Your search keyword '"access-control"' showing total 15 results

1. Achieving resource-centric access control for web-app interactions on android

Author

Xin Zhang and Yifan Zhang

Subjects

Web-app interaction, Access-control, Android, Binder replacement, ART hooking, Electronic computers. Computer science, QA75.5-76.95

Abstract

The capability of interacting with web content has become increasingly common among mobile apps. While web-app interaction can facilitate many new functionalities and improve app user experience, they also cause various notable security attacks on mobile apps or web content. The root cause is lack of proper access control mechanisms for web-app interactions on mobile OSes. Existing solutions usually adopt either an origin-centric design or a code-centric deign, and suffer from one or several of the following limitations: coarse protection granularity, poor flexibility in terms of access control policy establishment, and incompatibility with existing apps/OSes due to the need of modifying the apps and/or the underlying OS. More importantly, none of the existing works can organically deal with all the five web-app interaction mechanisms. In this paper, we first identify and survey five mechanisms through which web content interacts with mobile apps. We then propose ReACt, a novel Resource-centric Access Control design that can coherently work with all the web-app interaction mechanisms while addressing the above-mentioned limitations. We have implemented a prototype system on Android, and performed extensive evaluation on it. The evaluation results show that our system works well with existing commercial off-the-shelf Android apps and different versions of Android OS, and it can achieve the design goals with small overhead.

Published

2022

2. Evaluation of a policy enforcement solution in telemedicine with offline use cases.

Author

Szabó, Zoltán

Subjects

ACCESS control, EDGE computing, INTERNET of things, TELEMEDICINE

Abstract

The emerging popularity of telemedicine solutions brought an alarming problem due to the lack of proper access control solutions. With the inclusion of multi-tiered, heterogeneous infrastructures containing Internet of things and edge computing elements, the severity and complexity of the problem became even more alarming, calling for an established access control framework and methodology. The goal of the research is to define a possible solution with a focus on native cloud integration, possible deployment at multiple points along the path of the healthcare data, and adaptation of the fast healthcare interoperability resources standard. In this paper, the importance of this issue in offline use cases is presented and the effectiveness of the proposed solution is evaluated. [ABSTRACT FROM AUTHOR]

Published

2022

3. Zero Trust Architecture (ZTA): A Comprehensive Survey

Author

Syed, Naeem, Shah, SW, Shaghaghi, A, Anwar, Adnan, Baig, Zubair, Ram Mohan Doss, Robin, Syed, Naeem, Shah, SW, Shaghaghi, A, Anwar, Adnan, Baig, Zubair, and Ram Mohan Doss, Robin

Published

2022

4. Attribute-based credentials with cryptographic collusion prevention.

Author

Hajny, Jan, Dzurenda, Petr, and Malina, Lukas

Subjects

COMPUTER access control, ANONYMITY, SMARTPHONES, MALWARE, SMART cards

Abstract

Cryptographic attribute-based credentials (ABCs) allow users to prove their personal attributes remotely and in a privacyfriendly way. While staying anonymous and untraceable, the users are able to prove their attributes, such as age, membership, or nationality, before using a network service. Unfortunately, there are very few practical cryptographic ABC schemes available today. Furthermore, some existing schemes rely on the hardware tamper-resistance of smart cards to avoid collusion attacks. The trust in hardware limits the usage of such schemes on poorly protected cards and on smart phones. In this paper, we present the full cryptographic specification of an ABC scheme, which makes the collusion attacks impossible even on insecure hardware like mobile phones. Furthermore, the scheme provides features, which are difficult to achieve using existing schemes, namely the practical revocation of users, the de-anonymization of malicious users, and the unlinkability of verification sessions. Besides the cryptographic architecture, we also present our practical implementation on a smart phone and embedded platforms. [ABSTRACT FROM AUTHOR]

Published

2015

5. Applications and Evaluations of Bio-Inspired Approaches in Cloud Security: A Review

Author

Ahsan, Md Manjurual, Gupta, Kishor Datta, Nag, Abhijit Kumar, Poudyal, Subash, Kouzani, Abbas Z., Mahmud, M. A. Parvez, Ahsan, Md Manjurual, Gupta, Kishor Datta, Nag, Abhijit Kumar, Poudyal, Subash, Kouzani, Abbas Z., and Mahmud, M. A. Parvez

