Change search
CiteExportLink to record
Permanent link

Direct link
Cite
Citation style
  • apa
  • ieee
  • modern-language-association-8th-edition
  • vancouver
  • Other style
More styles
Language
  • de-DE
  • en-GB
  • en-US
  • fi-FI
  • nn-NO
  • nn-NB
  • sv-SE
  • Other locale
More languages
Output format
  • html
  • text
  • asciidoc
  • rtf
Digital Power of Attorney for Authorization in Industrial Cyber-Physical Systems
Luleå University of Technology, Department of Computer Science, Electrical and Space Engineering, Embedded Internet Systems Lab.ORCID iD: 0000-0002-8873-9226
2023 (English)Doctoral thesis, comprehensive summary (Other academic)
Abstract [en]

Since ancient times, there has been a practice to authorize individuals that we trust. Today, we grant credentials and privileges digitally, making authorization a crucial part of security control and extending its use cases beyond people and web applications. Authorization plays an important role in emerging technologies such as the Internet of Things (IoT) and Cyber-Physical Systems (CPS), and there is a trend toward intelligent devices such as autonomous vehicles that are capable of executing tasks on our behalf. 

However, there are challenges in facilitating this evolution. Industrial use cases with many devices, contractors, subcontractors, and other parties need to maintain trust by sub-granting in one or many steps to define a trust chain. Ultimately Industrial CPS and semi-autonomous devices should be authorized to work as agents with defined credentials on behalf of their contractor. This would enable them to function self-sufficiently at a target site or network for a set amount of time.

The scope of this thesis is a new way of authorization known as the Digital Power of Attorneys. Traditionally, Power of Attorney is a legal document that is used for granting a person's authority to a trusted individual to act/work (e.g., running a business) on behalf of the first person. The objective of this thesis is to develop digital Power of Attorney based authorization for Cyber-Physical Systems and the Internet of Things. This technique enables devices (agents) such as autonomous or semi-autonomous devices to work/act on behalf of human beings (principals), even if he/she is not available online. 

The literature study includes both academic concepts and industrial authorization solutions, protocols, and standards such as  OAuth, UMA, GNAP, and ACE. PoA based authorization is inspired by the concept of proxy signatures by warrants and developed for industrial use, both as stand-alone libs and as extensions to existing standard protocols. The major standards that we propose to be extended with the PoA based authorization are IETF standards OAuth and ACE. In this way, the work in this thesis is highly correlated with the IETF. In addition to the academic papers on PoA based authorization and its applications, this thesis includes IETF Internet-Drafts as part of the standardization process of the PoA based authorization technique. 

The development of PoA based authorization technique begins with designing a Proof-of-Concept based on the gaps identified in existing authorization techniques. For implementation in current networks, different ways of providing PoA-based authorization are explored. First, by extending the OAuth protocol as a new OAuth grant type to add the principal entity to the OAuth protocol that can delegate the client. Second, by extension of the ACE framework, which adds a notion of PoA based delegation to ACE.  Third, by implementing an open-source library that can be downloaded and used independently by each entity to interpret the PoA. These approaches address the PoA interpretation challenges and enable every entity being part of the process to use and verify PoAs.

This thesis defines the architecture, protocol flow, and PoA structure of the proposed authorization technique and demonstrates its implementation in several use cases such as zero touch-device onboarding and delegation of smart devices in a mining station. Furthermore, possible security threats and vulnerabilities of the proposed system are thoroughly analyzed using different approaches such as threat modeling, risk assessment, and exploiting the system in the context of different attack scenarios.  

Place, publisher, year, edition, pages
Luleå: Luleå University of Technology, 2023.
Series
Doctoral thesis / Luleå University of Technology 1 jan 1997 → …, ISSN 1402-1544
National Category
Computer Systems
Research subject
Cyber-Physical Systems
Identifiers
URN: urn:nbn:se:ltu:diva-101647ISBN: 978-91-8048-403-9 (print)ISBN: 978-91-8048-404-6 (electronic)OAI: oai:DiVA.org:ltu-101647DiVA, id: diva2:1804593
Public defence
2023-12-07, A 109, Luleå tekniska universitet, Luleå, 09:00 (English)
Opponent
Supervisors
Available from: 2023-10-13 Created: 2023-10-13 Last updated: 2023-11-16Bibliographically approved
List of papers
1. Survey on delegated and self-contained authorization techniques in CPS and IoT
Open this publication in new window or tab >>Survey on delegated and self-contained authorization techniques in CPS and IoT
2021 (English)In: IEEE Access, E-ISSN 2169-3536, Vol. 9, p. 98169-98184Article in journal (Refereed) Published
Abstract [en]

