84 results on '"Extended Access Control"'
Search Results
2. An extended access control model for permissioned blockchain frameworks
- Author
Turki Alghamdi, Megat F. Zuhairi, Muhammad Yasar Khan, Toqeer Ali, and Jose Antonio Marmolejo-Saucedo
- Subjects
Blockchain ,Computer Networks and Communications ,Computer science ,business.industry ,020302 automobile design & engineering ,020206 networking & telecommunications ,Access control ,02 engineering and technology ,Transparency (human–computer interaction) ,Permission ,Computer security ,computer.software_genre ,Resource (project management) ,0203 mechanical engineering ,Extended Access Control ,0202 electrical engineering, electronic engineering, information engineering ,Electrical and Electronic Engineering ,business ,computer ,Information Systems
- Abstract
In a distributed environment, a digital transaction or operation requires transparency and trust among multiple stakeholders. Several approaches address such issues; however, among these, blockchain provides a viable solution which has received wide acceptance in the recent past. Permissioned blockchain solutions adopt more efficient consensus algorithms and smart contracts. There are many smart-contract solutions (such as Ethereum, IBM Blockchain, Hyperledger Fabric); however, most of them mainly follow traditional access control models. A role-based access control model provides controlled access of resources to members. This research work presents an extended usage control model known as DistU (Distributed Usage Control). DistU is proposed to capture all possible access control models required by a business for permissioned blockchain frameworks. DistU can monitor a resource continuously during the operation and update the attributes accordingly, performing different actions, such as denying or revoking permissions. We believe that the proposed DistU usage control model can provide a fine-grained control for blockchain resource management. The paper also contributes by providing a prototype implementation of a fine-grained permission model on Hyperledger Fabric. The reason for selecting Fabric for this research is that it is the first execute-order architecture blockchain that provides a platform to develop general business applications. Secondly, it is an open-source operating system of permissioned blockchain with huge industry support.
- Published
- 2019
3. PREVENTING IDENTITY FRAUD BY USING BIOMETRIC CONTROL SYSTEM SECURITY MECHANISMS.
- Author
HARIZAJ, Miranda and MARANGO, Petrika
- Subjects
PASSPORTS ,HUMAN fingerprints ,FRAUD ,BIOMETRIC identification ,SECURITY management
- Abstract
Machine-readable passports have been introduced since the 1980s and nowadays there are more than 120 countries with ePassport and eID system in place, with a high level of security and control mechanisms making it harder for identity thieves to counterfeit the system and thereby reducing the risk of fraud. The aim of this paper is to introduce the latest control mechanisms of biometric access control and identification systems, which use the more common biometric technologies like fingerprint, iris, and palm print and facial recognition. In this paper we will present the most used control mechanisms for protecting security of the document and / or privacy of the passport holder data in the contactless chip in conformity to the ICAO 9303 specification with the LDS (Logical Data Structure) and functionalities such as Basic Authentication Control and Extended Access control. Furthermore we will introduce the advent of the third generation of ePassports system, the new security mechanism, Supplemental Access Control (SAC) toward the other used. [ABSTRACT FROM AUTHOR]
- Published
- 2015
4. Towards a more secure and scalable verifying PKI of eMRTD.
- Author
Buchmann, Nicolas and Baier, Harald
- Subjects
PUBLIC key cryptography ,COMPUTER security research ,INTERNET protocols ,BIOMETRIC identification ,PASSPORTS
- Abstract
The new electronic passport stores biometric data on a contactless readable chip to uniquely link the travel document to its holder. This sensitive data is protected by a complex protocol called Extended Access Control (EAC) against unlawful readouts. EAC is manifold and thus needs a complex public key infrastructure (PKI). Additionally EAC is known to suffer from unsolved weaknesses, e.g., stolen (mobile) passport inspection systems due to its missing revocation mechanism. The article at hand seeks potential approaches to solve these shortcomings. As a result we present an evaluation framework with special focus on security and scalability to assess the different candidates and to give a best recommendation. Instead of creating new protocols, we focus on solutions which are based on well-known protocols from the Internet domain like the Network Time Protocol (NTP), the Online Certificate Status Protocol (OCSP), and the Server-based Certificate Validation Protocol (SCVP). These protocols are openly standardised, thoroughly tested, interoperable, and with the exception of SCVP all widely deployed. In addition to these Internet protocols we evaluate state-of-the-art security protocols proposed by the scientific community, e.g., the Hoepman protocol, the BioPACE V2 protocol and the On-line Secure E-Passport Protocol (OSEP). Our recommendation is that the EU EAC PKI would benefit most from introducing NTP and OCSP, or if fine-grained access control of EAC is considered dispensable by introducing the BioPACE V2 protocol. [ABSTRACT FROM AUTHOR]
- Published
- 2014
5. Implementation of security and privacy in ePassports and the extended access control infrastructure.
- Author
Rana, Antonia and Sportiello, Luigi
- Abstract
Several researchers have analyzed the security characteristics and weaknesses of electronic passports (machine readable travel documents) introduced by the International Civil Aviation Organization (ICAO) in its Document 9303. However, little, if any, work has focused on the public key infrastructures necessary to manage the certificates that underpin the security measures. This paper discusses the key aspects related to the management of keys and certificates to implement security and privacy measures for machine readable travel documents issued by European Union member states. In particular, the paper concentrates on extended access control and the associated Single Point of Contact (SPOC) protocol. [ABSTRACT FROM AUTHOR]
- Published
- 2014
6. Security Fault Tolerance for Access Control
- Author
Michael E. Shin, Don Pathirage, and Dongsoo Jang
- Subjects
0209 industrial biotechnology ,Authentication ,Computer science ,business.industry ,020208 electrical & electronic engineering ,Authorization ,Access control ,Fault tolerance ,02 engineering and technology ,Permission ,Computer security ,computer.software_genre ,020901 industrial engineering & automation ,Extended Access Control ,0202 electrical engineering, electronic engineering, information engineering ,Role-based access control ,business ,computer ,Healthcare system
- Abstract
This paper describes an approach to the security fault tolerance of access control in which the security breaches of an access control are tolerated by means of a security fault tolerant (SFT) access control. Though an access control is securely designed and implemented, it can contain faults in development or be contaminated in operation. The threats to an access control are analyzed to identify possible security breaches. To tolerate the security breaches, an SFT access control is made to be semantically identical to an access control. Our approach is described using role-based access control (RBAC) and extended access control list (EACL). A healthcare system is used to demonstrate our approach.
- Published
- 2020
7. Attribute-based Fine-grained Extended Access Control Mechanism for Online Social Networks
- Author
Rongna Xie, Guozhen Shi, Lin Yuan, Yazhe Wang, and Chao Wang
- Subjects
Social network ,business.industry ,Computer science ,Extended Access Control ,Authorization ,business ,Computer security ,computer.software_genre ,Dissemination ,Private information retrieval ,computer
- Abstract
The development of online social networks allows users to communicate with each other and share their resources when and where. However, in the process of data dissemination, the user loses control of the private information if the user shares resources into the social network, which may lead to privacy leakage. In order to solve the above problems, the paper proposes an extended access control mechanism for online social networks. This mechanism not only controls the operation rights of direct users, but also controls the assignable rights of indirect users, achieving the purpose of extended authorization. In this paper, the attribute modeled as a five-tuple is defined in detail, and requirement of each attribute is described. Furthermore, we assign different weights to different operation types of resources, and judge whether the resource operation is satisfied by calculating the degree of trust and the weight, thus determine user’s permissions. Finally, through case analysis and scheme comparison, we prove that the extended authorization mechanism can effectively control the spread of information and protect user’s privacy.
