Trust-Based Security in Pervasive Computing Environments

Lalana Kagal, Tim Finin, and Anupam Joshi
University of Maryland, Baltimore County

Computer, December 2001

Traditionally, stand-alone computers and small networks rely on user authentication and access control to provide security. These methods use system-based controls to verify the identity of a person or process, explicitly enabling or restricting the ability to use, change, or view a computer resource.

However, these strategies are inadequate for the flexibility that distributed networks such as the Internet and pervasive computing environments require, because such systems lack central control and their users are not all known in advance. Mobile users expect to access locally hosted resources and services anytime and anywhere, which creates serious security risks and access control problems.

We propose a solution based on trust management that involves developing a security policy, assigning credentials to entities, verifying that the credentials fulfill the policy, delegating trust to third parties, and reasoning about users' access rights. This architecture is generally applicable to distributed systems but is geared toward pervasive computing environments.

    Pervasive computing environments require a security architecture based on trust rather than just user authentication and access control.

PERVASIVE COMPUTING

Pervasive computing strives to simplify day-to-day life by providing mobile users with the means to carry out personal and business tasks via portable and embedded devices. These tasks range from the simple, such as switching on the lights in a conference room, checking e-mail, and organizing meetings, to the more complex, such as booking airline tickets, buying and selling stock, or managing bank accounts.

Pervasive computing environments of the near future will involve the interaction, coordination, and cooperation of numerous, casually accessible, and often invisible computing devices. As Figure 1 shows, these devices, whether carried on our person or located in our homes, businesses, and classrooms, will connect via wired and wireless links to one another as well as to the global networking infrastructure to provide more relevant information and integrated services.

The eBiquity Research Group (http://) at the University of Maryland, Baltimore County, is designing pervasive computing systems composed of autonomous, intelligent, self-describing, and interacting components. SmartSpaces are instances of pervasive systems in which the domain is divided into a hierarchy of spaces with a controller managing the services in each space.

Centaurus is a framework for SmartSpaces that includes a message-based transport protocol designed to perform well in low-bandwidth networks and with resource-poor devices. We use this protocol in the Smart Office scenario, in which mobile users access computers, fax machines, printers, the lights, and even such mundane appliances as the coffee maker via handheld devices connected over short-range Bluetooth wireless links.

SECURITY CHALLENGES

Adding security to such open models presents challenges at many levels. How do you decide whether a person who does not work in an office but has access to it, for example as a consultant or a member of a partner firm, can use certain services?

We encountered several problems with providing security in environments using the Centaurus protocol. Having a central authority for a single building or even a group of rooms is infeasible, because every possible access right would have to be specified for every user. Authenticating the identity certificate of a previously unknown user doesn't provide any access control information: authentication establishes who is asking, not what they may do. Simple authentication and access control are only effective if the system knows in advance which users are going to access a Smart Room and what their access rights are.

Portable handheld and embedded devices have severely limited processing power, memory capacity, software support, and bandwidth. Also, hardware and software environments are becoming increasingly heterogeneous, a trend that will continue for the foreseeable future. Finally, security information in different domains is subject to inconsistent interpretations in such an open, distributed environment.

To satisfy the requirements of the pervasive computing model, we suggest adding distributed trust to the security

[Figure 1. Pervasive computing. In the near future, mobile users will be able to access information and integrated services via hand-held devices. The figure shows users 1 through 4 accessing services over ad-hoc networking.]

Dynamic rights

We view trust management as establishing trust relationships, rather than in its traditional sense of quantifying trust. Our approach involves

  • articulating policies for user authentication, access control, and delegation;
  • assigning security credentials to individuals;
  • allowing entities to modify the access rights of other entities by delegating or deferring their own access rights to third parties, and revoking rights as well; and
  • providing access control by checking whether the initiator's credentials fulfill the policies.

Access rights are not static but change based on delegations and revocations. Users are assigned generic rights, based on their credentials, the security policy, and other users' delegations, that can be used to request access to other services. Users who hold these access rights can in turn delegate them to others. Users can access a service only if they have the right to do so or if an authorized user has delegated that right to them; they can delegate all rights that they have permission to delegate. Rights can likewise be revoked.

Rights can be associated with devices and agents as well as users: a software agent could have the right to use a certain service, or a service could have the right to use another service.

Models

Well-known distributed trust models include the simple public key infrastructure (SPKI), Pretty Good Privacy (PGP), and Matt Blaze's PolicyMaker. SPKI is used for authentication and authorization but includes only a simple notion of delegation. In PGP, an entity is trusted when one or more trusted entities say that it can be trusted. Both of these schemes suffer from key distribution problems and do not deal with flexible or scalable access control.

Blaze, who coined the term distributed trust management, developed PolicyMaker, which binds public keys to access control without authentication. Although PolicyMaker is a powerful analytical tool, the nonprogrammers who are likely to develop policies may have difficulty expressing policies in this system. Also, it is a query engine that answers questions about access rights under a given policy rather than a true security infrastructure.

Notions similar to delegation, such as copy/copy propagation, have been used even in operating systems, but they generally deal with a user domain in which all users are known in advance; such an assumption can't be made in a pervasive computing scenario.

TRUST ARCHITECTURE FOR PERVASIVE SYSTEMS

We have designed a policy-based framework that extends SPKI and role-based access control.

Distributed model

A security policy is a set of rules for authorization, access control, and trust in a certain domain; it can also contain information about some users' roles and the abilities associated with those roles. Each domain has security agents that enforce the policy.

The domain's services and users can additionally impose a local policy. Services register with a security agent in their space and rely on it to provide security.

A user is generally associated with a certain role in the system and assigned role-based axiomatic rights. This role can change based on the policy or on the user's actions.

Centaurus uses a distributed model in which hierarchically arranged security agents manage security and trust, and X.509 authentication certificates identify users and services. Authorized users can make delegations and revocations in the form of signed assertions. Security agents reason about these signed assertions and the appropriate security policies to provide access control to services in their domain.
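The policy just described, a set of rules over roles and user properties from which a security agent derives rights, can be run directly. The following is an added example, not code from the paper or from Centaurus: a minimal forward-chaining Horn-clause engine in the style the authors say their earlier work used in Prolog (see the closing section), loaded with an invented policy that combines role-based "axiomatic" rights with the projector rule that the Ontologies section gives below. All predicate names, users, rooms and rules are assumptions made for the example.

```python
"""Deriving a user's rights from a rule-based security policy (added example).

Illustrative code, not from the paper or from Centaurus. The authors' earlier
work encoded actions, privileges and delegations as Horn clauses in Prolog;
this is a minimal forward-chaining engine in that style. Every user, room,
predicate name and rule below is invented for the example.
"""


def is_var(term):
    # Variables are strings beginning with '?', e.g. "?u"; everything else is a constant.
    return isinstance(term, str) and term.startswith("?")


def unify(pattern, fact, binding):
    """Extend `binding` so that `pattern` matches the ground `fact`, or return None."""
    if len(pattern) != len(fact):
        return None
    b = dict(binding)
    for p, f in zip(pattern, fact):
        if is_var(p):
            if b.get(p, f) != f:      # already bound to something else
                return None
            b[p] = f
        elif p != f:
            return None
    return b


def match_body(body, facts, binding=None):
    """Yield each binding under which every pattern in `body` is a known fact."""
    binding = binding or {}
    if not body:
        yield binding
        return
    for fact in facts:
        b = unify(body[0], fact, binding)
        if b is not None:
            yield from match_body(body[1:], facts, b)


def forward_chain(facts, rules):
    """Close `facts` under Horn rules given as (head, body) with ground facts."""
    derived = set(facts)
    changed = True
    while changed:
        changed = False
        for head, body in rules:
            for b in list(match_body(body, derived)):
                new = tuple(b.get(t, t) for t in head)
                if new not in derived:
                    derived.add(new)
                    changed = True
    return derived


# Constructed policy. Right facts have the shape (can, user, action, resource).
POLICY = [
    # role-based, "axiomatic" rights
    (("can", "?u", "use", "lights"), [("role", "?u", "employee")]),
    (("can", "?u", "use", "lights"), [("role", "?u", "manager")]),
    (("can", "?u", "use", "printer"), [("role", "?u", "manager")]),
    # managers may delegate whatever they may use
    (("can", "?u", "delegate", "?r"),
     [("role", "?u", "manager"), ("can", "?u", "use", "?r")]),
    # property-based rule from the text: whoever runs the projector during a
    # presentation is taken to be the presenter and may use the room computer
    (("presenter", "?u"),
     [("in_room", "?u", "?room"), ("operating", "?u", "projector"), ("presentation", "?room")]),
    (("can", "?u", "use", "computer"), [("presenter", "?u")]),
]

# Constructed facts about the current state of the Smart Room.
FACTS = {
    ("role", "susan", "manager"),
    ("role", "john", "partner_employee"),   # a role the office policy knows nothing about
    ("in_room", "john", "room_101"),
    ("operating", "john", "projector"),
    ("presentation", "room_101"),
}


def rights_for(user, facts=FACTS, rules=POLICY):
    """Return the set of (action, resource) pairs `user` may exercise right now."""
    return {(f[2], f[3]) for f in forward_chain(facts, rules) if f[:2] == ("can", user)}
```

John's role means nothing to this policy, yet `rights_for("john")` yields the computer because the rule fires on what he is doing, not on who he is; drop the `("presentation", "room_101")` fact and the right disappears with no policy edit, which is the "dynamic rights" behaviour the text describes. The engine re-evaluates every rule each round and has no negation, which is adequate for a room-sized fact base but not a general-purpose policy engine.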

[Figure 2. Trust in pervasive computing environments. John asks Susan for access to various services. Susan sends back a delegation certificate, which John sends to the security agent. The security agent verifies the certificate and, because Susan is trusted, allows John to access the ... The figure shows Susan's laptop, John's PDA and the interface to the security agent, with the exchanges "request for permission + ID certificate" (John to Susan), "request + delegation + ID certificate" (John to the security agent), and the message types request for service access/response, delegate request/response, and service request/response.]

Delegation chain

Centaurus views delegation as a right in itself. Only users with the right to delegate a certain action can actually delegate that action, and the ability to delegate can itself be delegated. Users can constrain delegations by specifying whether delegated users can re-delegate the right and to whom they can delegate it. Once users are given certain rights, they are responsible for the actions of the users to whom they subsequently delegate those rights and privileges.

This forms a delegation chain in which users delegate only to other users that they trust. If any user along the chain fails to meet the requirements associated with a delegated right, the chain is broken. Following the failure, no user further along the chain can perform the action associated with the right.

When users make requests to the security agent controlling the service, they attach their credentials, an ID certificate or a delegation certificate, to the request. Security agents may generate authorization certificates that users can employ as tickets to access a certain resource.

As Figure 2 shows, one user, John, can also ask another user, Susan, to delegate to him the right to access certain services. If Susan is satisfied with John's credentials, she sends back a signed statement containing the delegation, possibly with constraints attached, for example one that limits access to a certain period or restricts the persons to whom John can re-delegate the right. The security agent is responsible for honoring the delegation, based on the delegator's and delegatee's credentials and the policies.

Ontologies

Our work is similar to role-based access control, an approach in which access decisions are based on the roles that individual users have as part of an organization, such as doctor, nurse, manager, or student, in that a user's access rights are computed from its properties.

Our approach, however, uses ontologies that include not just role hierarchies but any properties and constraints expressed in an XML-based language, including elements of both description logics and declarative rules. For example, a rule could specify that any user in a meeting room who is operating the projector during a presentation is probably the presenter and should thus be allowed to use the computer as well. In this way, rights can be assigned dynamically to users without creating a new role.
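The check the security agent performs on a delegation chain in Figure 2, written out as an added example; this is not code from the paper or from Centaurus. It assumes that a delegation is a JSON statement signed with HMAC-SHA256 under a per-principal key the agent holds, a stand-in for the X.509/SPKI signatures the paper relies on, and the principals, keys, clock values and office policy table are all constructed for the example. It enforces each constraint the text names: the signature, the validity period, the delegated resources, whether re-delegation is permitted and to whom, that each delegator was itself delegated the right, and that the chain starts with a principal the policy allows to delegate at all, so that one failing link breaks the chain for everyone further along it.

```python
"""Security-agent check of a delegation chain (added example).

Illustrative code, not from the paper or from Centaurus. Assumed for the
example: a delegation is a JSON statement signed with HMAC-SHA256 under a
per-principal key held by the agent (a stand-in for the X.509/SPKI signatures
the paper uses); a right names a resource the user may use; and the policy
table says which roles may hand out which resources.
"""
import hashlib
import hmac
import json

# Constructed key material; in the paper's design these would be certificates.
KEYS = {"susan": b"susan-key", "john": b"john-key", "mallory": b"mallory-key"}
# Constructed office policy: managers may delegate three services, nobody the fax.
ROLES = {"susan": "manager", "john": "partner_employee", "mallory": "visitor"}
DELEGABLE = {"manager": {"lights", "coffee_maker", "printer"}}


def canonical(payload):
    """Deterministic encoding so signer and verifier hash identical bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign_delegation(delegator, delegatee, resources, issued, ttl,
                    can_redelegate=False, allowed_delegatees=None):
    """The delegator's device issues a short-lived signed delegation.

    `allowed_delegatees`, if given, restricts to whom the delegatee may re-delegate.
    """
    payload = {
        "delegator": delegator,
        "delegatee": delegatee,
        "resources": sorted(resources),
        "not_before": issued,
        "expires": issued + ttl,
        "can_redelegate": can_redelegate,
        "allowed_delegatees": sorted(allowed_delegatees) if allowed_delegatees else None,
    }
    sig = hmac.new(KEYS[delegator], canonical(payload), hashlib.sha256).hexdigest()
    return {"payload": payload, "signature": sig}


def signature_ok(delegation):
    key = KEYS.get(delegation["payload"]["delegator"])
    if key is None:
        return False
    expected = hmac.new(key, canonical(delegation["payload"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, delegation["signature"])


def authorize(requester, resource, chain, now):
    """Decide whether `requester` may use `resource` at time `now`.

    `chain` lists delegations from the original right holder down to the
    requester. Every link must hold; one failing link breaks the whole chain.
    Returns (allowed, reason).
    """
    if not chain:
        return False, "no delegation presented"
    root = chain[0]["payload"]["delegator"]
    # The policy, not the signature, decides who may delegate at all.
    if resource not in DELEGABLE.get(ROLES.get(root), set()):
        return False, f"{root} holds no right to delegate {resource}"
    holder, allowed_next = root, None
    for i, d in enumerate(chain):
        p = d["payload"]
        if not signature_ok(d):
            return False, f"link {i}: bad signature"
        if p["delegator"] != holder:
            return False, f"link {i}: {p['delegator']} was not delegated the right"
        if allowed_next is not None and p["delegatee"] not in allowed_next:
            return False, f"link {i}: {p['delegatee']} is not a permitted delegatee"
        if not p["not_before"] <= now < p["expires"]:
            return False, f"link {i}: delegation not valid at t={now}"
        if resource not in p["resources"]:
            return False, f"link {i}: {resource} was not delegated"
        if i < len(chain) - 1 and not p["can_redelegate"]:
            return False, f"link {i}: {p['delegatee']} may not re-delegate"
        holder, allowed_next = p["delegatee"], p["allowed_delegatees"]
    if holder != requester:
        return False, "chain does not end at the requester"
    return True, "ok"


# Constructed scenario after Figure 2: Susan grants John three services for an
# hour and lets him pass them on only to Mallory; John passes on the printer.
T0 = 1_000_000  # constructed clock, in seconds
SUSAN_TO_JOHN = sign_delegation("susan", "john", {"lights", "coffee_maker", "printer"},
                                T0, 3600, can_redelegate=True, allowed_delegatees={"mallory"})
JOHN_TO_MALLORY = sign_delegation("john", "mallory", {"printer"}, T0 + 5, 7200)
```

Two points the code makes explicit. A visitor who signs a delegation to himself is rejected before any signature is checked, because a valid signature only says who spoke, which is the gap between authentication and access control that the Security Challenges section describes. And once Susan's delegation expires, Mallory's request fails at link 0 even though John's own statement to her is still within its validity period: rights only ever narrow along the chain, and a broken upstream link takes everything downstream with it.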
Consider the following example. John is an employee of one of the office's partners, but the security agent in the office doesn't understand his role in that organization, so it denies him access to the Smart Room services. John requests permission from Susan, one of the managers, to use the services. According to the office's security policy, Susan can delegate access rights to anyone she trusts. Therefore, she delegates to John the right to use the lights, coffee maker, and printer, but not the fax machine, for a short period of time.

Susan's laptop sends a short-lived signed delegation to John's handheld device. When John enters the Smart Room, the client on his handheld device sends his identity certificate and the delegation to the service manager. Because Susan is trusted and can delegate access rights, the delegation conforms to the policy and John now has access to the lights, coffee maker, and printer. Once the delegation expires, John must ask Susan for another delegation to access services in the room.

This scenario demonstrates the importance of trust over traditional security mechanisms in a pervasive computing environment. The system allows John, a foreign user, to access certain services without creating a new identity for him or insecurely opening up the system in any way.

We are working on integrating trust into the security infrastructure for Centaurus, which currently provides only authentication and access control for known users. We believe that trust will add a new dimension to pervasive computing, allowing greater flexibility in designing policies and providing more control over access to services and information. We are also improving our trust architecture by extending Centaurus to include entitlements, prohibitions, and obligations, and the ability to delegate them.

To protect the privacy of users who do not want the system to log their names and actions, we are replacing X.509 certificates with XML signatures (http:// ... authority that do not include the bearer's identity, but only a role or designation.

In our past work on distributed trust, we encoded actions, privileges, delegations, and security as Horn clauses in Prolog. To develop an approach better suited to sharing information in an open environment, we are recasting this work in the DARPA Agent Markup Language. Built on XML and the Resource Description Framework, DAML provides a description logic language for defining and using ontologies on the Web in machine-readable form. In applying our framework, we are extending the initial ontology (.../ontologies/trust-ont.daml) by defining domain-specific classes for actions, roles, and privileges and creating appropriate instances.

Acknowledgments

This research was supported in part by the IBM EECOMS program and by the DARPA DAML program under contract F30602-97-1-0215, NSF CCR0070802, 1159875433.

Lalana Kagal is a PhD student in the Computer Science and Electrical Engineering Department at the University of Maryland, Baltimore County. Contact her at

Tim Finin is a professor in the Computer Science and Electrical Engineering Department at the University of Maryland, Baltimore County, and director of the Institute for Global Electronic Commerce. Contact him at finin@cs.umbc.edu.

Anupam Joshi is an associate professor in the Computer Science and Electrical Engineering Department at the University of Maryland, Baltimore County. Contact him at

Editor: Upkar Varshney, Department of CIS, Georgia State University, Atlanta, GA 30002-4015; voice +1 404 463 9139; fax +1 404 651 3842;