Authentication, authorization and digital identity management are core features required by secure digital systems. Therein, authorization is the key component for regulating the detailed access credentials to required service resources. Authorization, therefore, plays a significant role in the trust management of autonomous devices and services. Due to the heterogeneous nature of Cyber-Physical Systems and the Internet of Things, several authorization techniques using different access control models, accounts, groups, tokens, and delegations have both strengths and weaknesses. There exists many literature studies on other main security requirements such as authentication, identity management and confidentiality. However, there is a need for a comprehensive review on different authorization techniques in Cyber Physical systems and Internet of Things. A specific target of this paper is authorization in the Cyber Physical system and Internet of Things networks with non-constrained devices in industrial context with mobility, subcontractors, and autonomous machines that are able to carry out advanced tasks on behalf of others. We study the different authorization techniques using our three-dimensional classification including access control models, sub-granting models and authorization governance.We focus on the state of the art on authorization sub-granting, including delegation techniques by access control/authorization server and self-contained authorization using a new concept of Power of Attorney. Comparison is performed on several parameters such as type of communication, method of authorization, control of expiration, and use of techniques such as public-key certificate, encryption techniques, and tokens. The results show the differences and similarities of server-based and Power of Attorney based authorization sub-granting. The most common standards are also analyzed in light of those classifications.

Place, publisher, year, edition, pages
IEEE, 2021
Keywords
Authorization, access control models, Cyber Physical Systems (CPS), Internet of Things (IoT), sub-granting, delegation, Power of Attorney (PoA), OAuth
National Category
Computer Systems
Research subject
Cyber-Physical Systems
Identifiers
urn:nbn:se:ltu:diva-85604 (URN)10.1109/ACCESS.2021.3093327 (DOI)000673336300001 ()2-s2.0-85110710517 (Scopus ID)
Note

Validerad;2021;Nivå 2;2021-07-28 (beamah);

Finansiär: ECSEL JU (826452)

Available from: 2021-06-17 Created: 2021-06-17 Last updated: 2023-10-16Bibliographically approved
2. Multilevel Subgranting by Power of Attorney and OAuth Authorization Server in Cyber–Physical Systems
Open this publication in new window or tab >>Multilevel Subgranting by Power of Attorney and OAuth Authorization Server in Cyber–Physical Systems
2023 (English)In: IEEE Internet of Things Journal, ISSN 2327-4662, Vol. 10, no 17, p. 15266-15282Article in journal (Refereed) Published
Abstract [en]

Many Cyber-Physical Systems are today semiautonomous and powerful enough to perform advanced tasks on their own. This means they can also act as representatives of people or devices that have given them an order. However, traditional access control policies and delegation models do not meet industrial requirements such as support for letting autonomous CPS devices act on their own with certified credentials under the sub authorization by subcontractors, without the need for a separate account per device. In this paper, we analyze and compare power of attorney, proxy signature by warrant, and OAuth to identify the strengths and challenges of each. Based on the comparison, we propose an OAuth grant type based on the power of attorney and inspired by the concept of proxy signature by warrant. Power of Attorney is a generic and self-contained document that a principal signs and directs to an agent, thereby providing it the power to execute actions on behalf of the principal for a predefined time, even if it is offline. One key advantage of the power of attorney is that it can support effective sub-granting on several levels to support industrial scenarios where resource owners bring in authorized contractors that can in their turn authorize and bring in several devices without incurring management overhead to the resource owner. A proof-of-concept and performance evaluation of the proposed model is presented using an industrial use-case scenario with multi-level authorization.

Place, publisher, year, edition, pages
Institute of Electrical and Electronics Engineers (IEEE), 2023
Keywords
authorization, cyber–physical systems (CPS), grant negotiation and authorization protocol (GNAP), OAuth, Power of Attorney (PoA), proxy signature, user managed access (UMA)
National Category
Computer Systems
Research subject
Cyber-Physical Systems
Identifiers
urn:nbn:se:ltu:diva-97006 (URN)10.1109/jiot.2023.3265407 (DOI)001075378800023 ()2-s2.0-85153408957 (Scopus ID)
Projects
Arrowhead Tools Project
Note

Validerad;2023;Nivå 2;2023-11-07 (hanlid);

Funder: ECSEL JU (826452);

Full text license: CC BY

Available from: 2023-05-04 Created: 2023-05-04 Last updated: 2024-11-20Bibliographically approved
3. Token Interpretation and Security Evaluation of Power of Attorney based Authorization Technique
Open this publication in new window or tab >>Token Interpretation and Security Evaluation of Power of Attorney based Authorization Technique
(English)Manuscript (preprint) (Other academic)
National Category
Electrical Engineering, Electronic Engineering, Information Engineering
Identifiers
urn:nbn:se:ltu:diva-101661 (URN)
Available from: 2023-10-16 Created: 2023-10-16 Last updated: 2023-10-16
4. A Model for Signatories in Cyber-Physical Systems
Open this publication in new window or tab >>A Model for Signatories in Cyber-Physical Systems
2020 (English)In: Proceedings: 2020 25th IEEE International Conference on Emerging Technologies and Factory Automation (ETFA), IEEE, 2020, p. 15-21Conference paper, Published paper (Refereed)
Abstract [en]

Distributed Internet of Things and cyber-physical systems can potentially be used as agents to automatically sign events and transactions on behalf of users. To accomplish this, there is a need for a model that can represent the relationships, credentials and organizational hierarchies of people and devices, facilitating agents acting as signatories in a controlled way. This paper proposes such a model, where people in different positions are entitled to sign on behalf of organizations or departments therein and extend that to representing machines. Central in this model is the Power of Attorney (PoA), which is a self-contained and signed digital document that for a limited time and in a defined context, authorizes a particular agent (whether a person or device) to sign on behalf of a principal. Although such self-contained PoAs can be stored anywhere, we propose a conceptual architecture based on PoAs and include a signatory registry that keeps track of organizational hierarchies in terms of people and devices according to the defined model and stored PoAs in that context.