- Published
- 2019
8. An extended access control mechanism exploiting data dependencies
- Author
Davide Alberto Albertini, Barbara Carminati, and Elena Ferrari
- Subjects
Functional dependencies ,Risk ,Query rewriting ,Computer Networks and Communications ,Computer science ,Distributed computing ,Access control ,Cryptography ,02 engineering and technology ,computer.software_genre ,Discretionary access control ,Set (abstract data type) ,Data dependencies ,Software ,Information Systems ,Safety, Risk, Reliability and Quality ,020204 information systems ,Extended Access Control ,0202 electrical engineering, electronic engineering, information engineering ,Information system ,Foreign key ,Database ,business.industry ,Reliability and Quality ,020201 artificial intelligence & image processing ,Safety ,Functional dependency ,business ,computer
- Abstract
In general, access control mechanisms in DBMSs ensure that users access only those portions of data for which they have authorizations, according to a predefined set of access control policies. However, it has been shown that access control mechanisms might not be enough. A clear example is the inference problem due to functional dependencies, which might allow a user to discover unauthorized data by exploiting authorized data. In this paper, we wish to investigate data dependencies (e.g., functional dependencies, foreign key constraints, and knowledge-based implications) from a different perspective. In particular, the aim was to investigate data dependencies as a means for increasing the DBMS utility, that is, the number of queries that can be safely answered, rather than as channels for releasing sensitive data. We believe that, under given circumstances, this unauthorized release may give more benefits than issues. As such, we present a query rewriting technique capable of extending defined access control policies by exploiting data dependencies, in order to authorize unauthorized but inferable data.
- Published
- 2016
9. In-depth Analysis of the Security Mechanism for Extended Access Control of Electronic Documents
- Author
Sheng-guang Li, Wen-peng Xu, Jian Sun, Yong-ling Fu, and Lin Tan
- Subjects
business.industry ,Computer science ,Extended Access Control ,business ,Mechanism (sociology) ,Computer network
- Published
- 2018
10. Authorization Framework for Secure Cloud Assisted Connected Cars and Vehicular Internet of Things
- Author
Ravi Sandhu and Maanak Gupta
- Subjects
business.industry ,Smart objects ,Computer science ,020208 electrical & electronic engineering ,Big data ,020206 networking & telecommunications ,Access control ,Cloud computing ,02 engineering and technology ,Computer security ,computer.software_genre ,Extended Access Control ,Smart city ,0202 electrical engineering, electronic engineering, information engineering ,The Internet ,business ,Intelligent transportation system ,computer
- Abstract
Internet of Things has become a predominant phenomenon in every sphere of smart life. Connected Cars and Vehicular Internet of Things, which involve communication and data exchange between vehicles, traffic infrastructure or other entities, are pivotal to realize the vision of smart city and intelligent transportation. Vehicular Cloud offers a promising architecture wherein storage and processing capabilities of smart objects are utilized to provide on-the-fly fog platform. Researchers have demonstrated vulnerabilities in this emerging vehicular IoT ecosystem, where data has been stolen from critical sensors and smart vehicles controlled remotely. Security and privacy are important in Internet of Vehicles (IoV) where access to electronic control units, applications and data in connected cars should only be authorized to legitimate users, sensors or vehicles. In this paper, we propose an authorization framework to secure this dynamic system where interactions among entities are not pre-defined. We provide an extended access control oriented (E-ACO) architecture relevant to IoV and discuss the need of vehicular clouds in this time and location sensitive environment. We outline approaches to different access control models which can be enforced at various layers of E-ACO architecture and in the authorization framework. Finally, we discuss use cases to illustrate access control requirements in our vision of cloud assisted connected cars and vehicular IoT, and discuss possible research directions.
- Published
- 2018
11. Risk adaptive hybrid RFID access control system
- Author
Ja'far Alqatawna, Malek Al-Zewairi, and Jalal Omer Atoum
- Subjects
Computer access control ,Computer Networks and Communications ,Computer science ,business.industry ,Distributed computing ,Logical access control ,Access control ,Extended Access Control ,Physical access ,Role-based access control ,Systems architecture ,Radio-frequency identification ,business ,Information Systems
- Abstract
Dynamic environments pose a challenge for traditional access control models where permissions are granted or revoked merely based on predefined and static access policies making them incapable of dynamically adapting to changing conditions. Risk adaptive access control models have been gaining more attention in the research community as an alternative approach to overcome the limitations of traditional access control models. Radio Frequency Identification RFID is an emerging technology widely utilized in both physical and logical access control systems because of its contactless nature, low cost, high read/write speed and long distance operation. Serverless RFID system architecture offers better availability assurance and lower implementation cost, while access rights management is easier in server-based architecture. In this study, we continue to build on our previous research on the privacy and security of RFID access control systems without a backend database in order to overcome its limitations. We propose a hybrid design for a risk adaptive RFID access control system; that is, dynamically alternating between two access control modes, online server-based and offline serverless, to adapt to the level of risk depending on rule-based risk scenarios and current risk value. The proposed design combines features of both serverless and risk adaptive access control systems. Copyright © 2015 John Wiley & Sons, Ltd.
- Published
- 2015
12. Implementation of security and privacy in ePassports and the extended access control infrastructure
- Author
Antonia Rana and Luigi Sportiello
- Subjects
Electronic passports ,Engineering ,Single point of contact protocol ,Information Systems and Management ,Internet privacy ,Computer security ,computer.software_genre ,Public-key cryptography ,Extended Access Control ,Modelling and Simulation ,media_common.cataloged_instance ,European union ,Safety, Risk, Reliability and Quality ,Protocol (object-oriented programming) ,media_common ,business.industry ,Civil aviation ,Extended access control ,Computer Science Applications ,Travel Documents ,Work (electrical) ,Machine readable travel documents ,Modeling and Simulation ,Single point ,business ,computer
- Abstract
Several researchers have analyzed the security characteristics and weaknesses of electronic passports (machine readable travel documents) introduced by the International Civil Aviation Organization (ICAO) in its Document 9303. However, little, if any, work has focused on the public key infrastructures necessary to manage the certificates that underpin the security measures. This paper discusses the key aspects related to the management of keys and certificates to implement security and privacy measures for machine readable travel documents issued by European Union member states. In particular, the paper concentrates on extended access control and the associated Single Point of Contact (SPOC) protocol.
- Published
- 2014
13. RFID Based Security and Access Control System
- Author
Muhammad Amar, Umar Farooq, Mahmood ul Hasan, Muhammad Usman Asad, and Athar Hanif
- Subjects
Cloud computing security ,Security service ,Distributed System Security Architecture ,business.industry ,Computer science ,Extended Access Control ,Network Access Control ,Access control ,business ,Computer security ,computer.software_genre ,Logical security ,computer
- Published
- 2014
14. Zero Round-Trip Time for the Extended Access Control Protocol
- Author
Jacqueline Brendel and Marc Fischlin
- Subjects
0301 basic medicine ,Computer science ,business.industry ,020206 networking & telecommunications ,Context (language use) ,Cryptography ,Access control ,02 engineering and technology ,Computer security model ,03 medical and health sciences ,030104 developmental biology ,Extended Access Control ,0202 electrical engineering, electronic engineering, information engineering ,Key (cryptography) ,Smart card ,business ,Protocol (object-oriented programming) ,Computer network
- Abstract
The Extended Access Control (EAC) protocol allows to create a shared cryptographic key between a client and a server. While originally used in the context of identity card systems and machine readable travel documents, the EAC protocol is increasingly adopted as a universal solution to secure transactions or for attribute-based access control with smart cards. Here we discuss how to enhance the EAC protocol by a so-called zero-round trip time (0RTT) mode. Through this mode the client can, without further interaction, immediately derive a new key from cryptographic material exchanged in previous executions. This makes the 0RTT mode attractive from an efficiency viewpoint such that the upcoming TLS 1.3 standard, for instance, will include its own 0RTT mode. Here we show that also the EAC protocol can be augmented to support a 0RTT mode. Our proposed EAC+0RTT protocol is compliant with the basic EAC protocol and adds the 0RTT mode smoothly on top. We also prove the security of our proposal according to the common security model of Bellare and Rogaway in the multi-stage setting.
