JSON Fine Grained Access

Internet-Draft	Network Function Virtualization	February 2024
Zhang, et al.	Expires 30 August 2024	[Page]

Abstract

This document defines a JSON-based fine-grained access (JSON-FA) method, which aims to provide a flexible and easy-to-implement way to achieve fine-grained access control in JSON data.¶

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶

This Internet-Draft will expire on 30 August 2024.¶

Copyright Notice

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶

1. Introduction

With the rapid development of information technology, data has become a core asset for enterprises and organizations. However, frequent occurrences of data breaches and unauthorized accesses have made data security an urgent issue.¶

Traditional access control methods, such as Role-Based Access Control (RBAC) and Attribute-Based Access Control (ABAC), although protecting data security to some extent, gradually show their limitations when dealing with complex and dynamic data access requirements. To address this issue, this paper proposes a JSON-based fine-grained access control method that can be applied to various scenarios such as web services, cloud computing, and the Internet of Things.¶

2. Terminology

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119][RFC8174].¶

JSON, A lightweight data exchange format.¶

RBAC, A popular access control strategy that associates access privileges with specific roles rather than directly with users or user groups.¶

ABAC, A more granular and flexible access control method. In ABAC, access decisions are not only based on the identity or role of the user, but also on various attributes related to the access request.¶

Fine-Grained Access Control, A security mechanism used to precisely control and manage access privileges to system resources.¶

3. Background

Fine-grained access control enables permission control for individual data items or data attributes, providing more precise protection for data. At the same time, the lightweight and easy-to-read/write nature of JSON (JavaScript Object Notation), along with its structured and nested characteristics, facilitates the simple description of complex data structures. The conciseness, readability, and structured nature of JSON make it an ideal choice for describing data structures.¶

This document proposes a JSON-based fine-grained access (JSON-FA) control method that fully utilizes the formatting characteristics of JSON. It describes the attributes of the accessing subject in JSON format,and utilizes the data structure of an access control tree to represent fine-grained access control policies on the resource server side.This approach makes the access control method more flexible, manageable, and extensible. We hope to provide a more flexible, precise, and efficient solution in the field of data security through this method.¶

4. JSON-FA Data Structure

JSON-FA (JSON-based Fine-Grained Access Control) data format is a standardized format used to initiate access requests to access control systems. This format allows clients (such as users or applications) to explicitly specify the resources they wish to access, the operations they intend to perform, and fine-grained access attributes (including identity, role, and other attribute information).¶

4.1. JSON-FA Data Elements

The JSON-FA data structure mainly consists of a JSON object that contains the requested access resources and their fine-grained access conditions, including the following fields:¶

requestId: The identifier of the request.¶
subject: Identifiers representing the access subject.¶
operation: indicates the action identifier of the request body, such as "read", "write", "update", and so on.¶
resource: Indicates the identifier of the accessed resource. Contains a list of information about accessing the resource. The accessed resource object includes the following fields:¶
- resourceType: Describes the type of the resource, such as files, databases, and so on.¶
- attributes: is an object that contains the static attributes of the resource, such as file name, file type, creation date, and so on.¶
condition: Refers to the fine-grained attributes of the access subject, and is an optional field.¶

4.2. JSON-FA Data Structure Example

This example describes the request where User123 submits a request named request123 through an access control server. The request is for read-only access to a specific file named "document.txt". Additionally, when submitting the request, User123 provides fine-grained attributes related to the request, including his role and department.¶

  {
    "requestId": "request23",
    "subject": "user123",
    "operation": "read",
    "resource": {
      "resourceType": "file",
      "attributes": {
        "fileName": "document.txt",
        "fileType": "text/plain"
      }
    }
    "condition": {
      "role": "manager",
      "department": "finance"
    }
  }

5. JSON-FA process flow

In this article, CP-ABE (Ciphertext-Policy Attribute-Based Encryption) is chosen as the encryption algorithm to achieve fine-grained access control. While role-based access control and attribute-based access control can control whether users have access permissions to view data, they do not guarantee the security of the data itself. CP-ABE encrypts the data based on access control policies, meaning that even if an attacker intercepts the ciphertext, they cannot decrypt the file without the corresponding permissions and keys. This ensures the security of the data and makes fine-grained access control more effective.¶

5.1. CP-ABE algorithm

Ciphertext-policy Attribute-Based Encryption (CP-ABE) algorithm allows data owners to define access policies based on the attributes of data receivers. These policies are encrypted within the ciphertext, while the receivers' attributes are encoded in their private keys.?Only receivers with attributes that meet the access policies encrypted in the ciphertext can decrypt and access the original data. This encryption method provides fine-grained access control, providing a balance between data security and flexibility.¶

