Since ancient times, there has been a practice to authorize individuals that we trust. Today, we grant credentials and privileges digitally, making authorization a crucial part of security control and extending its use cases beyond people and web applications. Authorization plays an important role in emerging technologies such as the Internet of Things (IoT) and Cyber-Physical Systems (CPS), and there is a trend toward intelligent devices such as autonomous vehicles that are capable of executing tasks on our behalf.
However, there are challenges in facilitating this evolution. Industrial use cases with many devices, contractors, subcontractors, and other parties need to maintain trust by sub-granting in one or many steps to define a trust chain. Ultimately Industrial CPS and semi-autonomous devices should be authorized to work as agents with defined credentials on behalf of their contractor. This would enable them to function self-sufficiently at a target site or network for a set amount of time.
The scope of this thesis is a new way of authorization known as the Digital Power of Attorneys. Traditionally, Power of Attorney is a legal document that is used for granting a person's authority to a trusted individual to act/work (e.g., running a business) on behalf of the first person. The objective of this thesis is to develop digital Power of Attorney based authorization for Cyber-Physical Systems and the Internet of Things. This technique enables devices (agents) such as autonomous or semi-autonomous devices to work/act on behalf of human beings (principals), even if he/she is not available online.
The literature study includes both academic concepts and industrial authorization solutions, protocols, and standards such as OAuth, UMA, GNAP, and ACE. PoA based authorization is inspired by the concept of proxy signatures by warrants and developed for industrial use, both as stand-alone libs and as extensions to existing standard protocols. The major standards that we propose to be extended with the PoA based authorization are IETF standards OAuth and ACE. In this way, the work in this thesis is highly correlated with the IETF. In addition to the academic papers on PoA based authorization and its applications, this thesis includes IETF Internet-Drafts as part of the standardization process of the PoA based authorization technique.
The development of PoA based authorization technique begins with designing a Proof-of-Concept based on the gaps identified in existing authorization techniques. For implementation in current networks, different ways of providing PoA-based authorization are explored. First, by extending the OAuth protocol as a new OAuth grant type to add the principal entity to the OAuth protocol that can delegate the client. Second, by extension of the ACE framework, which adds a notion of PoA based delegation to ACE. Third, by implementing an open-source library that can be downloaded and used independently by each entity to interpret the PoA. These approaches address the PoA interpretation challenges and enable every entity being part of the process to use and verify PoAs.
This thesis defines the architecture, protocol flow, and PoA structure of the proposed authorization technique and demonstrates its implementation in several use cases such as zero touch-device onboarding and delegation of smart devices in a mining station. Furthermore, possible security threats and vulnerabilities of the proposed system are thoroughly analyzed using different approaches such as threat modeling, risk assessment, and exploiting the system in the context of different attack scenarios.