- Published
- 2017
15. PRF-ODH: Relations, Instantiations, and Impossibility Results
- Author
Felix Günther, Christian Janson, Jacqueline Brendel, and Marc Fischlin
- Subjects
0301 basic medicine ,Theoretical computer science ,Hierarchy (mathematics) ,business.industry ,Computer science ,Cryptography ,0102 computer and information sciences ,01 natural sciences ,Random oracle ,03 medical and health sciences ,030104 developmental biology ,010201 computation theory & mathematics ,Extended Access Control ,Impossibility ,Variety (universal algebra) ,business ,Key exchange ,Standard model (cryptography)
- Abstract
The pseudorandom-function oracle-Diffie–Hellman (PRF-ODH) assumption has been introduced recently to analyze a variety of DH-based key exchange protocols, including TLS 1.2 and the TLS 1.3 candidates, as well as the extended access control (EAC) protocol. Remarkably, the assumption comes in different flavors in these settings and none of them has been scrutinized comprehensively yet. In this paper here we therefore present a systematic study of the different PRF-ODH variants in the literature. In particular, we analyze their strengths relative to each other, carving out that the variants form a hierarchy. We further investigate the boundaries between instantiating the assumptions in the standard model and the random oracle model. While we show that even the strongest variant is achievable in the random oracle model under the strong Diffie–Hellman assumption, we provide a negative result showing that it is implausible to instantiate even the weaker variants in the standard model via algebraic black-box reductions to common cryptographic problems.
- Published
- 2017
16. Risk assessment based access control with text and behavior analysis for document management
- Author
Zhuo Lu and Yalin E. Sagduyu
- Subjects
Engineering ,Computer access control ,business.industry ,Document classification ,Access control ,02 engineering and technology ,Document management system ,010501 environmental sciences ,computer.software_genre ,Computer security ,01 natural sciences ,Discretionary access control ,Extended Access Control ,0202 electrical engineering, electronic engineering, information engineering ,Role-based access control ,Physical access ,020201 artificial intelligence & image processing ,business ,computer ,0105 earth and related environmental sciences
- Abstract
In computerized systems, documents with sensitive information are generated, stored and accessed every day in large volumes. These documents are classified and disseminated only to appropriate personnel. Unintentional disclosure of sensitive information should be ultimately avoided. How to effectively provide access control of document disclosure is a key for secure business, government and military operations. Traditional access control is based on a simple rule, i.e., to test whether a user account that requests the access to information has been granted such an access. However, this design has been shown to provide no security guarantee due to emerging incidents including insider threats, account hacking, and human classification errors. In this paper, we propose a new access control mechanism based on a flexible decision design, which will not simply guarantee access to a document when a user account has been granted such an access, but comprehensively use text analysis and behavior analysis in a complementary way to quantify the risk of information disclosure and grant the access only if the risk is assessed low. Our evaluation based on notional documents demonstrates the effectiveness of this new access control design against erroneous document classification and malicious user behavior. The proposed access control mechanism shows potential to enhance the overall security in today's access control systems for document management.
- Published
- 2016
17. Identification system testing and optimisation
- Author
Radek Holy, Jan Krcal, Milan Koukol, Jana Kalikova, and Marek Kalika
- Subjects
Engineering ,Computer access control ,business.industry ,Access control ,Computer security ,computer.software_genre ,Logical security ,Discretionary access control ,Distributed System Security Architecture ,Extended Access Control ,Network Access Control ,Role-based access control ,business ,computer
- Abstract
The project deals with the implementation of new security elements to an access system designated for sites and premises that have to be protected against unauthorised entry or where access to certain parts of the site should be restricted. The electronic access system can substitute single key systems. The system offers a wide range of applications (registration and signalling of non-standard entries, forced entries, failure to close) and combination with external security systems. The access control system can be deployed separately or as a part of an attendance control system registering arrivals or adherence to prescribed working hours.
- Published
- 2016
18. A survey of system security in contactless electronic passports
- Author
Anshuman Sinha
- Subjects
FOS: Computer and information sciences ,Engineering ,Computer Science - Cryptography and Security ,Information Systems and Management ,Computer Networks and Communications ,Computer science ,Access control ,Computer security ,computer.software_genre ,Extended Access Control ,Font ,Safety, Risk, Reliability and Quality ,Authentication ,business.industry ,Public key infrastructure ,Optical character recognition ,Cryptographic protocol ,Computer Science Applications ,Hardware and Architecture ,Modeling and Simulation ,Identity (object-oriented programming) ,ComputingMilieux_COMPUTERSANDSOCIETY ,business ,Cryptography and Security (cs.CR) ,computer ,Software
- Abstract
A traditional paper-based passport contains a Machine-Readable Zone (MRZ) and a Visual Inspection Zone (VIZ). The MRZ has two lines of the holder's personal data, some document data, and verification characters encoded using the Optical Character Recognition font B (OCRB). The encoded data includes the holder's name, date of birth, and other identifying information for the holder or the document. The VIZ contains the holder's photo and signature, usually on the data page. However, the MRZ and VIZ can be easily duplicated with normal document reproduction technology to produce a fake passport which can pass traditional verification. Neither of these features actively verifies the holder's identity; nor do they bind the holder's identity to the document. A passport also contains pages for stamps of visas and of country entry and exit dates, which can be easily altered to produce fake permissions and travel records. The electronic passport, supporting authentication using secure credentials on a tamper-resistant chip, is an attempt to improve on the security of the paper-based passport at minimum cost. This paper surveys the security mechanisms built into the first generation of authentication mechanisms and compares them with second-generation passports. It analyzes and describes the cryptographic protocols used in Basic Access Control (BAC) and Extended Access Control (EAC). Comment: 11 pages, 5 figures, 7 tables
- Published
- 2011
19. E-passport EAC scheme based on Identity-Based Cryptography
- Author
Hai Jin, Chenghua Li, Xiang Wen, and Xuyun Zhang
- Subjects
Authentication ,Computer science ,business.industry ,Public key infrastructure ,Access control ,Cryptography ,Computer security ,computer.software_genre ,Certificate ,Computer Science Applications ,Theoretical Computer Science ,Authentication protocol ,Extended Access Control ,Signal Processing ,media_common.cataloged_instance ,European union ,business ,computer ,Information Systems ,media_common
- Abstract
Extended Access Control (EAC) is a security mechanism specified to allow only authorized Inspection System (IS) to read sensitive biometric data such as fingerprints from e-passports. Although European Union EAC scheme offers more flexibility than Singapore scheme, there is clearly room for improvement. By adopting Identity-Based Cryptography (IBC) technology, a simple and secure EAC implementation scheme (IBC-EAC) is proposed. The authorization mechanism based on IBC is more trustable because the access right to sensitive data is granted directly to the IS through Authorized Smartcard. A new authentication protocol based on IBC is performed between the e-passport chip and the Authorized Smartcard. The protocol also provides an important contribution towards terminal revocation. By using IBC-EAC scheme, the complexity of deploying and managing PKI can be reduced. And the computational cost for e-passport to verify the certificate chain in EU-EAC scheme can be saved.
- Published
- 2010
20. Supporting Complex Access Control Policy in PDM System
- Author
Chun Xiao Ye, Hong Xiang, and Yun Qing Fu
- Subjects
Engineering ,Delegation ,Revocation ,Computer access control ,business.industry ,media_common.quotation_subject ,Distributed computing ,Access control ,General Medicine ,System administrator ,Extended Access Control ,Systems architecture ,Role-based access control ,business ,media_common ,Computer network
- Abstract
Based on previous works, this paper proposes an extended access control model for PDM system. In this model, complex access control policies are expressed and enforced to ensure the security of user role assignment, delegation and revocation of PDM system. To reduce system administrator’s work, the model provides an auto revocation mechanism which can be triggered by time, access control policies and user states. This paper also proposes an implementation system architecture, an auto revocation algorithm and some examples to show how this complex policy supported access control model works in PDM system.
