Saturday, October 28, 2006

Access Control

Hengartner, U., & Steenkiste, P. (2005). Access Control to People Location Information. ACM Transactions on Information and System Security, 8, 424-456. Retrieved on September 13, 2006, from the ACM Digital Library database.

In this article, the authors Hengartner and Steenkiste recognized that information about a person's location needs to be available in a ubiquitous computing environment, but acknowledged that the unauthorized release of such information is a problem. In response, they proposed an access control model for location information that relies on certificates stored in a decentralized, distributed way.

There are two basic types of people location services within a system: those that have information on the location of a person (such as a calendar service that has a person’s schedule), and those that have information on the location of devices (such as cellular telephones and laptop computers). Location policies determine which entities or persons have permission to learn a person’s location information, and for security reasons, only services that utilize access control are granted such location information.

The authors then presented a formal model in which a service may react to a location request only after a location policy check verifies that the entity making the request has access. For forwarded requests, a service must also be certain that the requesting service is trusted. The formalism they proposed for their decentralized trust management architecture uses SPKI/SDSI certificates. Requests carry these digital certificates, which contain policy and/or trust statements; access can be forwarded or delegated to a second entity through chains of policy or trust statements. The components needed for access control are a client that submits a request for a person's location, and a mediating information service that forwards or creates a request for a device's location according to the location policy. That service checks whether it received the request from a trusted source, and leaf services then return location information based on whatever location technology is in use. A certificate repository holds the certificates for each entity; these are either policy or trust statements (both of which are stored locally in an Access Control List (ACL)) or membership statements.
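To make the chain-based check concrete, here is a small Python model of the policy, trust and membership statements described above. It is an added illustration, not the authors' code: the statement layout, the per-hop delegation flag and the constructed certificates are assumptions of this example.

```python
# Added example: minimal SPKI/SDSI-style chain check for a people location
# service. Not the paper's code; the Statement layout and the sample
# certificates below are constructed for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Statement:
    kind: str               # "policy", "trust" or "membership"
    issuer: str             # signer: a person, a service, or a group name
    subject: str            # who is granted (for membership: the member)
    delegate: bool = False  # may the subject extend the chain further?


def _members(certs, group):
    """Direct members of `group`, taken from membership statements."""
    return {c.subject for c in certs if c.kind == "membership" and c.issuer == group}


def chain_exists(certs, kind, root, target, _seen=None):
    """True if a chain of `kind` statements leads from `root` to `target`.
    A statement naming a group covers every member of that group, and every
    hop except the last must carry delegation rights."""
    seen = set() if _seen is None else _seen
    if root in seen:            # cycle or already explored: no new path here
        return False
    seen.add(root)
    for c in certs:
        if c.kind != kind or c.issuer != root:
            continue
        reach = {c.subject} | _members(certs, c.subject)
        if target in reach:     # final hop needs no delegation right
            return True
        if c.delegate and any(chain_exists(certs, kind, s, target, seen) for s in reach):
            return True
    return False


def authorize(certs, person, client, forwarder, leaf):
    """A leaf (device) service answers only if the located person's policy
    reaches the client AND the leaf trusts the service forwarding the request."""
    return (chain_exists(certs, "policy", person, client)
            and chain_exists(certs, "trust", leaf, forwarder))


# Constructed sample certificates (assumed names, not from the paper).
CERTS = [
    Statement("policy", "alice", "bob", delegate=True),    # Bob may re-delegate
    Statement("policy", "bob", "ops-team"),                # Bob grants a group
    Statement("membership", "ops-team", "carol"),          # Carol is in ops-team
    Statement("policy", "alice", "erin"),                  # Erin may NOT re-delegate
    Statement("policy", "erin", "frank"),                  # so this link is dead
    Statement("trust", "wifi-locator", "people-locator"),  # leaf trusts forwarder
]
```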

Using a prototype that generated signatures with both RSA and DSA, the authors showed that the cost of an ACL check is small compared with the cost of setting up a secure connection. In their ACL experiments, DSA-based signatures were 41% less expensive than RSA-based signatures, so for clients with limited resources they suggested DSA rather than RSA for signing operations (in conjunction with key caching). In the experiments, the cost of proving that a service is trusted was similar to the cost of verifying a person's digital signature; this cost can be reduced by caching and is lowered further when the same queries are made multiple times. With caching, DSA performance increased by 22%, and RSA performance increased by 43%.

In conclusion, by analyzing the access control needs of a people location system, the authors showed that their design has the following advantages: either users or a central authority can create the policies; certificates do not need to be stored centrally, which avoids bottlenecks; the system needs to be given digital certificates rather than the identity of whoever issued the query; an entire group can be granted access; and access control can be delegated.