Published

2020

6. A Survey on Blockchain-based IoMT Systems: Towards Scalability

Author

Seyed Farhad Aghili, Amirhossein Adavoudi Jolfaei, and Dave Singelée

Subjects

blockchain, Technology, Blockchain, General Computer Science, Computer science, media_common.quotation_subject, Internet of Things, Wireless communication, Wearable computer, Cloud computing, THINGS, Internet of Medical Things (IoMT), security, DATA-SECURITY, Domain (software engineering), Engineering, cloud, General Materials Science, Quality (business), INTERNET, SCALABLE BLOCKCHAIN, scalability, media_common, IOT, Science & Technology, Computer Science, Information Systems, CHALLENGES, business.industry, General Engineering, healthcare, Engineering, Electrical & Electronic, Benchmarking, ENABLING TECHNOLOGIES, Blockchains, FRAMEWORK, ELECTRONIC HEALTH RECORDS, TK1-9971, Risk analysis (engineering), Scalability, Computer Science, Medical services, Telecommunications, The Internet, Electrical engineering. Electronics. Nuclear engineering, ACCESS-CONTROL, business

Abstract

Recently, blockchain-based Internet of Medical Things (IoMT) has started to receive more attention in the healthcare domain as it not only improves the care quality using real-time and continuous monitoring but also minimizes the cost of care. However, there is a clear trend to include many entities in IoMT systems, such as IoMT sensor nodes, IoT wearable medical devices, patients, healthcare centers, and insurance companies. This makes it challenging to design a blockchain framework for these systems where scalability is a most critical factor in blockchain technology. Motivated by this observation, in this survey we review the state-of-the-art in blockchain-IoMT systems. Comparison and analysis of such systems prove that there is a substantial gap, which is the negligence of scalability. In this survey, we discuss several approaches proposed in the literature to improve the scalability of blockchain technology, and thus overcoming the above mentioned research gap. These approaches include on-chain and off-chain techniques, based on which we give recommendations and directions to facilitate designing a scalable blockchain-based IoMT system. We also recommended that a designer considers the well-known trilemma along with the various dimensions of a scalable blockchain system to prevent sacrificing security and decentralization as well. Moreover, we raise several research questions regarding benchmarking; addressing these questions could help designers determining the existing bottlenecks, leading to a scalable blockchain.

Published

2021

7. Privacy Models in Wireless Sensor Networks: A Survey

Author

J. M. de Fuentes, Lorena González-Manzano, and Omid Mirzaei

Subjects

Source-location privacy, Engineering, Privacy by Design, 02 engineering and technology, Computer security, computer.software_genre, Scheme, Research community, lcsh:Technology (General), Protocol, 0202 electrical engineering, electronic engineering, information engineering, Suitability analysis, Preserving data aggregation, Electrical and Electronic Engineering, Set (psychology), Instrumentation, Access-control, Informática, business.industry, Query, Comparability, Privacy protection, 020206 networking & telecommunications, Work (electrical), Control and Systems Engineering, lcsh:T1-995, 020201 artificial intelligence & image processing, business, Wireless sensor network, computer

Abstract

Wireless Sensor Networks (WSNs) are attracting attention from the research community. One of the key issues is to provide them with privacy protection. In recent years, a huge amount of contributions has been focused on this area. Surveys and literature reviews have also been produced to give a systematic view of the different approaches taken. However, no previous work has focused on privacy models, that is, the set of assumptions made to build the approach. In particular, this paper focuses on this matter by studying 41 papers of the last 5 years. We highlight the great differences appearing among related papers that could make them incompatible to be applied simultaneously. We propose a set of guidelines to build comprehensive privacy models so as to foster their comparability and suitability analysis for different scenarios. This work was supported by the MINECO Grant TIN2013-46469-R (Security and Privacy in the Internet of You (SPINY)) and the CAM Grant S2013/ICE-3095 (Cybersecurity,Data, and Risks (CIBERDINE)), which is cofunded by EuropeanFunds (FEDER). Furthermore, J.M. de Fuentes and L. González-Manzano were also partially supported by the Programa de Ayudas a la Movilidad of Carlos III University of Madrid.

