Académique Documents
Professionnel Documents
Culture Documents
SmartProducts
Contributing Partners:
TU Darmstadt
Version 1.0
Deliverable Lead
Contributors
Internal Reviewer
Disclaimer
The information in this document is provided "as is", and no guarantee or warranty is given
that the information is fit for any particular purpose. The above referenced consortium
members shall have no liability for damages of any kind including without limitation direct,
special, indirect, or consequential damages that may result from the use of these materials
subject to any liability which is mandatory due to applicable law. Copyright 2011 by
TU Darmstadt.
Revision Chart
Table 1: Revision chart in relation to [D4.2.1]
1
Status: n = new, u = updated, r = removed
Table of Contents
1 INTRODUCTION ........................................................................................................................................... 9
3 APPROACH .................................................................................................................................................. 16
ANNEX .................................................................................................................................................................. 48
A REQUIREMENTS ........................................................................................................................................ 49
B GLOSSARY ................................................................................................................................................... 52
REFERENCES ..................................................................................................................................................... 55
List of Figures
List of Listings
List of Tables
Executive Summary
WP4 provides secure storage and distribution services for the smart products platform. In task
4.2 the related security mechanisms for smart products are designed. In this Deliverable
reliable security mechanisms for smart products are developed that can satisfy the extended
needs for usability of non expert users that will handle this devices in the future.
A general analysis of the SotA of security current literature shows that for the security goals
integrity and confidentiality sufficient procedures exist, than can be adapted for smart products
needs, but there are gaps regarding authentication and access control. An in-deep analysis of
authentication and access control for smart products leads to the multi-Level Authentication
and multi-layer interactive rule-learning solutions.
Multi-layer interactive Rule-learning tackles the problem of usability and security in access
control mechanisms especially regarding the generation of proper access control rule sets. A
theoretical solution for this challenge is presented using the combination of automatic rule
learning and user interaction which results is the interactive rule learning approach. Interactive
rule learning is designed to complete attribute-based access control to generate concise rule
sets even by non-expert end-users. The resulting approach leads to adaptive access control rule
sets that can be used for smart products.
1 Introduction
Smart products are a new class of devices that bridge the gap between the real and the virtual
world. They provide a natural and purposeful product-to-human interaction and context-aware
adaptivity. Smart products need to have knowledge about the application and environment that
they are immersed to fulfil their tasks. Thus, they also need access to private/confidential
information, such as users' preferences. Moreover, smart products can exchange
private/confidential information among each other to complete collaborative tasks that require
information from multiple sources, such as the booking of flight tickets and hotels. Smart
products can be part of highly dynamic environments, where devices can appear and disappear
in non-predictable ways.
However, the amount of possible security breaches is increasing with the sheer number and
variety of smart products. Equally, the variety of devices with different user interfaces also
increase the complexity of administrative tasks for the end-users. Therefore, one of the main
challenges of IT-security regarding smart products is the design of mechanisms that combine a
customizable level of security and usability [Beckerle-2009a, Cranor-2005].
Current IT-security solutions tend to overstrain non-expert users. In home and enterprise
environments, users are frequently forced to choose passwords for local and remote
authentication and also define rules for access control, e.g., file sharing access rights. However,
the imposition of such security features often lead to insecure or unpractical measures, such as
written passwords and access control rules that are often too general. In addition, users tend to
deactivate security mechanisms or render them useless by: not changing default passwords or
leaving them blank; granting access to everyone; or turning off basic security mechanisms.
This behaviour is very common nowadays, especially regarding login passwords, browser
cookies, virus scanners, and file access controls [Cranor-2005].
In this deliverable, the usability aspects of security solutions are analyzed and mechanisms that
allow more user-friendly access control rules generation and flexible multi-factor
authentication are proposed. The initial analysis is used to identify usability gaps in basic
security mechanisms that can be applied for smart products. Such an analysis shows that there
are already sufficient solutions that can applied for confidentiality, integrity, and partly for
authentication services, but no appropriate access control solutions exist nowadays.
2.1 Goals
The SmartProducts project aims at developing a generic platform for realising smart products
that accounts for their specific characteristics and challenges and provides a comprehensive set
of functionality such as communication facilities, multimodal product-to-user interaction, as
well as context acquisition and processing. WP4 contributes to this platform by developing
mechanisms for the secure storage and distribution of proactive knowledge in distributed,
heterogeneous and dynamic environments during the entire life-cycle of smart products.
Secure therefore means that the security mechanisms are reliable and usable as defined next.
relevant for SmartProducts, which are access control for proactive knowledge and multi-level
authentication. Other security issues like, integrity, and encryption of data are also very
important for smart products, but they are not smart products-specific and considered by many
other research projects (e.g., Mosquito2, Awareness3, or Prime4). For those reasons and as they
have the lowest impact on the whole project, we will not consider these issues in the
SmartProducts project. We think it is better to conceive the main aspects well and to leave the
other issues for future extensions of the smart products platform or to make use of state-of-the-
art solutions.
However, access control alone is not sufficient to preserve user privacy and manufacturer data.
