Politecnico di Torino

Design and Implementation of an Authentication and Authorization Framework for OpenC2

Nicola Poidomani. Design and Implementation of an Authentication and Authorization Framework for OpenC2. Supervisors: Daniele Bringhenti, Fulvio Valenza. Politecnico di Torino, Master's degree programme in Cybersecurity, 2025.

PDF (Tesi_di_laurea): Thesis. License: Creative Commons Attribution Non-commercial No Derivatives.
Abstract:

The Open Command and Control (OpenC2) framework is emerging as a crucial standard for orchestrating and automating defensive cyber operations, enabling interoperability between heterogeneous security tools. However, the core specifications deliberately do not mandate specific security mechanisms, creating a critical gap that could expose the command and control infrastructure to unauthorized access and malicious manipulation. This thesis addresses this gap by designing, implementing, and evaluating a comprehensive authentication and authorization framework to secure the OpenC2 ecosystem. The proposed solution leverages industry-standard protocols to ensure robust and scalable security. For authentication and delegated access, we integrate the OAuth 2.0 framework, utilizing the Authorization Code grant flow to guarantee that only legitimate entities (Producers) can issue commands. The implementation is developed in Python, using the Authlib library to build a dedicated Authorization Server responsible for token issuance and management. For fine-grained access control, the framework incorporates Casbin, a versatile and powerful authorization library. By enforcing policies based on the PERM (Policy, Effect, Request, Matchers) metamodel, Casbin allows the OpenC2 command recipient (Consumer) to verify whether an authenticated Producer is permitted to perform a specific action on a given target, implementing a Role-Based Access Control (RBAC) model. The entire proof-of-concept is built upon the otupy/openc2lib library, demonstrating a practical and seamless integration of these security layers into the OpenC2 message flow. Finally, the implemented solution is validated through functional testing, which confirms the correct enforcement of access control policies, and a performance analysis, which quantifies the latency overhead introduced by the security mechanisms. The results demonstrate that the integration of OAuth 2.0 and Casbin provides a robust and viable solution for enhancing the security, trustworthiness, and operational readiness of the OpenC2 framework in real-world deployments.

Supervisors: Daniele Bringhenti, Fulvio Valenza
Academic year: 2025/26
Publication type: Electronic
Number of pages: 77
Degree programme: Master's degree programme in Cybersecurity
Degree class: New system > Master's degree > LM-32 - Computer Engineering
Partner companies: NOT SPECIFIED
URI: http://webthesis.biblio.polito.it/id/eprint/38712