Abstract
As mobile computing continues to rise, users are increasingly able to connect to remote services from a wide range of settings. To provide this flexibility, security policies must be adaptive to the user’s environment when the request is made. In our work, we define context to include the spatiotemporal aspects of the user request, in addition to quantifiable environmental factors determined by the server hosting the resource. We identify a number of key open problems in this field and propose potential solutions to some of the problems.
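The abstract defines context as the spatiotemporal aspects of a request together with environmental factors the hosting server determines itself. The following is an added illustration of that idea, not code from the paper or its authors: a small policy evaluator in which the same request is permitted or denied depending on where and when it arrives and on server-side conditions. The rule attributes (a permitted region given as a centre and radius, a daily time window, a maximum threat level, an attestation requirement) and all sample values are constructed for this example and are assumptions, not the paper's model.

```python
"""Context-dependent access decision (illustrative model, not the paper's).

A request carries who/what plus where and when it was observed; the server
adds environmental factors it determines itself. A rule is satisfied only if
every contextual condition holds, and every failed condition is recorded so
the denial can be audited.
"""
from dataclasses import dataclass
from datetime import datetime, time
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_M = 6_371_000.0


def haversine_m(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in metres between two latitude/longitude points."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = p2 - p1
    dlam = radians(lon2 - lon1)
    h = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_M * asin(sqrt(h))


def in_time_window(t: time, start: time, end: time) -> bool:
    """True if t lies in [start, end); a window may wrap past midnight."""
    if start <= end:
        return start <= t < end
    return t >= start or t < end


@dataclass(frozen=True)
class Request:
    """Subject, requested operation, and the spatiotemporal context of the request."""
    subject: str
    role: str
    resource: str
    action: str
    lat: float
    lon: float
    when: datetime


@dataclass(frozen=True)
class ServerContext:
    """Environmental factors the server hosting the resource determines itself."""
    threat_level: int        # constructed scale: 0 (normal) .. 3 (active incident)
    device_attested: bool    # whether the client platform passed attestation


@dataclass(frozen=True)
class ContextRule:
    """A grant that is valid only inside a region, a daily window, and a threat ceiling."""
    role: str
    resource: str
    action: str
    center: tuple            # (lat, lon) of the permitted region
    radius_m: float
    start: time
    end: time
    max_threat: int
    require_attestation: bool


def evaluate(rule: ContextRule, req: Request, ctx: ServerContext):
    """Return (satisfied, reasons); reasons lists every contextual condition that failed."""
    reasons = []
    dist = haversine_m(req.lat, req.lon, *rule.center)
    if dist > rule.radius_m:
        reasons.append(f"location {dist:.0f} m from region centre exceeds {rule.radius_m:.0f} m")
    if not in_time_window(req.when.time(), rule.start, rule.end):
        reasons.append(f"time {req.when:%H:%M} outside window {rule.start:%H:%M}-{rule.end:%H:%M}")
    if ctx.threat_level > rule.max_threat:
        reasons.append(f"server threat level {ctx.threat_level} exceeds {rule.max_threat}")
    if rule.require_attestation and not ctx.device_attested:
        reasons.append("client device not attested")
    return (not reasons, reasons)


def decide(policy, req: Request, ctx: ServerContext):
    """Permit if any applicable rule is satisfied; otherwise return the collected denial reasons."""
    applicable = [r for r in policy
                  if (r.role, r.resource, r.action) == (req.role, req.resource, req.action)]
    if not applicable:
        return False, ["no rule grants this role/resource/action"]
    denials = []
    for rule in applicable:
        ok, reasons = evaluate(rule, req, ctx)
        if ok:
            return True, []
        denials.extend(reasons)
    return False, denials


# Constructed sample policy and requests (coordinates and hours are made up).
POLICY = [ContextRule("clinician", "patient-records", "read",
                      center=(40.4237, -86.9212), radius_m=500.0,
                      start=time(7, 0), end=time(19, 0),
                      max_threat=1, require_attestation=True)]
ON_SITE_DAYTIME = Request("alice", "clinician", "patient-records", "read",
                          40.4237, -86.9212, datetime(2009, 4, 23, 10, 30))
OFF_SITE = Request("alice", "clinician", "patient-records", "read",
                   40.4737, -86.9212, datetime(2009, 4, 23, 10, 30))   # ~5.6 km away
ON_SITE_NIGHT = Request("alice", "clinician", "patient-records", "read",
                        40.4237, -86.9212, datetime(2009, 4, 23, 23, 15))

if __name__ == "__main__":
    normal = ServerContext(threat_level=1, device_attested=True)
    for req in (ON_SITE_DAYTIME, OFF_SITE, ON_SITE_NIGHT):
        print(req.when, decide(POLICY, req, normal))
    print("incident:", decide(POLICY, ON_SITE_DAYTIME, ServerContext(3, True)))
```

Returning the failed conditions alongside the decision matters in practice: a context-dependent denial is only useful to an operator if the log says which aspect of the context (place, time, server-side risk, device state) caused it.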
© 2009 IFIP International Federation for Information Processing
About this paper
Cite this paper
Kirkpatrick, M., Bertino, E. (2009). Context-Dependent Authentication and Access Control. In: Camenisch, J., Kesdogan, D. (eds) iNetSec 2009 – Open Research Problems in Network Security. 2009. IFIP Advances in Information and Communication Technology, vol 309. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-05437-2_6
DOI: https://doi.org/10.1007/978-3-642-05437-2_6
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-05436-5
Online ISBN: 978-3-642-05437-2
eBook Packages: Computer Science (R0)