A technique for user-to-user delegation of capabilities with reduced access rights.
Publication Date: 2010-May-18
The IP.com Prior Art Database
In this report we present a capability-based access control model and architecture for cloud storage systems that is secure, flexible, and scalable. We introduce new functionalities such as a flexible and dynamic description of resources, an advanced delegation mechanism, and support for auditability, accountability and access confinement.
The challenge of access control is to selectively control who can access and manipulate information, allowing only users with the proper privilege to carry out operations. Today's data storage and sharing systems, such as cloud storage, should provide their users with the ability to easily share resources on a very large scale. To allow such systems to scale arbitrarily, the role of system administrators and security managers needs to be minimal. In particular, it is desirable to enable users to autonomously delegate access rights to other users without requiring the intervention of a system administrator or a security manager. Moreover, it is desirable to allow users to delegate access rights (or a subset of them) for their resources (or a subset of them) to whomever they choose, including users from other administrative domains (e.g., users who are not registered with the cloud service provider). Furthermore, it is desirable to allow a user who is granted access rights by the administrator or by another user to further delegate those rights to other users; this is known as "transitive delegation".
A capability, in the context of this work, is a data structure that encodes certain access rights on certain identified resources. Capability-based access protocols involve three entities: (1) clients; (2) a security/policy manager, which authenticates and authorizes the clients and grants access credentials that are based on capabilities; and (3) storage servers that enforce access control by validating the credentials.
In the storage area, the notable capability-based access control protocols are the OSD protocol and the CbCS protocol (part of the standard SCSI protocol) [1, 2]. In these protocols, the access flow consists of two stages from the client's point of view: (1) The client authenticates with the security manager and receives a credential consisting of a capability and a signature that authenticates it. (2) The client sends its object access request, together with the received capability and authentication information, to the storage server. The storage server validates the request and then performs it. The authentication information the client receives with the credential is called the "capability-key": it authenticates the capability using a secret key shared between the security manager and the storage server. The client uses it as a key to authenticate its request, including the capability and other request parameters, and potentially to bind the request to a session to prevent replay attacks.
In capability-based systems one client can delegate their access rights to another client simply by passing on their access credentials as-is. However, in the existing systems the user cannot generate new capabilities and thus cannot delegate only a subset of their access rights to another user. Although some systems do allow generation of reduced capabilities, they have administrative limitations such as the assumption of an underlying Public Key Infrastructure (PKI) or man...
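The two-stage credential flow described above (a capability authenticated by a capability-key derived from the manager/server shared secret, and a client request authenticated with that key and bound to a session nonce), together with the delegation limitation that follows it, as an added worked example in Python. This code is not part of the original report or of the OSD/CbCS standards: the shared secret, policy, object id, field names and the use of HMAC-SHA256 as the MAC are all constructed for illustration.

```python
import hashlib
import hmac
import json
import secrets

# Constructed for this example: the secret shared by the security manager and the
# storage server. The page only says such a secret exists; the value is made up.
SHARED_SECRET = b"constructed-shared-secret-manager-and-storage-server"


def canonical(obj):
    """Deterministic serialisation so both sides MAC identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def capability_key(capability, secret):
    """Capability-key: MAC over the capability under the shared secret.
    The client only ever sees this derived key, never `secret`, so it cannot mint
    or alter capabilities; the storage server recomputes it to check authenticity."""
    return hmac.new(secret, canonical(capability), hashlib.sha256).digest()


def sign_request(capability, cap_key, op, session_nonce):
    """Client side: authenticate capability + request parameters + nonce with the capability-key."""
    msg = canonical({"capability": capability, "op": op, "nonce": session_nonce})
    return hmac.new(cap_key, msg, hashlib.sha256).hexdigest()


class SecurityManager:
    """Stage 1: authenticates the client and issues a credential (capability, capability-key)."""

    def __init__(self, secret, policy):
        self.secret = secret
        self.policy = policy  # constructed policy: user -> {object id -> set of rights}

    def grant(self, user, obj, rights):
        allowed = self.policy.get(user, {}).get(obj, set())
        if not set(rights) <= allowed:
            raise PermissionError(f"{user} may not hold {sorted(rights)} on {obj}")
        capability = {"object": obj, "rights": sorted(rights)}
        return capability, capability_key(capability, self.secret)


class StorageServer:
    """Stage 2: enforces access by validating the credential; shares `secret` with the manager."""

    def __init__(self, secret):
        self.secret = secret
        self.seen_nonces = set()  # session binding: each nonce is accepted once

    def handle(self, capability, op, session_nonce, tag):
        if session_nonce in self.seen_nonces:
            return False, "replayed request"
        # Recompute the capability-key from the shared secret. An edited or forged
        # capability yields a different key, so the client's request tag cannot verify.
        expected = sign_request(capability, capability_key(capability, self.secret), op, session_nonce)
        if not hmac.compare_digest(expected, tag):
            return False, "capability or request authentication failed"
        if op["object"] != capability["object"] or op["type"] not in capability["rights"]:
            return False, "operation not covered by capability"
        self.seen_nonces.add(session_nonce)
        return True, "ok"


def delegation_demo():
    """Grant, use, replay, as-is delegation, and a client-side attempt to reduce a capability."""
    manager = SecurityManager(SHARED_SECRET, {"alice": {"obj-42": {"read", "write"}}})
    server = StorageServer(SHARED_SECRET)
    write_op = {"object": "obj-42", "type": "write"}
    read_op = {"object": "obj-42", "type": "read"}
    results = {}

    # Alice authenticates with the manager and receives a read+write credential.
    cap, cap_key = manager.grant("alice", "obj-42", {"read", "write"})
    nonce = secrets.token_hex(8)
    tag = sign_request(cap, cap_key, write_op, nonce)
    results["alice_write"] = server.handle(cap, write_op, nonce, tag)[0]
    # The same signed request sent again is refused: the nonce has been consumed.
    results["replay"] = server.handle(cap, write_op, nonce, tag)[0]

    # Delegation as the page describes it: Alice hands Bob the credential as-is,
    # so Bob holds exactly Alice's rights, write included.
    n = secrets.token_hex(8)
    results["bob_write_delegated"] = server.handle(cap, write_op, n, sign_request(cap, cap_key, write_op, n))[0]

    # The limitation: Alice wants Bob to have read-only access and edits the rights
    # field herself. Lacking the shared secret she can only reuse the old capability-key,
    # which no longer matches the edited capability, so the server rejects it.
    reduced = dict(cap, rights=["read"])
    n = secrets.token_hex(8)
    ok, reason = server.handle(reduced, read_op, n, sign_request(reduced, cap_key, read_op, n))
    results["reduced_by_client"], results["reduced_reason"] = ok, reason

    # Only the security manager can issue a valid reduced capability.
    reduced_cap, reduced_key = manager.grant("alice", "obj-42", {"read"})
    n = secrets.token_hex(8)
    results["reduced_by_manager_read"] = server.handle(reduced_cap, read_op, n, sign_request(reduced_cap, reduced_key, read_op, n))[0]
    n = secrets.token_hex(8)
    results["reduced_by_manager_write"] = server.handle(reduced_cap, write_op, n, sign_request(reduced_cap, reduced_key, write_op, n))[0]
    return results


if __name__ == "__main__":
    for name, value in delegation_demo().items():
        print(f"{name}: {value}")
```

The capability here is a pure bearer credential: the server never checks who presents it, which is exactly why passing the credential on as-is delegates the full right set, and why a holder cannot narrow it without either the shared secret or a scheme in which the manager-issued key can be derived downward.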