- Published
- 2009
21. Electronic passports – from secure specifications to secure implementations
- Author
Ingo Liersch
- Subjects
Biometrics ,Computer Networks and Communications ,Computer science ,business.industry ,Member states ,Internet privacy ,Computer security ,computer.software_genre ,Waiver ,Travel Documents ,Extended Access Control ,Terrorism ,ComputingMilieux_COMPUTERSANDSOCIETY ,European commission ,Safety, Risk, Reliability and Quality ,business ,Implementation ,computer ,Software
- Abstract
For some years more and more countries have been introducing electronic passports. A reason for that is the need of higher security of travel documents in an age where people fear terrorism and crime. There are the US requirements for VISA Waiver countries to issue biometric enabled Passports and the European Commission's decision for a chip based storage of facial image and fingerprints in passports issued by EU member states. In this article standards for ePassports in terms of security and the implementations of security mechanisms are analysed.
- Published
- 2009
22. A secure and flexible e-Health access control system with provisions for emergency access overrides and delegation of access privileges
- Author
Ken Sakamura and M. Fahim Ferdous Khan
- Subjects
Authentication ,Computer access control ,Delegation ,business.industry ,Computer science ,media_common.quotation_subject ,Internet privacy ,020206 networking & telecommunications ,Access control ,02 engineering and technology ,Data breach ,Permission ,Security token ,Computer security ,computer.software_genre ,Discretionary access control ,Network Access Control ,Extended Access Control ,0202 electrical engineering, electronic engineering, information engineering ,Physical access ,Role-based access control ,020201 artificial intelligence & image processing ,business ,computer ,media_common
- Abstract
Protecting electronic health records (EHR) from unauthorized access and data breaches has been a great challenge for healthcare organizations in recent times. Controlling access to EHR demands a delicate balance between security and flexibility: There are emergency cases where the default access control policy must be circumvented in order to save patients' life — and cases where management of access control rights needs to be delegated to some trusted parties. Therefore, e-Health access control systems must be robust and flexible at the same time. Conventional general-purpose access control schemes like role-based access control (RBAC) and its derivatives emphasize mainly on the robustness of the access control mechanism, and treat flexibility issues like emergency access overrides and delegation management as addenda. However, in order to comply with the care first principle of the healthcare domain, an ideal e-Health access control system should consider such flexibility issues from the ground up. Recognizing these special requirements mandated by the very nature of the healthcare profession, in this paper, we propose a secure and flexible access control system for e-Health. The user-role and object-operation mappings in our proposed system lend themselves to the RBAC model, and we implemented context verification atop this layer in order for the system to make access decision responsive to emergency incidents. For managing delegation of access control rights, we developed a secure mechanism for creation, transfer and verification of a delegation token, presentation of which to the access control system enables a delegatee to access a delegator's EHR. Every access request in our system is preceded by mandatory user authentication which we implemented using eTRON tamper-resistant cards. 
Security and performance analysis of the proposed system showed promising results for achieving the desired level of balance between security and flexibility required for an e-Health access control system.
- Published
- 2016
23. Attribute-Based Access Control Architectures with the eIDAS Protocols
- Author
-
Marc Fischlin, Frank Morgner, and Paul Bastian
- Subjects
Computer science ,business.industry ,Civil aviation ,Cryptography ,Attribute-based access control ,Service provider ,Computer security ,computer.software_genre ,Travel Documents ,Extended Access Control ,Identity (object-oriented programming) ,business ,Protocol (object-oriented programming) ,computer - Abstract
The extended access control protocol has been used for the German identity card since November 2010, primarily to establish a cryptographic key between a card and a service provider and to authenticate the partners. The protocol is also referenced by the International Civil Aviation Organization for machine readable travel documents (Document 9303) as an option, and it is a candidate for the future European eIDAS identity system. Here we show that the system can be used to build a secure access system which operates in various settings (e.g., integrated, distributed, or authentication-service based architectures), and where access can be granted based on card’s attributes. In particular we prove the protocols to provide strong cryptographic guarantees, including privacy of the attributes against outsiders.
- Published
- 2016
24. Physical Access Control for Captured RFID Data
- Author
-
Magdalena Balazinska, Dan Suciu, Evan Welbourne, C. Borriello, Nodira Khoussainova, Vibhor Rastogi, Travis Kriplean, and Tadayoshi Kohno
- Subjects
Information privacy ,Focus (computing) ,Ubiquitous computing ,business.industry ,View ,Computer science ,Data management ,Internet privacy ,Access control ,Computer security ,computer.software_genre ,Computer Science Applications ,Computational Theory and Mathematics ,Extended Access Control ,Physical access ,business ,computer ,Software - Abstract
To protect the privacy of RFID data after an authorized system captures it, this policy-based approach constrains the data users can access to system events that occurred when and where they were physically present. RFID security is a vibrant research area, with many protection mechanisms against unauthorized RFID cloning and reading attacks emerging. However, little work has yet addressed the complementary issue of protecting the privacy of RFID data after an authorized system has captured and stored it. We've investigated peer-to-peer privacy for personal RFID data through an access-control policy called Physical Access Control. PAC protects privacy by constraining the data a user can obtain from the system to those events that occurred when and where that user was physically present. While strictly limiting information disclosure, PAC also affords a database view that augments users' memory of places, objects, and people. PAC is appropriate as a default level of access control because it models the physical boundaries in everyday life. Here, we focus on the privacy, utility, and security issues raised by its implementation in the RFID Ecosystem.
- Published
- 2007
25. An information flow control model for C applications based on access control lists
- Author
-
Chin-Yi Chang and Shih-Chien Chou
- Subjects
Computer access control ,business.industry ,Computer science ,Access control ,Information security ,computer.software_genre ,Mandatory access control ,Discretionary access control ,Hardware and Architecture ,Extended Access Control ,Information leakage ,Operating system ,Role-based access control ,Physical access ,Information flow (information theory) ,business ,computer ,Software ,Information Systems ,Computer network - Abstract
Access control within an application during its execution prevents information leakage. The prevention can be achieved through information flow control. Many information flow control models were developed, which may be based on discretionary access control (DAC), mandatory access control (MAC), label-based approach, and role-based access control (RBAC). Most existing models are for object-oriented systems. Since the procedural C language is still in use heavily, offering a model to control information flows for C applications should be fruitful. Although we identified information flow control models that can be applied to procedural languages, they do not offer the features we need. We thus developed a model to control information flows for C applications. Our model is based on access control lists (ACLs) and named CACL. It offers the following features: (a) controlling both read and write access, (b) preventing indirect information leakage, (c) detailing the control granularity to variables, (d) avoiding improper function call, (e) controlling function call through argument sensitivity, and (f) preventing change of an application when the access rights of the application's real world users change. This paper presents CACL.
- Published
- 2005
26. Keep on Blockin' in the Free World: Personal Access Control for Low-Cost RFID Tags
- Author
-
Melanie R. Rieback, Andrew S. Tanenbaum, Bruno Crispo, Computer Systems, and Secure and Liable Computer Systems
- Subjects
Computer science ,business.industry ,Access control ,Jamming ,Computer security ,computer.software_genre ,Hardware_GENERAL ,Extended Access Control ,Free world ,ComputerSystemsOrganization_SPECIAL-PURPOSEANDAPPLICATION-BASEDSYSTEMS ,SDG 7 - Affordable and Clean Energy ,business ,Access control list ,Mobile device ,computer - Abstract
This paper introduces an off-tag RFID access control mechanism called "Selective RFID Jamming". Selective RFID Jamming protects low-cost RFID tags by enforcing access control on their behalf, in a similar manner to the RFID Blocker Tag. However, Selective RFID Jamming is novel because it uses an active mobile device to enforce centralized ACL-based access control policies. Selective RFID Jamming also solves a Differential Signal Analysis attack to which the RFID Blocker Tag is susceptible. © Springer-Verlag Berlin Heidelberg 2007.
