Jump to content

Macaroons (computer science)

From Wikipedia, the free encyclopedia

In computer security, macaroons are authorization credentials that support decentralized delegation between principals.[1]

Macaroons are used in a variety of systems, including the Ubuntu Snappy package manager,[2] the HyperDex data store,[3][4] the Matrix communication protocol, and the Python Package Index.[5]

Claims

[edit]

A macaroon is composed of series of "caveats", for example:

  • may upload files to /user/A/ (issued by server)
  • only to /user/A/album/123 (derived by A)
  • only GIFs, up to 1MB (derived by B)
  • until noon today (derived by C)

The macaroon model doesn't specify the language for these caveats; The original paper proposes a model of subjects and rights, but the details are left to individual implementations.

[edit]

Macaroons are similar to some other technologies.

Compared to JSON Web Token (JWT):

  • Holder of macaroon can issue a sub-macaroon with smaller power, while JWT is fixed
  • Macaroon is notably longer than JWT
  • Macaroon is equivalent to signed JWT, but does not offer equivalent to encrypted JWT

Compared to Certificates

  • Macaroons are based on a symmetric model, while certificates on asymmetric
  • Macaroons are computationally cheaper and require simpler cryptographic primitives
  • Using a macaroon (sent to a server) can disclose some private information held by the macaroon holder, meaning that server must be trusted; Using a certificate means signing a payload using a private key, which is not sent to the server, thus communication with untrusted servers is less risky.

Invalidation

[edit]

Implementations need to decide whether the entire macaroon tree is invalidated at once from its root, the server secret key; or if intermediate macaroons are to be blacklisted, comparable to time-bound JWT's.

See also

[edit]

References

[edit]
  1. ^ Birgisson, Arnar; Politz, Joe Gibbs; Erlingsson, Úlfar; Taly, Ankur; Vrable, Michael; Lentczner, Mark (2014). "Macaroons: Cookies with Contextual Caveats for Decentralized Authorization in the Cloud". Proceedings 2014 Network and Distributed System Security Symposium. San Diego, CA: Internet Society. doi:10.14722/ndss.2014.23212. ISBN 9781891562358.
  2. ^ Nestor, Marius (16 April 2016). "Canonical Announces Snappy 2.0 Ahead of the Ubuntu Core 16.04 LTS Release". softpedia. Retrieved 2016-05-11.
  3. ^ "Time for Better Security for NoSQL". Hacking Distributed. Retrieved 2016-05-12.
  4. ^ "My First Macaroon: A New Way to do Authorization". Hacking Distributed. Retrieved 2019-11-22.
  5. ^ "A new package index for Python [LWN.net]". lwn.net. Retrieved 2019-11-22.