If an attacker is able to circumvent authentication mechanisms by exploiting bugs, viruses, or
Trojan horses to pass herself off as a device already part of a smart products network, she is
able to manipulate proactive knowledge with the full rights of the device taken over without
being noticed. For that reason, enhanced intrusion detection is indispensable to defend against
identity theft and exposition of software and/or hardware bugs. It allows for detecting
misbehaviour of already authenticated entities and acts as a second line of defence. Access
control alone can only properly operate under the assumption that the attacker is not able to act
in the name of another entity. In contrast, intrusion detection also works out if the attacker is in
disguise and hides in the network, which can happen especially in a smart product environment
as participants are expected to dynamically join and leave the network and due to the
heterogeneity of smart products. For that reason, we will further address cooperative intrusion
detection as this represents a new research challenge arising with smart products.
2
http://www.mosquito-online.org
3
http://www.freeband.nl; http://ercim-news.ercim.org/content/view/261/435/
4
https://www.prime-project.eu/
There are two ways to prevent DoS attacks: Limit the requests an entity can pose over a
specific time or increase computational power and resources of the Smart Product which
processes the authentication requests. The first measure can be easily implemented. It may
decrease usability: consider a system that allows only five login attempts via password within a
timespan of fifteen minutes. In case a valid user mistypes her password five times, system
access is blocked until the end of this timespan.
For Smart Products with limited computational resources, this is often the only way to handle
DoS attacks. In many cases, an attacker possesses enough resources to overload every amount
of supplied resources on the victim’s side. Distributed-Denial-Of-Service (DDoS) attacks
distribute the attacker’s requests over large networks. It is unfeasible to counter such an attack
by increasing local capabilities [Mirkovic-2004].
Smart Products rely heavily on networks and data transfer. “Sniffing” data can be prevented by
low-level technical measures as e.g. protected transfer cables themselves. In the area of Smart
Products, this is not possible because devices may be mobile and wireless data transfer is used.
A solution is to encrypt and sign all sensible data before transferring it. This enables the
receiver to be sure that no attacker has received the data and also allows assuring that the data
is sent from the sender and has not been modified during transfer. A disadvantage of generally
encrypting all data is the high cost in terms of computational power. The sender as well as the
receiver has additional effort in encryption and decryption. Level-1 Smart Products may not be
able to apply secure encryption.
An alternative in some cases is local processing of sensible data. By not transferring large
packets of data but processing it locally, the amount of data that has to be encrypted can be
radically reduced. Imagine a system that uses fingerprint recognition for authentication. It
could either send the picture of a scanned finger to a second Smart Product which will extract
minutiae and compare them to a database of known fingerprint minutiae. Or the first device
could extract the minutiae locally and transfer only them (which means much less data) to the
second Smart Product. This results on lower computational effort for network communication
because less data has to be encrypted, transferred, and decrypted. In heterogeneous networks,
where different communication technologies are used and network traffic has to be converted
during transfer, this reduces the demands to all nodes but the initial sender.
3 Approach
3.1.1 Confidentiality
Confidentiality means that the assets of a computing system are accessible only by authorized
parties. Confidentiality is usually implemented using cryptographic algorithms.
3.1.2 Integrity
Integrity means that assets can be modified only by authorized parties or only in authorized
ways. Integrity is mostly implemented using one-way functions in combination with
cryptographic algorithms.
3.1.3 Authenticity
Authenticity means that an entity can prove who or what they claim to be. Authentication
services are usually implemented by a proof of knowledge, a proof of ownership, or a proof of
biometric trait.
3.1.4 Authorization
Authorization means that policies are used and enforced to specify access rights. Authorization
is implemented through access rules that are used by access control mechanisms to determine if
an entity is allowed to access information or not.
3.2.1 Confidentiality
Confidentiality can be achieved using encryption to protect data. Here are symmetric, such as
AES, and asymmetric encryption mechanisms like RSA. Symmetric key encryption demands
the distribution of cryptographic keys among participating devices. Asymmetric key encryption
performs, in general, worse than symmetric key encryption. Hence, large chunks of data are
rarely encrypted using asymmetric keys, but only selected data, such as symmetric keys. In
smart products, the process of symmetric key distribution is a potential challenge because if a
unique key is demanded for every pair of communicating entities, the number of required keys
equals where is the total number of communicating devices.
Nonetheless, it is feasible to embed public-private key pairs into them. Such an approach is
sufficient in principle and implements confidentiality into high dynamic environments using
existing and standard cryptographic systems.
3.2.2 Integrity
Integrity has to assure that any unauthorized change of data is recognized. Data integrity is
usually accomplished using one-way hash functions and public key encryption or with just
symmetric keys. Message Authentication Codes (MAC) [Krawczyk-1997] are implemented
using symmetric keys and digital signatures [Rivest-1978] with public-private key pairs. Since
such cryptographic tools are expected to be embedded into smart products in the future (as seen
in Section 1), there are going to be enough cryptographic tools available for securing data
integrity.
3.2.3 Authentication
Authentication is required to obtain a proof of correctness over an identity claim. In smart
product scenarios there are basically three types of authentication: device-to-device, device-to-
user, and user-to-user. There are sufficient mechanisms based on digital certificates that can
carry out device-to-device authentication automatically. Device-to-user and user-to-user
authentication can also be realized using proofs of knowledge, biometric traits or digital tokens
together with public-key encryption. In such a case, after users authenticate themselves to
smart products, such devices might be used to automatize other authentication procedures
between users and other devices.
