Decentralized authorization framework for untrusted heterogeneous client devices

Abstract

These days, network-connected computing devices such as various smart/IoT devices, laptops, and smartphones are becoming more popular due to the rapid evolution of mobile computing technologies. Also, as the number of devices around a single user increases, one device usually does not exclusively belong to a single user anymore. However, this multi-device paradigm makes the access delegation toward such devices much more difficult. If permission is delegated to other devices, they typically cannot be managed adequately and precisely as the user's original intention. This is mainly because 1) the original design of access delegation protocol tends to be coarse-grained, 2) every device has a unique hardware/software stack which is hard to validate its security status in detail precisely, and 3) device owners can even share their devices among other multiple users so the original device owner cannot fully trust its behavior when shared with other people. This thesis introduces DAuth, an OAuth 2.0 extension suitable for access delegation in the multi-device environment. It specifies and enforces the security policy for OAuth 2.0 bearer tokens so that any token in the multi-device environment cannot be utilized by malicious misuses. DAuth extends the current OAuth 2.0 device grant by separating a single OAuth request-response structure into two subparts. Our evaluation shows that adopting DAuth to existing OAuth 2.0 implementation requires little engineering effort, and it adds only an affordable overhead in end-to-end latency.