Abstract
Web services often decide whether to grant a requesting entity access to their resources based on that entity's credentials, which may not always be available from a single authority. More commonly, the credentials need to be verified by multiple external sources in a decentralized manner. Such an architecture is also more robust against security and privacy attacks than a centralized system. However, it is imperative that authorization by the independent sources be carried out in a transparent and verifiable manner. In this paper, we propose a method for decentralized authorization using the Ethereum blockchain. We take the underlying authorization model to be Attribute-Based Access Control (ABAC); hence, the credentials to be verified are the attributes of the users making access requests to the web service. In ABAC, a user is granted or denied access to an object based on her attributes and those of the requested object, evaluated against a set of rules (the ABAC policy). We use a public blockchain, namely Ethereum, for transparent authorization of attributes by multiple sources, which allows the web service to take an access decision. This ensures that the authorization data is immutable and helps build trust among users, web service providers and attribute-certifying authorities. We have built a prototype implementation of the proposed architecture on the Rinkeby Ethereum test network. Extensive experiments show its scalability in realistic scenarios.
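The following is an added illustration of the idea in the abstract, not code from the paper: attribute attestations from several independent authorities are kept in an append-only ledger (a plain in-memory list standing in for the on-chain record), and the web service evaluates an ABAC policy only over attributes that a trusted authority has attested. All authority, subject and attribute names are constructed sample data.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Attestation:
    authority: str   # attribute-certifying authority vouching for the value
    subject: str     # user or object the attribute belongs to
    attribute: str
    value: str


class AttestationLedger:
    """Append-only log standing in for the on-chain record: entries can be
    added but never edited or removed (constructed stand-in, not the paper's contract)."""
    def __init__(self) -> None:
        self._entries: List[Attestation] = []

    def record(self, att: Attestation) -> None:
        self._entries.append(att)

    def attributes_of(self, subject: str, trusted: Dict[str, Set[str]]) -> Dict[str, str]:
        # Only attestations from an authority trusted for that attribute count;
        # a later attestation by a trusted authority overrides an earlier one.
        attrs: Dict[str, str] = {}
        for att in self._entries:
            if att.subject == subject and att.authority in trusted.get(att.attribute, set()):
                attrs[att.attribute] = att.value
        return attrs


# One ABAC rule: required user attributes and required object attributes -> permit.
Rule = Tuple[Dict[str, str], Dict[str, str]]


def decide(ledger: AttestationLedger, trusted: Dict[str, Set[str]],
           policy: List[Rule], user: str, obj: str) -> bool:
    """Web service's decision: permit only if some rule is met by attested attributes."""
    u, o = ledger.attributes_of(user, trusted), ledger.attributes_of(obj, trusted)
    return any(all(u.get(k) == v for k, v in need_u.items())
               and all(o.get(k) == v for k, v in need_o.items())
               for need_u, need_o in policy)


def demo() -> Dict[str, bool]:
    # Constructed sample data: which authority is trusted for which attribute.
    trusted = {"role": {"hospital"}, "clearance": {"regulator"}, "classification": {"data-owner"}}
    ledger = AttestationLedger()
    ledger.record(Attestation("hospital", "alice", "role", "doctor"))
    ledger.record(Attestation("regulator", "alice", "clearance", "secret"))
    ledger.record(Attestation("hospital", "bob", "role", "doctor"))
    ledger.record(Attestation("bob", "bob", "clearance", "secret"))  # self-asserted: ignored
    ledger.record(Attestation("data-owner", "record1", "classification", "secret"))
    policy = [({"role": "doctor", "clearance": "secret"}, {"classification": "secret"})]
    return {"alice": decide(ledger, trusted, policy, "alice", "record1"),
            "bob": decide(ledger, trusted, policy, "bob", "record1")}
```

Bob is denied because his clearance was asserted by himself rather than by the authority trusted for that attribute, which is the check the decentralized attestation record exists to make verifiable.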
Acknowledgments
The work of Shamik Sural is supported by CISCO University Research Program Fund, Silicon Valley Community Foundation under award number 2020–220329 (3696).
Copyright information
© 2022 Springer Nature Switzerland AG
Cite this paper
Varun, M., Vasishta, M.V.A., Palanisamy, B., Sural, S. (2022). Decentralized Authorization in Web Services Using Public Blockchain. In: Lee, K., Zhang, L.-J. (eds) Blockchain – ICBC 2021. ICBC 2021. Lecture Notes in Computer Science, vol. 12991. Springer, Cham. https://doi.org/10.1007/978-3-030-96527-3_3
DOI: https://doi.org/10.1007/978-3-030-96527-3_3
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-96526-6
Online ISBN: 978-3-030-96527-3