Abstract
One of the challenges of cloud computing is ensuring secure access to data and resources. Identity Management Systems (IMS), which enable organizations to handle user identities, authentication, and authorization, are commonly employed to tackle this issue. Whilst OAuth 2.0, SAML, and OpenID Connect are typically used in web applications, the Secure Production Identity Framework for Everyone (SPIFFE) is today one of the many open source IMS for cloud environments. The reason is that SPIFFE provides a secure and standardized attestation framework for authenticating cloud workloads from the moment they are instantiated. Our work extends SPIFFE's capabilities, allowing the identification not only of the workload making a request, but also of the user behind that request. For this purpose, we design a new credential called Delegated Assertion SVID (DVID), describe a proof-of-concept implementation, and benchmark some baseline scenarios.
Acknowledgements
This work was supported by Hewlett Packard Enterprise (HPE), and in part by the Brazilian CNPq (grants PQ 304643/2020-3 and 311245/2021-8), FAPESP (grant 2020/09850-0), and CAPES (Finance Code 001). Special thanks for the discussions and contributions to the work: Adriane Cardozo (HPE), Andrew Harding (VMware), Caio Milfont (HPE), Eugene Weiss (Sentima), Evan Gilman (SPIRL), João Ambrosi (HPE), and Yogi Porla (Stealth Startup). This work was funded by FAPESC, UDESC, USP and developed at LabP2D/LARC.
© 2024 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this paper
Cite this paper
Jessup, A. et al. (2024). DVID: Adding Delegated Authentication to SPIFFE Trusted Domains. In: Barolli, L. (eds) Advanced Information Networking and Applications. AINA 2024. Lecture Notes on Data Engineering and Communications Technologies, vol 202. Springer, Cham. https://doi.org/10.1007/978-3-031-57916-5_25
DOI: https://doi.org/10.1007/978-3-031-57916-5_25
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-57915-8
Online ISBN: 978-3-031-57916-5
eBook Packages: Intelligent Technologies and Robotics (R0)