Macaroons (computer science)
In computer security, a macaroon is an authorization credential that supports decentralized delegation between principals.[1]
Macaroons are used in a variety of systems, including the Ubuntu Snappy package manager,[2] the HyperDex data store,[3][4] the Matrix communication protocol, and the Python Package Index.[5]
Claims
A macaroon is composed of a series of "caveats", each of which further restricts what the holder may do; for example:
- may upload files to /user/A/ (issued by server)
- only to /user/A/album/123 (derived by A)
- only GIFs, up to 1MB (derived by B)
- until noon today (derived by C)
The macaroon model does not specify a language for these caveats; the original paper proposes a model of subjects and rights, but the details are left to individual implementations. What the model does fix is the mechanism: each caveat is folded into the token's HMAC signature (the new signature is HMAC(previous signature, caveat)), so any holder can append a caveat to narrow the token, but no caveat can be removed without the issuer's root key.[1]
Related technologies
Macaroons overlap in purpose with JSON Web Tokens and with public-key certificates, but differ from both in ways that matter for deployment.
Compared to JSON Web Token (JWT):
- The holder of a macaroon can derive a sub-macaroon with narrower authority by appending caveats, without contacting the issuer; a JWT's claims are fixed when it is signed and can only be changed by re-issuing it with the signing key.
- A macaroon carries every caveat verbatim, so it grows with each delegation and is usually longer than a comparable JWT.
- A macaroon is comparable to a signed JWT (JWS) with an HMAC signature; there is no counterpart to an encrypted JWT (JWE), so the caveats are readable by anyone who holds the token.
Compared to certificates:
- Macaroons rest on a symmetric model: the issuer and the verifier share the root key, and the chain is built from HMACs. Certificates rest on asymmetric signatures that anyone holding the public key can verify.
- Macaroons are computationally cheaper and need only a keyed hash (HMAC), not public-key primitives.
- A macaroon is a bearer credential: presenting it hands the verifying server the whole token, which that server could replay elsewhere for as long as the token stays valid, so the server must be trusted. The usual mitigation is to attenuate before presenting, for example by adding a short expiry or a caveat binding the token to that server. A certificate holder instead proves possession by signing a challenge with a private key that is never sent, so communication with untrusted servers is less risky.
Invalidation
Because every macaroon derived from one issuance verifies against the same root key, implementations must decide how revocation works: discarding or rotating the root key (the server's secret) invalidates the entire tree at once, whereas revoking individual macaroons requires the verifier to keep a denylist, much as with time-bound JWTs. Short expiry caveats, added before a macaroon is handed on, bound the exposure in either case.
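The caveat chaining described under Claims and the revocation choice described in the paragraph above, as an added example that is not part of the original article, the paper or any macaroon library: a toy first-party macaroon issuer and verifier in Python over HMAC-SHA256. The caveat syntax (`attr op value` with `=`, `^=` and `<`), the request attributes, the `https://photos.example` location and the scenario names are assumptions made for this example, and third-party caveats are left out. The demo replays the article's server, A, B, C delegation chain, shows that a token with a caveat stripped or a token chained from the wrong key fails verification, and revokes the whole tree by discarding its root key.

```python
"""Toy first-party macaroons (mint, attenuate, verify, revoke) over HMAC-SHA256.
Added example for this article; not code from the paper or from any library."""
import hashlib, hmac, re, secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, List

def _hmac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

@dataclass
class Macaroon:
    location: str                  # usage hint; not covered by the signature
    identifier: bytes              # public; lets the server look up the root key
    caveats: List[bytes] = field(default_factory=list)
    signature: bytes = b""

    def add_first_party_caveat(self, predicate: str) -> "Macaroon":
        """Narrower copy with sig := HMAC(sig, caveat). Any holder can append a
        caveat; removing one would mean recomputing the chain from the root key."""
        cav = predicate.encode()
        return Macaroon(self.location, self.identifier, self.caveats + [cav], _hmac(self.signature, cav))

# Caveat language assumed for this example: "<attr> <op> <value>" with ops = (exact),
# ^= (prefix) and < (numeric when both sides are integers, else lexical, which orders ISO-8601 times).
_PRED = re.compile(r"^(\w+)\s*(\^=|=|<)\s*(.+)$")

def make_checker(request: Dict[str, str]) -> Callable[[str], bool]:
    """Predicate evaluator over the attributes of one request; fails closed."""
    def check(predicate: str) -> bool:
        m = _PRED.match(predicate)
        actual = request.get(m.group(1)) if m else None
        if actual is None:
            return False                       # unknown syntax or attribute: deny
        op, value = m.group(2), m.group(3).strip()
        if op == "=":
            return actual == value
        if op == "^=":
            return actual.startswith(value)
        try:
            return int(actual) < int(value)
        except ValueError:
            return actual < value
    return check

class MacaroonServer:
    """Issuer and verifier. One random root key per issuance, looked up by the public
    identifier; deleting that key invalidates the whole tree derived from it."""
    def __init__(self, location: str):
        self.location = location
        self.root_keys: Dict[bytes, bytes] = {}

    def mint(self, scope: str) -> Macaroon:
        ident, root_key = secrets.token_bytes(16), secrets.token_bytes(32)
        self.root_keys[ident] = root_key
        return Macaroon(self.location, ident, [], _hmac(root_key, ident)).add_first_party_caveat(scope)

    def revoke(self, m: Macaroon) -> None:
        # Revoking the root key kills every derivation at once. A denylist keyed on
        # signatures would not: appending one more caveat yields a fresh signature.
        self.root_keys.pop(m.identifier, None)

    def authorize(self, m: Macaroon, request: Dict[str, str]) -> bool:
        root_key = self.root_keys.get(m.identifier)
        if root_key is None:
            return False                       # unknown or revoked identifier
        check = make_checker(request)
        sig = _hmac(root_key, m.identifier)
        for cav in m.caveats:                  # each caveat must hold AND be in the chain
            if not check(cav.decode()):
                return False
            sig = _hmac(sig, cav)
        return hmac.compare_digest(sig, m.signature)

def demo() -> Dict[str, bool]:
    """Replay the article's chain (server -> A -> B -> C), two attacks a verifier
    must reject, and revocation at the root. Returns the outcome per scenario."""
    server = MacaroonServer("https://photos.example")
    issued = server.mint("path ^= /user/A/")                              # issued by server
    for_a = issued.add_first_party_caveat("path ^= /user/A/album/123")    # derived by A
    for_b = for_a.add_first_party_caveat("type = image/gif").add_first_party_caveat("size < 1048576")  # by B
    for_c = for_b.add_first_party_caveat("time < 2024-06-01T12:00:00Z")   # derived by C
    ok = {"path": "/user/A/album/123/cat.gif", "type": "image/gif",       # constructed request
          "size": "524288", "time": "2024-06-01T09:30:00Z"}
    other = dict(ok, path="/user/A/album/999/dog.gif")
    r = {"c_in_scope": server.authorize(for_c, ok),
         "c_after_noon": server.authorize(for_c, dict(ok, time="2024-06-01T12:00:01Z")),
         "b_too_big": server.authorize(for_b, dict(ok, size="2097152")),
         "issued_other_album": server.authorize(issued, other),           # root grant is broad
         "a_other_album": server.authorize(for_a, other)}                 # A's derivation is not
    # Attack: C's token with the time caveat stripped but C's signature kept.
    stripped = Macaroon(for_c.location, for_c.identifier, list(for_b.caveats), for_c.signature)
    r["stripped_caveat"] = server.authorize(stripped, dict(ok, time="2024-06-01T18:00:00Z"))
    # Attack: a token chained from a guessed key instead of the real root key.
    forged = Macaroon(server.location, for_c.identifier, [], _hmac(b"guess", for_c.identifier))
    r["forged"] = server.authorize(forged.add_first_party_caveat("path ^= /user/"), ok)
    server.revoke(issued)                      # A's, B's and C's derivations all die with it
    r["c_after_revoke"] = server.authorize(for_c, ok)
    return r
```

Because every derived macaroon carries the same identifier, revoking by root key (or by identifier) always takes out the entire tree. Revoking one intermediate macaroon on its own would need the issuer to plant a unique, denylistable caveat in it, or to rely on short expiry caveats, which is why the choice described above has to be made up front.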
References
- [1] Birgisson, Arnar; Politz, Joe Gibbs; Erlingsson, Úlfar; Taly, Ankur; Vrable, Michael; Lentczner, Mark (2014). "Macaroons: Cookies with Contextual Caveats for Decentralized Authorization in the Cloud". Proceedings of the 2014 Network and Distributed System Security Symposium. San Diego, CA: Internet Society. doi:10.14722/ndss.2014.23212. ISBN 9781891562358.
- [2] Nestor, Marius (16 April 2016). "Canonical Announces Snappy 2.0 Ahead of the Ubuntu Core 16.04 LTS Release". Softpedia. Retrieved 2016-05-11.
- [3] "Time for Better Security for NoSQL". Hacking Distributed. Retrieved 2016-05-12.
- [4] "My First Macaroon: A New Way to do Authorization". Hacking Distributed. Retrieved 2019-11-22.
- [5] "A new package index for Python". LWN.net. Retrieved 2019-11-22.