- Published
- 2005
27. A policy-driven approach to access control in future internet name resolution services
- Author
-
Wade Trappe, Janne Lindqvist, and Liu Xiruo
- Subjects
Computer access control ,Computer science ,business.industry ,Internet privacy ,Access control ,Internet traffic ,Computer security ,computer.software_genre ,Internet security ,Internet Architecture Board ,Extended Access Control ,Physical access ,The Internet ,business ,computer - Abstract
The lack of access control and regulation in the current Internet has resulted in many security and privacy problems. To prevent unauthorized access to protected information, integrating access control into future Internet design is crucial. In this paper, a suite of access control mechanisms that are well-suited for the mobile Internet are introduced. We employ a representative future Internet architecture that is currently being developed as a part of a clean slate design effort. The emphasis of the proposed methods is on supporting new spatio-temporal access control, which can be a powerful new paradigm for security in mobile systems.
- Published
- 2014
28. An extended attribute based access control model with trust and privacy: Application to a collaborative crisis management system
- Author
-
Patrice Clemente, Jean-François Lalande, Waleed W. Smari, Ball Aerospace and Technologies Corp., Laboratoire d'Informatique Fondamentale d'Orléans (LIFO), Ecole Nationale Supérieure d'Ingénieurs de Bourges-Université d'Orléans (UO), Sécurité des Données et des Systèmes (SDS), Université d'Orléans (UO)-Institut National des Sciences Appliquées - Centre Val de Loire (INSA CVL), Institut National des Sciences Appliquées (INSA)-Institut National des Sciences Appliquées (INSA)-Université d'Orléans (UO)-Institut National des Sciences Appliquées - Centre Val de Loire (INSA CVL), and Institut National des Sciences Appliquées (INSA)-Institut National des Sciences Appliquées (INSA)
- Subjects
Decision support system ,Computer Networks and Communications ,Computer science ,Access control ,Context (language use) ,02 engineering and technology ,Crisis management ,Computer security ,computer.software_genre ,Trust ,[INFO.INFO-CR]Computer Science [cs]/Cryptography and Security [cs.CR] ,Extended Access Control ,0202 electrical engineering, electronic engineering, information engineering ,Distributed collaboration ,Flexibility (engineering) ,business.industry ,Crisis management system ,Context ,020206 networking & telecommunications ,Attribute-based access control ,16. Peace & justice ,Hardware and Architecture ,Privacy ,Scalability ,020201 artificial intelligence & image processing ,The Internet ,business ,ABAC ,computer ,Software - Abstract
Many efforts in the area of computer security have been drawn to attribute-based access control (ABAC). Compared to other adopted models, ABAC provides more granularity, scalability, and flexibility. This makes it a valuable access control system candidate for securing platforms and environments used for coordination and cooperation among organizations and communities, especially over open networks such as the Internet. On the other hand, the basic ABAC model lacks provisions for context, trust and privacy issues, all of which are becoming increasingly critical, particularly in high performance distributed collaboration environments. This paper presents an extended access control model based on attributes associated with objects and subjects. It incorporates trust and privacy issues in order to make access control decisions sensitive to the cross-organizational collaboration context. Several aspects of the proposed model are implemented and illustrated by a case study that shows realistic ABAC policies in the domain of distributed multiple organizations crisis management systems. Furthermore, the paper shows a collaborative graphical tool that enables the actors in the emergency management system to make better decisions. The prototype shows how it guarantees the privacy of object's attributes, taking into account the trust of the subjects. This tool incorporates a decision engine that relies on attribute based policies and dynamic trust and privacy evaluation. The resulting platform demonstrates the integration of the ABAC model, the evolving context, and the attributes of actors and resources.
- Published
- 2014
29. Controlling aggregation in distributed object systems: a graph-based approach
- Author
-
Zahir Tari and A. Fry
- Subjects
Distributed database ,Computer science ,business.industry ,Distributed computing ,Authorization ,Data security ,Access control ,Distributed object ,Information security ,Computer security model ,Security policy ,Data access ,Computational Theory and Mathematics ,Security service ,Common Object Request Broker Architecture ,Hardware and Architecture ,Extended Access Control ,Signal Processing ,business ,Computer network - Abstract
The Distributed Object Kernel is a federated database system providing a set of services which allow cooperative processing across different databases. The focus of this paper is the design of a DOK security service that provides for enforcing both local security policies, related to the security of local autonomous databases, and federated security policies, governing access to data aggregates composed of data from multiple distributed databases. We propose Global Access Control, an extended access control mechanism enabling a uniform expression of heterogeneous security information. Mappings from existing Mandatory and Discretionary Access Controls are described. To permit the control of data aggregation, the derivation of unauthorized information from authorized data, our security framework provides a logic-based language, the Federated Logic Language (FELL), which can describe constraints on both single and multiple states of the federation. To enforce constraints, FELL statements are mapped to state transition graphs which model the different subcomputations required to check the aggregation constraints. Graph aggregation operations are proposed for building compound state transition graphs for complex constraints. To monitor aggregation constraints, two marking techniques, called Linear Marking Technique and Zigzag Marking Technique, are proposed. Finally, we describe a three-layer DOK logical secure architecture enabling the implementation of the different security agents. This includes a Coordination layer, a Task layer, and a Database layer. Each contains specialized agents that enforce a different part of the federated security policy. Coordination is performed by the DOK Manager, enforcing security is performed by a specialized Constraint Manager agent, and the database functions are implemented by user and data agents.
- Published
- 2001
30. Towards a More Secure and Scalable Verifying PKI of eMRTD
- Author
-
Harald Baier and Nicolas Buchmann
- Subjects
Revocation ,Computer science ,business.industry ,computer.internet_protocol ,Public key infrastructure ,Computer security ,computer.software_genre ,Certificate ,Extended Access Control ,Network Time Protocol ,The Internet ,Online Certificate Status Protocol ,business ,computer ,Protocol (object-oriented programming) - Abstract
The new electronic passport stores biometric data on a contactless readable chip to uniquely link the travel document to its holder. This sensitive data is protected by a complex protocol called Extended Access Control (EAC) against unlawful readouts. EAC is manifold and thus needs a complex public key infrastructure (PKI). Additionally EAC is known to suffer from unsolved weaknesses, e.g., stolen (mobile) passport inspection systems due to its missing revocation mechanism. The paper at hand seeks for potential approaches to solve these shortcomings. As a result we present an evaluation framework with special focus on security and scalability to assess the different candidates and to give a best recommendation. Instead of creating new protocols, we focus on solutions, which are based on well-known protocols from the Internet domain like the Network Time Protocol (NTP), the Online Certificate Status Protocol (OCSP), and the Server-based Certificate Validation Protocol (SCVP). These protocols are openly standardised, widely deployed, thoroughly tested, and interoperable. Our recommendation is that the EAC PKI would benefit most from introducing NTP and OCSP.
