2-levels Access Control for HTTP binding
Group Name: WG4 (& WG2/WG3 for information)
Source: Shingo Fujimoto, FUJITSU, shingo_fujimoto@jp.fujitsu.com
Meeting Date: 2014-03-05
Agenda Item: Access Control in protocol
Introduction
• It is not yet clear how to implement the 2-levels access control that is introduced in the Arch. TS.
• This contribution proposes how 2-levels access control can be implemented on HTTP, considering best practices found in the real world.
© 2014 oneM2M Partners SEC-2014-0222-2-Levels_Access_Control
2-levels Access Control Model
[Figure: AE connected over Mca to the Local CSE, which connects over Mcc to the IN-CSE and the Hosting CSE; the first check is whether the AE is registered, the second check is whether the AE is authorized to access the resource]
(High Level) Proposal
• Introduce a token-based access control mechanism for the HTTP protocol binding, in addition to traditional password-based access control
• The OAuth 2 specification should be considered as the solution for the access control mechanism of the HTTP protocol binding
[FYI] Access Control for HTTP
• Basic Authentication
  – Widely used to authenticate an identity with a preshared secret (= password)
• Bearer Authorization [RFC 6750]
  – Widely used to carry access token data, which can work with OAuth 2 based systems
Proposal on implementation
• Local CSE will behave as a proxy server
• AE will connect to the Local CSE and request to establish a TLS connection to the targeted host by issuing the CONNECT method
• The targeted CSE may forward the request one hop further to the next CSE
• The credential for the "is the AE registered" check is carried in the "Proxy-Authorization" header
[FYI] Communication Flow
Participants: AE, Local CSE, IN-CSE, hosting-CSE

AE → Local CSE:
  CONNECT m2m.example.com:443 HTTP/1.1
  Host: lcse.example.com
  Proxy-Authorization: <access_key>
Forwarded hop by hop (Local CSE → IN-CSE, IN-CSE → hosting-CSE):
  CONNECT incse.example.com:443 HTTP/1.1
  CONNECT hcse.example.com:443 HTTP/1.1
Establish TLS session
Requests over the TLS connection:
  GET /cse3/foo/bar HTTP/1.1
  Host: m2m.example.com
  Authorization: Bearer <access_token>
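The two checks in this flow, and the Basic/Bearer schemes from the earlier slide, as an added worked example that is not part of the contribution and not oneM2M code. It assumes the access_key in Proxy-Authorization is carried with the Basic scheme (AE-ID:secret), and the AE registry, the token table, the token value and the resource paths are constructed sample data; the hostnames are the ones on the slide. The first handler plays the Local CSE acting as proxy (level 1, is the AE registered), the second plays the Hosting CSE receiving the request over the tunnel (level 2, is the AE authorized, with the RFC 6750 error codes in the WWW-Authenticate challenge).

```python
import base64
import hmac
from typing import Dict, Optional, Set, Tuple

# Constructed sample data (assumed for this example, not from the contribution).
# Level 1: AE-ID -> pre-shared secret checked by the Local CSE acting as proxy.
REGISTERED_AES: Dict[str, str] = {"ae-001": "s3cret-ae-001"}
# Level 2: Bearer token -> (AE-ID it was issued to, {resource path: allowed methods}).
ISSUED_TOKENS: Dict[str, Tuple[str, Dict[str, Set[str]]]] = {
    "tok-abc123": ("ae-001", {"/cse3/foo/bar": {"GET"}}),
}


def basic_credential(ae_id: str, secret: str) -> str:
    """Build the Basic credential the AE sends as its access key (assumption:
    the access_key in the flow is carried with the Basic scheme)."""
    return "Basic " + base64.b64encode(f"{ae_id}:{secret}".encode()).decode()


def parse_request(raw: bytes) -> Tuple[str, str, Dict[str, str]]:
    """Split an HTTP/1.1 request head into (method, target, lower-cased headers)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def check_registration(headers: Dict[str, str]) -> Optional[str]:
    """Level 1 (Local CSE): is the AE registered? Returns the AE-ID or None."""
    scheme, _, param = headers.get("proxy-authorization", "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(param, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    ae_id, _, secret = decoded.partition(":")
    expected = REGISTERED_AES.get(ae_id)
    # Constant-time comparison: a plain '==' would leak the secret via timing.
    if expected is None or not hmac.compare_digest(expected.encode(), secret.encode()):
        return None
    return ae_id


def handle_connect(raw: bytes) -> int:
    """Local CSE as proxy: 200 opens the tunnel toward the target, 407 demands
    a valid Proxy-Authorization, 405 rejects anything but CONNECT."""
    method, _target, headers = parse_request(raw)
    if method != "CONNECT":
        return 405
    return 200 if check_registration(headers) else 407


def check_authorization(method: str, target: str,
                        headers: Dict[str, str]) -> Tuple[int, Optional[str]]:
    """Level 2 (Hosting CSE): validate the RFC 6750 Bearer token and its scope.
    Returns (status, WWW-Authenticate challenge) using the RFC 6750 error codes."""
    scheme, _, token = headers.get("authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token:
        return 401, 'Bearer realm="hosting-cse"'  # no token presented at all
    entry = ISSUED_TOKENS.get(token)
    if entry is None:
        return 401, 'Bearer realm="hosting-cse", error="invalid_token"'
    _ae_id, scope = entry
    if method not in scope.get(target, set()):
        return 403, 'Bearer realm="hosting-cse", error="insufficient_scope"'
    return 200, None


def handle_resource_request(raw: bytes) -> Tuple[int, Optional[str]]:
    """Hosting CSE: the request that arrives over the established TLS tunnel."""
    method, target, headers = parse_request(raw)
    return check_authorization(method, target, headers)


# Constructed messages mirroring the flow on the slide (hostnames as on the slide).
SAMPLE_CONNECT = (
    b"CONNECT m2m.example.com:443 HTTP/1.1\r\n"
    b"Host: lcse.example.com\r\n"
    b"Proxy-Authorization: " + basic_credential("ae-001", "s3cret-ae-001").encode() + b"\r\n"
    b"\r\n"
)
SAMPLE_GET = (
    b"GET /cse3/foo/bar HTTP/1.1\r\n"
    b"Host: m2m.example.com\r\n"
    b"Authorization: Bearer tok-abc123\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    print("CONNECT at Local CSE ->", handle_connect(SAMPLE_CONNECT))
    print("GET at Hosting CSE   ->", handle_resource_request(SAMPLE_GET))
```

The two checks are deliberately independent: the Local CSE never sees the Bearer token (it travels inside the TLS tunnel), and the Hosting CSE never sees the proxy credential, so a leaked access key alone does not grant resource access and a leaked token alone does not get an unregistered AE through the proxy.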
Proposal
• WG4 members should consider the feasibility of the proposed solution for implementing 2-levels access control
• WG4 members should consider the APIs required to accommodate the proposed solution