Access Control to Information in Pervasive Computing Environments
Thesis Oral
Urs Hengartner
Committee: Peter Steenkiste (Chair), Adrian Perrig, Michael K. Reiter, Edward W. Felten, Princeton

Pervasive Computing requires Access Control to Information
• Pervasive computing:
  • Hundreds of computing devices for everyone
  • Embedded, networked sensors
  • Gather and make available vast amounts of personal information (location, activity, health, …)
• Privacy is a big concern in pervasive computing
• Access control for pervasive computing information raises challenges

Pervasive Computing Scenario
• Carol schedules a meeting with Bob in her calendar
• Carol grants Alice access to her calendar provided that
  • Carol is not busy
  • Carol is in her office
(Figure: Alice queries Carol's calendar; the entry reads "Carol is meeting with Bob in WeH 8220")

Challenge #1 – Diversity in Service Administration
(Figure: Carol's information is provided by several people locators and activity services, run by different entities such as Nextel and Carol's company, drawing on a GPS cell phone, a body sensor, a camera, access points, a laptop, and a calendar)

Traditional Solutions assume Trusted Environment for Services
• AFS file servers trust each other
• Database hosts trust each other
Access control needs to be able to deal with services run by different entities, while making it easy for individuals to manage access to their personal information provided by these services

Related Work and Diversity in Service Administration
• Pervasive computing projects with access control: CoBra, Cerberus, Semantic Wallet, …
• Typical approaches:
  • Centralized entity controlling access on behalf of individual services
  • Individual maintains services providing her information
Challenge #2 – Complex Information
(Figure: Alice asks the calendar service for Carol's calendar entry; the entry "Carol is meeting with Bob in WeH 8220" contains Carol's activity, Carol's location, Bob's location, and Bob's activity; information leak?)

Traditional Solutions for Complex Information do not work here
• Keep complex information secret
  • Pervasive computing needs access in order to serve people
• Carefully establish access rights
  • Tedious
  • Consistency problems
Access control itself needs to be aware of the contents of complex information and treat this content as a first-class citizen when making an access decision

Related Work and Complex Information
• Other pervasive computing projects have noticed problem
  • CoBra
  • Not addressed in deployed architecture

Challenge #3 – Confidential Context-Sensitive Constraints
(Figure: Alice asks the calendar service for Carol's calendar under the access right "Access if Carol's location == office"; receiving the entry "Meeting with…" tells Alice that Carol is in her office; information leak?)

Traditional Solutions
• Simple constraints
  • Group/role membership in filesystems/databases
• Some context-sensitive constraints
  • Time
• Limited availability of confidential context-sensitive information (currently)
Access control needs to support context-sensitive constraints, but without leaking confidential information listed in a constraint

Related Work and Context-Sensitive Constraints
• Many pervasive computing projects support context-sensitive constraints
  • Location-based services
• No systematic study of information leaks caused by confidential context-sensitive constraints

Thesis Goal
Is it possible to run access control to information in pervasive computing, where this information can be complex and where access decisions might be constrained based on confidential information, without relying on a centralized entity?
Key Components
• Client-based access-control architecture
  • Access rights expressed as digital certificates
  • Client submits proof of access to service
  • Extended to deal with challenges
  • Naïve application results in information leaks
• Flexible information representation scheme
  • Service- and environment-independent access rights
• Semantics of information
  • Captured in formal model to deal with complex information

Research Contributions
• Distributed access-control architecture for pervasive computing [HotOS 2003]
• Information relationships [PerCom 2005]
• Derivation-constrained access control
• Confidential context-sensitive constraints
• Obscured proof-of-access descriptions [SecureComm 2005]
• Alternative: Encryption-based access-control architecture [SecureComm 2005]

Outline
• Thesis Goal
• Confidential Context-Sensitive Constraints
  • Approach
  • Related Work
  • Access-Rights Graphs
  • Hidden Constraints
  • Performance Evaluation
• Obscured Proof-of-Access Descriptions
• Future Work

Approach
• Systematic study of how context-sensitive constraints can cause information leaks in different access-control approaches
  • Centralized
  • Service-based
  • Client-based
  • Hybrid
• Access-rights graphs for constraint resolution
• Hidden constraints to avoid information leaks

Comparison with Related Work
• Ubicomp projects with context-sensitive constraints
  • Cerberus, CoBrA, Semantic Wallet
  • Centralized, no discussion of information leaks
• [Minami and Kotz, PerCom 2005]
  • Service-based, limited scenario
• Context awareness for RBAC
  • E.g., Environment Roles
  • No discussion of information leaks
• New access-control models supporting constraints
  • UCONABC, GAA API
  • No discussion of information leaks
Client-Based Access Control with Confidential Constraints
• Alice has access right to Carol's calendar constrained to Carol's location
• Alice has unconstrained access to Carol's location information
(Figure: Alice asks the location service "Carol's location == her office?" and gets "Yes"; she then asks the calendar service for Carol's calendar)

Threat Model
• Single attacker or multiple collaborating attackers learn value of information used in a constraint, where the single attacker or all of the collaborating attackers do not have an access right to this information
• Actions of attackers:
  • Issue requests and observe their fate
  • Issue (constrained) access rights
  • Run services providing information

Can Information in Constraint leak to (Colluding) Entities?
• Alice must ensure that calendar service has access to information in constraint
• Collusion not an issue here (but will be later)
(Figure: client-based access control; Alice can access Carol's calendar if Carol is in her office)

Public Access Rights can cause Subtle Information Leaks
• Alice needs to ensure that calendar service has access to Carol's location information
  • Alice resolves constraints in service's access right to Carol's location information
  • Alice retrieves information in these constraints using her own access rights
• Upon receiving proof from Alice, calendar service learns that constraints in Alice's access rights must have been satisfied
  • Information leak if service knows access rights
  • Keep access rights confidential
Access Rights to Information in Constraint can be Constrained
• Access-rights graph for showing a principal's access rights and constraints on them
• When can principal access information A.x?
(Figure: access-rights graph; a node is the information in an access right (owner.type), an edge is a constraint on that access right, labelled with the required constraint value(s); the root A.x has edges to B.y labelled {s} and to C.z labelled {t}; the edges from B.y and C.z toward D.w carry the labels {u} and {r, t}; D.w has an unconstrained edge, shown as *)

Access-Control Algorithm
• Build access-rights graph
  • Each node needs outgoing edge
  • No conflict among node's incoming edges
• Start constraint resolution at nodes with no outgoing edges to other nodes
• Work toward root node
  • For each node, verify that current value is in all incoming edges

Constraint Resolution Example
(Steps annotated on the access-rights graph of the previous slide)
1. Get current value of D.w
2. D.w = u?
3. Get current value of B.y
4. B.y = s?
5. Get current value of C.z
6. C.z = t?
7. Get current value of A.x
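The two slides above give the graph checks and the leaf-first resolution only as bullet points. The following Python is an added example, not code from the thesis or from Project Aura: it implements the structural checks (every node has an outgoing edge, the value sets of a node's incoming constraints overlap), the post-order resolution toward the root, and loop detection, on a constructed graph that reuses the slide's node names A.x, B.y, C.z and D.w with value sets chosen by me. The table of current values stands in for the client's queries to the services.

```python
"""Access-rights graph: structural checks and constraint resolution.

Added example, not the thesis's own code. A node is the information named in an
access right ("owner.type"); an edge n -> m labelled with a value set means the
access right to n is constrained on m's current value being in that set; an edge
to "*" is an unconstrained access right. Current values come from a constructed
table that stands in for the client's queries to the services.
"""
from typing import Dict, List, Optional, Set, Tuple

Edge = Tuple[str, Optional[Set[str]]]  # (target node, required values); ("*", None) = unconstrained


class AccessRightsGraph:
    def __init__(self, edges: Dict[str, List[Edge]]) -> None:
        self.edges = edges

    def _incoming(self) -> Dict[str, List[Set[str]]]:
        """Value sets demanded of each node by the constraints pointing at it."""
        incoming: Dict[str, List[Set[str]]] = {}
        for outs in self.edges.values():
            for target, values in outs:
                if target != "*":
                    incoming.setdefault(target, []).append(values)
        return incoming

    def check_structure(self) -> List[str]:
        """Slide rules: every node needs an outgoing edge, and a node's incoming
        edges must not conflict (their required value sets must overlap)."""
        problems = []
        for node, outs in self.edges.items():
            if not outs:
                problems.append(f"{node}: no access right (no outgoing edge)")
            for target, _ in outs:
                if target != "*" and target not in self.edges:
                    problems.append(f"{target}: named in a constraint but has no node")
        for node, sets in self._incoming().items():
            if len(sets) > 1 and not set.intersection(*sets):
                problems.append(f"{node}: conflicting constraints {[sorted(s) for s in sets]}")
        return problems

    def resolution_order(self, root: str) -> List[str]:
        """Post-order walk from the root: nodes whose only outgoing edge is "*"
        come first, the root last. A loop is reported rather than resolved."""
        order: List[str] = []
        state: Dict[str, int] = {}  # 1 = on the current path, 2 = finished

        def visit(node: str) -> None:
            if state.get(node) == 1:
                raise ValueError(f"loop in access-rights graph through {node}")
            if state.get(node) == 2:
                return
            state[node] = 1
            for target, _ in self.edges.get(node, []):
                if target != "*":
                    visit(target)
            state[node] = 2
            order.append(node)

        visit(root)
        return order

    def resolve(self, root: str, current: Dict[str, str]) -> Tuple[bool, List[str]]:
        """Fetch each node's current value leaf-first and verify it against every
        incoming constraint; returns (granted, trace of the steps taken)."""
        problems = self.check_structure()
        if problems:
            return False, problems
        incoming = self._incoming()
        trace: List[str] = []
        for node in self.resolution_order(root):
            value = current.get(node)
            trace.append(f"get current value of {node}: {value}")
            for values in incoming.get(node, []):
                if value not in values:
                    trace.append(f"{node} = {value} not in {sorted(values)}: denied")
                    return False, trace
        trace.append(f"access to {root} granted")
        return True, trace


# Constructed graph after the slide's node names; the value sets are chosen so
# that every node's incoming constraints overlap (both demand D.w = u).
GRAPH = AccessRightsGraph({
    "A.x": [("B.y", {"s"}), ("C.z", {"t"})],
    "B.y": [("D.w", {"u"})],
    "C.z": [("D.w", {"u", "r"})],
    "D.w": [("*", None)],
})
# Same shape, but B.y and C.z demand disjoint values of D.w: rejected when built.
CONFLICT = AccessRightsGraph({
    "A.x": [("B.y", {"s"}), ("C.z", {"t"})],
    "B.y": [("D.w", {"u"})],
    "C.z": [("D.w", {"r", "t"})],
    "D.w": [("*", None)],
})
CURRENT = {"A.x": "meeting with Bob", "B.y": "s", "C.z": "t", "D.w": "u"}  # constructed values

if __name__ == "__main__":
    granted, steps = GRAPH.resolve("A.x", CURRENT)
    print("\n".join(steps))
    print(CONFLICT.check_structure())
```

The resolution order produced for `GRAPH` is D.w, B.y, C.z, A.x, the same order as the numbered steps on the slide. Loops are one of the "other issues" the talk defers to the thesis; here they are simply reported as an error so that resolution never spins.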
Client-Based Access Control with Access-Rights Graphs
• Alice builds access-rights graphs for requested information based on her access rights
• During constraint resolution, Alice assembles proof of access for each node
  • Proof contains access right and confirmation showing satisfaction of its constraints
• Information in constraint can leak to service receiving proof
  • Alice ensures that service can access information
  • Requires additional access-rights graphs

Hidden Constraints
• Principal knowing constraint specification could infer current value of information in constraint
• Idea: Hide specification from principal
  • From client
    • Client still needs to be able to resolve constraint
  • From service
    • Service cares only about satisfaction of a constraint
    • Additional benefit: supports constraints with information to which service does not have access
    • Need to ensure that issuer has access (Collusion)

Implementation
• Built client-based access-control framework based on Web framework [Howell and Kotz, OSDI 2000]
  • SPKI/SDSI certificates for expressing access rights
  • Added support for constraints
  • Incorporated into Project Aura
• Constraints can be hidden from service
  • Constraint specification is separate from access right
  • Access right includes only reference
    • Public key (signature for guaranteeing satisfaction)
    • End of one-way chain (chain value)
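As an added example (not the thesis's Java framework and not its SPKI/SDSI certificates), the following Python shows the one-way-chain variant of a hidden constraint from the slide above: the issuer keeps the constraint specification, the access right holds only the chain end, and the service checks a released chain value without learning what was checked. The division of time into numbered periods, the period number the service uses, and the office-location predicate are my assumptions.

```python
"""Hidden constraint referenced by the end of a one-way (hash) chain.

Added example, not the thesis's implementation. The constraint specification
(here: "Carol is in her office") stays with its issuer; the access right carries
only the chain end. Assumptions made for the example: time is divided into
numbered periods, the issuer releases the chain value for the current period
only while the constraint holds, and the service knows the current period.
"""
import hashlib
import hmac
import os
from typing import Callable, Dict, Optional


def step(value: bytes) -> bytes:
    """One application of the one-way function."""
    return hashlib.sha256(value).digest()


class HiddenConstraint:
    """Issuer side (the constraint's owner): evaluates the secret specification
    and hands out per-period confirmations that prove nothing but satisfaction."""

    def __init__(self, spec: Callable[[Dict[str, str]], bool], periods: int) -> None:
        self._spec = spec              # never leaves the issuer
        self.periods = periods
        chain = [os.urandom(32)]       # chain[k] = step^k(seed)
        for _ in range(periods):
            chain.append(step(chain[-1]))
        self._chain = chain
        self.chain_end = chain[-1]     # the only value placed in the access right

    def confirmation(self, period: int, context: Dict[str, str]) -> Optional[bytes]:
        """Chain value for `period` (1..periods) if the constraint holds, else None.
        Releasing chain[periods - period] exposes only earlier periods' values."""
        if not 1 <= period <= self.periods:
            raise ValueError("period out of range")
        if not self._spec(context):
            return None
        return self._chain[self.periods - period]


def make_access_right(subject: str, obj: str, constraint: HiddenConstraint) -> Dict[str, str]:
    """Access right as the service sees it: a reference to the constraint, no specification."""
    return {"subject": subject, "object": obj, "constraint_ref": constraint.chain_end.hex()}


def service_verifies(access_right: Dict[str, str], confirmation: bytes, period: int) -> bool:
    """Service side: walk the chain forward `period` steps and compare with the reference.
    The service learns that the constraint held, not what the constraint says."""
    value = confirmation
    for _ in range(period):
        value = step(value)
    return hmac.compare_digest(value, bytes.fromhex(access_right["constraint_ref"]))


def demo() -> Dict[str, bool]:
    """Carol grants Alice access to her calendar if Carol is in her office (constructed)."""
    in_office = HiddenConstraint(lambda ctx: ctx.get("carol_location") == "office", periods=24)
    right = make_access_right("Alice", "Carol.calendar", in_office)
    now = 3
    ok = in_office.confirmation(now, {"carol_location": "office"})
    assert ok is not None
    return {
        "satisfied": service_verifies(right, ok, now),
        "unsatisfied": in_office.confirmation(now, {"carol_location": "home"}) is None,
        # a period-3 confirmation does not verify when presented for period 4 or period 2
        "replayed_later": service_verifies(right, ok, now + 1),
        "replayed_earlier": service_verifies(right, ok, now - 1),
    }


if __name__ == "__main__":
    print(demo())
```

The signature-based reference on the slide has the same shape: the access right names a public key and the issuer signs a per-period confirmation instead of releasing a chain value. In both variants the collusion point from the Hidden Constraints slide remains: the issuer must itself have access to Carol's location, otherwise the release of a confirmation is the leak.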
Constraint Resolution Responsible for 25% of Cost
• Carol grants Bob access to her calendar if Bob is in his office
• Use hidden, signature-based constraint
(Pentium IV/2.5GHz, Linux 2.4.20, Java 1.4.2, 100 runs, 1024 bit RSA)
Overall response time: 463 ms
(Figure: breakdown of the response time; constraint resolution accounts for 25%)

Other Issues (see Thesis)
• Centralized and service-based access control
• Formal model
• Access-rights graphs with loops
• Enforceability
• Certificate discovery
• Forwarded access rights
• Multiple services offering information in constraint

Summary of Confidential Context-Sensitive Constraints
• Access rights with confidential context-sensitive constraints can leak information in constraint
  • Ensure that principals observing request have access to this information
• Access-rights graphs to detect conflicting constraints and to simplify constraint resolution
• Hidden constraints can avert information leaks

Outline
• Thesis Goal
• Confidential Context-Sensitive Constraints
• Obscured Proof-of-Access Descriptions
  • Approach
  • Related Work
  • Requirements
  • Solution based on Identity-Based Encryption
  • Performance Evaluation
• Future Work

Information leak due to Proof Description
(Figure: Alice asks the calendar service for Carol's calendar entry ("Carol is meeting with Bob in WeH 8220"); the service answers "Prove that you can access Carol's location and activity, Bob's location and activity", from which Alice learns that Carol is meeting with Bob; information leak?)
Approach
• Service obscures description of required proof of access such that Alice understands it only if she has access to information listed in description
• Based on cryptography
  • Service generates ciphertext
  • Alice needs to find matching decryption key
• Hierarchical cryptographic scheme to support
  • Constraints (e.g., time-based) on access right
  • Granularity-aware access rights

Comparison with Related Work
• Automated trust negotiation
  • E.g., [Yu and Winslett, S&P 2003]
  • Deadlocks possible
• Hidden Credentials [Holt et al., WPES 2003]
  • No constraints and granularity awareness
• Secret Handshakes [Balfanz et al., S&P 2003], Brands' self-blinding certificates, Chaum's pseudonyms, Oblivious Signature-Based Envelopes [Li et al., PODC 2003]
  • Both parties agree on centralized authority
  • No constraints and granularity awareness

Requirements
• Asymmetry
  • Service can generate obscured proof description, but not interpret obscured descriptions generated by other services
• Personalization
  • Leaking of secret knowledge by a client does not affect other clients
• Granularity-aware and constrained access rights

Exploit Hierarchical Identity-Based Encryption (HIBE)
• Asymmetric encryption scheme
• Simple key management makes personalization easy
• Use hierarchies to support granularity awareness and constraints
• My contributions:
  • New application of HIBE
  • Extend HIBE to support multiple hierarchies
  • First implementation of HIBE

Asymmetry – Exploit asymmetric encryption scheme
(Figure: Alice asks the calendar service for Carol's calendar entry ("Carol is meeting with Bob in WeH 8220"); the service replies "Prove that you can access Carol's location" together with an obscured item "[Bob's location, ]"; Bob's access right and Carol's access right are shown separately)

Personalization – Exploit Identity-Based Encryption
• Proposed >20 years ago [Shamir, Crypto 1984]; practical approaches have appeared only recently (e.g., [Boneh and Franklin, Crypto 2001])
• Public key of an individual is her ID (e.g., email)
  • No need to acquire separate public key based on "traditional" asymmetric cryptosystem (e.g., RSA)
  • Simplifies key management and personalization
• Individual receives private key from Private Key Generator (PKG)

Granularities – Exploit Hierarchical Identity-Based Encryption
• Distribute private key generation in hierarchy
  • Root PKG issues private keys to sub PKGs
  • Sub PKGs issue private keys to individuals in their domains
(Figure: hierarchy with root EDU, sub PKGs CMU and Princeton, and individuals Fred, Dave, and Ed; Dave's public key is "EDU, Princeton, Dave", and his private key is the numerical value associated with his node)
Setup – Bob gives public keys (i.e., hierarchies) to service
• Bob defines set of hierarchies resembling
  • granularity properties of his information and
  • constraints on access rights to his information
• Public key = one path per hierarchy
(Figure: three hierarchies, location_fine (fine, medium, coarse), location_2005 (January, February, …), and location_always (office hours, spare time); a sample public key is one path per hierarchy, personalization adds the prefix "Alice_" to each hierarchy, and the corresponding private key is marked)

Setup – Bob gives private key (and access right) to Alice
• Bob grants access right to Alice for his location of medium granularity, in January, during office hours
• Bob becomes his own PKG, picks matching node in each hierarchy, and computes private key
(Figure: the hierarchies Alice_location_fine, Alice_location_2005, and Alice_location_always with the nodes medium, January, and office hours)

Obscured Proof Description – Service creates ciphertext
• Service chooses relevant path in each hierarchy
• Uses this public key to encrypt random string
• Gives random string and ciphertext to Alice
(Figure: the hierarchies Alice_location_fine, Alice_location_2005, and Alice_location_always)

Obscured Proof Description – Alice tries to decrypt ciphertext
For each private key received from Bob and others:
• Alice derives current private key (if possible)
• Decrypts received ciphertext and looks for match
(Figure: the hierarchies Alice_location_fine, Alice_location_2005, and Alice_location_always)
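The four setup and proof-description slides above form one procedure. The following Python is an added example and not the thesis's HIBE implementation: it uses a symmetric HMAC key tree as a stand-in for HIBE, so that deriving a descendant's key from an ancestor's key, the one-path-per-hierarchy public key, the personalized "Alice_" roots, and the random-string/ciphertext match all work as on the slides. What the stand-in does not model is HIBE's asymmetry: here `obscure` must be handed Bob's secrets, whereas with HIBE the service needs only the public hierarchies. The three hierarchies, the granted nodes, and the candidate paths Alice tries are constructed for the example.

```python
"""Obscured proof-of-access description: one path per hierarchy, derive-and-match.

Added example, not the thesis's code. Stand-in: an HMAC key tree replaces HIBE.
Derivation down a hierarchy and the multi-hierarchy match work as on the slides,
but the service here must use Bob's per-client secrets, whereas with HIBE it
needs only the public hierarchies. Hierarchies and contexts are constructed.
"""
import hashlib
import hmac
import itertools
import os
from typing import Dict, List, Optional, Tuple

# Each hierarchy: node -> children; the first key is the root.
HIERARCHIES: Dict[str, Dict[str, List[str]]] = {
    "location_fine": {"fine": ["medium"], "medium": ["coarse"], "coarse": []},
    "location_2005": {"2005": ["January", "February"], "January": [], "February": []},
    "location_always": {"always": ["office hours", "spare time"],
                        "office hours": [], "spare time": []},
}
AccessRight = Dict[str, Tuple[str, bytes]]   # hierarchy -> (granted node, private key)


def kdf(key: bytes, label: str) -> bytes:
    return hmac.new(key, label.encode(), hashlib.sha256).digest()


def path_to(hierarchy: str, node: str) -> List[str]:
    """Root-to-node path, e.g. ["fine", "medium"]."""
    parent = {c: p for p, cs in HIERARCHIES[hierarchy].items() for c in cs}
    path = [node]
    while path[-1] in parent:
        path.append(parent[path[-1]])
    return path[::-1]


def derive(key: bytes, labels: List[str]) -> bytes:
    """Walk down the tree: a node's key yields its descendants' keys, never its ancestors'."""
    for label in labels:
        key = kdf(key, label)
    return key


class Owner:
    """Bob acting as his own PKG; personalization = one root per (client, hierarchy)."""
    def __init__(self) -> None:
        self.master = os.urandom(32)

    def path_key(self, client: str, hierarchy: str, node: str) -> bytes:
        root = kdf(self.master, f"{client}_{hierarchy}")   # e.g. "Alice_location_fine"
        return derive(root, path_to(hierarchy, node))

    def grant(self, client: str, nodes: Dict[str, str]) -> AccessRight:
        return {h: (n, self.path_key(client, h, n)) for h, n in nodes.items()}


def combine(keys: Dict[str, bytes]) -> bytes:
    """Multi-hierarchy extension: one key from the per-hierarchy keys (fixed order)."""
    return kdf(b"".join(keys[h] for h in sorted(keys)), "combine")


def xor16(key: bytes, data: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, kdf(key, "keystream")[:16]))


def obscure(owner: Owner, client: str, wanted: Dict[str, str]) -> Tuple[bytes, bytes]:
    """Service side: encrypt a random string under the path chosen in each hierarchy.
    Stand-in caveat: needs owner.path_key; with HIBE the path names alone suffice."""
    key = combine({h: owner.path_key(client, h, n) for h, n in wanted.items()})
    random_string = os.urandom(16)
    return random_string, xor16(key, random_string)


def derive_if_possible(right: AccessRight, hierarchy: str, target: str) -> Optional[bytes]:
    """Alice's key for `target`, if it lies at or below the node she was granted."""
    granted, key = right[hierarchy]
    gp, tp = path_to(hierarchy, granted), path_to(hierarchy, target)
    return derive(key, tp[len(gp):]) if tp[:len(gp)] == gp else None


def try_match(right: AccessRight, random_string: bytes, ciphertext: bytes,
              candidates: Dict[str, List[str]]) -> Optional[Dict[str, str]]:
    """Client side: try each candidate path combination; return the one that decrypts."""
    hs = sorted(candidates)
    for combo in itertools.product(*(candidates[h] for h in hs)):
        keys = {h: derive_if_possible(right, h, node) for h, node in zip(hs, combo)}
        if None in keys.values():
            continue
        if hmac.compare_digest(xor16(combine(keys), ciphertext), random_string):
            return dict(zip(hs, combo))
    return None


def demo() -> Tuple[Optional[Dict[str, str]], Optional[Dict[str, str]], Optional[Dict[str, str]]]:
    bob = Owner()
    # Bob grants Alice his location at medium granularity, in January, during office hours.
    alice = bob.grant("Alice", {"location_fine": "medium", "location_2005": "January",
                                "location_always": "office hours"})
    # Candidate paths Alice tries: every granularity, plus the current month and time of day.
    now = {"location_fine": ["fine", "medium", "coarse"],
           "location_2005": ["January"], "location_always": ["office hours"]}
    base = {"location_2005": "January", "location_always": "office hours"}
    matched = try_match(alice, *obscure(bob, "Alice", {**base, "location_fine": "coarse"}), now)
    too_fine = try_match(alice, *obscure(bob, "Alice", {**base, "location_fine": "fine"}), now)
    wrong_month = try_match(alice, *obscure(bob, "Alice", {**base, "location_fine": "coarse",
                                                            "location_2005": "February"}), now)
    return matched, too_fine, wrong_month
```

The three calls in `demo` cover the cases the slides describe: a description for coarse-grained location in January during office hours is understood because Alice derives the coarse key from her medium key; a description for fine-grained location is not, because derivation only goes down the hierarchy; and a description for February is not, because Alice holds a January key. In all three cases the service returned only a random string and a ciphertext, so an Alice without the matching right learns nothing about what was asked.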
Implementation
• Implemented HIBE scheme, extended for multiple hierarchies, in Java
  • [Gentry and Silverberg, Asiacrypt 2002]
  • Exploits Bilinear Diffie-Hellman problem
  • CCA2 security in the ROM model
• Incorporated scheme into Project Aura
  • If no proof, service returns error message with ciphertext/random string pair
  • Built calendar service that generates obscured proof descriptions

Encryption/Decryption Cost depends on Number of Hierarchies
(Pentium IV/2.5GHz, Linux 2.4.20, Java 1.4.2, 100 runs)
• First hierarchy: three levels
• Other hierarchies: two levels
• Preliminary results: Decryption is expensive
(Figure: encryption and decryption times plotted against the number of hierarchies)

Summary of Obscured Proof Descriptions
• Service obscures description of required proof of access in order to avoid information leaks
• Hierarchical Identity-Based Encryption for easy key management, constraints, and granularity awareness
• Decryption performance is currently slow, but there is potential for improvements

Future Work
• Remote credential retrieval in distributed systems
  • Credentials can be confidential
• Semantic model
  • E.g., based on PCA [Bauer et al., USENIX Security 2002]
• Access control and uncertainty
  • Context-sensitive information (e.g., location) can be uncertain
  • Effect on context-sensitive access control

Conclusions
• Pervasive computing makes distributed access control to confidential information challenging
• Main contributions:
  • Incorporate semantics of information as a first-class citizen into distributed access control
    • Obscured proof-of-access descriptions
    • Information relationships
    • Derivation of information
  • Access control with confidential constraints
    • Access-rights graphs and hidden constraints