Trust-Based Security in Pervasive Computing Environments

Lalana Kagal, Tim Finin, and Anupam Joshi
University of Maryland, Baltimore County

Pervasive computing environments require a security architecture based on trust rather than just user authentication and access control.

Traditionally, stand-alone computers and small networks rely on user authentication and access control to provide security. These physical methods use system-based controls to verify the identity of a person or process, explicitly enabling or restricting the ability to use, change, or view a computer resource. However, these strategies are inadequate for the increased flexibility that distributed networks such as the Internet and pervasive computing environments require because such systems lack central control and their users are not all predetermined. Mobile users expect to access locally hosted resources and services anytime and anywhere, leading to serious security risks and access control problems.

We propose a solution based on trust management that involves developing a security policy, assigning credentials to entities, verifying that the credentials fulfill the policy, delegating trust to third parties, and reasoning about users' access rights. This architecture is generally applicable to distributed systems but geared toward pervasive computing environments.

PERVASIVE COMPUTING

Pervasive computing strives to simplify day-to-day life by providing mobile users with the means to carry out personal and business tasks via portable and embedded devices. These tasks range from the simple—switching on the lights in a conference room, checking e-mail, and organizing meetings—to the more complex—such as booking airline tickets, buying and selling stock, or managing bank accounts.

Pervasive computing environments of the near future will involve the interaction, coordination, and cooperation of numerous, casually accessible, and often invisible computing devices. As Figure 1 shows, these devices—whether carried on our person or located in our homes, businesses, and classrooms—will connect via wired and wireless links to one another as well as to the global networking infrastructure to provide more relevant information and integrated services.

The eBiquity Research Group (http://research.ebiquity.org) at the University of Maryland, Baltimore County, is designing pervasive computing systems composed of autonomous, intelligent, self-describing, and interacting components. SmartSpaces are instances of pervasive systems in which the domain is divided into a hierarchy of spaces with a controller managing the services in each space.

Centaurus is a framework for SmartSpaces that includes a message-based transport protocol designed to perform well in low-bandwidth networks and with resource-poor devices. We use this protocol in the Smart Office scenario, in which mobile users access computers, fax machines, printers, the lights, and even such mundane appliances as the coffee maker via handheld devices connected over short-range Bluetooth wireless links.

SECURITY CHALLENGES

Adding security to such open models presents challenges at many levels. How do you decide whether a person who does not work in an office but has access to it—for example, as a consultant or member of a partner firm—can use certain services?

We encountered several problems with providing security in environments using the Centaurus protocol. Having a central authority for a single building or even a group of rooms is infeasible because every possible access right will have to be specified for every user. Authenticating the identity certificate of a previously unknown user doesn't provide any access control information. Simple authentication and access control are only effective if the system knows in advance which users are going to access a Smart Room and what their access rights are.

Portable handheld and embedded devices have severely limited processing power, memory capacities, software support, and bandwidth characteristics. Also, hardware and software environments are becoming increasingly heterogeneous, a trend which will continue in the foreseeable future. Finally, security information in different domains is subject to inconsistent interpretations in such an open, distributed environment.

To satisfy the requirements of the pervasive computing model, we suggest adding distributed trust to the security
We view trust management as establishing trust relationships instead of its traditional meaning of quantifying trust. Our approach involves

• articulating policies for user authentication, access control, and delegation;
• assigning security credentials to individuals;
• allowing entities to modify access rights of other entities by delegating or deferring their access rights to third parties and revoking rights as well; and
• providing access control by checking if the initiators' credentials fulfill the policies.

Figure 1. Pervasive computing. In the near future, mobile users will be able to access information and integrated services via hand-held devices. (Figure labels: User 1, User 2, User 3, User 4.)

Access rights are not static but change based on delegations and revocations. Users are assigned generic rights—based on their credentials, the security policy, and other users' delegations—that can be used to request access to other services. Appropriate users with these access rights can in turn delegate the requested right. Users can access a service only if they have the right to do so or if an authorized user has delegated that right to them; they can delegate all rights that they have the permission to delegate. Rights can likewise be revoked.

Rights can be associated with devices and agents as well as users: A software agent could have the right to use a certain service, or a service could have the right to use another service.

Models

Well-known distributed trust models include the simple public key infrastructure, Pretty Good Privacy, and Matt Blaze's PolicyMaker. SPKI is used for authentication and authorization but only includes a simple notion of delegation. In PGP, an entity is trusted when one or more trusted entities say that it can be trusted. Both of these schemes suffer from key distribution problems and do not deal with flexible or scalable access control.

Blaze, who coined the term distributed trust management, developed PolicyMaker, which binds public keys to access control without authentication. Although PolicyMaker is a powerful analytical tool, nonprogrammers who are likely to develop policies may have difficulty expressing policies in this system. Also, it is a query engine that answers questions about access rights to a given policy rather than a true security infrastructure.

Notions similar to delegation such as copy/copy propagation have been used even in operating systems, but they generally deal with a user domain in which all users are known in advance; such an assumption can't be made in a pervasive computing scenario.

TRUST ARCHITECTURE FOR PERVASIVE SYSTEMS

We have designed a policy-based framework that extends SPKI and role-based access control.

Distributed model

A security policy is a set of rules for authorization, access control, and trust in a certain domain; it can also contain information about some users' roles and the abilities associated with those roles. Each domain has security agents that enforce the policy.

The domain's services and users can additionally impose a local policy. Services register with a security agent in their space and rely on it to provide security.

A user is generally associated with a certain role in the system and assigned role-based axiomatic rights. This role can change based on the policy or user's actions.

Centaurus uses a distributed model in which hierarchically arranged security agents manage security and trust, and X.509 authentication certificates identify users and services. Authorized users can make delegations and revocations in the form of signed assertions. Security agents reason about these signed assertions and the appropriate security policies to provide access control to services in their domain.
December 2001 3
Figure 2. Trust in pervasive computing environments. John requests Susan for access to various services. Susan sends back a delegation certificate that John sends to the security agent. The security agent verifies the certificate and, because Susan is trusted, allows John to access the (Figure labels: Susan's laptop; Security agent; Request for ID certificate; Request for service; Request +; access/response.)
Delegation chain

Centaurus views delegation as a right itself. Only users with the right to delegate a certain action can actually delegate that action, and the ability to delegate itself can be delegated. Users can constrain delegations by specifying whether delegated users can re-delegate the right and to whom they can delegate. Once users are given certain rights, they are responsible for the actions of the users to whom they subsequently delegate those rights and privileges.

This forms a delegation chain in which users only delegate to other users that they trust. If any user along this delegation chain fails to meet the requirements associated with a delegated right, the chain is broken. Following the failure, no user can perform the action associated with the right.

When users make requests to the security agent controlling the service, they attach their credentials—an ID certificate or a delegation certificate—to the request. Security agents may generate authorization certificates that users can employ as tickets to access a certain resource.

As Figure 2 shows, one user, John, can also ask another user, Susan, to delegate to him the right to access certain services. If Susan is satisfied with John's credentials, she will send back a signed statement containing the delegation, possibly with constraints attached—for example, one that limits access to a certain period or persons to whom John can re-delegate the right. The security agent is responsible for honoring the delegation, based on the delegator's and delegatee's credentials and the policies.

Ontologies

Our work is similar to role-based access control—an approach in which access decisions are based on the roles that individual users have as part of an organization, such as doctor, nurse, manager, or student—in that a user's access rights are computed from its properties. Our approach, however, uses ontologies that include not just role hierarchies but any properties and constraints expressed in an XML-based language, including elements of both description logics and declarative rules. For example, a rule could specify that any user in a meeting room who is operating the projector during a presentation is probably the presenter and should thus be allowed to use the computer as well. In this way, rights can be assigned dynamically to users without creating a new role.
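As an added example (not code from the article or from Centaurus), the following Python models the security agent's decision for the delegation chain described above and for the John/Susan office scenario: a constructed role policy, signed delegation assertions carrying an expiry and a re-delegation constraint, and a check that walks the chain from the root delegator and refuses access as soon as any link fails. HMAC over a per-user key stands in for the X.509 signatures the article uses; the user names, rights, keys and policy are all constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed domain policy: each role's axiomatic rights and the subset it may delegate.
POLICY = {"manager": {"rights": {"lights", "coffee", "printer", "fax"},
                      "delegable": {"lights", "coffee", "printer", "fax"}},
          "employee": {"rights": {"lights", "printer"}, "delegable": set()}}
ROLES = {"susan": "manager", "bob": "employee"}          # John is unknown to this domain
KEYS = {"susan": b"k-susan", "john": b"k-john", "bob": b"k-bob"}  # HMAC keys stand in for X.509 keys

@dataclass(frozen=True)
class Delegation:
    delegator: str
    delegatee: str
    rights: frozenset
    expires: float        # absolute time in seconds; short-lived delegations expire
    can_redelegate: bool  # constraint: may the delegatee pass the rights on?
    sig: bytes = b""

    def payload(self) -> bytes:
        return (f"{self.delegator}>{self.delegatee}|{','.join(sorted(self.rights))}"
                f"|{self.expires}|{self.can_redelegate}").encode()

def sign(d: Delegation) -> Delegation:
    mac = hmac.new(KEYS[d.delegator], d.payload(), hashlib.sha256).digest()
    return Delegation(d.delegator, d.delegatee, d.rights, d.expires, d.can_redelegate, mac)

def valid_sig(d: Delegation) -> bool:
    key = KEYS.get(d.delegator)
    return key is not None and hmac.compare_digest(
        hmac.new(key, d.payload(), hashlib.sha256).digest(), d.sig)

def authorize(user: str, right: str, chain: list, now: float) -> bool:
    """Security-agent decision: may `user` exercise `right` now, given a delegation
    chain (root delegator first, `user` last)? An empty chain relies on role rights alone."""
    if not chain:
        return right in POLICY.get(ROLES.get(user), {}).get("rights", set())
    root = POLICY.get(ROLES.get(chain[0].delegator), {})
    if right not in root.get("delegable", set()):       # root must hold the right and may delegate it
        return False
    holder = chain[0].delegator
    for i, d in enumerate(chain):
        if d.delegator != holder or not valid_sig(d) or d.expires <= now or right not in d.rights:
            return False                                 # any failed link breaks the whole chain
        if i < len(chain) - 1 and not d.can_redelegate:
            return False                                 # an intermediate link forbade re-delegation
        holder = d.delegatee
    return holder == user
```

Revocation is not modelled here; in the article's design the agent would also reject a chain containing a revoked assertion.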
PERVASIVE COMPUTING SCENARIO

Consider the following example. John is an employee of one of the office's partners, but the security agent in the office doesn't understand his role in the organization, so it denies him access to the Smart Room services. John requests permission from Susan, one of the managers, to use the services. According to the office's security policy, Susan can delegate access rights to anyone she trusts. Therefore, she delegates to John the right to use the lights, coffee maker, and printer—but not the fax machine—for a short period of time.

Susan's laptop sends a short-lived signed delegation to John's handheld device. When John enters the Smart Room, the client on his handheld device sends his identity certificate and the delegation to the service manager. Because Susan is trusted and can delegate access rights, the delegation conforms to the policy and John now has access to the lights, coffee maker, and printer. Once the delegation expires, John must ask Susan for another delegation to access services in the room.

This scenario demonstrates the importance of trust over traditional security mechanisms in a pervasive computing environment. The system allows John, a foreign user, to access certain services without creating a new identity for him or insecurely opening up the system in

We are working on integrating trust into the security infrastructure for Centaurus, which currently only provides authentication and access control for known users. We believe that trust will add a new dimension to pervasive computing, allowing greater flexibility in designing policies and providing more control over accessing services and information. We are also improving our trust architecture by extending Centaurus to include entitlements, prohibitions, and obligations and the ability to delegate them.

To protect the privacy of users who do not want the system to log their names and actions, we are replacing X.509 certificates with XML signatures (http://www.w3.org/signature) from a trusted authority that do not include the bearer's identity, but only a role or designation.

In our past work on distributed trust, we encoded actions, privileges, delegations, and security as horn clauses in Prolog. To develop an approach better suited to sharing information in an open environment, we are recasting this work in the DARPA Agent Markup Language. Built on XML and the Resource Description Framework, DAML provides a description logic language for defining and using ontologies on the Web in machine-readable form. In applying our framework, we are extending the initial ontology (http://daml.umbc.edu/ontologies/trust-ont.daml) by defining domain-specific classes for actions, roles, and privileges and creating appropriate instances.

Acknowledgments

This research was supported in part by the IBM EECOMS program and by the DARPA DAML program under contract F30602-97-1-0215, NSF CCR0070802, 1159875433.

Lalana Kagal is a PhD student in the Computer Science and Electrical Engineering Department at the University of Maryland, Baltimore County. Contact her at email@example.com.

Tim Finin is a professor in the Computer Science and Electrical Engineering Department at the University of Maryland, Baltimore County, and director of the Institute for Global Electronic Commerce. Contact him at firstname.lastname@example.org.

Anupam Joshi is an associate professor in the Computer Science and Electrical Engineering Department at the University of Maryland, Baltimore County. Contact him at email@example.com.

Editor: Upkar Varshney, Department of CIS, Georgia State University, Atlanta, GA 30002-4015; voice +1 404 463 9139; fax +1 404 651 3842; firstname.lastname@example.org