Macaroons: Cookies with Contextual Caveats for Decentralized Authorization in the Cloud

Controlled sharing is fundamental to distributed systems; yet, on the Web, and in the Cloud, sharing is still based on rudimentary mechanisms. More flexible, decentralized cryptographic authorization credentials have not been adopted, largely because their mechanisms have not been incrementally deployable, simple enough, or efficient enough to implement across the relevant systems and devices.

This paper introduces macaroons: flexible authorization credentials for Cloud services that support decentralized delegation between principals. Macaroons are based on a construction that uses nested, chained MACs (e.g., HMACs [43]) in a manner that is highly efficient, easy to deploy, and widely applicable. Although macaroons are bearer credentials, like Web cookies, macaroons embed caveats that attenuate and contextually confine when, where, by whom, and for what purpose a target service should authorize requests. This paper describes macaroons and motivates their design, compares them to other credential systems, such as cookies and SPKI/SDSI [14], evaluates and measures a prototype implementation, and discusses practical security and application considerations. In particular, it is considered how macaroons can enable more fine-grained authorization in the Cloud, e.g., by strengthening mechanisms like OAuth2 [17], and a formalization of macaroons is given in authorization logic.
web  security  paper  filetype:pdf  authentication  authorisation 
january 2019 by jabley
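The abstract's central mechanism, a bearer credential whose signature is a chain of nested HMACs over appended caveats, is small enough to show in full. The following is an added illustration, not code from the paper or its prototype: it assumes HMAC-SHA256 as the MAC, a constructed root key, a hypothetical storage location and identifier, and a toy caveat language (`key = value` and `time < epoch`) invented here for the demo. It shows why a holder can attenuate a macaroon by adding caveats but cannot remove them: stripping a caveat or using the wrong key breaks the chain and verification fails.

```python
import hashlib
import hmac


def _mac(key: bytes, msg: bytes) -> bytes:
    # Assumption: HMAC-SHA256 as the chained MAC (the paper says only "e.g., HMACs").
    return hmac.new(key, msg, hashlib.sha256).digest()


class Macaroon:
    """Bearer credential: location, identifier, ordered first-party caveats, chained signature."""

    def __init__(self, location: str, identifier: str, caveats: list, signature: bytes):
        self.location = location
        self.identifier = identifier
        self.caveats = list(caveats)
        self.signature = signature

    @classmethod
    def mint(cls, root_key: bytes, location: str, identifier: str) -> "Macaroon":
        # The target service mints: sig_0 = HMAC(root_key, identifier). Only it knows root_key.
        return cls(location, identifier, [], _mac(root_key, identifier.encode()))

    def add_first_party_caveat(self, predicate: str) -> "Macaroon":
        # Anyone holding the macaroon can attenuate it: sig_{n+1} = HMAC(sig_n, caveat_{n+1}).
        # The old signature is consumed by the MAC, so the caveat cannot later be removed.
        new_sig = _mac(self.signature, predicate.encode())
        return Macaroon(self.location, self.identifier, self.caveats + [predicate], new_sig)


def _predicate_holds(caveat: str, context: dict) -> bool:
    # Constructed toy caveat language for this demo, not the paper's.
    if caveat.startswith("time < "):
        return context.get("time", 0) < int(caveat[len("time < "):])
    key, sep, value = caveat.partition(" = ")
    return bool(sep) and context.get(key) == value


def verify(m: Macaroon, root_key: bytes, context: dict) -> bool:
    """Target service: recompute the chain from its root key and check every caveat against the request context."""
    sig = _mac(root_key, m.identifier.encode())
    for caveat in m.caveats:
        if not _predicate_holds(caveat, context):
            return False  # a caveat does not hold for this request
        sig = _mac(sig, caveat.encode())
    # Constant-time compare: the signature is the only thing binding the caveats to the root key.
    return hmac.compare_digest(sig, m.signature)


# Constructed sample values (not real keys or identifiers).
ROOT_KEY = b"constructed-root-key-known-only-to-the-target-service"


def demo() -> dict:
    """Mint, attenuate, delegate and verify; returns the outcome of each check."""
    original = Macaroon.mint(ROOT_KEY, "https://storage.example", "chunk-42")  # hypothetical
    original = original.add_first_party_caveat("account = 3735928559")

    # The account owner delegates a read-only, time-limited view to a third party.
    delegated = (original
                 .add_first_party_caveat("op = read")
                 .add_first_party_caveat("time < 2000000000"))

    ctx = {"account": "3735928559", "op": "read", "time": 1700000000}

    # An attacker-style attempt to widen the delegated macaroon: drop the last two caveats
    # but keep the signature. The recomputed chain no longer matches.
    stripped = Macaroon(delegated.location, delegated.identifier,
                        delegated.caveats[:1], delegated.signature)

    return {
        "owner_ok": verify(original, ROOT_KEY, ctx),
        "delegate_read_ok": verify(delegated, ROOT_KEY, ctx),
        "delegate_write_denied": verify(delegated, ROOT_KEY, {**ctx, "op": "write"}),
        "delegate_expired_denied": verify(delegated, ROOT_KEY, {**ctx, "time": 2000000001}),
        "stripped_caveats_denied": verify(stripped, ROOT_KEY, ctx),
        "wrong_root_key_denied": verify(delegated, b"not-the-root-key", ctx),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Only the minting service ever needs the root key; delegation happens entirely on the holder's side by appending caveats, and verification is a handful of HMACs with no network round trips, which is the efficiency and deployability point the abstract makes. Third-party caveats (discharged by another principal) are the paper's extension of the same chain and are not shown here.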