Published

2016

8. BOUNCER: Privacy-aware Query Processing Over Federations of RDF Datasets

Author

Endris, Kemele M, Almhithawi, Zuhair, Lytra, Ioanna, Vidal, Maria-Esther, Auer, Sören, Endris, Kemele M, Almhithawi, Zuhair, Lytra, Ioanna, Vidal, Maria-Esther, and Auer, Sören

Abstract

Data provides the basis for emerging scientific and interdisciplinary data-centric applications with the potential of improving the quality of life for the citizens. However, effective data-centric applications demand data management techniques able to process a large volume of data which may include sensitive data, e.g., financial transactions, medical procedures, or personal data. Managing sensitive data requires the enforcement of privacy and access control regulations, particularly, during the execution of queries against datasets that include sensitive and nonsensitive data. In this paper, we tackle the problem of enforcing privacy regulations during query processing, and propose BOUNCER, a privacy-aware query engine over federations of RDF datasets. BOUNCER allows for the description of RDF datasets in terms of RDF molecule templates, i.e., abstract descriptions of the properties of the entities in an RDF dataset and their privacy regulations. Furthermore, BOUNCER implements query decomposition and optimization techniques able to identify query plans over RDF datasets that not only contain the relevant entities to answer a query, but that are also regulated by policies that allow for accessing these relevant entities. We empirically evaluate the effectiveness of the BOUNCER privacy-aware techniques over state-of-the-art benchmarks of RDF datasets. The observed results suggest that BOUNCER can effectively enforce access control regulations at different granularity without impacting the performance of query processing.

Published

2018

9. BOUNCER: Privacy-aware Query Processing Over Federations of RDF Datasets

Author

Zuhair Almhithawi, Sören Auer, Maria-Esther Vidal, Kemele M. Endris, and Ioanna Lytra

Subjects

Information retrieval, business.industry, Process (engineering), Computer science, Data management, Federated Engine, Access control, 02 engineering and technology, Linked data, computer.file_format, Query plan, Dewey Decimal Classification::000 | Allgemeines, Wissenschaft::000 | Informatik, Wissen, Systeme::004 | Informatik, 020204 information systems, Linked Data, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, Privacy law, RDF, ddc:004, business, Semantic Web, computer, Access-control

Abstract

Data provides the basis for emerging scientific and interdisciplinary data-centric applications with the potential of improving the quality of life for the citizens. However, effective data-centric applications demand data management techniques able to process a large volume of data which may include sensitive data, e.g., financial transactions, medical procedures, or personal data. Managing sensitive data requires the enforcement of privacy and access control regulations, particularly, during the execution of queries against datasets that include sensitive and non-sensitive data. In this paper, we tackle the problem of enforcing privacy regulations during query processing, and propose BOUNCER, a privacy-aware query engine over federations of RDF datasets. BOUNCER allows for the description of RDF datasets in terms of RDF molecule templates, i.e., abstract descriptions of the properties of the entities in an RDF dataset and their privacy regulations. Furthermore, BOUNCER implements query decomposition and optimization techniques able to identify query plans over RDF datasets that not only contain the relevant entities to answer a query, but that are also regulated by policies that allow for accessing these relevant entities. We empirically evaluate the effectiveness of the BOUNCER privacy-aware techniques over state-of-the-art benchmarks of RDF datasets. The observed results suggest that BOUNCER can effectively enforce access control regulations at different granularity without impacting the performance of query processing.

Published

2018

10. The Survey on Near Field Communication

Author

Vedat Coskun, Busra Ozdenizci, Kerem Ok, Işık Üniversitesi, Fen Edebiyat Fakültesi, Enformasyon Teknolojileri Bölümü, Işık University, Faculty of Arts and Sciences, Department of Information Technologies, Coşkun, Vedat, Ok, Kerem, and Özdenizci Köse, Büşra

Subjects

Technology, Engineering, Ubiquitous computing, Internet of Things, Access-Control, NFC, Near Field Communication, NFC ecosystem, Review, lcsh:Chemical technology, Biochemistry, Analytical Chemistry, Near field communication, Protocol, lcsh:TP1-1185, NFC Applications, Payment, Secure element, Instrumentation, Protocol (object-oriented programming), NFC Ecosystem, media_common, Authentication, Atomic and Molecular Physics, and Optics, Management, NFC Usability, The Internet, Internet of things, media_common.quotation_subject, secure element, Access control, World Wide Web, Wireless Body Sensors, Electrical and Electronic Engineering, Internet, business.industry, NFC usability, ubiquitous computing, NFC Survey, Usability, NFC security, Data science, NFC applications, NFC Security, Acceptance, NFC survey, Antenna, business

