Securing Information Gateways with Derivation-Constrained Access Control

  • Conference paper
Security in Pervasive Computing (SPC 2006)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 3934)

Abstract

In pervasive computing environments, information gateways derive specific information, such as a person’s location, from raw data provided by a service, such as a videostream offered by a camera. Here, access control to confidential raw data provided by a service becomes difficult when a client does not have access rights to this data. For example, a client might have access to a person’s location information, but not to the videostream from which a gateway derives this information. Simply granting access rights to a gateway will allow an intruder into the gateway to access any raw data that the gateway can access. We present the concept of derivation-constrained access control, which requires a gateway to prove to a service that the gateway needs requested raw data to answer a client’s authorized request for derived information. Therefore, an intruder into the gateway will be limited in its capabilities. We provide a formal framework for derivation-constrained access control based on Lampson et al.’s “speaks-for” relationship. We demonstrate feasibility of our design with a sample implementation and a performance evaluation.

References

  1. Gasser, M., McDermott, E.: An Architecture for Practical Delegation in a Distributed System. In: Proceedings of IEEE Symposium on Security and Privacy, pp. 20–30 (1990)

  2. Kornievskaia, O., Honeyman, P., Doster, B., Coffman, K.: Kerberized Credential Translation: A Solution to Web Access Control. In: Proceedings of 10th Usenix Security Symposium (2001)

  3. Howell, J., Kotz, D.: A Formal Semantics for SPKI. In: Cuppens, F., Deswarte, Y., Gollmann, D., Waidner, M. (eds.) ESORICS 2000. LNCS, vol. 1895, pp. 140–158. Springer, Heidelberg (2000)

  4. Lampson, B., Abadi, M., Burrows, M., Wobber, E.: Authentication in Distributed Systems: Theory and Practice. ACM Transactions on Computer Systems 10(4), 263–310 (1992)

  5. Neuman, B.: Proxy-Based Authorization and Accounting for Distributed Systems. In: Proceedings of International Conference on Distributed Computing Systems, pp. 283–291 (1993)

  6. Sollins, K.R.: Cascaded Authentication. In: Proceedings of IEEE Symposium on Security and Privacy, pp. 156–163 (1988)

  7. Abadi, M., Burrows, M., Lampson, B.: A Calculus for Access Control in Distributed Systems. ACM Transactions on Programming Languages and Systems 15(4), 706–734 (1993)

  8. Howell, J., Kotz, D.: End-to-end authorization. In: Proceedings of 4th Symposium on Operating System Design & Implementation (OSDI 2000), pp. 151–164 (2000)

  9. Ellison, C., Frantz, B., Lampson, B., Rivest, R., Thomas, B., Ylonen, T.: SPKI Certificate Theory. RFC 2693 (1999)

  10. Garlan, D., Siewiorek, D., Smailagic, A., Steenkiste, P.: Project Aura: Towards Distraction-Free Pervasive Computing. IEEE Pervasive Computing 1(2), 22–31 (2002)

  11. Hengartner, U.: Access Control to Information in Pervasive Computing Environments. PhD thesis, Computer Science Department, Carnegie Mellon University, Available as Technical Report CMU-CS-05-160 (2005)

  12. Bertino, E., Bettini, C., Samarati, P.: A Temporal Authorization Model. In: Proceedings of 2nd ACM Conference on Computer and Communications Security (CCS 1994), pp. 126–135 (1994)

  13. Cohen, E., Jefferson, D.: Protection in the Hydra Operating System. In: Proceedings of 5th ACM Symposium on Operating Systems Principles, pp. 141–160 (1975)

  14. Jajodia, S., Samarati, P., Sapino, M.L., Subrahmanian, V.S.: Flexible Support for Multiple Access Control Policies. ACM Transactions on Database Systems 26(2), 214–260 (2001)

  15. Song, D., Wagner, D., Perrig, A.: Practical Techniques for Searches on Encrypted Data. In: Proceedings of 2000 IEEE Symposium on Security and Privacy (2000)

  16. Appel, A.W., Felten, E.W.: Proof-Carrying Authentication. In: Proceedings of 6th ACM Conference on Computer and Communications Security (1999)

Copyright information

© 2006 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Hengartner, U., Steenkiste, P. (2006). Securing Information Gateways with Derivation-Constrained Access Control. In: Clark, J.A., Paige, R.F., Polack, F.A.C., Brooke, P.J. (eds) Security in Pervasive Computing. SPC 2006. Lecture Notes in Computer Science, vol 3934. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11734666_14

  • DOI: https://doi.org/10.1007/11734666_14

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-33376-0

  • Online ISBN: 978-3-540-33377-7

  • eBook Packages: Computer Science, Computer Science (R0)