- Published
- 2014
31. Development of RFID EPC Gen2 Tag for Multi Access Control System
- Author
-
Tharek Abd Rahman, Sharul Kamal Abdul Rahim, Sri Listia Rosa, and Evizal Evizal
- Subjects
General Computer Science ,business.industry ,Computer science ,Reading (computer) ,Access control ,Computer security ,computer.software_genre ,Identification (information) ,Ultra high frequency ,Extended Access Control ,Control system ,Radio-frequency identification ,Electrical and Electronic Engineering ,business ,computer ,Computer network - Abstract
Radio Frequency Identification (RFID) uses radio waves to identify an object; this technology becomes useful for the future because of its advantages. Access systems using RFID cards are commonly used in buildings, parking areas, housing complexes, etc. This paper explores and develops the use of the RFID EPC Class1 Gen2 tag for a multipurpose access system for identification and access control, such as personal identity identification, door access control and gate entry permit or access control. With the same tag Identity (ID) a user can access many areas. The RFID EPC Class1 Gen2 tag works in the UHF band 902-928 MHz; this type of tag is more suitable for multi access control because of the scattering technique in reading the tag, as gate access needs a longer read range. All users ID and information stored at the one central database, every transaction at the controlled were recorded in a control system. DOI: http://dx.doi.org/10.11591/ijece.v3i6.3855
- Published
- 2013
32. Protecting Outsourced Data Privacy with Lifelong Policy Carrying
- Author
-
Qi Yong, Yuehua Dai, Xiaoguang Wang, Jianbao Ren, and Zhang Hang
- Subjects
Information privacy ,Data grid ,Computer access control ,Computer science ,business.industry ,Access control ,Data breach ,Service provider ,Computer security ,computer.software_genre ,Data modeling ,Data access ,Data model ,Data efficiency ,Extended Access Control ,Data quality ,Server ,Logical data model ,business ,computer ,Computer network - Abstract
The lack of remote data access control capability and the loss of remote data access trail make data owners hesitate when they have to outsource their sensitive data to remote third party platform. The data owners have no choice but to trust the remote third party software before they ship their data to the remote environment. In this paper we propose a new set of guiding principles for protecting outsourced data with data owner specified policy. Compared with traditional access control mechanism equipped by service providers, which can be regarded as the first layer of confinement, we aim to provide data owner a second layer of confinement on data propagation and access without modifying existing data-access applications. This is achieved by two critical techniques: (1) a policy-carrying data model that binds customer data with logical data access policy, and (2) a remote application running environment which acts as data access verifier and propagation controller. To demonstrate the feasibility of this approach, we build the logical data propagation and access control (LDPAC) system, in which a human-readable policy abstract is provided to formulate data propagation and access. When policy-carrying data is shipped to remote service provider, the per-node LDPAC verifier module conducts the logical proof checking to mediate sensitive data access. Meanwhile, the authorized application which intends to access sensitive data is forced to run in an application container, in order to prevent sensitive data leakage through in-memory data breaches. Our evaluation shows that LDPAC system adds reasonable performance overhead for the remote sensitive data access and propagation mediation, while preserving the original service deployment.
- Published
- 2013
33. Implementing graceful RFID privilege reduction
- Author
-
John Hale, Steven Reed, Peter J. Hawrylak, and Matthew Butler
- Subjects
business.industry ,Computer science ,Access control ,Privilege (computing) ,Computer security ,computer.software_genre ,Product (business) ,Reduction (complexity) ,Public transport ,Extended Access Control ,Microsoft Windows ,Radio-frequency identification ,business ,computer ,Computer network - Abstract
Radio frequency identification (RFID) technology is used for access control systems, public transit fares, credit and debit cards, and for anti-counterfeiting purposes. In all three cases malicious duplication of RFID tags or their theft can have significant consequences for the owner or product user. This paper presents an implementation of a risk-based access control system, Dynamic Risk Assessment Access Control (DRAAC) for the Microsoft Windows operating system. This implementation of DRAAC can be connected to a wide range of devices including RFID systems, smartphones, and PCs.
- Published
- 2013
34. Authentication and authorization: Domain specific Role Based Access Control using Ontology
- Author
-
R. H. Goudar, S. Panwar, Avita Katal, Mohammad Wazid, Shaila Joshi, P. Gupta, and A. Mittal
- Subjects
Authentication ,Computer access control ,Computer science ,business.industry ,Access control ,Ontology (information science) ,Computer security ,computer.software_genre ,Mandatory access control ,Discretionary access control ,Extended Access Control ,Role-based access control ,business ,computer - Abstract
Access control technologies are being used today in various organizations for assuring the secure and authorized access to the sensitive data or resources. Many technologies have emerged from the past like Discretionary Access Control (DAC) and Mandatory Access Control (MAC). But these technologies had restrictions associated with them to be used for all organizations in commercial arena. The Role Based Access Control (RBAC) has emerged some years back and has become the most widely used technology across organizations for controlling the access. The administration and management of privileges becomes easy as roles can be updated without updating the privileges for every user on an individual basis. In this paper we are implementing Role Based access Control (RBAC) for University domain using Ontology. Roles are implemented in the form of classes having permissions associated with them, in turn making the process of administration and management of access control easy. Two step accesses are provided, first is Authentication and second is Authorization.
- Published
- 2013
35. A location sensitive access control system
- Author
-
Vasu Devulapalli and Samrat Mondal
- Subjects
Engineering ,Computer access control ,business.industry ,Access control ,Computer security ,computer.software_genre ,Security policy ,Resource (project management) ,Extended Access Control ,Network Access Control ,Role-based access control ,Physical access ,business ,computer - Abstract
Role Based Access control (RBAC) is a popular security technique to impose restriction on different resources. To capture various emerging security requirements, RBAC has been evolved from time to time. Due to advancement in wireless devices new security requirements have come up and it is quite challenging for the existing access control models to tackle such requirements. In this paper, a location sensitive access control (LSAC) model is proposed to incorporate security policies related to mobile users. It has been observed that different characteristics of moving objects such as velocity, acceleration, etc., are often ignored while granting access to a particular resource. In this work, an attempt is made to consider those parameters while allowing or disallowing access to location sensitive objects.
- Published
- 2012
36. Sensory-data-enhanced authentication for RFID-based access control systems
- Author
-
Yu Gu, Yuanchao Shu, and Jiming Chen
- Subjects
Authentication ,Computer access control ,business.industry ,Computer science ,Key space ,Authorization ,Access control ,Multi-factor authentication ,Computer security ,computer.software_genre ,Generic Bootstrapping Architecture ,Authentication protocol ,Network Access Control ,Extended Access Control ,Physical access ,business ,computer ,Common Access Card ,Computer network - Abstract
Access card authentication is critical and essential for many modern access control systems, which have been widely deployed in various government, commercial and residential environments. However, due to the static identification information exchange among the access cards and access control clients, it is very challenging to fight against access control system breaches due to reasons such as loss, theft or unauthorized duplication of the access cards. Although advanced biometric authentication methods such as fingerprint and iris identification can further identify the user who is requesting authorization, they incur high system costs and access privileges cannot be transferred among trusted users. In this work, we introduce a sensory-data-enhanced authentication for access control systems. By combining sensory data obtained from onboard sensors on the access cards as well as the original encoded identification information, we are able to effectively tackle problems such as access card loss and theft. Our solution is backward-compatible with existing access control systems and significantly increases the key spaces for authentication. We theoretically demonstrate the potential key space increases with simple sensor data and empirically demonstrate simple rotations can increase key space by more than 30,000 times with an authentication accuracy of 95%. We performed extensive simulations under various environment settings and implemented our design on WISP to experimentally verify the system performance.