Abstract

PubMed ID: 26057043 Near Field Communication (NFC) is an emerging short-range wireless communication technology that offers great and varied promise in services such as payment, ticketing, gaming, crowd sourcing, voting, navigation, and many others. NFC technology enables the integration of services from a wide range of applications into one single smartphone. NFC technology has emerged recently, and consequently not much academic data are available yet, although the number of academic research studies carried out in the past two years has already surpassed the total number of the prior works combined. This paper presents the concept of NFC technology in a holistic approach from different perspectives, including hardware improvement and optimization, communication essentials and standards, applications, secure elements, privacy and security, usability analysis, and ecosystem and business issues. Further research opportunities in terms of the academic and business points of view are also explored and discussed at the end of each section. This comprehensive survey will be a valuable guide for researchers and academicians, as well as for business in the NFC technology and ecosystem. Publisher's Version

Published

2015

11. ase-PoW: a proof of ownership mechanism for cloud deduplication in hierarchical environments

Author

Lorena González-Manzano, Kim-Kwang Raymond Choo, and José María de Fuentes

Subjects

Informática, business.industry, Computer science, 020206 networking & telecommunications, Access control, Cloud computing, Hardware_PERFORMANCEANDRELIABILITY, 02 engineering and technology, Privilege (computing), Computer security, computer.software_genre, Proof of ownership, Symmetric Encryption, Upload, Symmetric-key algorithm, Server, 0202 electrical engineering, electronic engineering, information engineering, Data deduplication, 020201 artificial intelligence & image processing, business, computer, Cloud storage, Deduplication technique, Access-control, Computer network

Abstract

Proof-of-Ownership (PoW) can be an efective deduplication technique to reduce storage requirements, by providing cloud storage servers the capability to guarantee that clients only upload and download files that they are in possession of. In this paper, we propose an attribute symmetric encryption PoW scheme (ase-PoW) for hierarchical environments such as corporations, in which (1) the external cloud service provider is honest-but-curious and (2) there is a exible access control in place to ensure only users with the right privilege can access sensitive files. This is, to the best of our knowledge, the first such scheme and it is built upon the ce-PoW scheme of Gonzalez-Manzano and Orfila (2015). Ase-PoW outperforms ce-PoW in that it does not suffer from content-guessing attacks, it reduces client storage needs and computational workload. This work was partially supported by the MINECO grant TIN2013-46469-R (SPINY: Security and Privacy in the Internet of You) and the CAM grant S2013/ICE-3095 CIBERDINE-CM (CIBERDINE: Cybersecurity, Data, and Risks) funded by Madrid Autonomous Community and co-funded by European funds. L. Gonzalez and J. M. de Fuentes were also supported by the Programa de Ayudas para la Movilidad of Carlos III University of Madrid, Spain.

Published

2016

12. Model-based Analysis of Java EE Web Security Configurations

Author

Salvador Martínez, Valerio Cosentino, Jordi Cabot, IMT Atlantique (IMT Atlantique), Institut Mines-Télécom [Paris] (IMT), Laboratoire d'Informatique de Nantes Atlantique (LINA), Mines Nantes (Mines Nantes)-Université de Nantes (UN)-Centre National de la Recherche Scientifique (CNRS), Modeling Technologies for Software Production, Operation, and Evolution (ATLANMOD), Mines Nantes (Mines Nantes)-Université de Nantes (UN)-Centre National de la Recherche Scientifique (CNRS)-Mines Nantes (Mines Nantes)-Université de Nantes (UN)-Centre National de la Recherche Scientifique (CNRS)-Département informatique - EMN, Mines Nantes (Mines Nantes)-Inria Rennes – Bretagne Atlantique, Institut National de Recherche en Informatique et en Automatique (Inria)-Institut National de Recherche en Informatique et en Automatique (Inria), IMT Atlantique Bretagne-Pays de la Loire (IMT Atlantique), Centre National de la Recherche Scientifique (CNRS)-Mines Nantes (Mines Nantes)-Université de Nantes (UN), and Centre National de la Recherche Scientifique (CNRS)-Mines Nantes (Mines Nantes)-Université de Nantes (UN)-Centre National de la Recherche Scientifique (CNRS)-Mines Nantes (Mines Nantes)-Université de Nantes (UN)-Département informatique - EMN

Subjects

Cloud computing security, Computer science, business.industry, 020207 software engineering, 02 engineering and technology, Reverse-engineering, [INFO.INFO-SE]Computer Science [cs]/Software Engineering [cs.SE], Computer security model, Computer security, computer.software_genre, Web application security, Security testing, Security information and event management, Security service, 020204 information systems, 0202 electrical engineering, electronic engineering, information engineering, Security through obscurity, Security, Network security policy, business, computer, Access-control

