JSON Fine Grained Access
draft-zhang-jose-json-fine-grained-access-00

Document Type Active Internet-Draft (individual)
Authors Jinling Zhang, Cheng Jiang, Lingling Ji
Last updated 2024-03-17
jose                                                            J. Zhang
Internet-Draft                                                  C. Jiang
Intended status: Informational                                     L. Ji
Expires: 30 August 2024                                     China Unicom
                                                        27 February 2024

                        JSON Fine Grained Access
              draft-zhang-jose-json-fine-grained-access-00

Abstract

   This document defines a JSON-based fine-grained access (JSON-FA)
   method, which aims to provide a flexible and easy-to-implement way to
   achieve fine-grained access control in JSON data.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 30 August 2024.

Copyright Notice

   Copyright (c) 2024 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (https://trustee.ietf.org/
   license-info) in effect on the date of publication of this document.
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.  Code Components
   extracted from this document must include Revised BSD License text as
   described in Section 4.e of the Trust Legal Provisions and are
   provided without warranty as described in the Revised BSD License.

Zhang, et al.            Expires 30 August 2024                 [Page 1]
Internet-Draft          JSON Fine Grained Access           February 2024

Table of Contents

   1.  Introduction
   2.  Terminology
   3.  Background
   4.  JSON-FA Data Structure
     4.1.  JSON-FA Data Elements
     4.2.  JSON-FA Data Structure Example
   5.  JSON-FA Process Flow
     5.1.  CP-ABE Algorithm
     5.2.  Access Control Process
   6.  Security Considerations
   7.  IANA Considerations
   8.  Informative References
   Authors' Addresses

1.  Introduction

   With the rapid development of information technology, data has become
   a core asset for enterprises and organizations.  However, frequent
   occurrences of data breaches and unauthorized accesses have made data
   security an urgent issue.

   Traditional access control methods, such as Role-Based Access Control
   (RBAC) and Attribute-Based Access Control (ABAC), protect data to
   some extent, but show their limitations when dealing with complex
   and dynamic data access requirements.  To address this, this
   document proposes a JSON-based fine-grained access control method
   that can be applied to scenarios such as web services, cloud
   computing, and the Internet of Things.

2.  Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in
   BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

   JSON, A lightweight data exchange format [RFC8259].

   RBAC, A popular access control strategy that associates access
   privileges with specific roles rather than directly with users or
   user groups.

   ABAC, A more granular and flexible access control method.  In ABAC,
   access decisions are not only based on the identity or role of the
   user, but also on various attributes related to the access request.

   Fine-Grained Access Control, A security mechanism used to precisely
   control and manage access privileges to system resources.

3.  Background

   Fine-grained access control enables permission control for individual
   data items or data attributes, providing more precise protection for
   data.  At the same time, the lightweight and easy-to-read/write
   nature of JSON (JavaScript Object Notation), along with its
   structured and nested characteristics, facilitates the simple
   description of complex data structures.  The conciseness,
   readability, and structured nature of JSON make it an ideal choice
   for describing data structures.

   This document proposes a JSON-based fine-grained access (JSON-FA)
   control method that makes full use of the formatting characteristics
   of JSON.  It describes the attributes of the accessing subject in
   JSON format, and uses an access control tree to represent the fine-
   grained access control policies on the resource server side.  This
   makes the access control method more flexible, manageable, and
   extensible, and aims to provide a more precise and efficient
   solution for data security.

4.  JSON-FA Data Structure

   JSON-FA (JSON-based Fine-Grained Access Control) data format is a
   standardized format used to initiate access requests to access
   control systems.  This format allows clients (such as users or
   applications) to explicitly specify the resources they wish to
   access, the operations they intend to perform, and fine-grained
   access attributes (including identity, role, and other attribute
   information).

4.1.  JSON-FA Data Elements

   The JSON-FA data structure is a JSON object that describes the
   requested access to a resource and the fine-grained attributes of
   the requester.  It contains the following fields:

   *  requestId: The identifier of the request.

   *  subject: The identifier of the accessing subject.

   *  operation: The identifier of the action requested on the
      resource, such as "read", "write", "update", and so on.

   *  resource: An object identifying and describing the accessed
      resource, with the following fields:

      -  resourceType: The type of the resource, such as "file",
         "database", and so on.

      -  attributes: An object containing the static attributes of the
         resource, such as file name, file type, creation date, and so
         on.  The resource server matches these attributes against its
         access control policies.

   *  condition: An optional object carrying the fine-grained
      attributes of the access subject (for example, role and
      department), which are evaluated against the access control
      policy of the resource.

4.2.  JSON-FA Data Structure Example

   This example describes a request with identifier "request123" that
   user "user123" submits to an access control server.  The request is
   for read-only access to a specific file named "document.txt".  With
   the request, user123 supplies fine-grained attributes in the
   optional "condition" object, here the user's role and department.

     {
       "requestId": "request123",
       "subject": "user123",
       "operation": "read",
       "resource": {
         "resourceType": "file",
         "attributes": {
           "fileName": "document.txt",
           "fileType": "text/plain"
         }
       },
       "condition": {
         "role": "manager",
         "department": "finance"
       }
     }
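
   The following is an added example, not code from the draft: a
   validating parser in Python for the request object of Section 4.1.
   It requires the fields and JSON types listed there, treats
   "condition" as optional, and fails closed on anything else, so a
   malformed or partially formed request never reaches policy
   evaluation.  The "name:value" encoding used by attribute_set() to
   turn the condition object into an attribute set for the CP-ABE and
   access-tree steps, and the sample inputs, are assumptions of this
   example, not something the draft specifies.

```python
# Added example (not part of the draft): a validating parser for the
# JSON-FA request object of Section 4.1.  Field names follow the draft;
# the "name:value" attribute encoding in attribute_set() and the sample
# requests below are assumptions made for this example.
import json

# Required top-level fields and their JSON types (Section 4.1).
REQUIRED = {"requestId": str, "subject": str, "operation": str, "resource": dict}
# Required fields inside the resource object.
RESOURCE_REQUIRED = {"resourceType": str, "attributes": dict}


class JsonFaError(ValueError):
    """Raised for any structural problem; the caller should deny the request."""


def _check_fields(obj, spec, where):
    """Require every field in spec to be present with the expected JSON type."""
    for name, typ in spec.items():
        if name not in obj:
            raise JsonFaError(f"{where}: missing required field {name!r}")
        if not isinstance(obj[name], typ):
            raise JsonFaError(f"{where}: field {name!r} must be {typ.__name__}")


def parse_json_fa(text):
    """Parse and validate a JSON-FA request; return the request dict.

    Fails closed: anything that is not the structure of Section 4.1
    raises JsonFaError instead of being silently tolerated.
    """
    try:
        req = json.loads(text)
    except json.JSONDecodeError as exc:
        raise JsonFaError(f"not valid JSON: {exc}") from None
    if not isinstance(req, dict):
        raise JsonFaError("top level must be a JSON object")
    _check_fields(req, REQUIRED, "request")
    for name in ("requestId", "subject", "operation"):
        if not req[name]:
            raise JsonFaError(f"request: field {name!r} must be non-empty")
    _check_fields(req["resource"], RESOURCE_REQUIRED, "resource")
    # "condition" is optional; when present it must be a flat object of strings.
    cond = req.get("condition", {})
    if not isinstance(cond, dict):
        raise JsonFaError("request: condition must be a JSON object when present")
    for key, value in cond.items():
        if not isinstance(value, str) or not value:
            raise JsonFaError(f"condition: attribute {key!r} must be a non-empty string")
    return req


def is_valid_json_fa(text):
    """True if parse_json_fa accepts the text, False on any JsonFaError."""
    try:
        parse_json_fa(text)
        return True
    except JsonFaError:
        return False


def attribute_set(req):
    """Flatten the condition object into the attribute set S used by CP-ABE
    key generation and access-tree evaluation, as "name:value" strings
    (an encoding assumed by this example, not specified by the draft)."""
    return {f"{k}:{v}" for k, v in req.get("condition", {}).items()}


# Constructed sample: the Section 4.2 request, as valid JSON.
SAMPLE_REQUEST = """{
  "requestId": "request123",
  "subject": "user123",
  "operation": "read",
  "resource": {
    "resourceType": "file",
    "attributes": {"fileName": "document.txt", "fileType": "text/plain"}
  },
  "condition": {"role": "manager", "department": "finance"}
}"""

# Constructed sample: the same request with the comma after the resource
# object dropped; json.loads rejects it, so it never reaches policy evaluation.
MALFORMED_REQUEST = SAMPLE_REQUEST.replace('},\n  "condition"', '}\n  "condition"')


if __name__ == "__main__":
    req = parse_json_fa(SAMPLE_REQUEST)
    print(req["subject"], req["operation"], sorted(attribute_set(req)))
    print("malformed accepted:", is_valid_json_fa(MALFORMED_REQUEST))
```

   Note that the parser does not restrict "operation" to a fixed list,
   since the draft leaves the set open ("read", "write", "update", and
   so on); a deployment should pass only operations its policies know
   about on to the access tree.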

5.  JSON-FA Process Flow

   In this document, CP-ABE (Ciphertext-Policy Attribute-Based
   Encryption) [CP-ABE] is chosen as the encryption algorithm to achieve
   fine-grained access control.  While role-based and attribute-based
   access control can decide whether a user is permitted to view data,
   they do not protect the data itself once it leaves the policy
   enforcement point.  CP-ABE encrypts the data under the access control
   policy, so that even an attacker who intercepts the ciphertext cannot
   decrypt it without a private key whose attributes satisfy the policy.
   This protects the data itself and makes fine-grained access control
   more effective.

5.1.  CP-ABE Algorithm

   The Ciphertext-Policy Attribute-Based Encryption (CP-ABE) algorithm
   [CP-ABE] allows data owners to define access policies over the
   attributes of data receivers.  The policy is embedded in the
   ciphertext (the policy itself is not secret), while the receivers'
   attributes are encoded in their private keys.  Only receivers whose
   attributes satisfy the access policy embedded in the ciphertext can
   decrypt and recover the original data.  This encryption method
   provides fine-grained access control, balancing data security and
   flexibility.

   The CP-ABE algorithm works as follows:

   1.  Setup: This step takes an implicit security parameter λ as input.
       It outputs public parameters PK and master key MK.  The public
       parameters are made available to all, while the master key is
       kept secret.

   2.  Encrypt(PK, M, A): Inputs the public parameters PK, a message M,
       and an access structure A.  It encrypts the message M to generate
       a ciphertext CT.  Only data receivers with attributes that meet
       the access structure can decrypt the message.  The access
       structure A is implicitly contained in the ciphertext.

   3.  Key Generation(MK, S): Inputs the master key MK and a set of
       attributes S for the data receiver.  It outputs a private key SK.
       The SK is determined by the attribute set S.

   4.  Decrypt(PK, CT, SK): Inputs the public parameters PK, the
       ciphertext CT containing the access structure A, and the private
       key SK.  If the attribute set S meets the access structure A, it
       decrypts the ciphertext CT and returns the message M.

   Algorithm Parameters:

   1.  Security Parameter (λ): An input parameter that determines the
       security level of the algorithm.  Typically, a larger value of
       the security parameter provides higher security, but also
       increases computational complexity and key length.

   2.  Public Parameters (PK) and Master Key (MK): These two crucial
       parameters are generated during the initialization phase (Setup).
       The public parameters PK are public and used for encryption
       operations, while the master key MK is secret and used to
       generate private keys for data receivers.

   3.  Attribute Set (S): The attributes of a data receiver, such as
       its identity, role, or department.  S is assigned by the
       authority that holds MK when it issues the receiver's private
       key, not chosen by the receiver.

   4.  Access Structure (A): Set by the data owner, defining the access
       control policy that describes the attribute sets which can access
       the encrypted data.  The access structure A is typically
       represented using an access tree structure, where each node
       represents an attribute or a set of attributes.

   5.  Plaintext Message (M): The original data that needs to be
       encrypted.  During the encryption phase, the algorithm uses the
       Public parameters PK, plaintext message M, and access structure A
       to generate the ciphertext CT.

   6.  Ciphertext (CT): The encrypted data.

   7.  Private Key (SK): Generated based on the data receiver's
       attributes set S and the master key MK.  The private key SK
       contains the data receiver's attributes and the decryption
       capabilities associated with those attributes.  During the
       decryption phase, the data receiver uses their own private key to
       decrypt the ciphertext.

5.2.  Access Control Process

   1.  The client sends authentication information to the server to
       register and obtain authorization.  The server verifies this
       information and returns a JWT [RFC7519].

   2.  Each request sent by the client carries the JWT.  The token
       payload contains the accessing subject, the accessed resource,
       the operation, and the subject's attributes, represented by the
       JSON-FA data structure defined in Section 4.  Because the server
       issued and signed the token, these attributes are server-
       attested claims rather than values the client can set freely.

   3.  Resource servers set fine-grained access control policies for
       different resources, represented by an Access Control Tree
       (Access Tree).  Each leaf node of the tree represents an
       attribute, and each non-leaf node is a threshold gate.  A
       threshold node is written (n, t), meaning that the node has n
       child nodes and is satisfied if at least t of them are
       satisfied; an AND gate is therefore (n, n) and an OR gate is
       (n, 1).

   4.  The access control tree provides a precise and convenient way to
       control access permissions for different accessing subjects to
       specific resources based on attributes and access rules.  It
       satisfies complex and changing data access requirements while
       offering a descriptive format for access control.

   5.  The resource server validates the authenticity of the token
       carried in the request (signature, issuer, and expiry).  Once
       the token is validated, the server parses the payload to extract
       the accessing subject, accessed resource, operation, and
       attribute information.

   6.  Based on the extracted information and the predefined access
       control policies, the resource server looks for a fine-grained
       access control policy matching the resource and operation.  If
       no policy matches, or the subject's attributes do not satisfy
       the access tree of the matching policy, access is denied;
       otherwise, access is granted.

   7.  The resource server encrypts the requested resource using CP-ABE
       [CP-ABE], with the access control policy of the resource as the
       access structure A.  The resulting ciphertext is sent back to
       the client.

   8.  The client holds a CP-ABE private key SK for its attribute set
       S, issued by the holder of the master key MK through Key
       Generation(MK, S) (Section 5.1).  The client cannot generate
       this key itself, since a client able to mint keys for arbitrary
       attribute sets could decrypt every ciphertext.  After receiving
       the ciphertext, the client checks that the attributes in S
       satisfy the access structure A carried in the ciphertext; only
       then can it decrypt and access the resource.
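
   The following added example (not the draft's code and not a CP-ABE
   library) implements the access tree of step 3 with (n, t) threshold
   gates, the satisfaction check of step 6, and the secret sharing over
   that tree by which CP-ABE [CP-ABE] embeds the access structure A in
   the ciphertext (Section 5.1): during encryption each gate splits its
   secret with a random polynomial of degree t-1, and during decryption
   a key holding attributes for any t satisfied children interpolates
   the secret back.  It runs over a plain prime field in Python; the
   bilinear-pairing operations that bind the recovered secret to the
   message M are not included, so this is the access-structure layer of
   CP-ABE, not an encryption scheme.  The "name:value" attribute
   encoding, the JSON encoding of the policy, the field modulus and the
   sample policy are assumptions made here.

```python
# Added example, not part of the draft or of any CP-ABE implementation:
# the (n, t) threshold access tree of Section 5.2 and the secret sharing
# over it that BSW07 CP-ABE uses to embed the access structure A in CT.
# Plain prime-field arithmetic only; the pairing steps of CP-ABE are omitted.
import secrets

P = 2**127 - 1  # field modulus chosen for the example (a Mersenne prime)


class Leaf:
    """Leaf node: satisfied when the subject holds this "name:value" attribute."""
    def __init__(self, attr):
        self.attr = attr


class Gate:
    """Threshold gate (n, t): satisfied when at least t of its n children are.
    (n, n) is an AND gate and (n, 1) an OR gate."""
    def __init__(self, t, children):
        if not 1 <= t <= len(children):
            raise ValueError("threshold must satisfy 1 <= t <= n")
        self.t, self.children = t, children

    @property
    def n(self):
        return len(self.children)


def from_policy(obj):
    """Build a tree from a JSON-style policy (encoding assumed by this example):
    {"t": 2, "children": [{"attr": "department:finance"}, {...}]}"""
    if "attr" in obj:
        return Leaf(obj["attr"])
    return Gate(obj["t"], [from_policy(c) for c in obj["children"]])


def satisfies(node, attrs):
    """Authorization check of Section 5.2 step 6: do attrs satisfy the tree?"""
    if isinstance(node, Leaf):
        return node.attr in attrs
    return sum(satisfies(c, attrs) for c in node.children) >= node.t


def _lagrange_at_zero(points):
    """Recover q(0) of a degree t-1 polynomial from t points (x, y) over GF(P)."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * xj % P
                den = den * (xj - xi) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total


def share(node, secret, out=None):
    """Encrypt side: every gate x picks a random polynomial q_x of degree t-1
    with q_x(0) = its secret and hands child i the value q_x(i).  Leaves end
    up with the shares from which CP-ABE builds the per-attribute ciphertext
    components.  Returns {leaf: share}."""
    if out is None:
        out = {}
    if isinstance(node, Leaf):
        out[node] = secret
        return out
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(node.t - 1)]
    for i, child in enumerate(node.children, start=1):
        share(child, sum(c * pow(i, k, P) for k, c in enumerate(coeffs)) % P, out)
    return out


def reconstruct(node, attrs, shares):
    """Decrypt side: a leaf yields its share only if the key holds its
    attribute; a gate interpolates from any t satisfied children.  Returns
    the node's secret, or None when attrs do not satisfy the subtree."""
    if isinstance(node, Leaf):
        return shares[node] if node.attr in attrs else None
    points = []
    for i, child in enumerate(node.children, start=1):
        y = reconstruct(child, attrs, shares)
        if y is not None:
            points.append((i, y))
            if len(points) == node.t:
                break
    return _lagrange_at_zero(points) if len(points) == node.t else None


# Constructed policy: department:finance AND (role:manager OR role:auditor).
POLICY = {"t": 2, "children": [
    {"attr": "department:finance"},
    {"t": 1, "children": [{"attr": "role:manager"}, {"attr": "role:auditor"}]},
]}


def demo(attrs, secret=0x1234):
    """Share `secret` under POLICY and try to recover it with `attrs`.
    Returns (policy_satisfied, recovered_secret_or_None)."""
    tree = from_policy(POLICY)
    return satisfies(tree, attrs), reconstruct(tree, attrs, share(tree, secret))


if __name__ == "__main__":
    print(demo({"department:finance", "role:manager"}))  # (True, 4660)
    print(demo({"department:finance", "role:auditor"}))  # (True, 4660)
    print(demo({"role:manager", "department:sales"}))    # (False, None)
```

   The point to notice is that satisfies() and reconstruct() agree: a
   key whose attributes fail the tree gets no secret at all, not a
   wrong one, which is what lets step 8's client-side check and the
   actual decryption be the same test.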

6.  Security Considerations

   To ensure the security of JSON-FA, the following points need to be
   considered:

   Data protection in transit: Encrypting the transmitted JSON data
   (for example, with TLS) protects its confidentiality but does not by
   itself prevent tampering.  The JWT that carries the JSON-FA request
   needs to be signed so that the subject, operation, resource, and
   condition fields cannot be altered by the client or by an on-path
   attacker, and the resource server needs to verify the signature,
   issuer, and expiry before evaluating any policy.

   Access Control Rule Management: Regularly manage and maintain access
   control rules, and protect them against leakage and tampering, since
   an altered access tree changes both the authorization decision and
   the CP-ABE access structure under which the data is encrypted.

   Key Management: The CP-ABE master key MK must be kept secret by the
   key authority, as anyone holding it can generate private keys for
   arbitrary attribute sets and thus decrypt every ciphertext.

   Logging and Auditing: Record all successful and failed authentication
   attempts and authorization decisions, and regularly audit and perform
   security analysis on access control logs to promptly detect and
   address abnormal access behaviors.
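
   As an added example (not from the draft), the following Python code
   issues and verifies the HS256 JWT [RFC7519] of Section 5.2 using
   only the standard library, with the JSON-FA request as the payload.
   It shows the integrity point above: a verifier that pins the
   algorithm and checks signature, issuer and expiry before trusting any
   payload field rejects a token whose "condition" claim has been
   rewritten, something transport encryption alone would not catch.
   The key, issuer URL, claim names outside the JSON-FA fields ("iss",
   "iat", "exp") and the sample request are constructed for the
   example.

```python
# Added example, not from the draft: HS256 JWT issue/verify in the standard
# library, with the JSON-FA request as the payload.  Key, issuer and sample
# request below are constructed for the example.
import base64
import hashlib
import hmac
import json
import time


class TokenError(Exception):
    """Any verification failure; the resource server denies the request."""


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json_bytes(obj):
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()


def issue_token(key, json_fa, issuer, ttl, now=None):
    """Authorization server (step 1): bind the JSON-FA structure, issuer and
    expiry to a signature so the client cannot change its own attributes."""
    now = int(time.time()) if now is None else now
    header = _b64url(_json_bytes({"alg": "HS256", "typ": "JWT"}))
    payload = _b64url(_json_bytes(dict(json_fa, iss=issuer, iat=now, exp=now + ttl)))
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(key, token, issuer, now=None):
    """Resource server (step 5): check alg, signature, issuer and expiry before
    any payload field is used for policy evaluation.  Returns the payload."""
    now = int(time.time()) if now is None else now
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(_b64url_decode(h64))
        signature = _b64url_decode(s64)
    except ValueError:
        raise TokenError("malformed token") from None
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise TokenError("unsupported alg")  # pin the algorithm; never honour "none"
    expected = hmac.new(key, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise TokenError("bad signature")
    try:
        payload = json.loads(_b64url_decode(p64))
    except ValueError:
        raise TokenError("malformed payload") from None
    if not isinstance(payload, dict) or payload.get("iss") != issuer:
        raise TokenError("wrong issuer")
    if not isinstance(payload.get("exp"), int) or payload["exp"] <= now:
        raise TokenError("expired")
    return payload


def tamper_condition(token, new_condition):
    """Attacker's move: rewrite the condition claim and keep the old signature."""
    h64, p64, s64 = token.split(".")
    payload = json.loads(_b64url_decode(p64))
    payload["condition"] = new_condition
    return f"{h64}.{_b64url(_json_bytes(payload))}.{s64}"


def is_accepted(key, token, issuer, now=None):
    """True if verify_token accepts the token, False on any TokenError."""
    try:
        verify_token(key, token, issuer, now)
        return True
    except TokenError:
        return False


KEY = b"example-hmac-key-not-for-production"   # constructed
ISSUER = "https://auth.example"                  # constructed
REQUEST = {                                      # the Section 4.2 request
    "requestId": "request123", "subject": "user123", "operation": "read",
    "resource": {"resourceType": "file", "attributes": {"fileName": "document.txt"}},
    "condition": {"role": "manager", "department": "finance"},
}

if __name__ == "__main__":
    tok = issue_token(KEY, REQUEST, ISSUER, ttl=300, now=1_700_000_000)
    print(is_accepted(KEY, tok, ISSUER, now=1_700_000_100))  # True
    forged = tamper_condition(tok, {"role": "admin", "department": "finance"})
    print(is_accepted(KEY, forged, ISSUER, now=1_700_000_100))  # False
```

   A shared HMAC key is the simplest case; if the authorization server
   and resource servers are different parties, an asymmetric JWS
   algorithm is the usual choice so that resource servers can verify
   without being able to mint tokens.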

7.  IANA Considerations

   This document has no IANA actions.

8.  Informative References

   [CP-ABE]   Bethencourt, J., Sahai, A., and B. Waters, "Ciphertext-
              Policy Attribute-Based Encryption", Proceedings of the
              2007 IEEE Symposium on Security and Privacy (SP '07),
              May 2007.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997,
              <https://www.rfc-editor.org/info/rfc2119>.

   [RFC7519]  Jones, M., Bradley, J., and N. Sakimura, "JSON Web Token
              (JWT)", RFC 7519, May 2015,
              <https://www.rfc-editor.org/info/rfc7519>.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, May 2017,
              <https://www.rfc-editor.org/info/rfc8174>.

   [RFC8259]  Bray, T., Ed., "The JavaScript Object Notation (JSON) Data
              Interchange Format", STD 90, RFC 8259, December 2017,
              <https://www.rfc-editor.org/info/rfc8259>.

Authors' Addresses

   Jinling Zhang
   China Unicom
   Beijing
   100176
   China
   Email: 904631019@qq.com

   Cheng Jiang
   China Unicom
   Beijing
   100176
   China
   Email: jiangc12@chinaunicom.cn

   Lingling Ji
   China Unicom
   Beijing
   100176
   China
   Email: jill32@chinaunicom.cn