3.2.4 Authorization
Authorization is needed to specify access rights and enforce them. It is implemented through
access rules, and the collection of such rules is referred to as a rule set. There are mechanisms
that allow fully automated generation of rule sets for smart products. Such approaches,
however, disregard adaptivity to the end-user. The general problem is resulting from the
diversity of user preferences, so more information regarding the users is required.
Authorization problems regarding adaptivity and user in smart products are discussed in
Section 4, where the existing access control models are outlined and evaluated regarding their
suitability to smart product scenarios.
Usability influences security in the way that users which do not understand security measures
tend to work around them rendering the measures inefficient [Adams-1999].
The explanation generally is that the (authentication) process is too complex or too abstract for
the human user to understand.
Only authentication that is usable supports security. Reliability on the other hand is crucial for
security because an unreliable system guarantees no security.
A trade-off between usability and reliability for human users must be found. Ignoring one
aspect incriminates the whole system.
Authentication
Knowledge
“what you know/remember”
Possession
“what you have”
Biometry
“what you are/do”
Entity Device
Identification
Challenge
Response
Comparison with
stored information
Authentication
result
5
Passfaces™http://www.realuser.com/ and Déjà Vu [Dhamija-2000]
Entity Device
Identification
Challenge
Relay challenge to
possessed object
Response
Comparison with
stored information
Authentication
result
The main disadvantage of authentication by possession is that the possessed object could be
stolen. The advantage over authentication by knowledge is that the attacked entity can notice
the theft and initiate countermeasures, e.g. notifying an administrative instance about the theft.
An important aspect of the possessed thing is that it cannot easily be copied. This would reduce
the security to the level of authentication by knowledge. Lending an object to another person to
circumvent authentication processes temporarily is possible, but after the object has been
returned, the other person will not be able to authenticate again. Sharing a password is
permanent.
Another disadvantage in the earlier days of authentication by possession is the possessed
objects (for example SecurID6 tags by RSA Security) were expensive. Nowadays, there are
affordable solutions available. The Smart Products prototype implementation is able to
authenticate users by possession of RFID tags.
6
RSA SecurID, http://www.rsa.com/node.aspx?id=1156
Entity Device
Identification
Supply biometric
trait using special
hardware
Extract relevant
parts (and apply
helper scheme)
Comparison with
stored information
Authentication
result
4.1.5 Taxonomy
Figure 5: A Taxonomy of Authentication Mechanisms presents a taxonomy of the three
authentication mechanisms as well as their most important aspects for reliability and usability.
necessarily notice that her secret knowledge has been compromised. Possession used for
authentication cannot easily be copied. Furthermore, theft requires direct interaction with the
possessed object while knowledge can be retrieved by a spectrum of methods, like e.g. social
engineering or searching the whole search space (“brute force” attack). Authentication by
biometric traits has an even higher level of reliability because biometric traits are difficult to
steal, to copy or to forge. Even a “stolen” finger can be recognized by some fingerprint readers
which check the finger’s temperature.
It is to note that reliability depends heavily on how a specific authentication mechanism is
implemented. For example, if a fingerprint reader that simply takes pictures taken with a
camera is not as reliable as one that checks contour and body temperature. A complex
password may deliver higher security and reliability as the fingerprint reader presented first.
In 2008, the Debian Security Team7 disclosed an error in the widely used SSL implementation
OpenSSL which rendered many cryptographic keys vulnerable. The vulnerability allowed the
forgery of certificates used for authentication.
Authentication processes should be designed to have few impacts on user’s cognitive load and
therefore always act predictable.
This means that the authentication process is transparent: the outcome of authentication should
be displayed to user as soon as this information is available. Elements of the user interface
should behave as expected and work for the user.
A bad example for “correct” behaviour is the reset button in HTML form fields. When clicked,
it sets all fields of the associated form to their initial values. If authentication is included in a
greater process, as e.g. entering a new phone number and a combination of username and
password in a single form to reduce cognitive load, the reset button clears all entered
information. This is a problem when the user is not sure if she typed the correct password
characters (the password field displays bullets instead) and only wants to clear this particular
field.
Other examples of unpredictable behaviour are PIN input fields that are automatically
processed after the character maximum has been entered. A related problem arises from system
that requires additional steps before entering the authentication data. Imagine an electronic
cash system that first requires to user to enter her smartcard, then press “ok”, enter her PIN and
press “ok” again. The first press on “ok” seems unnecessary.
Usable authentication has to be easy to use, the user must always know (or at least have a slight
idea) what is expected from her and what happens next. Standard rules for usability taken from
human-computer-interaction research apply as well.
5.1.1 Blacklist
A Blacklist AC is a very simple AC that blocks all requests from entities that are included in a
Blacklist. It is used to thwart known or recurrent attackers. Blacklists have to be configured
manually or, sometimes, they can be updated automatically according to predefined rules, e.g.,
multiple unauthorized requests, or a series of failed authentication procedures. Blacklists
usually outperform other AC mechanisms because their complexity class is lower than those,
and its performance can be O(1) in big O notation with a very small constant factor for the
blacklist lookup. Blacklists are a rather simple to use AC, but also rather inflexible, since there
no conditional access policies can be defined.
