Authorisation (aka Access Management) using Bloomfilters

While zooming along the highway on the way home the other day, I had an idea for making an authorisation service using Bloomfilters.

Let us assume you have a company website content management service, called ‘CMS’. Users can log in to the CMS and make changes to webpages or upload new content. The actual login (aka authentication) is handled by a separate system called A-Select which we do not have to concern ourselves with in this discussion.

The Access Management details needs to be maintained in a central place. So we have a service called A11n that runs on one machine, and the CMS service has to query the A11n service to find out if a user can perform some action.

The core of the idea is that the A11n service maintains the userids and roles which a userid is allowed to fullfill for various applications, and then makes the complete set of these available as an openly downloadable (via HTTP) Bloomfilter.

The CMS service (or any other application) periodically downloads the Bloomfilter file. When a user logs into the CMS, the CMS service does not need to contact the A11n server, it just has to check the userid+application+role entry in the Bloomfilter. If you get a definitive NO answer, you know that the user is not allowed to have a role. If there are multiple possible roles for a userid, the application server can check the existence of the userid+role for each role, and so the end result is a list of allowed roles.

What I like about this idea is that there is minimal crypto involved, no SSL necessary and the application servers can operate in a ‘disconnected’ mode from the centralised A11n server.

We have kicked the idea around a bit here internally at the TU Delft Library and have discussed the various tradeoffs with regards to choosing filter size and whether or not to include a shared secret between each application server and the A11n server to make it just slightly more difficult to guess the existence of roles for a given userid for privacy reasons.

A cursory Google on this idea did not reveal any immediate hits to others doing the same thing. I would appreciate hearing from others that are either doing the same thing, or can point out the glaring holes on why this might be a terribly bad idea.