- Published
- 2012
37. Efficient authorized access security system control using ATMEL 89C55 & mobile bluetooth
- Author
-
Basil Hamed
- Subjects
Visual Basic ,business.industry ,Computer science ,Access control ,computer.software_genre ,Computer security ,Logical security ,Networking hardware ,law.invention ,Bluetooth ,law ,Network Access Control ,Data logger ,Extended Access Control ,Operating system ,business ,computer ,computer.programming_language - Abstract
Security is gaining awareness and importance in recent years. Authorized Access Security System (AASS) is a network device for validating, monitoring and controlling the security within buildings. Today, there are many buildings that are using a security access approach to protect the building from unauthorized access. In this paper a low cost electronic system has been designed which can control different locking mechanisms. Low operating power consumption, small circuit, flexible mechanical design and user friendly interface are the salient features of this security system. The system implemented to meet both of these needs uses a user-friendly high-security interface that allows users to access an alarmed area, and authorized users to have field control of the access lists to that alarmed area. The paper presents the technology of Authorized Access Security System. This technology uses an ATMEL 89C55 microcontroller and a visual basic program to build a data logger which provides multiple accesses to a protected area that can be an office, home, bank or whatever is needed. The data logger was added to the system to make records of users who accessed the system at any time. A Bluetooth-enabled mobile phone design is also proposed, providing wireless and automatic unlocking. Index Terms—Security System, ATMEL 89C55 microcontroller, visual basic, and data logger, bluetooth
- Published
- 2012
38. Introduction and Overview
- Author
-
Thomas Norman
- Subjects
Engineering ,Computer access control ,business.industry ,Access control ,Computer security ,computer.software_genre ,Credential ,Installation ,Extended Access Control ,Control system ,Physical access ,State (computer science) ,business ,computer - Abstract
Publisher Summary: This chapter deals with physical Access Control Systems. Access Control Systems are electronic systems that allow authorized personnel to enter controlled, restricted, or secure spaces by presenting an access credential to a credential reader. Access Control Systems can be basic or highly complicated ranging across state and national borders and incorporating security monitoring elements and interfaces to other security systems and other building systems. Security technicians, designers, and program managers who fully understand access control systems are at a distinct advantage over their brethren who have only a passing knowledge. The chapter covers virtually every aspect of electronic Alarm/Access Control Systems and also includes insight into the problems that will be faced while installing, maintaining, or designing them, including valuable information on how to overcome those challenges.
- Published
- 2012
39. Access control and security for a distributed control system
- Author
-
W. D. Klotz, J. Meyer, and Andrew Götz
- Subjects
Physics ,Nuclear and High Energy Physics ,Computer access control ,Network Access Device ,Computer security ,computer.software_genre ,Discretionary access control ,Distributed System Security Architecture ,Network Access Control ,Extended Access Control ,Role-based access control ,Physical access ,Instrumentation ,computer - Abstract
The control system of the European Synchrotron Radiation Facility (ESRF) is object-oriented and distributed. Device access is based on the client-server model. To protect sensitive hardware devices an access control and security system has been added. This offers users read, write, super-user or single-user access to hardware objects, families or even whole areas of the facility. A memory-based security database, accessed by an internal control system service, combines device names, access rights, user IDs, group IDs and host/network addresses. Access rights must be requested at connection time and are guaranteed by a fast access key mechanism. The paper describes the design and discusses the needs for the implemented access rights and protection possibilities.
- Published
- 1994
40. Access control: principle and practice
- Author
-
Ravi Sandhu and Pierangela Samarati
- Subjects
Computer access control ,Computer Networks and Communications ,Computer science ,Network security ,Access control ,Audit ,Computer security ,computer.software_genre ,Logical security ,Discretionary access control ,Distributed System Security Architecture ,Extended Access Control ,Role-based access control ,Message authentication code ,Electrical and Electronic Engineering ,Authentication ,business.industry ,Information security ,Multi-factor authentication ,Computer security model ,Computer Science Applications ,Network Admission Control ,Network Access Control ,Physical access ,business ,computer - Abstract
Access control constrains what a user can do directly, as well as what programs executing on behalf of the users are allowed to do. In this way access control seeks to prevent activity that could lead to a breach of security. This article explains access control and its relationship to other security services such as authentication, auditing, and administration. It then reviews the access matrix model and describes different approaches to implementing the access matrix in practical systems, and follows with a discussion of access control policies commonly found in current systems, and a brief consideration of access control administration.
- Published
- 1994
41. Security architecture for distributed systems
- Author
-
Morris Sloman and Sead Muftic
- Subjects
Computer Networks and Communications ,Computer science ,computer.internet_protocol ,media_common.quotation_subject ,Distributed computing ,Generic Security Service Algorithm for Secret Key Transaction ,Sherwood Applied Business Security Architecture ,Covert channel ,Data security ,Access control ,Computer security ,computer.software_genre ,Security policy ,Logical security ,Security information and event management ,Distributed System Security Architecture ,Extended Access Control ,Data integrity ,media_common ,Cloud computing security ,Delegation ,business.industry ,Enterprise information security architecture ,Information security ,Computer security model ,Certificate ,Security service ,Software security assurance ,Network Access Control ,Security through obscurity ,Network security policy ,Kerberos ,Computational trust ,Smart card ,business ,computer ,Computer network - Abstract
The paper describes the concept of the security architecture for open distributed systems, which may be used for distributed applications which support a variety of security policies. The components of an open distributed system can be grouped into domains corresponding to organizations, networks or services etc. for the purposes of applying security policy. The paper proposes a design for a security system which is based on use of Kerberos in each domain. Kerberos is extended with several additional security functions: extended access control lists, delegation properties and smart cards. In addition, data confidentiality and data integrity of distributed system resources are provided by configurable cryptographic modules. Finally, the X.509 certificate system is suggested for inter-domain interaction. An example application for the use of this security architecture is briefly described at the end of the paper.
- Published
- 1994
42. Making distributed multimedia systems secure
- Author
-
Chris Zimmermann
- Subjects
Scheme (programming language) ,Authentication ,Multimedia ,Computer science ,Extended Access Control ,Distributed computing ,General Earth and Planetary Sciences ,Distributed object ,computer.software_genre ,computer ,General Environmental Science ,System model ,computer.programming_language - Abstract
The following paper describes a security scheme for a distributed multimedia environment called Switchboard. After a brief introduction to the philosophy of the Switchboard and the underlying system model, the main building blocks of the concept are described. These are: an authentication mechanism preventing intruder attacks and a protection scheme based on an extended access control matrix approach. This protection scheme covers both static and dynamic aspects of access protection for multimedia devices. Some remarks on the implementation of the mechanisms and a discussion conclude this paper.
- Published
- 1994
43. Role-based integrated access control and data provenance for SOA based net-centric systems
- Author
-
Bhavani Thuraisingham, I-Ling Yen, Wei Zhu, Wei She, and Farokh B. Bastani
- Subjects
Service (systems architecture) ,Information Systems and Management ,Computer Networks and Communications ,Computer science ,computer.internet_protocol ,media_common.quotation_subject ,0211 other engineering and technologies ,Access control ,02 engineering and technology ,computer.software_genre ,Data modeling ,Resource (project management) ,020204 information systems ,Extended Access Control ,0202 electrical engineering, electronic engineering, information engineering ,Role-based access control ,Quality (business) ,Information flow (information theory) ,media_common ,021110 strategic, defence & security studies ,Database ,Net-centric ,business.industry ,Service-oriented architecture ,Computer Science Applications ,Data flow diagram ,Hardware and Architecture ,Data quality ,business ,computer - Abstract
Service-oriented architecture (SOA) has been widely adopted in the development of many net-centric application systems. In SOA, services potentially from different domains are composed together to accomplish critical tasks. In these systems, security and trustworthiness are the major concerns that have not been well addressed. Many access control models have been developed to ensure proper accesses to critical resources from local as well as external domains. Also, many data provenance schemes have been proposed in recent years to support data quality assessment and enhancement, data reproduction, etc. However, none of the existing mechanisms consider both access control and data provenance in a unified model. In this paper, we propose an integrated role-based access control and data provenance model to secure the cross-domain interactions. We develop a role-based data provenance scheme which tracks the roles of the data originators and contributors and uses this information to help evaluate data trustworthiness. We also make use of the data provenance information and the derived data quality attributes to assist with role-based access control. In this integrated model, the secure usage of a data resource must also consider the quality and trustworthiness of the data. To realize this concept, we develop an extended access control model in which access permissions are specified with constraints over the provenance attributes. Also, to assure confidentiality, we record the access constraints from the data originators and contributors to help decide how the data should be further disseminated.
