Recursive Augmented Fernet (RAF) Token: Alleviating the Pain of Stolen Tokens
CoRR (2023)
Abstract
A robust authentication and authorization mechanism is imperative in modular
system development, where modularity and modular thinking are pivotal.
Traditional systems often employ identity modules responsible for
authentication and token issuance. Tokens, representing user credentials, offer
advantages such as reduced reliance on passwords, limited lifespan, and scoped
access. Despite these benefits, the "bearer token" problem persists, leaving
systems vulnerable to abuse if tokens are compromised. We propose a token-based
authentication mechanism addressing modular systems' critical bearer token
problem. The proposed mechanism includes a novel RAF (Recursive Augmented
Fernet) token, a blacklist component, and a policy enforcer component. RAF
tokens are one-time-use tokens, like tickets. They carry commands, and the
receiver of an RAF token can issue new tokens using the received RAF token. The
blacklist component guarantees an RAF token cannot be approved more than once,
and the policy enforcer checks the compatibility of commands carried by an RAF
token. We introduce two variations of RAF tokens: User-tied RAF, offering
simplicity and compatibility, and Fully-tied RAF, providing enhanced security
through service-specific secret keys. We thoroughly discuss the security
guarantees, technical definitions, and construction of RAF tokens backed by
game-based proofs. We demonstrate a proof of concept in the context of
OpenStack, involving modifications to Keystone and creating an RAFT library.
The experimental results reveal minimal overhead in typical scenarios,
establishing the practicality and effectiveness of RAF. Our experiments show
that the RAF mechanism beats the idea of using short-life Fernet tokens while
providing much better security.
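The one-time-use, command-carrying, recursively issued token described above, as an added illustrative model (not the paper's construction or the RAFT library): HMAC-SHA256 stands in for Fernet because the standard library has no AES, and the key, policy table and command names are constructed for the demo.

```python
import base64, hashlib, hmac, json, os

# Constructed demo key. In the paper the secret sits with the identity service
# (User-tied RAF) or with each service (Fully-tied RAF); here one key is shared.
SECRET = os.urandom(32)
# Constructed policy table: which commands a receiver may put in a derived token.
POLICY = {"list_servers": {"get_image"}, "get_image": set()}

def sign_token(payload: bytes) -> str:
    # HMAC-SHA256 in place of Fernet's encrypt-then-MAC; bearer semantics are the same.
    tag = hmac.new(SECRET, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + tag).decode()

def open_token(token: str) -> dict:
    raw = base64.urlsafe_b64decode(token)
    payload, tag = raw[:-32], raw[-32:]
    expected = hmac.new(SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("bad signature")
    return json.loads(payload)

def issue(user: str, cmd: str, parent=None) -> str:
    # Every token carries exactly one command and a fresh id; a derived token
    # also records its parent's id, so the delegation chain can be audited.
    body = {"id": os.urandom(8).hex(), "user": user, "cmd": cmd,
            "parent": parent["id"] if parent else None}
    return sign_token(json.dumps(body, sort_keys=True).encode())

def derive(received: str, cmd: str) -> str:
    # The receiver of a valid token may issue a new one, but the policy enforcer
    # only allows commands compatible with the command it received.
    parent = open_token(received)
    if cmd not in POLICY.get(parent["cmd"], set()):
        raise PermissionError(f"{cmd!r} not allowed under {parent['cmd']!r}")
    return issue(parent["user"], cmd, parent)

class Approver:
    """Approves each token at most once: the blacklist component."""
    def __init__(self):
        self.blacklist = set()

    def approve(self, token: str, expected_cmd: str) -> dict:
        body = open_token(token)
        if body["id"] in self.blacklist:
            raise PermissionError("token already used")   # replay of a stolen token
        if body["cmd"] != expected_cmd:
            raise PermissionError("command mismatch")     # token presented to wrong service
        self.blacklist.add(body["id"])
        return body
```

A stolen token is only useful until its first approval, and even then only for the single command it carries; a production blacklist would be shared and expire entries with the token lifetime.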