5.1.3 RBAC
RBAC [Ferraiolo-1992] introduced a new way by setting roles between the entity and the
related rights. That way, each entity can have several roles and each role can be held by
multiple entities. For administrative purposes, roles are established first, and afterwards they
are assigned to entities. Since roles usually rarely change, this reduces the complexity for
administrating RBAC significantly after the first setup. If only those entities change that inherit
a role, this can be simply addressed by adding or deleting entities (in form of the name or a
unique identifier) that are associated with the regarding role. Roles can change dynamically
and in that way the user might gain and lose roles automatically when doing special tasks.
5.1.4 ABAC
One of the newest models is ABAC [Yuan-2005]. ABAC uses attributes instead of roles to link
rights to entities. This procedure allows the use of dynamic conditions encoded in attributes,
such as the location of an entity, to decide whether to grant access or not. Since the role as well
as the security level of an entity can be seen as an attribute, it is possible to integrate concepts
known from other AC models like DAC or RBAC.
In general two classes of TNs can be distinguished: First, TNs composed of devices that have
the same owner and second, TNs that are composed of devices of the same manufacturer. Thus,
every smart product participates in two TNs. TNs are strictly separated from each other, that
means, no confidential information is exchanged between TNs (i.e., no transitivity). The
manufacturer is e.g. not able to access the owner data and vice versa. Inside a single TN, smart
products can exchange confidential information like access rules (owner TN or manufacturer
TN), user profiles (owner TN), or manufacturer data (manufacturer TN). To realise the idea of
TNs, smart products of the same TN have a pre-shared secret. This pre-shared secret is sent to
every smart product after it is bought and activated for the first time. In this process, the user
has to verify that this new smart product is allowed to integrate itself into the owner’s TN. This
can be done manually, e.g., with out of bound communication [Statjano-2002] or automated
with the help of a ME. Overall, this is similar to the Resurrecting Duckling Model proposed by
[Statjano-2002].
ABAC models are, however, more complex than the other models listed in this Section. Such
complexity resultss in a larger consumption of computational resourcesresources than simpler
approaches. Resources on smart products are limited, thus,
hus, to reduce to costs of AC operations
a Blacklist AC mechanism can be executed before the ABAC mechanism. The Blacklist filters
out known misbehaving entities and their requests do not reach the ABAC mechanism. For
instance, after an entity, which was not blacklisted at first, has multiple identical requests
denied by the ABAC mechanism, such an entity can be temporarily or permanently added to
the blacklist.
AC mechanisms like ABAC are dynamic and flexible. However, they are also hard to
configure in the right way. While MAC and DAC have only one way to link access rights to
the user, RBAC and, especially, ABAC allow for different ways of binding access rights to
entities through indirect mapping. This flexibility enables very compact and meaningful policy
sets. However, if not correctly used, it can lead to a complex and incomprehensible set of rules.
This problem is very likely to occur
occur in case of inexperienced users. This is an important
challenge that is addressed with Interactive Rule Learning in Section 5.5..
The relation between flexibility of an AC mechanisms and the usability is shown in Figure 6.
This figure shows that MAC / DAC can be used by non-expert
non expert users but the number of needed
rules for non-trivial
trivial scenarios is extremely high. The figure also illustrates that RBAC and
ABAC can have very short rule sets, however, only expert users might be able to do so (since it
is difficult to manually define a minimal rule set for a complex scenario). If more rules are used
in RBAC and ABAC, it is possible to emulate MAC / DAC mechanisms with the difference
that always a role or an attribute is in between entities and their related access rights. Finally,
the figure shows that ABAC plus Interactive Rule Learning can be used to create reduced rule
sets even by non-expert users.
In particular, redundancy may lead to less strict access rules because every device that has to
store the data needs the corresponding rights. If an attacker is able to steal the identity of a
user/ device or to circumvent the authentication process in another way, she gets full access
rights of the user or infiltrated device. This is called an inner attack [Beckerle-2009a]. Under
these conditions, a traditional AC mechanism is not able to fend the intruder off. An intrusion
detection mechanism is needed. Different kinds of IDS can be distinguished. A non-exhaustive
list of existing IDS is shown in Figure 7. In the following, the different attributes of an IDS are
described according to [Debar-1999].
Detection Method
The method of detecting an intruder can be either behaviour- or knowledge-based. For
behaviour-based detection, a database with “normal” behaviour of all accessing entities is
needed as a basis for comparison. In case the behaviour of an entity differs from this “normal”
behaviour, it is classified as an attack. A knowledge-based IDS includes a database with known
attack signatures. If the behaviour of an entity has such a signature, it can be detected and
classified as an attack.
Behaviour on Detection
In case an IDS detects an attack two options exist. The IDS can simply activate an alert to
disclose the attack. The other option is to actively defend against the attack, e.g., by blocking
all future requests from the attacker.
Usage Frequency
The intrusion detection can take place in real-time or periodically. For real-time monitoring, a
continuous analysis is required.
