Abstract
This paper proposes a novel Context-Risk-Aware Access Control (CRAAC) model for Ubiquitous Computing (UbiComp) environments. Context-aware access control allows access permissions to be adjusted dynamically in adaptation to the changes in the surrounding context. Though current context-aware access control solutions can, to a certain extent, achieve such context adaptation, there are still limitations in these solutions. One of the limitations is that they make use of an architectural model by which the two major functional blocks, context infrastructure and access control system, are tightly coupled together. As a result, they are not flexible nor generic to accommodate various access control constraints and policy settings. The CRAAC model is designed to overcome this limitation. By introducing the concept of risk aware and authorisation levels of assurance (LoA) into the authorisation decision making, and by maximising the use of a component-based approach in the architectural design, the model has successfully decoupled context infrastructure and access control system making it more extensible in providing the required functionality, and more flexible in accommodating different contextual attributes and their mutual correlation. In addition, it interoperates and is backward compatible with traditional role-based access control solutions.
Similar content being viewed by others
References
Hulsebosch, R. J., Salden, A. H., Bargh, M. S., Ebben, P. W. G., & Reitsma, J. (2005). Context sensitive access control. In Proc. 10th ACM symposium on access control models and technologies (SACMAT ’05), New York (pp. 111–119) 2005.
Dey, A. (2001). Understanding and using context. Personal Ubiquitous Computing, 5(1), 4–7.
US Office of Management & Budge (2003). Memorandum M-04-04: E-Authentication Guidance for Federal Agencies, December.
Burr, W. E., Dodson, D. F., & Polk, W. T. (2006). Electronic authentication guideline. NIST special publication 800-63 version 1.0.2, April.
Sandhu, R., & Samarati, P. (1994). Access control: principles and practice. IEEE Communications Magazine, 32(9), 40–48.
Sandhu, R., Coyne, E., Feinstein, H., & Youman, C. (1996). Role-based access control models. IEEE Computer, 29(2), 38–47.
Chou, S. (2005). An RBAC-based access control model for object-oriented systems offering dynamic aspect features. IEICE Transactions on Information and Systems, 88(9), 2143–2147.
Park, S., Han, Y., & Chung, T. (2006). Context-role based access control for context-aware application. In Lecture notes in computer science : Vol. 4208. High performance computing and communications (pp. 572–580). Berlin/Heidelberg: Springer.
Moyer, M. J., & Ahamad, M. (2001). Generalized role-based access control. In Proc. 21st international conference on distributed computing systems (ICDCS ’01), Washington, DC, April 2001 (pp. 391–398). Los Alamitos: IEEE Computer Society.
Covington, M. J., Fogla, P., Zhan, Z., & Ahamad, M. (2002). A context-aware security architecture for emerging applications. In Proc. 18th annual computer security applications conference (ACSAC ’02), Washington, 2002 (p. 249). Los Alamitos: IEEE Computer Society.
Bertino, E., Bonatti, P. A., & Ferrari, E. (2001). TRBAC: a temporal role-based access control model. ACM Transactions on Information and System Security, 4(3), 191–233.
Chae, S., Kim, W., & Kim, D. (2006). Role-based access control model for ubiquitous computing environment. In Lecture notes in computer science : Vol. 3786. Information security applications, (pp. 354–363). Berlin/Heidelberg: Springer.
Joshi, J., Bertino, E., & Ghafoor, A. (2002). Hybrid role hierarchy for generalized temporal role based access control model. In Proc. 26th international computer software and applications conference on prolonging software life: development and redevelopment (COMPSAC ’02), Washington, DC (pp. 951–956). Los Alamitos: IEEE Computer Society.
Hansen, F., & Oleshchu, V. (2003). SRBAC: a spatial role-based access-control model for mobile systems. In Proc. 7th Nordic Workshop on Secure IT Systems (NORDSEC’03). Gj‘vik, Norway (pp. 129–141) 2003.
Zhang, H., He, Y., & Shi, Z. (2006). Spatial context in role-based access control. In Lecture notes in computer science : Vol. 4296. Information Security and Cryptology—ICISC 2006, November 2006 (pp. 166–178). Berlin/Heidelberg: Springer.
Guangsen, Z., & Manish, P. (2004). Context-aware dynamic access control for pervasive applications. In Proc. communication networks and distributed systems modeling and simulation conference, San Diego, California (pp. 219–225) January 2004.
Kim, Y., Mon, C., Jeong, D., Lee, J., Song, C., & Baik, D. (2005). Context-aware access control mechanism for ubiquitous applications. In Lecture notes in computer science : Vol. 3528. Advances in web intelligence (pp. 236–242). Berlin/Heidelberg: Springer.
Motta, G. H. M. B., & Furuie, S. S. (2003). A contextual role-based access control authorization model for electronic patient record. IEEE Transactions on Information Technology in Biomedicine, 7(3), 202–207.
Diep, N. N., Hung, L. X., Zhung, Y., Lee, S., Lee, Y., & Lee, H. (2007). Enforcing access control using risk assessment. In Proc. 4th European conference on universal multiservice networks (ECUMN ’07), Washington, DC (pp. 419–424). Los Alamitos: IEEE Computer Society.
Konrad, K. K., Konrad, T., David, D., Howard, S., & Trevor, D. (2006). Activity zones for context-aware computing. In Lecture notes in computer science : Vol. 2864. UbiComp 2003: ubiquitous computing, October 2006 (pp. 90–106). Berlin/Heidelberg: Springer.
Meneses, F., & Moreira, A. (2004). A flexible location-context representation. In Proc. 15th IEEE international symposium on personal, indoor and mobile radio communications (PIMRC 2004) (Vol. 2, pp. 1065–1069) September 2004.
Sundaram, A. (1996). An introduction to intrusion detection. ACM Crossroads, 2(4), 3–7.
Giles, S., & Bersinic, D. (2003). MCSA Windows server 2003 all-in-one exam guide (exams 70-270,70-290,70-291) (p. 614). New York: McGraw-Hill Osborne Media.
Barron, H., & Barrett, B. (1996). Decision quality using ranked attribute weights. Management Science, 42(11), 1515–1523.
Barron, H. (1992). Selecting a best multiattribute alternative with partial information about attribute weights. Acta Psychologica, 80, 91–103.
Ahn, B. S., & Park, K. S. (2008). Comparing methods for multiattribute decision making with ordinal weights. Computers & Operations Research, 35(5), 1660–1670. Part Special Issue: Algorithms and Computational Methods in Feasibility and Infeasibility.
Ranganathan, A., Al-Muhtadi, J., & Campbell, R. H. (2004). Reasoning about uncertain contexts in pervasive computing environments. IEEE Pervasive Computing, 3(2), 62–70.
Author information
Authors and Affiliations
Corresponding author
Rights and permissions
About this article
Cite this article
Ahmed, A., Zhang, N. Towards the realisation of context-risk-aware access control in pervasive computing. Telecommun Syst 45, 127–137 (2010). https://doi.org/10.1007/s11235-009-9240-3
Published:
Issue Date:
DOI: https://doi.org/10.1007/s11235-009-9240-3