Abstract

International audience; The widespread use of Java EE web applications as a means to provide distributed services to remote clients imposes strong security requirements, so that the resources managed by these applications remain protected from unauthorized disclosures and manipulations. For this purpose, the Java EE framework provides developers with mechanisms to define access-control policies. Unfortunately , the variety and complexity of the provided security configuration mechanisms cause the definition and manipulation of a security policy to be complex and error prone. As security requirements are not static, and thus, implemented policies must be changed and reviewed often, discovering and representing the policy at an appropriate abstraction level to enable their understanding and reenginering appears as a critical requirement. To tackle this problem, this paper presents a (model-based) approach aimed to help security experts to visualize, (automatically) analyse and manipulate web security policies.

Published

2016

13. Model-Driven Integration and Analysis of Access-control Policies in Multi-layer Information Systems

Author

Jordi Cabot, Nora Cuppens-Boulahia, Salvador Martínez, Frédéric Cuppens, Joaquin Garcia-Alfaro, Modeling Technologies for Software Production, Operation, and Evolution (ATLANMOD), Laboratoire d'Informatique de Nantes Atlantique (LINA), Mines Nantes (Mines Nantes)-Université de Nantes (UN)-Centre National de la Recherche Scientifique (CNRS)-Mines Nantes (Mines Nantes)-Université de Nantes (UN)-Centre National de la Recherche Scientifique (CNRS)-Département informatique - EMN, Mines Nantes (Mines Nantes)-Inria Rennes – Bretagne Atlantique, Institut National de Recherche en Informatique et en Automatique (Inria)-Institut National de Recherche en Informatique et en Automatique (Inria), Mines Nantes (Mines Nantes)-Université de Nantes (UN)-Centre National de la Recherche Scientifique (CNRS), Mines Nantes (Mines Nantes), Département Réseaux et Services de Télécommunications (TSP - RST), Institut Mines-Télécom [Paris] (IMT)-Télécom SudParis (TSP), Département Logique des Usages, Sciences sociales et Sciences de l'Information (LUSSI), Université européenne de Bretagne - European University of Brittany (UEB)-Télécom Bretagne-Institut Mines-Télécom [Paris] (IMT), Laboratoire des sciences et techniques de l'information, de la communication et de la connaissance (Lab-STICC), Université européenne de Bretagne - European University of Brittany (UEB)-École Nationale d'Ingénieurs de Brest (ENIB)-Université de Bretagne Sud (UBS)-Université de Brest (UBO)-Télécom Bretagne-Institut Brestois du Numérique et des Mathématiques (IBNM), Université de Brest (UBO)-École Nationale Supérieure de Techniques Avancées Bretagne (ENSTA Bretagne)-Institut Mines-Télécom [Paris] (IMT)-Centre National de la Recherche Scientifique (CNRS), Lab-STICC_TB_CID_SFIIS, Université de Brest (UBO)-École Nationale Supérieure de Techniques Avancées Bretagne (ENSTA Bretagne)-Institut Mines-Télécom [Paris] (IMT)-Centre National de la Recherche Scientifique (CNRS)-Université européenne de Bretagne - European University of Brittany (UEB)-École Nationale d'Ingénieurs de Brest (ENIB)-Université de Bretagne Sud (UBS)-Université de Brest (UBO)-Télécom Bretagne-Institut Brestois du Numérique et des Mathématiques (IBNM), Hannes Federrath, Dieter Gollmann, TC 11, Centre National de la Recherche Scientifique (CNRS)-Mines Nantes (Mines Nantes)-Université de Nantes (UN)-Centre National de la Recherche Scientifique (CNRS)-Mines Nantes (Mines Nantes)-Université de Nantes (UN)-Département informatique - EMN, Centre National de la Recherche Scientifique (CNRS)-Mines Nantes (Mines Nantes)-Université de Nantes (UN), Département Réseaux et Services de Télécommunications (RST), École Nationale d'Ingénieurs de Brest (ENIB)-Université de Bretagne Sud (UBS)-Université de Brest (UBO)-Télécom Bretagne-Institut Brestois du Numérique et des Mathématiques (IBNM), Université de Brest (UBO)-Université européenne de Bretagne - European University of Brittany (UEB)-École Nationale Supérieure de Techniques Avancées Bretagne (ENSTA Bretagne)-Institut Mines-Télécom [Paris] (IMT)-Centre National de la Recherche Scientifique (CNRS), and Université de Brest (UBO)-Université européenne de Bretagne - European University of Brittany (UEB)-École Nationale Supérieure de Techniques Avancées Bretagne (ENSTA Bretagne)-Institut Mines-Télécom [Paris] (IMT)-Centre National de la Recherche Scientifique (CNRS)-École Nationale d'Ingénieurs de Brest (ENIB)-Université de Bretagne Sud (UBS)-Université de Brest (UBO)-Télécom Bretagne-Institut Brestois du Numérique et des Mathématiques (IBNM)

