Between the Lines, “Dropbox adds Facebook sharing,” 2012, http://www.zdnet.com/facebook-gets-involved-with-cloud-storage-viadropbox-integration-7000004861/.