Conclusion
Since not all possible attacks are known for the diverse application scenarios of smart products,
only a behaviour-based IDS is feasible. An alert is not enough to protect users against attackers
because most inexperienced users do not know what to do if an attack takes place and
automated attacks occur very fast. For that reason, a continuous real-time monitoring is needed.
Only this way an active defence is possible. A network-based IDS needs some kind of router
between the devices. However, since smart products are connected in ad-hoc networks, a
network-based IDS is not applicable.
Most attackers will act in a way that is different from normal behaviour. Such “abnormal”
behaviour can be detected by anomaly detection [Vaccaro-1989]. The challenges thereby are
the limited resources of a smart product and the limited awareness that a single device has
about its environment. It can be difficult to determine which behaviour can be considered
normal and which behaviour can be considered as an anomaly.
For that reason, smart products will work together to cooperatively decide whether an attack
takes place. For this purpose, smart products of the same owner-TN share information about
entity behaviour, and monitor and compare the behaviour of every entity with earlier
behaviour. In addition, the potential type of attack is limited by the lower layer security
mechanisms (see Section 5.2). For example, as described above, DoS attacks are already
detected and prevented by the AC mechanism.
If, for example, the user Mr. Smith normally accesses his personal documents between 6am
and 10pm from the location “Brussels” and an access takes place at 3am from an entity
authenticated as Mr. Smith but from the location “China”, this is a potential security breach
and has to be further analysed. If a smart product of the same TN is able to track Mr. Smith in
another location like his bedroom, the cooperative decision of the smart products will be
“deny” for the access request from China. Furthermore they can inform Mr. Smith that his
authentication has been abused and that he should, e.g., use a better password in the future.
Again, it is important to ensure that authorised users are not hindered in performing their tasks.
A suitable (and potentially configurable) trade-off between security and usability is subject for
future research. Since time constraints it may not be possible to design and implement
cooperative intrusion detection in SmartProducts but since it is mostly independent it should be
possible to integrate it later without a huge amount of effort.
After defining a suitable AC model and a cooperative intrusion detection system for smart
products it is still fundamental to define how the rules for such AC model are generated. Such
rule generation should consider a set of requirements that are discussed in the next Section.
5.2.3 Usability
As described in Section 5.2.1 and 5.2.2, AC and cooperative intrusion detection provide a very
secure basis for protecting confidential data. However, one important question to answer is:
What is private and confidential data? The answer to this question cannot be stated clearly, it
depends on the person being asked. For that reason, it is important that the user’s preferences
are considered in the decision of what is made public and what has to be kept secret. However,
it cannot be expected that the user is satisfied by defining all these rules manually for every
device she is going to use [Cranor-2005]. There is a need for some kind of automation in such
a way that every user has to select his preferences only once and that this preferences are used
afterwards automatically with respect to his earlier decisions. In addition, a set of default rules
suitable for most use case enhances the usability of the security mechanism.
That way, the user’s intervention is merely required to generate the access rules. However,
there still may remain a lot of interaction requests if rules are too fine-grained or if there are
simply too many to handle them in a comfortable way. Appropriate rules should not only cover
the current context but also future situations such as for example "Any employee may use the
printer”. When new employees are hired, they directly have the right to use the printer. An
overly specific rule that does not generalise would be: "Mr. Jonson can use the printer”. Rules
of this kind would be necessary for each employee, leading to a hardly manageable set of rules.
Too general rules are problematic, too, because they may allow unauthorised entities to do
restricted tasks. If e.g. a rule says "Everyone is allowed to do anything" the AC itself
is needless.
A good set of rules for smart products should be specific enough to allow only authorised
entities to access confidential proactive knowledge while being as general as possible to
minimise the administration effort. Unfortunately, many users tend to define too fine-grained
or too general rules. The concept presented in section 5.5 represents a means of supporting the
user in defining appropriate access rules by applying an AI-supported rule
learning mechanism.
Another problematic point arises if user-defined rules are inconsistent and, consequently,
contradictory. Also, rules that become outdated over the years often remain in the system. A
huge number of required user interactions as well as unexpected behaviour of the AC
mechanism due to inconsistencies, old rules, and the actual amount of rules that arise over the
years, cause that most users become overwhelmed or irritated. In that case, users often tend to
either define overall rules such as “Everyone is allowed to do everything” or completely turn
off the AC mechanism. For that reason, a rule management tool is required that solves all of
the challenges listed above.
Owner
The entity, that is the owner or responsible of a system.
5.3.2 Entities
All Entities
The Set of all entities in the world is called W
• All entities:
Group
A group is a subset of entities in the system
• Group: | ⊆
Entity
An entity e is a person or a device which is able to access information or functionality of an
object in the system. This connoted that all e are authenticated to the system.
• Entity:
|
∈
5.3.3 Objects
All Objects
The set of all objects in the world is called O
• All objects =
Group of Objects
A group of Objects is a subset of objects in the system
• All objects in the system: ⊆
Object
An object is information, a function or a set of functions in the system
• Object: | ∈
Access allowed means that a single entity or a group is allowed to access an object. In the
following this is represented by the number 1.
• Access allowed: 1
Access denied
Access denied means that a single entity or a group is not allowed to access an object. In the
following this is represented by the number 0.
• Access denied: 0
Rule
A rule is a function that describes for a set of Entities E that they have (1) or do not have (0)
access to the object d.