Subjects

access-control, Cloud computing security, Computer science, [INFO.INFO-SE]Computer Science [cs]/Software Engineering [cs.SE], Computer security model, Asset (computer security), Computer security, computer.software_genre, Security testing, Security information and event management, Security service, Information security standards, Security, Security convergence, Model-driven engineering, computer

Abstract

Part 2: Web Security; International audience; Security is a critical concern for any information system. Security properties such as confidentiality, integrity and availability need to be enforced in order to make systems safe. In complex environments, where information systems are composed of a number of heterogeneous subsystems, each must participate in their achievement. Therefore, security integration mechanisms are needed in order to 1) achieve the global security goal and 2) facilitate the analysis of the security status of the whole system. For the specific case of access-control, access-control policies may be found in several components (databases, networks and applications) all, supposedly, working together in order to meet the high level security property. In this work we propose an integration mechanism for access-control policies to enable the analysis of the system security. We rely on model-driven technologies and the XACML standard to achieve this goal.

Published

2015

14. Formal Modeling and Verification of Access-Control Policies

Author

FUNDP - INF_Pôle sémantique, logique et calcul, FUNDP - Ecole doctorale en information et communication, Schobbens, Pierre-Yves, Jacquet, Jean-Marie, Colin, Jean-Noël, Morisset, Charles, Le Traon, Yves, Toussaint, Hubert, FUNDP - INF_Pôle sémantique, logique et calcul, FUNDP - Ecole doctorale en information et communication, Schobbens, Pierre-Yves, Jacquet, Jean-Marie, Colin, Jean-Noël, Morisset, Charles, Le Traon, Yves, and Toussaint, Hubert

Abstract

The construction of secure software is a notoriously difficult task. The abstract security requirements have to be turned into functional requirements and then implemented. However, only few techniques allow to verify that the implemented elements fulfill the originally expressed requirements. The potential gap between the specification and the implementation gets even wider with iterative development schemes where code (and sometimes specification) is updated numerous times. In this document we propose a methodology aimed at facilitating the co-evolution of the security requirements and the implemented code. Focusing on the access-control perspective, we provide models and algorithms to specify the expected requirements and to extract the implemented access-control rules directly from the executable source code. Then we verify the conformance of the implemented features towards the specified requirements and, if inconsistencies are found, we provide potential corrective measures that can be applied directly into the source code., (DOCSC06) -- FUNDP, 2011

Published

2011

15. Re-authentication of Critical Operations

Author

Yachouh, Marwan and Yachouh, Marwan

Abstract

This is a study on the development of a re-authentication prototype. Re- authentication serves as a receipt for e.g. system administrators that authorise them to carry out a critical operation in a system that already is protected by a security architecture. A critical operation is a kind of operation that can cause serious damage to a network node or a set of network nodes, if it is done without one giving it a second thought. The purpose is to prevent mistakes and secure the users’ audit trail. The main task is to propose and implement a re-authentication prototype, that is to enable the incorporation of the re-authentication prototype to an already complete security architecture and yet preserve the security and performance level of the architecture. This thesis deals with this problem by using digitally signed certificates to provide the necessary security issues. The certificates used are called re- authentication certificates and follows the X.509 attribute certificate standard. The re-authentication certificate is optimised so that it only holds authorisation information regarding one critical operation. An access control decision function is used to decide if the re-authentication certificate and its owner are authentic. On basis of that decision the user can get the authority to execute critical operations. The finished prototype confirms that a re-authentication can be incorporated with the security architecture. The report also shows that the security status of the architecture is preserved. The performance of the prototype is rather difficult to prove since the prototype implementation only initialises the objects that are required to prove the security issues. A performance test can therefore never prove how the prototype will perform in an authentic environment. The performance is assumed to be adequate since it uses the same authentication function that is used by the security architecture.

Published

2002