Multilevel Subgranting by Power of Attorney and OAuth Authorization Server in Cyber–Physical Systems

Abstract

Many Cyber-Physical Systems are today semiautonomous and powerful enough to perform advanced tasks on their own. This means they can also act as representatives of people or devices that have given them an order. However, traditional access control policies and delegation models do not meet industrial requirements such as support for letting autonomous CPS devices act on their own with certified credentials under the sub authorization by subcontractors, without the need for a separate account per device. In this paper, we analyze and compare power of attorney, proxy signature by warrant, and OAuth to identify the strengths and challenges of each. Based on the comparison, we propose an OAuth grant type based on the power of attorney and inspired by the concept of proxy signature by warrant. Power of Attorney is a generic and self-contained document that a principal signs and directs to an agent, thereby providing it the power to execute actions on behalf of the principal for a predefined time, even if it is offline. One key advantage of the power of attorney is that it can support effective sub-granting on several levels to support industrial scenarios where resource owners bring in authorized contractors that can in their turn authorize and bring in several devices without incurring management overhead to the resource owner. A proof-of-concept and performance evaluation of the proposed model is presented using an industrial use-case scenario with multi-level authorization.