ITEA is the Eureka Cluster on software innovation
ITEA is the Eureka Cluster on software innovation
ITEA 4 page header azure circular

Software components for ad-hoc delegated access control

Project
18008 TIoCPS
Type
Enhancement
Description

Software components for ad-hoc delegated access control. This is an enhancement to the SafeMove Device and Security management system. It allows delegating fine-grained access to application programming interfaces (API) of different systems, made by different vendors and operated by different organizations. Access delegation can be handled out-of-band, without the privacy implications of user account databases with personal information.

Contact
Anton Gyllenberg, Bittium Wireless Oy
Email
anton.gyllenberg@bittium.com
Research area(s)
Cryptography access tokens
Technical features

QR code: Component allows importing target system access credentials and Rest API data points. Component allows creating access tokens in the form of QR codes [18]. QR codes includes serialized Google Macaroon token. Access tokens can be restricted (validity time, data points read and write). Upon scanning QR code mobile device web browser is directed to software component provided dynamic web UI. The dynamic web UI can be used to read and write target system values.

Google’s Macaroon Token:

Macaroons are authorization credentials that provide flexible support for controlled sharing in decentralized, distributed systems. Macaroons are widely applicable since they are a form of bearer credentials, much like commonly used cookies on the Web, and have an efficient construction based on keyed cryptographic message digests. Macaroons allow authority to be delegated between protection domains with both attenuation and contextual confinement. For this, each Macaroon contains caveats, i.e., restrictions, which are predicates that restrict the macaroon’s authority, as well as the context in which it may be successfully used. For example, such restrictions may attenuate a Macaroon by limiting what objects and what actions it permits, or contextually confine it by requiring additional evidence, such as third-party signatures, or by restricting when, from where, or in what other observable context it may be used. [19]

Open API Specification:

The OpenAPI Specification (OAS) defines a standard, programming language-agnostic interface description for HTTP APIs, which allows both humans and computers to discover and understand the capabilities of a service without requiring access to source code, additional documentation, or inspection of network traffic. When properly defined via OpenAPI, a consumer can understand and interact with the remote service with a minimal amount of implementation logic. Similar to what interface descriptions have done for lower-level programming, the OpenAPI Specification removes guesswork in calling a service. An OpenAPI document that conforms to the OpenAPI Specification is itself a JSON object, which may be represented either in JSON or YAML format. [20]

[18] https://en.wikipedia.org/wiki/QR_code [19] A. Birgisson, J. Gibbs Politz, U. Erlingsson, A. Taly, M. Vrable, M. Lentczner, “Macaroons: Cookies with Contextual Caveats for Decentralized Authorization in the Cloud”, Network and Distributed System Security Symposium, Internet Society, 2014 [20] Open Api Specification v.3.1.0, https://spec.openapis.org/oas/v3.1.0, 2021

Integration constraints

Server platform: Linux Operating System API: Integration of web based APIs and authentication to web platforms

Targeted customer(s)

IoT market, systems with personal information security, privacy, web service integration

Conditions for reuse

Subject to Software license required from Bittium Safemove Oy.

Confidentiality
Public
Publication date
11-10-2023
Involved partners
Bittium Safemove Oy (FIN)

Images