- Published
- 2011
44. Securely and Flexibly Sharing a Biomedical Data Management System
- Author
-
Fusheng Wang, Peiya Liu, and Phillip Hussels
- Subjects
Computer access control ,Data grid ,business.industry ,Computer science ,Data management ,Data security ,Access control ,Information security ,computer.software_genre ,Security information and event management ,Article ,Discretionary access control ,World Wide Web ,Data access ,XML database ,Extended Access Control ,Network Access Control ,Role-based access control ,Physical access ,business ,computer - Abstract
Biomedical database systems need not only to address the issues of managing complex data, but also to provide data security and access control to the system. These include not only system level security, but also instance level access control such as access of documents, schemas, or aggregation of information. The latter is becoming more important as multiple users can share a single scientific data management system to conduct their research, while data have to be protected before they are published or IP-protected. This problem is challenging as users’ needs for data security vary dramatically from one application to another, in terms of who to share with, what resources to be shared, and at what access level. We develop a comprehensive data access framework for a biomedical data management system SciPort. SciPort provides fine-grained multi-level space based access control of resources at not only object level (documents and schemas), but also space level (resources set aggregated in a hierarchy way). Furthermore, to simplify the management of users and privileges, customizable role-based user model is developed. The access control is implemented efficiently by integrating access privileges into the backend XML database, thus efficient queries are supported. The secure access approach we take makes it possible for multiple users to share the same biomedical data management system with flexible access management and high data security.
- Published
- 2011
45. Authorization and Access Control
- Author
-
Jason Andress
- Subjects
Computer access control ,Computer science ,business.industry ,Control (management) ,Internet privacy ,Logical access control ,Access control ,Computer security ,computer.software_genre ,Mandatory access control ,Discretionary access control ,Extended Access Control ,Physical access ,Role-based access control ,business ,computer ,Computer network - Abstract
Publisher Summary: This chapter discusses the use of authorization and access control. Authorization allows one to specify where the party should be allowed or denied access, and access control enables one to manage this access at a very granular level. Authorization is implemented through the use of access controls, more specifically through the use of access control lists and capabilities, although the latter are often not completely implemented in most of the common operating systems in use today. The chapter covers the various access control models that are used when putting together such systems, such as discretionary access control, mandatory access control, and role-based access control. The use of the simpler access control models, such as discretionary access control, mandatory access control, role-based access control, and attribute-based access control, is often seen in daily lives. In environments that handle more sensitive data, such as those involved in the government, military, medical, or legal industry, the use of multi-level access control models, including Bell LaPadula, Biba, Clark-Wilson, and Brewer and Nash, may be seen. In addition to the commonly discussed concept of logical access control, the chapter also deals with some of the specialized applications that one might see when looking specifically at physical access control.
- Published
- 2011
46. Security Analysis of the Extended Access Control Protocol for Machine Readable Travel Documents
- Author
-
Özgür Dagdelen and Marc Fischlin
- Subjects
Provable security ,Authenticated Key Exchange ,Security analysis ,Security association ,Security service ,Computer science ,Extended Access Control ,Information security ,Computer security model ,Computer security ,computer.software_genre ,computer - Abstract
We analyze the Extended Access Control (EAC) protocol for authenticated key agreement, recently proposed by the German Federal Office for Information Security (BSI) for the deployment in machine readable travel documents. We show that EAC is secure in the Bellare-Rogaway model under the gap Diffie-Hellman (GDH) problem, and assuming random oracles. Furthermore, we discuss that the protocol achieves some of the properties guaranteed by the extended CK security model of LaMacchia, Lauter and Mityagin (ProvSec 2008).
- Published
- 2011
47. Cryptography based access control in healthcare web systems
- Author
-
Wasim A. Al-Hamdani
- Subjects
Computer access control ,business.industry ,Computer science ,Access control ,Information security ,Computer security ,computer.software_genre ,Discretionary access control ,World Wide Web ,Extended Access Control ,Role-based access control ,Physical access ,business ,NSA Suite B Cryptography ,computer - Abstract
Access control is the capacity of a particular subject (user, process) to permit or deny the use of a specific object (data, file). Access control mechanisms can be used in managing physical resources and logical resources. Cryptography access control in a healthcare Web system provides logical control for sharing resources and access rights subject to object. However, designing access control for healthcare information systems is difficult due to the culture of the healthcare, the rapid changing, and the tasks performed. This work examined existing access control models, providing a broad presentation for cryptographic algorithms including cryptography access control-based systems. In the last part, a new model is presented based on integrating cryptography access control with role access control and hierarchy using Suite B (NSA recommendation). The model is based on the using entity (which could be a local medical center or hospital), while the security level between entities are distributed and based on PKI.
- Published
- 2010
48. Securing RFID-based authentication systems using ParseKey+
- Author
-
Selcuk Celik, Atilla Elçi, and Behnam Rahnama
- Subjects
Password ,Authentication ,Computer access control ,business.industry ,Computer science ,Access control ,Computer security ,computer.software_genre ,Login ,Distributed System Security Architecture ,Extended Access Control ,Network Access Control ,business ,computer - Abstract
Currently RFID authentication systems rely only on matching tag ID with the one kept in database. Additionally, an alphanumerical password might be matched as extra security. However, tag ID and information inside can be compromised. Therefore, a more secure scheme is required in order to enhance safety of access control through RFID tags in particularly highly secure environments such as secure virtual meetings or authentication and access control to access high security locals. We wish to present attendance control system which is more like access control in general as an application of our novel security enhancement on RFID based access control systems. The security enhancement utilizes partial ParseKey+ multi-way authentication scheme. ParseKey+ scatters randomly divided sub-keys into uniformly distributed noise. Generated file is encrypted using AES256 and then it is written into RFID device. Each successful login changes the key and its trace kept in DB in addition to updating the device for future login.
- Published
- 2010
49. The Application of RBAC in Digital Rights Management System
- Author
-
Wei Qin, Liu Quan, and Li Fen
- Subjects
Context model ,Digital rights management ,business.industry ,Computer science ,Access control ,Context (language use) ,Complex network ,Computer security ,computer.software_genre ,Extended Access Control ,Role-based access control ,business ,Digital rights management system ,computer - Abstract
Through further study on the characteristics of digital rights management system and the expansion of hierarchical role-based access control (RBAC) model, we proposed a context and hierarchical role based access control model and applied it to the digital rights management system. This model dynamically changes the permissions of users by obtaining context information related to security under complex network environment, and also can keep the advantages of traditional hierarchical RBAC model. This extended access control system is being implemented in practice, which makes the access control of digital rights management system become more flexible, safe and effective.
- Published
- 2010
50. Modular context-aware access control for medical sensor networks
- Author
-
Klaus Wehrle and Oscar Garcia-Morchon
- Subjects
Computer access control ,business.industry ,Computer science ,Network Access Device ,Access control ,Computer security ,computer.software_genre ,Key distribution in wireless sensor networks ,Extended Access Control ,Network Access Control ,Physical access ,Mobile wireless sensor network ,business ,computer ,Computer network - Abstract
Medical sensor networks allow for pervasive health monitoring of users in hospitals, at home, or on the way. The privacy and confidentiality of medical data need to be guaranteed at any moment to make sure that unauthorized parties cannot retrieve confidential information. This is a great challenge due to two main reasons. First, wireless sensors are resource-constrained devices that limit the applicability of traditional solutions. Second, the access control system must be context-aware and adapt its security settings to ensure the users' safety during, e.g., medical emergencies. To solve these issues, this paper presents a modular context-aware access control system tailored to pervasive medical sensor networks in which the access control decisions and the response delay depend upon the health acuteness of a user. Our system extends traditional role-based access control systems by allowing for context-awareness in critical, emergency, and normal access control situations. We further present a lightweight encoding for our modular access control policies as well as an access control engine efficiently running on resource-constrained sensor nodes. Finally, we analyze how the proposed access control system suits existing security architectures for medical sensor networks.
- Published
- 2010