
Post on 11-Jan-2022


Page 1: An OAuth-Based Authorization Remote Collaboration Systems
Page 2

An OAuth-Based Authorization Framework for Access Control in Remote Collaboration Systems

Srikanth Jonnada, Ram Dantu, Pradhumna Shrestha, Ishan Ranasinghe, Logan Widick

Page 3

Outline
• Introduction
• CARE
• Access Control Authorization
• Conclusion

Page 4

Introduction
• With advancements in technology, the complexity of, and our dependency on, the things around us have drastically increased.
• The physical world needs the actual presence of an expert at the location to analyze, troubleshoot and fix the problem, or even to provide the required inventory.
• We need novel solutions to support the increased demand for experts.

Page 5

Introduction
• We developed a remote collaboration system (CARE) to solve these problems.
• This system is accessed over the Internet and is thus prone to abuse.
• We developed a framework to protect the consumers’ security and privacy.

Page 6

Definitions
▪ Worker
  ▪ A person executing physical tasks on-site who needs expert assistance to complete these tasks.
▪ Helper
  ▪ A remotely located expert that can guide the worker on how to perform the physical tasks.

[Figure: remote helper and worker]

Page 7

Definitions
▪ Identification
  ▪ A user claims an identity of some sort.
▪ Authentication
  ▪ A user proves control over the identity.
▪ Authorization
  ▪ Indicates what a user can and can’t do once authenticated.

Page 8

Definitions
▪ Internet of Things (IoT)
  ▪ Connecting electronic things (that were previously not connected to anything at all) to the Internet and to each other
  ▪ Can be:
    ▪ Input-enabled (has one or more traditional input devices), such as a smart thermostat (touchscreen)
    ▪ Input-constrained (no keyboards, touchscreens, mice, or other traditional input devices), such as a smart meter

Page 9

Outline
• Introduction
• CARE
• Access Control Authorization
• Conclusion

Page 10

CARE
• A Collaborative Appliance for REmote-help (CARE), equipped with multiple sensors, is developed to facilitate remote collaboration over physical tasks.

Page 11

Remote assistance with CARE

[Figure: helper dashboard and worker’s environment]

Figure 2: View of the remote helper through CARE. The worker unscrewing a screw using a screwdriver with instruction from the remote helper.

Page 12

Outline
• Introduction
• CARE
• Access Control Authorization
• Conclusion

Page 13

Introduction
• The CARE device is designed to be remotely controlled by a helper over the Internet.
  – This device preserves the privacy of the worker only if a helper can:
    • Access only the resources required to assist with the task
    • Use the resources only for the amount of time required to assist with the task
    • Access resources only with the consent of the resource owner
  – This device can endanger the worker’s security, privacy, and/or safety otherwise

Page 14

Attack examples
• Use sensors (e.g. webcam and microphone) to:
  – Eavesdrop on the worker (privacy)
  – Steal sensitive information from the worker’s environment and information stored on the device (confidentiality part of security)
• Misuse gestures and/or the mobility of the device to cause damage to people, data, or things (safety and security)
• We need a dynamic access control mechanism for input-constrained devices which can be utilized even by technically naïve users.

Page 15

Existing work
• Access Control Lists, Role-Based Access Control, Attribute-Based Access Control
  • Designed for centralized environments
  • Policy-driven
  • Not suitable for CARE
    – Configuring user accounts and policies for every new helper is not practical.
    – Resource owners are technically naïve.
    – Not dynamic

Page 16

Existing work
• Open Authorization (OAuth)
  – Designed to allow third-party clients to obtain limited access to resources on behalf of the resource owner
    • Resource owner: the entity that owns the resource (e.g. the owner of a file; the worker that owns a CARE device)
    • Client: the third party (e.g. a mobile app for working with pictures on a Google Images account; a CARE helper’s client software)
    • Authorization server (e.g. Google’s account server): issues access tokens to clients with the resource owner’s consent (expressed as an authorization grant)
    • Resource server (e.g. Google Images server; CARE device): provides access to the resource upon receipt of a valid access token

Page 17

Existing work

Page 18

Existing work
• Open Authorization (OAuth)
  – Not suitable for CARE
    • Only works on input-enabled devices, not input-constrained ones

Page 19

Authorization Framework

Page 20

Framework for renewing an access token

Page 21

Revoking access to helper
• The resource server revokes the access and refresh tokens after the helper closes the session
• The resource owner revokes the access and refresh tokens after identifying malicious activity by the helper

Page 22

Summary
• Provided a novel framework based on OAuth.
  – Authorization Grant Request
  – Access Token Request
  – Access Token Validation
  – Voice Authorization by user
  – Renewing access token
  – Revoking access token
• The developed framework satisfies the OAuth security considerations and NIST criteria for access control.

Page 23

NIST Criteria

Metric | Item | Evaluation
1 | Ease of privilege assignments | Steps required to assign a privilege: 11 steps to grant access to a worker. Steps required to remove a privilege: 3 steps for a worker to revoke access.
2 | Flexibilities of configuration into existing systems | The access control is provided over protocols that run on top of HTTP.

Page 24

NIST Criteria

Metric | Item | Evaluation
3 | Horizontal scope (across platforms and applications) of control | The AC system can authorize multiple users for a single host and multiple users for multiple hosts via a network.
4 | Vertical scope (between application, DBMS, and OS) of control | The scope of access control includes applications, files, hardware resources and network devices.
5 | Least privilege principle support | This AC system enforces the principle of least privilege and the principle of least time. A human must verbally approve all resource requests.

Page 25

NIST Criteria

Metric | Item | Evaluation
6 | Safety (confinements and constraints) | This AC system prevents unauthorized access to resources and the relaying of permissions to unauthorized users.
7 | Operational/situational awareness | A human aware of the situation must approve all resource requests.
8 | Granularity of control | This AC system allows configuring the granularity of permissions with respect to the controlled objects and their features.

Page 26

NIST Criteria

Metric | Item | Evaluation
9 | Response time | It takes approx. 584 milliseconds from start to finish, excluding the time required for the worker to approve the access request (which varies).
10 | Integrated with authentication function | This AC system can be integrated with identity providers for authenticating users.
11 | OS compatibility | This AC system is independent of the operating system of the device.
12 | User interfaces and API | This AC system provides a GUI for AC policy management and authoring.

Page 27

Conclusion
• This research provides a novel framework for dynamic access control of resources in input-constrained devices.
• This dynamic access-control framework can be utilized for access control of the Internet of Things.


Page 30

THANK YOU

Page 31

APPENDIX

Page 32

Existing work
• Access Control Matrix
  – Implemented as
    • Access Control List (ACL): objects store lists of permissions for subjects
    • Capability list: subjects store lists of permissions for objects
  – Not suitable for CARE
    • Subjects and objects are NOT typically predefined in CARE
    • Extremely difficult for a resource owner to keep the access control policies for each helper.

Page 33

Existing work
• Role-Based Access Control (RBAC)
  – Permissions are assigned to roles, not subjects
  – Subjects are assigned to roles
  – Not suitable for CARE
    • Subjects and their role assignments are NOT predefined in CARE
    • The roles and the permissions assigned to each role are likely not predefined in CARE either
    • Extremely difficult for a resource owner to keep the policies in line with what the resource owner consents to

Page 34

Existing work
• Attribute-Based Access Control (ABAC)
  – Subjects, objects, actions, and the context (environment) have attributes
  – Policies that dictate access to objects are combinations of attributes, often expressed as conditions
  – Not suitable for CARE
    • Policies are NOT predefined in CARE
    • Extremely difficult for a resource owner to keep the policies in line with what the resource owner consents to
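As an added illustration (not code from the slides or from the CARE project), the following Python expresses one constructed access-control matrix for two predefined helpers in each of the forms described on pages 32 to 34: an ACL (per object), a capability list (per subject), an RBAC role assignment, and one ABAC rule over constructed attributes. It then evaluates a request from a helper who was never predefined, which is the situation the slides say CARE is in. The subjects, objects, roles, attributes and the ABAC rule are all assumptions made for the example.

```python
from typing import Dict, Set, Tuple

# Constructed matrix: (subject, object) -> permitted actions for two predefined helpers.
MATRIX: Dict[Tuple[str, str], Set[str]] = {
    ("alice", "webcam"): {"view"},
    ("alice", "arm"): {"move"},
    ("bob", "webcam"): {"view"},
}


def to_acl(matrix):
    """ACL form: each object stores the permissions held by each subject."""
    acl: Dict[str, Dict[str, Set[str]]] = {}
    for (subj, obj), actions in matrix.items():
        acl.setdefault(obj, {})[subj] = set(actions)
    return acl


def to_capabilities(matrix):
    """Capability-list form: each subject stores the permissions it holds on each object."""
    caps: Dict[str, Dict[str, Set[str]]] = {}
    for (subj, obj), actions in matrix.items():
        caps.setdefault(subj, {})[obj] = set(actions)
    return caps


def acl_allows(acl, subj, obj, action):
    return action in acl.get(obj, {}).get(subj, set())


def cap_allows(caps, subj, obj, action):
    return action in caps.get(subj, {}).get(obj, set())


# RBAC form: permissions attach to roles and subjects attach to roles; both are predefined.
ROLE_PERMS = {"viewer": {("webcam", "view")},
              "operator": {("webcam", "view"), ("arm", "move")}}
SUBJECT_ROLES = {"alice": {"operator"}, "bob": {"viewer"}}


def rbac_allows(subj, obj, action):
    return any((obj, action) in ROLE_PERMS.get(role, set())
               for role in SUBJECT_ROLES.get(subj, set()))


# ABAC form: attributes on file for predefined subjects, and a policy written as conditions
# over subject, object, action and environment (constructed rule, not the slides' policy).
SUBJECT_ATTRS = {"alice": {"certified": True, "arm_trained": True},
                 "bob": {"certified": True, "arm_trained": False}}


def abac_allows(subject, obj, action, env):
    if action == "view":
        return bool(subject.get("certified")) and 8 <= env["hour"] < 18
    if action == "move" and obj["kind"] == "arm":
        return bool(subject.get("arm_trained")) and bool(env["worker_present"])
    return False


def decide(subj, obj, action, env=None):
    """Evaluate one request under all four models. A subject that was never predefined
    has no ACL entry, no capabilities, no role and no attributes, so every model denies."""
    env = env or {"hour": 10, "worker_present": True}
    return {
        "acl": acl_allows(to_acl(MATRIX), subj, obj, action),
        "capability": cap_allows(to_capabilities(MATRIX), subj, obj, action),
        "rbac": rbac_allows(subj, obj, action),
        "abac": abac_allows(SUBJECT_ATTRS.get(subj, {}), {"kind": obj}, action, env),
    }
```

`decide("carol", "webcam", "view")` is denied by all four models even though a certified, newly arrived helper is exactly who a worker would want to admit; each model needs an administrator to add the subject, role or attributes first, which is the point the slides make against static policies for CARE.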

Page 35

CARE vs Robot

CARE | Robot
Can work on unknown tasks | Has to be pre-programmed for every action
Can work on numerous domains of tasks | Has designated tasks and domains
Can work in unknown environments | Cannot work in every environment
Can work in changing environments | May require retraining each time the environment changes

Page 36

CARE vs Robot

CARE | Robot
Can locate an expert and connect the worker securely across continents | This is an autonomous device
Can dynamically adapt to situations, and get things right the first time | Cannot dynamically adapt to situations
Can be tailored automatically to a worker’s skill level | Has fixed pre-programmed steps to execute and cannot adapt to a worker’s skill level

Page 37

User Satisfaction Survey

Page 38

OAuth security considerations

Security Consideration | Solution in our OAuth Architecture
Client Authentication | The authorization server validates the client’s identity using the ID and secret that the client obtained during registration with the authorization server.
Client Impersonation | To get an access token from the authorization server, the client requires an auth grant from the resource owner in addition to the client’s ID and secret. Even if a legitimate client fails to protect the client ID and secret, an impersonating user will not be able to obtain an access token from the authorization server without an auth grant from the resource owner.

Page 39

OAuth security considerations

Security Consideration | Solution in our OAuth Architecture
Client Impersonation | To grant access to the resources, the resource server requires both an access token and the resource owner’s permission. In our case, the system announces information such as the desired resources and access time, and requests voice authorization from the resource owner.
Access Tokens | Only the authorization server, client application, and resource server share access tokens. The authorization server tags an access token to a client ID so that only the user to whom the token was issued can use the token.

Page 40

OAuth security considerations

Security Consideration | Solution in our OAuth Architecture
Access Tokens | An access token is tagged with information about the resources it can be used to request, such as the resource server’s ID. A client cannot use the access token for any other purpose. The resource owner can revoke access tokens at any time. Access tokens can be transmitted over TLS to prevent man-in-the-middle attacks.

Page 41

OAuth security considerations

Security Consideration | Solution in our OAuth Architecture
Refresh Tokens | Refresh tokens are tagged with the access token and the client ID. The points about how our architecture addresses the security considerations of access tokens also apply to refresh tokens.
Authorization Codes | Authorization codes cannot be used for multiple requests. The authorization server can revoke access tokens when an attack using an authorization grant is detected.

Page 42

OAuth security considerations

Security Consideration | Solution in our OAuth Architecture
Authorization Codes | The authorization server validates the client’s identity using the client’s ID and secret (received after initially registering with the authorization server) before providing an access token.
Request Confidentiality | Use TLS
Endpoint Authenticity | Use TLS
Credentials-Guessing Attacks | The authorization server generates random numbers, and then puts these numbers through the SHA-512 hash algorithm to generate keys.
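As an added example (not the authors' code and not the CARE implementation), the Python model below puts the six steps listed in the summary on page 22 together with the properties from the security-considerations tables on pages 38 to 42: the client needs both its registered secret and a grant from the resource owner; the grant is a single-use authorization code; the access token is tagged with the client ID, the resource server ID, the approved resources and the approved access time; the refresh token is bound to that access token and client; and keys are random numbers passed through SHA-512. The class and function names (AuthorizationServer, ResourceServer, demo), the in-memory stores, the 300-second access time and the hashed storage of client secrets are assumptions; the worker's voice authorization is modelled as a callback returning yes or no, and TLS transport is outside the model.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


def new_key() -> str:
    # Page 42: random numbers put through SHA-512 give keys. The guessing
    # resistance comes from the 256 random bits, not from the hash itself.
    return hashlib.sha512(secrets.token_bytes(32)).hexdigest()


def digest(secret: str) -> str:
    # Assumption: only a hash of each client secret is kept on the server.
    return hashlib.sha512(secret.encode()).hexdigest()


@dataclass
class Token:
    value: str
    client_id: str           # tagged to the client it was issued to (page 39)
    resource_server_id: str  # tagged to the resource server it may be used on (page 40)
    scope: frozenset         # resources the worker approved by voice
    expires_at: int          # end of the approved access time (least time)
    refresh: str             # refresh token bound to this access token (page 41)


class AuthorizationServer:
    def __init__(self, voice_consent):
        self.voice_consent = voice_consent  # callback standing in for the worker's spoken yes/no
        self.clients = {}     # client_id -> digest(secret), filled at registration
        self.codes = {}       # single-use authorization code -> (client_id, rs_id, scope, seconds)
        self.tokens = {}      # access token value -> Token, shared only with the resource server
        self.by_refresh = {}  # refresh token value -> Token

    def register(self):
        client_id, secret = new_key()[:16], new_key()
        self.clients[client_id] = digest(secret)
        return client_id, secret

    def _authenticate(self, client_id, secret):
        return hmac.compare_digest(self.clients.get(client_id, ""), digest(secret))

    def grant_request(self, client_id, rs_id, scope, seconds):
        # Authorization grant request: the system announces resources and time; the worker must approve.
        if client_id not in self.clients or not self.voice_consent(client_id, rs_id, scope, seconds):
            return None
        code = new_key()[:32]
        self.codes[code] = (client_id, rs_id, frozenset(scope), seconds)
        return code

    def token_request(self, client_id, secret, code, now):
        # Access token request: ID and secret alone are not enough, a grant is needed too (page 38).
        grant = self.codes.pop(code, None)  # a code cannot be used for multiple requests (page 41)
        if grant is None or grant[0] != client_id or not self._authenticate(client_id, secret):
            return None
        _, rs_id, scope, seconds = grant
        return self._issue(client_id, rs_id, scope, now + seconds)

    def _issue(self, client_id, rs_id, scope, expires_at):
        tok = Token(new_key(), client_id, rs_id, scope, expires_at, new_key())
        self.tokens[tok.value] = tok
        self.by_refresh[tok.refresh] = tok
        return tok

    def renew(self, client_id, secret, refresh, now, seconds):
        # Renewing an access token: the refresh token must belong to this client; the old pair is retired.
        old = self.by_refresh.pop(refresh, None)
        if old is None or old.client_id != client_id or not self._authenticate(client_id, secret):
            return None
        self.tokens.pop(old.value, None)
        return self._issue(client_id, old.resource_server_id, old.scope, now + seconds)

    def revoke(self, value):
        # Revoking: by the resource server on session close, or by the owner on suspected misuse (page 21).
        tok = self.tokens.pop(value, None)
        if tok is not None:
            self.by_refresh.pop(tok.refresh, None)

    def validate(self, value, client_id, rs_id, resource, now):
        # Access token validation: every tag is checked, not merely that the token exists.
        tok = self.tokens.get(value)
        return bool(tok and now < tok.expires_at and tok.client_id == client_id
                    and tok.resource_server_id == rs_id and resource in tok.scope)


class ResourceServer:
    def __init__(self, rs_id, auth_server):
        self.rs_id, self.auth = rs_id, auth_server  # the CARE device and the server it trusts

    def serve(self, value, client_id, resource, now):
        return self.auth.validate(value, client_id, self.rs_id, resource, now)

    def close_session(self, value):
        self.auth.revoke(value)


def demo(approve=True):
    """Constructed walk-through on a fixed clock (seconds); returns each outcome for inspection."""
    auth = AuthorizationServer(lambda cid, rs, scope, secs: approve)
    care = ResourceServer("care-device-1", auth)
    cid, secret = auth.register()
    code = auth.grant_request(cid, care.rs_id, {"webcam"}, 300)
    if code is None:
        return {"granted": False}
    tok = auth.token_request(cid, secret, code, now=0)
    out = {"granted": True,
           "webcam_ok": care.serve(tok.value, cid, "webcam", now=10),
           "mic_out_of_scope": care.serve(tok.value, cid, "microphone", now=10),
           "other_client": care.serve(tok.value, "someone-else", "webcam", now=10),
           "expired": care.serve(tok.value, cid, "webcam", now=400),
           "code_reuse": auth.token_request(cid, secret, code, now=0) is None}
    new = auth.renew(cid, secret, tok.refresh, now=290, seconds=300)
    out["renewed_ok"] = care.serve(new.value, cid, "webcam", now=400)
    care.close_session(new.value)
    out["after_close"] = care.serve(new.value, cid, "webcam", now=401)
    return out
```

Running `demo()` shows the properties the tables claim: the microphone request fails because it is outside the approved scope, a different client ID cannot reuse the token, the token stops working once the approved time has passed, the authorization code is consumed on first use, and closing the session revokes the renewed token. `demo(approve=False)` shows that a registered client with a valid secret still gets nothing when the worker does not say yes.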