Therefore we define a Set of relations that describes the space of all possible rule
relations in a system.
• : × ! → #, , ↦ , ∶= #
| ∈ , ∈ !, # ∈ (0,1)
• = ( × × # . : , → # | ∈ ! , ∈ !, # ∈ (0,1) )
• + ∈
• ∀+ !∃. : × → #,
, ↦
, ∶= #
|
∈ , ∈ , # ∈ (0,1)
Rule set
A rule set is a set of rules that describes the access rights for a system.
• /0 = ( ). ∀
, ∃ , .
∈ , ∈
User preferences
The security constraints for building up AC rule sets are regarding specific or permissive rules
and also the meaning of such rules. Each requirement is assigned a letter S followed by a
number.
The usability constraints for building up AC rule sets are regarding the existence of redundant
rules, their consistency and understandability, and also related to the total number of rules.
Each usability requirement is assigned a letter U followed by a number.
Formal:
Minimize (|123 / 3104 |)
Formal:
Minimize (| 3104 ∆ 123 | + | 3104 ∆ 45 |) | ∀
.
∈
Formal:
∀ (?, @) → # ∈ /0 ∄ B (? B , @ B ) → # B ∈ /0.
? B ⊆ ? ∩ @ B ⊆ @ ∩ # = #′
Formal:
∀(
∈ , ∈ ). ∀ (
, ) ∈ /0 ∄ B (
, ) ∈ /0.
(
, ) ≠ B (
, )
5.4.5 Usability constraint U3: general, understandable and manageable rule sets.
AC rules need to be general enough for users to understand and manage.
Formal:
Minimize (| 3104 ∆ 123 | + | 3104 ∆ 45 | | ∀
.
∈
Formal:
Minimize |/0 |
The use of general rules in requirement U3 contradicts the requirement S1 regarding specific
rules. Thus, the best compromises between specific and general rules need to be reached. The
best compromise is, however, connected to the user’s preferences and it is, therefore,
individual.
Rule U2 is not only a usability requirement, since it can also impact the security level obtained
by the AC mechanism. An inconsistent rule set can lead to a non- expected behaviour that can
compromise the security of the smart product.
In the next Section we develop a rule generation procedure that takes the aforementioned
requirements into account. Such procedure combines automatic rule generation with user
interaction.
Rule learners pursue in relation to the algorithms mentioned in the previous Section, a very
intuitive approach. They try to find causalities in recorded databases and express them in
simple rules. For example, in a database that describes the attributes of different animals like
ravens, sparrows and pigs such a rule could be as follows: "If an animal can fly and has
feathers, it is a bird". This approach has the particular advantage of being relatively easy to
understand for humans as opposed to for example the hyperplane of a support vector machine.
It could be possible to decide which information should be public and private by analyzing the
user profile. Thus, automatic rule set generation is possible, but it is expected that errors would
also be a commonplace. However, if related information for automatic rule generation is
missing, automatic processes are not possible. Hence, the smart product owners have to decide
by their own regarding the access rules.
Therefore, a proper solution is to use automatic rule generation to create an initial rule set that
is later presented to the user. Interactive Rule Learning algorithms can generate a set of rule
sets and present them to users that decide which specific rule set suits best to their context. A
rule learner can be used to analyze the set of access rules of a smart product regarding the
actual behaviour of entities [Fürnkranz-1999].
Such an analysis disclose whether rules are shadowed, redundant, or correlative, and which
exceptions exist following the definition and classification presented in [Hamed-2006].
Furthermore, in interaction with users, the number of rules usability is minimized by analysing,
pruning, and rebuilding the set of access rules. This procedure is called Interactive Rule
Learning (IRL) [Beckerle-2009].
Combined with the ABAC, the IRL helps the user to build a secure and usable set of access
rules. The expected outcome of ABAC+IRL is shown in Figure XXX 3. This concept
represents an important step towards usable security. An automated rule learning algorithm can
fulfill the following requirements: S1, U1, U2 and U4. Users have to verify the compliance of
requirement S2, since it depends on the context and also on the smart product owner
preferences. To satisfy requirement U3, regarding general rules, interaction between the smart
product owner and the rule leaner is required.
For access control, based on analysis of the different AC mechanisms, the combination of a
blacklist with an attribute based approach is proposed to fulfil todays and future needs for
adaptive devices. A series of security and usability constraints for access control rule sets are
listed. It is shown that the combination of automated rule learning with user interaction is able
to solve such constraints to a secure and usable system for smart products.
Future work will focus on the implementation and evaluation of these concepts in the smart
products platform.
Annex
A Requirements
The following table presents a mapping of the proposed concepts and the requirements investigated in [D4.1.1].
Authentication
SP.WP4.SEC.1 Smart products shall support fine-grained rights management x ABAC is a superset of IBAC and RBAC since an
mechanisms based on the identity (IBAC), role (RBAC) or mission attribute in ABAC can be a role as defined in RBAC or
(MBAC) of an entity. the identity as defined in IBAC
SP.WP4.SEC.2 Smart products shall support fine-grained rights management x ABAC supports fine-grained rights management
mechanisms regarding the granularity of data/ data structure.
