2-levels Access control for HTTP binding
Group Name: WG4 (& WG2/WG3 for information)
Source: Shingo Fujimoto, FUJITSU, [email protected]
Date: 2014-03-05
Agenda Item: Access Control in protocol
© 2014 oneM2M Partners SEC-2014-0222-2-Levels_Access_Control
Introduction
• It is not yet clear how to implement the 2-levels access control introduced in the Architecture TS (ArchTS).
• This contribution proposes how 2 levels of access control can be implemented on HTTP, drawing on best practices found in the real world.
2-levels Access Control Model
[Figure: entities AE, Local CSE, IN-CSE and Hosting CSE; the AE reaches the Local CSE over the Mca reference point, and CSEs reach each other over Mcc. Two checks are shown: (1) check if AE is registered; (2) check if AE is authorized to access the resource.]
(High Level) Proposal
• Introduce a token-based access control mechanism for the HTTP protocol binding, alongside traditional password-based access control
• The OAuth2 specification should be considered as the solution for the access control mechanism in the HTTP protocol binding
[FYI] Access Control for HTTP
• Basic Authentication
  – Widely used to authenticate an identity with a pre-shared secret (= password)
• Bearer Authorization [RFC6750]
  – Widely used to carry access token data; works with OAuth2-based systems
Proposal on implementation
• The Local CSE will behave as a proxy server
• The AE will connect to the Local CSE and request a TLS connection to the targeted host by issuing the CONNECT method
• The targeted CSE may forward the request one hop further to the next CSE
• The credential used to pass the "is the AE registered" check is carried in the “Proxy-Authorization” header
[FYI] Communication Flow
Participants: AE, Local CSE, IN-CSE, hosting-CSE

Establish TLS session

  CONNECT m2m.example.com:443 HTTP/1.1
  Host: lcse.example.com
  Proxy-Authorization: <access_key>

  CONNECT incse.example.com:443 HTTP/1.1

  GET /cse3/foo/bar HTTP/1.1
  Host: m2m.example.com
  Authorization: Bearer <access_token>

  CONNECT hcse.example.com:443 HTTP/1.1

Requests over TLS connection
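The two checks that the proposal spreads over the Local CSE (proxy) and the hosting CSE can be modelled end to end. The block below is an added example written for this page, not code from the oneM2M contribution or any oneM2M implementation. It assumes, because the slides do not say, that the Proxy-Authorization credential uses the Basic scheme with a per-AE pre-shared key (the password-based mechanism from the [FYI] slide) and that the bearer token is an opaque string the hosting CSE maps to an AE identity and the resource paths it may read. The AE identities, keys, tokens and HTTP messages are all constructed sample data.

```python
"""Added example: a minimal model of the proposed 2-levels access control.

Level 1: the Local CSE, acting as an HTTP proxy, checks that the AE is
registered by validating Proxy-Authorization on the CONNECT request.
Level 2: the hosting CSE checks that the AE may access the resource by
validating the Authorization: Bearer token on the GET request.
Scheme choices (Basic for level 1, opaque bearer token for level 2) are
assumptions, not taken from the contribution.
"""
import base64
import hmac
from typing import Dict, FrozenSet, Optional, Tuple

# Constructed registry of registered AEs held by the Local CSE (level 1).
REGISTERED_AES: Dict[str, str] = {"ae-0001": "s3cret-key-0001"}

# Constructed token store held by the hosting CSE (level 2):
# token -> (AE identity, resource paths the AE may read).
TOKEN_STORE: Dict[str, Tuple[str, FrozenSet[str]]] = {
    "tok-abc123": ("ae-0001", frozenset({"/cse3/foo/bar"})),
}


def parse_request(raw: str) -> Tuple[str, str, Dict[str, str]]:
    """Parse the request line and headers of an HTTP/1.1 message.

    Returns (method, target, headers) with header names lower-cased;
    raises ValueError on a malformed request line.
    """
    lines = raw.strip().split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError("malformed request line: %r" % lines[0])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line:
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return parts[0], parts[1], headers


def _parse_basic(value: str) -> Optional[Tuple[str, str]]:
    """Decode 'Basic <base64(user:password)>'; None if not Basic or malformed."""
    scheme, _, param = value.partition(" ")
    if scheme.lower() != "basic" or not param:
        return None
    try:
        decoded = base64.b64decode(param, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def level1_check_registration(raw_connect: str) -> Tuple[int, Optional[str]]:
    """Local CSE: is the AE registered? 200 + AE id, else 407 (or 400)."""
    method, _target, headers = parse_request(raw_connect)
    if method != "CONNECT":
        return 400, None
    creds = _parse_basic(headers.get("proxy-authorization", ""))
    if creds is None:
        return 407, None  # Proxy Authentication Required
    ae_id, key = creds
    expected = REGISTERED_AES.get(ae_id)
    # Constant-time comparison so a wrong key is not distinguishable by timing.
    if expected is None or not hmac.compare_digest(expected.encode(), key.encode()):
        return 407, None
    return 200, ae_id


def level2_check_authorization(raw_get: str) -> int:
    """Hosting CSE: may this token read this resource? 200 / 401 / 403."""
    method, target, headers = parse_request(raw_get)
    scheme, _, token = headers.get("authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token or token not in TOKEN_STORE:
        return 401  # missing or unknown token
    _ae_id, allowed = TOKEN_STORE[token]
    if method != "GET" or target not in allowed:
        return 403  # valid token, but not for this resource/operation
    return 200


def two_level_flow(raw_connect: str, raw_get: str) -> Tuple[int, int]:
    """Run both checks in order; level 2 is only reached if level 1 passes."""
    status1, _ae = level1_check_registration(raw_connect)
    if status1 != 200:
        return status1, 0
    return status1, level2_check_authorization(raw_get)


# Constructed sample messages following the communication flow on the slide.
CONNECT_OK = (
    "CONNECT m2m.example.com:443 HTTP/1.1\r\nHost: lcse.example.com\r\n"
    "Proxy-Authorization: Basic "
    + base64.b64encode(b"ae-0001:s3cret-key-0001").decode() + "\r\n\r\n"
)
GET_OK = (
    "GET /cse3/foo/bar HTTP/1.1\r\nHost: m2m.example.com\r\n"
    "Authorization: Bearer tok-abc123\r\n\r\n"
)
GET_OTHER_RESOURCE = GET_OK.replace("/cse3/foo/bar", "/cse3/foo/baz")

if __name__ == "__main__":
    print(two_level_flow(CONNECT_OK, GET_OK))              # (200, 200)
    print(two_level_flow(CONNECT_OK, GET_OTHER_RESOURCE))  # (200, 403)
```

The split of responsibilities matters for detection as much as for enforcement: a 407 from the Local CSE means an unregistered or wrongly keyed AE never reached the hosting CSE, while a 401 or 403 at the hosting CSE means a registered AE presented a token that was unknown or did not cover the resource, so each level produces its own audit signal.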
Proposal
• WG4 members should consider the feasibility of the proposed solution for implementing 2-levels access control
• WG4 members should consider the APIs required to accommodate the proposed solution.