Abstract
In pervasive computing environments, information gateways derive specific information, such as a person’s location, from raw data provided by a service, such as a videostream offered by a camera. Here, access control to confidential raw data provided by a service becomes difficult when a client does not have access rights to this data. For example, a client might have access to a person’s location information, but not to the videostream from which a gateway derives this information. Simply granting access rights to a gateway will allow an intruder into the gateway to access any raw data that the gateway can access. We present the concept of derivation-constrained access control, which requires a gateway to prove to a service that the gateway needs requested raw data to answer a client’s authorized request for derived information. Therefore, an intruder into the gateway will be limited in its capabilities. We provide a formal framework for derivation-constrained access control based on Lampson et al.’s “speaks-for” relationship. We demonstrate feasibility of our design with a sample implementation and a performance evaluation.
Preview
Unable to display preview. Download preview PDF.
Similar content being viewed by others
References
Gasser, M., McDermott, E.: An Architecture for Practical Delegation in a Distributed System. In: Proceedings of IEEE Symposium on Security and Privacy, pp. 20–30 (1990)
Kornievskaia, O., Honeyman, P., Doster, B., Coffman, K.: Kerberized Credential Translation: A Solution to Web Access Control. In: Proceedings of 10th Usenix Security Symposium (2001)
Howell, J., Kotz, D.: A Formal Semantics for SPKI. In: Cuppens, F., Deswarte, Y., Gollmann, D., Waidner, M. (eds.) ESORICS 2000. LNCS, vol. 1895, pp. 140–158. Springer, Heidelberg (2000)
Lampson, B., Abadi, M., Burrows, M., Wobber, E.: Authentication in Distributed Systems: Theory and Practice. ACM Transactions on Computer Systems 10(4), 263–310 (1992)
Neuman, B.: Proxy-Based Authorization and Accounting for Distributed Systems. In: Proceedings of International Conference on Distributed Computing Systems, pp. 283–291 (1993)
Sollins, K.R.: Cascaded Authentication. In: Proceedings of IEEE Symposium on Security and Privacy, pp. 156–163 (1988)
Abadi, M., Burrows, M., Lampson, B.: A Calculus for Access Control in Distributed Systems. ACM Transactions on Programming Languages and Systems 15(4), 706–734 (1993)
Howell, J., Kotz, D.: End-to-end authorization. In: Proceedings of 4th Symposium on Operating System Design & Implementation (OSDI 2000), pp. 151–164 (2000)
Ellison, C., Frantz, B., Lampson, B., Rivest, R., Thomas, B., Ylonen, T.: SPKI Certificate Theory. RFC 2693 (1999)
Garlan, D., Siewiorek, D., Smailagic, A., Steenkiste, P.: Project Aura: Towards Distraction-Free Pervasive Computing. IEEE Pervasive Computing 1(2), 22–31 (2002)
Hengartner, U.: Access Control to Information in Pervasive Computing Environments. PhD thesis, Computer Science Department, Carnegie Mellon University, Available as Technical Report CMU-CS-05-160 (2005)
Bertino, E., Bettini, C., Samarati, P.: A Temporal Authorization Model. In: Proceedings of 2nd ACM Conference on Computer and Communications Security (CCS 1994), pp. 126–135 (1994)
Cohen, E., Jefferson, D.: Protection in the Hydra Operating System. In: Proceedings of 5th ACM Symposium on Operating Systems Principles, pp. 141–160 (1975)
Jajodia, S., Samarati, P., Sapino, M.L., Subrahmaninan, V.S.: Flexible Support for Multiple Access Control Policies. ACM Transactions on Database Systems 26(2), 214–260 (2001)
Song, D., Wagner, D., Perrig, A.: Practical Techniques for Searches on Encrypted Data. In: Proceedings of 2000 IEEE Symposium on Security and Privacy (2000)
Appel, A.W., Felten, E.W.: Proof-Carrying Authentication. In: Proceedings of 6th ACM Conference on Computer and Communications Security (1999)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2006 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Hengartner, U., Steenkiste, P. (2006). Securing Information Gateways with Derivation-Constrained Access Control. In: Clark, J.A., Paige, R.F., Polack, F.A.C., Brooke, P.J. (eds) Security in Pervasive Computing. SPC 2006. Lecture Notes in Computer Science, vol 3934. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11734666_14
Download citation
DOI: https://doi.org/10.1007/11734666_14
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-33376-0
Online ISBN: 978-3-540-33377-7
eBook Packages: Computer ScienceComputer Science (R0)