The CP-ABE algorithm works as follows:¶

Setup: This step takes an implicit security parameter ? as input. It outputs public parameters PK and master key MK.?The public parameters are made available to all, while the master key is kept secret.¶
Encrypt(PK, M, A): Inputs the public parameters PK, a message M, and an access structure A. It encrypts the message M to generate a ciphertext CT. Only data receivers with attributes that meet the access structure can decrypt the message. The access structure A is implicitly contained in the ciphertext.¶
Key Generation(MK, S): Inputs the master key MK and a set of attributes S for the data receiver. It outputs a private key SK. The SK is determined by the attribute set S.¶
Decrypt(PK, CT, SK): Inputs the public parameters PK, the ciphertext CT containing the access structure A, and the private key SK. If the attribute set S meets the access structure A, it decrypts the ciphertext CT and returns the message M.¶

Algorithm Parameters:¶

Security Parameter (?): An input parameter that determines the security level of the algorithm. Typically, a larger value of the security parameter provides higher security, but also increases computational complexity and key length.¶
Public parameters (PK) and Master Key (MK): These two crucial parameters are generated during the initialization phase (Setup). The public parameters PK is public and used for encryption operations, while the master key MK is secret and used to generate private keys for data receivers.¶
Attribute Set (S): Set by the data owner, defining the attributes of the data receiver, which can be their identity, role, permissions, etc.¶
Access Structure (A): Set by the data owner, defining the access control policy that describes the attribute sets which can access the encrypted data. The access structure A is typically represented using an access tree structure, where each node represents an attribute or a set of attributes.¶
Plaintext Message (M): The original data that needs to be encrypted. During the encryption phase, the algorithm uses the Public parameters PK, plaintext message M, and access structure A to generate the ciphertext CT.¶
Ciphertext (CT): The encrypted data.¶
Private Key (SK): Generated based on the data receiver's attributes set S and the master key MK. The private key SK contains the data receiver's attributes and the decryption capabilities associated with those attributes. During the decryption phase, the data receiver uses their own private key to decrypt the ciphertext.¶

5.2. Access Control Process

The client sends authentication information to the server to apply for registration and authorization. The server verifies these information and returns a JWT token.¶
The request sent by the client includes a JWT token, and the payload of the token contains information about the accessing subject, accessed resources, and attributes. This is represented by the data structure mentioned in 5.2.¶
Resource servers set fine-grained access control policies for different resources, which are represented by an Access Control Tree (Access Tree). Each leaf node in the access control tree represents an attribute, while non-leaf nodes are threshold gates/nodes. The data format inside a threshold node is (n, t), indicating that the node has a total of n child nodes, and the node is considered satisfied if at least t child nodes meet the conditions.¶
The access control tree provides a precise and convenient way to control access permissions for different accessing subjects to specific resources based on attributes and access rules. It satisfies complex and changing data access requirements while offering a descriptive format for access control.¶
The resource server validates the authenticity of the token carried in the request. Once the token is validated, the server parses the payload information to extract the accessing subject, accessed resource, access action, and attribute information.¶
Based on the extracted information and the predefined access control policies, the resource server determines whether there is a matching fine-grained access control policy. If a matching policy is found, the server checks if the access conditions are met. If the conditions are satisfied, access is granted; otherwise, access is denied.¶
The resource server encrypts the requested resource using the CP-ABE (Ciphertext-Policy Attribute-Based Encryption) algorithm. The encryption process incorporates the access control policy corresponding to the accessed resource. The encrypted ciphertext is then sent back to the client.¶
The client generates a decryption private key based on the set of attributes included in the request using the CP-ABE (Ciphertext-Policy Attribute-Based Encryption) algorithm. After receiving the encrypted ciphertext, the client verifies that the attributes in the attribute set can satisfy the access control policy. Only if the attributes meet the policy can the client decrypt and access the resource.¶

6. Security Consideration

To ensure the security of JSON-FA, the following points need to be considered:¶

Data encryption: Encrypt the transmitted JSON data to prevent data tampering.¶

Access Control Rule Management: Regularly manage and maintain access control rules to prevent their leakage and tampering.¶

Logging and Auditing: Record all successful and failed authentication attempts, regularly audit and perform security analysis on access control logs to promptly detect and address abnormal access behaviors.¶

7. IANA Considerations

This document has no IANA actions.¶

8. Informative References

[CP-ABE]: Bethencourt, J., Sahai, A., and B. Waters, "Ciphertext-Policy Attribute-Based Encryption", May 2007.
[RFC2119]: Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", March 1997.
[RFC7519]: Jones, M., Bradley, J., and N. Sakimura, "JSON Web Token (JWT)", May 2015, <https://www.rfc-editor.org/info/rfc7519>.
[RFC8174]: Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", May 2017, <https://www.rfc-editor.org/info/rfc8174>.
[RFC8259]: Bray, T., Ed., "The JavaScript Object Notation (JSON) Data Interchange Format", December 2017, <https://www.rfc-editor.org/info/rfc8259>.