Place, publisher, year, edition, pages
IEEE, 2020
Series
IEEE International Conference on Emerging Technologies and Factory Automation (ETFA), ISSN 1946-0740, E-ISSN 1946-0759
Keywords
Signatory, Power of Attorney (PoA), Cyber-Physical System (CPS), Certifying Authority (CA), Public Key Infrastructure (PKI), Internet of Things (IoT)
National Category
Other Electrical Engineering, Electronic Engineering, Information Engineering Computer Systems
Research subject
Cyber-Physical Systems
Identifiers
urn:nbn:se:ltu:diva-80443 (URN)10.1109/ETFA46521.2020.9212081 (DOI)000627406500001 ()2-s2.0-85093364699 (Scopus ID)
Conference
25th IEEE International Conference on Emerging Technologies and Factory Automation (ETFA 2020), 8-11 September, 2020, Vienna, Austria - Hybrid
Note

ISBN för värdpublikation: 978-1-7281-8956-7, 978-1-7281-8957-4

Available from: 2020-08-18 Created: 2020-08-18 Last updated: 2023-10-16Bibliographically approved
5. Device Onboarding in Eclipse Arrowhead Framework using Power of Attorney based authorization
Open this publication in new window or tab >>Device Onboarding in Eclipse Arrowhead Framework using Power of Attorney based authorization
2022 (English)In: 2022 IEEE 27th International Workshop on Computer Aided Modeling and Design of Communication Links and Networks (CAMAD), Institute of Electrical and Electronics Engineers (IEEE), 2022, p. 26-32Conference paper, Published paper (Refereed)
Abstract [en]

Large-scale onboarding of industrial cyber-physical systems requires efficiency and security. In situations with the dynamic addition of devices, e.g., from subcontractors entering the workplace, automation of the onboarding process is needed. The Eclipse Arrowhead framework, which provides a platform for industrial automation, requires reliable, flexible, and secure device onboarding to local clouds. In this paper, we propose a device onboarding method in the Arrowhead framework using the power of Attorney based authorization. It is an authorization technique that allows users to transfer or subgrant their power to trusted autonomous or semi-autonomous devices to act on their behalf. We present the concepts, implementation of the proposed system, and some performance evaluation results using real-world use cases.

Place, publisher, year, edition, pages
Institute of Electrical and Electronics Engineers (IEEE), 2022
Keywords
Cyber-Physical System (CPS), Internet of Things (IoT), Device onboarding, Power of Attorney (PoA), Arrowhead framework, Public Key Infrastructure (PKI)
National Category
Other Electrical Engineering, Electronic Engineering, Information Engineering
Research subject
Cyber-Physical Systems
Identifiers
urn:nbn:se:ltu:diva-93502 (URN)10.1109/CAMAD55695.2022.9966899 (DOI)000946508900024 ()2-s2.0-85144016480 (Scopus ID)
Conference
27th IEEE International Workshop on Computer-Aided Modeling and Design of Communication Links and Networks (CAMAD), Paris, France, November 2-3, 2022
Note

ISBN för värdpublikation: 978-1-6654-6129-0

Available from: 2022-10-07 Created: 2022-10-07 Last updated: 2024-11-20Bibliographically approved

Open Access in DiVA

fulltext(910 kB)121 downloads
File information
File name FULLTEXT01.pdfFile size 910 kBChecksum SHA-512
098f4c9fe7b4842d51e6dc9b5ffcaa461dcdf09a087fa3549aa165733794b20321161b8c10a47f5e4ce441f3b903ad8064bdc955293b82aa52e8ffab6770120a
Type fulltextMimetype application/pdf

Authority records

Vattaparambil Sudarsan, Sreelakshmi

Search in DiVA

By author/editor
Vattaparambil Sudarsan, Sreelakshmi
By organisation
Embedded Internet Systems Lab
Computer Systems

Search outside of DiVA

GoogleGoogle Scholar
Total: 121 downloads
The number of downloads is the sum of all downloads of full texts. It may include eg previous versions that are now no longer available

isbn
urn-nbn

Altmetric score

isbn
urn-nbn
Total: 1220 hits
CiteExportLink to record
Permanent link

Direct link
Cite
Citation style
  • apa
  • ieee
  • modern-language-association-8th-edition
  • vancouver
  • Other style
More styles
Language
  • de-DE
  • en-GB
  • en-US
  • fi-FI
  • nn-NO
  • nn-NB
  • sv-SE
  • Other locale
More languages
Output format
  • html
  • text
  • asciidoc
  • rtf