SP.WP4.SEC.3 Smart products shall support fine-grained rights management x To secure the privacy a very versatile AC is used
mechanisms regarding privacy policies. combined with a beyond state of the art cooperative
intrusion detection
SP.WP4.SEC.4 There shall exist an identity management system. x The authentication and AC mechanisms and are able to
handle smart product IDs and biometric IDs
Authentication
SP.WP4.SEC.5 Smart products should be able to cooperatively check the behaviour x The cooperative intrusion detection checks the
of other entities for harmful activities. behaviour of interacting entities and protects against
intruders
SP.WP4.SEC.6 Smart products should maintain a history of earlier interactions x The rule learning mechanisms will use a database which
which other products and users. stores the earlier behaviour of entities
SP.WP4.SEC.7 If malicious entities are detected, smart products should react in a x Both the AC and the IDS will react if misbehaviour if
proper manner such as restricting the rights of the entities or detected. One solution is blocking the entity via the
entirely removing them from the network. blacklist
SP.WP4.SEC.8 The owner of a smart product shall be the highest authority to x By using the IRL, users are
determine trustworthiness of other smart products. able to manipulate the security mechanisms
SP.WP4.SEC.9 Smart products should determine the trustworthiness of other smart x The AI mechanism of IDS and IRL will analyse and rate
products automatically by proactive information exchange. the trustworthiness of other entities
SP.WP4.SEC.10 Smart products should have the ability to encrypt and decrypt data Encryption is out of scope (see Section 2.2Fehler!
for communication. Verweisquelle konnte nicht gefunden werden.)
SP.WP4.SEC.11 Smart products should have the ability to encrypt and decrypt stored Encryption is out of scope (see Section Fehler!
data. Verweisquelle konnte nicht gefunden werden.)
Authentication
SP.WP4.SEC.12 There shall exist authentication devices that provide user-related x For the biometric authentication of users there will be
security services. devices called Authentication Device.
SP.WP4.SEC.13 There shall exist authentication mechanisms for smart products in x Challenge Response combined with a pre-shared secret
order to enable reliable identification. on smart products is able to reliably identify smart
products
SP.WP4.SEC.14 Smart products shall detect unauthorized manipulations of proactive x The IDS is able to detect misbehaviour of any kind
knowledge for ensuring its integrity.
SP.WP4.SEC.15 Smart products should detect and try to avoid Denial-of-Service x The blacklist of the AC combined with the IDS is able
(DoS) attacks in a collaborative manner. to detect and potentially avoid DoS attacks
SP.WP4.SEC.16 Smart products should enable applications to prohibit certain x The AC is able to prohibit the distribution of proactive
proactive knowledge from being distributed among other peers. knowledge
B Glossary
Context Context characterizes the actual situation in which the application is
used. This situation is determined by information which
distinguishes the actual usage from others, in particular
characteristics of the user (her location, task at hand, etc) and
interfering physical or virtual objects (noise level, nearby resources,
etc). We thereby only refer to information as context that can
actually be processed by an application (relevant information), but
that is not mandatory for its normal functionality (auxiliary
information).
Environment An environment is an identifiable container with a clear border that
may contain smart products and other, non-smart product entities.
Entities inside the container can influence each other but they are
not influenced by anything outside the container.
Event Any phenomenon in the real world or any kind of state change
inside an information system can be an event. However, it must be
observable and some component in the information system must
observe it in order to notify parties interested in the event.
Lifecycle The lifecycle considered in the SmartProducts project consists of
the following four stages: Design, manufacturing, usage and
maintenance.
Proactive Knowledge The proactive knowledge of a smart product is defined as the
ensemble of data and formal knowledge representations, which
directly or indirectly facilitate its proactive behaviour.
Proactive behaviour in turn denotes mixed-initiative
communication, interaction, and action where the actual situation
and goals affect the turn-taking between a smart product and its
environment i.e. users and other smart products. In particular,
proactive knowledge may trigger human-product interaction and
product-environment communication based on perceived needs
(interaction needs may be ‘computed’ by the product as part of its
smartness, e.g., based on context changes).
Proactivity Proactivity is defined as a capability to initiate actions and exhibit
goal-driven behaviour without an explicit request or pre-defined
schedule.
Situation Situations are interpretations of context data. Thus, they can also
C List of Acronyms
References
[D1.2.1] D1.2.1 Initial Concepts for Smart Products. SmartProducts, 2009.
[D2.4.1] D2.4.1 Initial Infrastructure for Semantic Data Management. SmartProducts, 2009.
[D4.1.1] D4.1.1 Requirements Analysis for Storing, Distributing, and Maintaining Proactive
Knowledge Securely. SmartProducts, 2009.
[D8.1.1] D8.1.1 Scenarios and Requirements for Smart Consumer Appliances. SmartProducts,
2009.
[D9.1.1] D9.1.1 Scenarios and Requirements for Vehicle Product Lifecycle Management
Application. SmartProducts, 2009.
[Adams-1999] Adams, A.; Sasse, M.: Users are Not the Enemy. In: Communications of the
ACM, Volume 42, Issue 12, 1999, 40-46.
