Sponsored by
Sponsored by
Aranya is an open-source access governance and secure data exchange platform that is suited for embedded devices in a decentralized network. It enables organizations to control their critical data and services through a policy-driven approach even in the most contested environments.
For Aranya, a policy is the set of rules and procedures which describe the operations that are possible in a system and the requirements that must be met to allow execution of those operations, including authentication and authorization requirements, system check requirements of internal or external components, etc. To put it simply, the policy is the brain of Aranya which serves as the main building block for all the capabilities it provides.
Two familiar networking concepts are used analogously by Aranya to separate its core functionality between relevant components of the system:
Control Plane: The Aranya control plane is the logical element of the system that handles administrative functionality needed to govern access control operations defined in the policy. It is used to manage and enforce the authority model by carrying out only operations that conform to the defined policy and validating them according to cryptographic credentials. For example, it will be the mechanism used to perform commands such as adding devices or setting up a secure data exchange channel.
Data Plane: Similarly, Aranya defines the data plane as what provides the primary function for the data to securely exchange and encrypt that data end-to-end between two connected peer nodes. The data plane is also subject to the permission system specified by the underlying policy; messages can only be sent/received by peers that have been given the appropriate credentials (e.g., cryptographic keys), which can typically require some set of permissions be explicitly granted first. For example, the Aranya Quic Channels (AQC) feature enables an endpoint to send encrypted data to another endpoint as long as both endpoints are assigned to the same attribute, called “label”, which is managed by the policy.
The following terms will be used throughout the documentation to describe Aranya deployments on endpoints. These deployments, or instances, are further defined as specific devices, once the instance is assigned a specific set of cryptographic keys used for identity and authentication and are governed by written policy.
Endpoint: A piece of hardware (e.g. IoT device, computer, cellular phone, etc.) or software (e.g. application) on which Aranya is integrated.
Instance: A single deployment of the Aranya software. To note, each endpoint can have one or many instances deployed on it.
Device: The identity of an instance, given by assigning it a set of cryptographic keys used for identity and authentication.
Policy: Defines specific behaviors, or accepted actions with corresponding commands, that will be generated and executed on the endpoint. Aranya is built on the default policy which is used in the Getting Started Guide and other example applications.
Definitions of important terms used throughout the documentation are provided in the glossary.
The next two sections will lay out the foundational knowledge of the control plane and data plane which will be helpful to better understand how they interact within the system and the capabilities that each of them provides.
The Aranya control plane is the heart of its access governance solution. It is where the defined policy is stored and executed to provide the functionality needed to enforce the set of roles, permissions, and requirements it outlines. Policy is written using a domain specific language which is fully customizable to allow integrators to define the exact authority model that best fits their needs, with as much granularity as appropriate. Each Aranya instance contains a copy of the policy to ensure consistent and reliable enforcement across all endpoints.
The policy outlines the full set of operations that devices can perform throughout the system and specifies the permission requirements for each. These operations are represented as structured data, called “Commands”, and the set of requirements needed to execute a command is embedded in its definition in the policy file. Hence, execution of any command will involve evaluation of its underlying policy and successfully meeting all the requirements will allow for its described operation to be carried out, while the command itself is stored in an immutable audit log of control operations.
As with the policy, the full state of the system is also replicated locally at every endpoint in order to conform to the fully decentralized architecture of Aranya. This state, given by Aranya’s storage module, consists of a Directed Acyclic Graph (DAG) that represents the data structure used to store policy commands in an immutable and authenticated format, as well as a Fact Database (FactDB) that keeps key-value pairs of information regarding the executed operations. For example, a policy command that assigns a new role to a device would be stored on the DAG, while a key-value pair that matches between the device’s ID and the new role would be a fact added to the FactDB.
To ensure that participating devices are acting over a common authoritative state, the control plane also utilizes the component of the system that performs graph synchronization of operational state, which is supplied through the sync transport API.
The control plane provides the full functionality to implement and enforce the authority model used to govern resource accesses, which includes the transmission of data representing the operations that devices perform by utilizing the sync protocol. Since the sync protocol is designed to work with the DAG to keep a decentralized record of every command, it can have some overhead that increases the latency and may not be the most optimal choice for communicating data real time.
As an alternative, Aranya’s data plane may be selected to transmit data securely using end-to-end encryption that is bound to the specific devices as defined by the authority model of the policy in the control plane. An API is provided for this low latency, high throughput data exchange (compared to on-graph) by exposing lightweight channels to applications on the endpoints.
Channels are governed by the authority model defined by the policy. Devices can be incorporated in as many channels as desired. Aranya manages cryptographic keys, leveraging the configured cipher suite for encrypting and decrypting messages on a per-channel basis. Aranya uses the crypto engine to negotiate keys while data is transmitted efficiently off-graph, i.e., without being stored in a command that is added to the DAG. Because the commands are not stored in the DAG, these channels are useful where large messages, network streams, or other high-throughput data must be sent to peers.
Aranya will still leverage the DAG for managing the keys used for authentication. Data segmentation of channels is achieved using topic labels. Encryption is scoped to each channel, which supports one-to-one communication in either a unidirectional or bidirectional manner. The encryption/ decryption algorithms provided by the crypto engine are symmetric and facilitate fast communication that is compatible with low resource environments such as embedded systems.