[Beckerle-2009a] Beckerle, M.: Towards Smart Security for Smart Products. In: AmI-
Blocks'09: 3rd European Workshop on Smart Products: Building Blocks of Ambient
Intelligence, Salzburg, 2008.
[Bell-1976] Bell, D. E.; LaPadula, L. J.: Secure Computer Systems: Unified Exposition and
Multics Interpretation. In: MTR-2997 Rev. 1, MITRE Corp., Bedford, Mass., March 1976.
[Berghel-2000] Berghel, H.: Identity Theft, Social Security Numbers, and the Web. In:
Communications of the ACM, Volume 43, Issue 2, 2000, 17-21.
[Bimmel-2000] Bimmel, P.; Rampillon, U.; Meese, H.: Lernerautonomie und Lernstrategien.
Langenscheidt, 2000.
[Carbonell-1983] Carbonell, J., Michalski R., Mitchell T.: An overview of machine learning.
Tioga Publishing Company, Palo Alto, 1983.
[Courtois-2008] Courtois, N.; Nohl, K.; O’Neil, S.: Algebraic Attacks on the Crypto-1 Stream
Cypher in MiFare Classic and Oyster Cards. In: IACR ePrint Archive: Report 2008/166, 2008.
[Cranor-2005] Cranor L.; Garfinkel, S.: Security and usability: Designing Secure Systems that
People can use. O’Reilly Media, Inc., 2005.
[Debar-1999] Debar, H.; Dacier, M.; Wespi A.: Towards a Taxonomy of Intrusion-Detection
Systems. In: Computer Networks, 31:805–822, 1999.
[Derawi-2010] Derawi, M.; Nickel, C.; Bours, P.; Busch, C.: Unobtrusive User-Authentication
on Mobile Phones using Biometric Gait Recognition. In: Sixth International Conference on
Intelligent Information Hiding and Multimedia Signal Processing, 2010.
[Dhamija-2000] Dhamija, R.; Perrig, A.: Déjà Vu: AUser Study Using Images for
Authentication. In: Proceedings of the 9th conference on USENIX Security Symposium –
Volume 9, 2000, 4.
[Dolev-1983] Dolev, D.; Yao, A.: On the Security of Public Key Protocols. In: IEEE
Transactions on Information Theory, 1983, 198-208.
[Ferraiolo-1992] Ferraiolo, D.; Kuhn, R.: Role-Based Access Control. In: 15th NIST-NCSC
National Computer Security Conference, 554-563, 1992.
[Hamed-2006] Hamed, H.; Al-Shaer, E.: Taxonomy of Conflicts in Network Security Policies.
In: IEEE Communications Magazine, 44(3):134–141, March 2006.
[Haykin-2008] Haykin, S.: Neural Networks: A Comprehensive Foundation. Prentice Hall, 3rd
edition, 2008.
[Mattern-2010] Mattern, F.; Floerkemeier, C.: Vom Internet der Computer zum Internet der
Dinge. In: Informatik-Spektrum, 33 (2), 2010
[Mirkovic-2004] Mirkovic, J.; Reiher, P.: A Taxonomy of DDoS attack and DDoS Defense
Mechanisms. In: ACM SIGCOMM Computer Communication Review, Volume 34, Issue 2,
2004, 39-53.
[Neisse-2007] Neisse, R.; Wegdam, M.; van Sinderen, M.; Lenzini, G.: Trust Management
Model and Architecture for Context-Aware Service Platforms. In Lecture Notes in Computer
Science, Springer Berlin / Heidelberg, 1803-1820, 2007.
[Pritchett-2008] Pritchett, D.: BASE: An Acid Alternative. In: Queue, 6 (3), 48-55, 2008.
[Ray-2006] Ray, I.; Kumar, M.; Yu, L.: LRBAC: A Location-Aware Role-Based Access
Control Model, In: Lecture Notes in Computer Science, Springer, 2006.
[Reding-2009] Reding, V.: What policies to make it happen? In The Future of the Internet - A
conference held under the Czech Presidency of the EU. Belgium: European Commission -
Information Society and Media, 2–5, 2009.
[Renaud-2005] Renaud, K.: Evaluating Authentication Mechanisms. In: Security and Usability
– Designing Secure Systems That People Can Use, 2005, 103-128.
[Schölkopf-1999] Schölkopf, B.; Burges, C. J. C.; Smola, A. J.: Introduction to support vector
learning. In: Advances in Kernel Methods: Support Vector Learning, 1-15, 1999.
[Statjano-2002] Stajano, F.: Security for Ubiquitous Computing. John Wiley and Sons, 2002.
[Vaccaro-1989] Vaccaro, H.; Liepins, G.: Detection of Anomalous Computer Session Activity.
Technical report, 1989.
[Yair-1990] Yair, E.; Gersho, A.: The Bolzmann Perceptron Network: A Soft Classifier. In:
Neural Networks, 3:203-221, 1990.
[Yuan-2005] Yuan, E.; Tong, J.: Attributed Based Access Control (ABAC) for Web Services.
In: ICWS 2005 Proceedings, 2005.
[Zhou-2009] Zhou, X.; Wolthusen, D.; Busch, C.; Kuijper, A.: A Security Analysis of
Biometric Template Protection Schemes. In: Lecture Notes in Computer Science, Volume
5627, 2998, 429-438.