Policy extension for data access control (original)
Related papers
Security Modules for Access Control in Mobile Applications
The wide acceptance of mobile applications depends largely on protecting the data residing on mobile devices. In this paper we propose an access control solution for enhancing trust in wireless network environments. Taking into account the inherent problems of mobile devices with wireless communication capabilities, and adopting an integrated access control approach that exploits different types of certificates based on public key technologies, we propose the use of security modules for storing sensitive security data on mobile devices. In addition, we distinguish between fixed and removable security modules, which, combined with the certificate types, yield a flexible and effective access control mechanism able to support a variety of application and user operation scenarios.
Secure Access Control in Mobile Cloud (Contrôle d’Accès Sécurisé dans l’Info-Nuage Mobile)
2018
Mobile cloud computing (MCC) has emerged as a promising technology: it uses highly scalable servers in the cloud to overcome the computational and energy limitations of mobile devices. Because of security and privacy risks, enterprises are currently reluctant to adopt MCC. These concerns are heightened when users and employees tend to use wireless devices (for example laptops and smartphones) to stay connected while moving within and outside the enterprise. In this thesis we develop new methods, based on Attribute-Based Encryption (ABE), to design secure and efficient data access control for the mobile cloud. These methods let data owners (enterprises or individuals) guarantee data security and give mobile users fine-grained access to data according to defined policies and constraints. We begin by exploring the security threats and challenges of providing access to data stored in the cloud. We found that attribute-based access control for mobile devices raises complex problems related to anonymity, mobility and the restricted computing resources of the devices. To address them, we develop three methods, each the subject of one contribution. The first contribution provides privacy-preserving anonymous access to data stored in the cloud. It describes a new statistical anonymity model for ABE, gives cryptanalysis results for existing anonymous attribute-based encryption proposals, and presents a new multi-authority ABE-based technique (called FACS) that anonymizes user identities without trusting any authority or provider. It also extends FACS to EFACS, which supports statistical anonymity of users. The second contribution provides location-based services (LBSs) for attribute-based access control in the mobile cloud. Specifically, it introduces a new multi-authority attribute-based access control scheme (called PPLBACS) that anonymizes user identities against malicious authorities and providers. The proposed scheme uses the dynamic location of mobile users as a contextual attribute, and a Location-Based Access Control Scheme (LBACS) is proposed. LBACS aims at: (a) supporting the coexistence of spatio-temporal attributes and static attributes; (b) using ranges of values (instead of a specific value) for the domains of spatio-temporal policies and specific values for other policies and constraints; and (c) protecting users' identities against a malicious Cloud Service Provider (CSP). We also extend LBACS to ELBACS in order to provide untraceability and spatio-temporal statistical anonymity of users without trusting authorities and providers.
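The policy shape LBACS describes, range-valued spatio-temporal attributes alongside exact-match static attributes, is easier to reason about when evaluated over plaintext attributes. The following is an added example and not code from the thesis: LBACS enforces such policies cryptographically with attribute-based encryption, whereas this model only evaluates the same policy semantics over plaintext attributes. The attribute names, the geofence, the shift hours and the sample requests are constructed for the example.

```python
"""Added example: evaluating an access policy that mixes range-valued
spatio-temporal attributes with exact-match static attributes, the policy
shape LBACS describes. Not the thesis's code: LBACS enforces such policies
with attribute-based encryption, while this model evaluates the same policy
over plaintext attributes so the semantics can be inspected. Attribute names,
the geofence, the hours and the sample requests are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass(frozen=True)
class Range:
    """Closed interval [low, high] used for spatio-temporal attribute domains."""
    low: float
    high: float

    def contains(self, value: float) -> bool:
        return self.low <= value <= self.high


@dataclass
class Policy:
    """Static attributes must match exactly; spatio-temporal ones must fall in range."""
    static: dict[str, str] = field(default_factory=dict)
    ranges: dict[str, Range] = field(default_factory=dict)

    def evaluate(self, attrs: dict[str, object]) -> tuple[bool, list[str]]:
        """Return (decision, reasons). A missing attribute denies (fail closed)."""
        reasons: list[str] = []
        for name, expected in self.static.items():
            if attrs.get(name) != expected:
                reasons.append(f"{name}={attrs.get(name)!r} must equal {expected!r}")
        for name, rng in self.ranges.items():
            value = attrs.get(name)
            if not isinstance(value, (int, float)) or not rng.contains(value):
                reasons.append(f"{name}={value!r} not in [{rng.low}, {rng.high}]")
        return (not reasons, reasons)


def hour_of_day(ts: datetime) -> float:
    """Fractional hour in UTC, so a time-of-day constraint is just a Range."""
    ts = ts.astimezone(timezone.utc)
    return ts.hour + ts.minute / 60 + ts.second / 3600


# Constructed policy: cardiology nurses may read records only from inside the
# clinic's (made-up) bounding box and only during the 07:00-19:00 UTC shift.
CLINIC_POLICY = Policy(
    static={"role": "nurse", "department": "cardiology"},
    ranges={
        "lat": Range(48.8560, 48.8580),
        "lon": Range(2.3500, 2.3530),
        "hour": Range(7.0, 19.0),
    },
)

# Constructed sample identity and request times.
NURSE = {"role": "nurse", "department": "cardiology"}
ON_SHIFT = datetime(2024, 3, 4, 9, 30, tzinfo=timezone.utc)
NIGHT = datetime(2024, 3, 4, 22, 0, tzinfo=timezone.utc)


def decide(policy: Policy, identity: dict[str, str],
           lat: float, lon: float, when: datetime) -> tuple[bool, list[str]]:
    """Combine static identity attributes with the device's dynamic location
    and the request time, the contextual attributes the scheme relies on."""
    attrs: dict[str, object] = dict(identity)
    attrs.update({"lat": lat, "lon": lon, "hour": hour_of_day(when)})
    return policy.evaluate(attrs)


if __name__ == "__main__":
    print(decide(CLINIC_POLICY, NURSE, 48.8570, 2.3510, ON_SHIFT))   # inside, on shift
    print(decide(CLINIC_POLICY, NURSE, 48.9000, 2.3510, ON_SHIFT))   # off-site
    print(decide(CLINIC_POLICY, NURSE, 48.8570, 2.3510, NIGHT))      # off shift
    print(decide(CLINIC_POLICY, {"role": "visitor"}, 48.8570, 2.3510, ON_SHIFT))
```

Every failed constraint is reported rather than only the first, which makes the split between range checks (location, time) and exact checks (role, department) visible in the decision output; an absent attribute is treated as a mismatch so the evaluator fails closed.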
A Privacy Enhanced Service Architecture for Mobile Users
Third IEEE International Conference on Pervasive Computing and Communications Workshops, 2005
Location, presence and messaging services provide the essential ingredients for emerging information and communications services. Nevertheless, users are concerned about revealing their current location, presence or contact address information, especially to non-trusted third party applications. In this paper we propose a privacy architecture that achieves unlinkability between the services related to a certain user and the user identity itself. The architecture is based on a privacy service integrated in the telecom service architecture Parlay-X, currently being standardized by the Parlay Group, and a chained hash technique called PRIVES, well suited to run on small mobile devices.
Security-by-Contract-with-Trust for Mobile Devices
2010
Security-by-Contract (S×C) is a paradigm providing security assurances for mobile applications. In this work, we present an extension of S×C, called Security-by-Contract-with-Trust (S×C×T). We enrich the S×C architecture by integrating a trust model and adding new modules and configurations for managing contracts. At deploy-time, our system decides the run-time configuration depending on the credentials of the contract provider. The run-time environment can both enforce a security policy and monitor the declared contract. According to the actual behaviour of the running program, our architecture updates the trust level associated with the contract provider. We also present a possible application of our framework in the scenario of a mobile application marketplace, e.g., Apple AppStore, Cydia, Android Market, which are nowadays considered one of the most attractive e-commerce activities for both mobile application developers and mobile device manufacturers. Sinc...
Personalized Security in Mobile Environments Using Software Policies
2011
With the advance of technology and the spread of mobile devices that give users access to a wide range of services wherever they are, and whenever they want, many security issues arise. Both users and service providers feel the need to protect themselves from the large number of threats present on every network. Some time ago, users could access services only if they were physically present in a certain, predefined area. This gave service providers a lot of personal information about users, which helped them secure their systems and their transactions with users. This is no longer the case. Therefore, the need arose for a novel way for mobile users and service providers to secure their information and their transactions. In this paper, we show that combining software policies and context information provides users and service providers with confidentiality, data integrity, data availability, and accountability. Keywords: mobility; security; softwa...
Privacy Enforcement Embedded in Mobile Services
Wireless Information Systems, 2004
Next generation mobile services in business-to-employee (B2E) settings put very high demands on the privacy protection features of context-aware, personalization and adaptation enabling technologies. To this end we propose a middle agent framework that allows parties to securely exchange personal or business-sensitive contextual information independently of the available networks. To demonstrate our privacy enforcing middle agent framework, we build a scheduling service in which the middle agents collectively arrange an update of a meeting between employees by adapting location and time on the basis of the privacy and scheduling policies of the traveling employees themselves or the companies they work for. We developed and deployed this scheduling service on a LEAP agent platform and used a PDA to communicate with the middle agents on the server over WLAN and GPRS networks.
The SIM card as an enabler for security, privacy, and trust in mobile services
2008
The paper describes an architecture for mobile services in which the SIM card is integrated to provide basic services related to security, privacy, and trust. The presented work is part of a cooperative research initiative aiming at an open architecture for mobile services. Nowadays, the security of mobile networks is mainly established through the SIM card. It provides an identity and can be used for authentication. Moreover, the SIM includes secure tamper-resistant storage as well as the cryptographic modules required for basic functions such as signing and ciphering. Consequently, in our architecture for mobile services, the SIM also plays the role of a security token providing basic security-related services. The SIM is integrated into the architecture using standard Internet protocols. A web server on the card enables the exchange of data with the mobile device over HTTP. Moreover, a servlet architecture on the card allows SIM services to be provisioned with an interface similar to that of Web services. An important issue within the open and heterogeneous infrastructures for future mobile services is support for the identification, evaluation, and rating of service offers. As an example of a SIM-based service, we therefore propose a trust management service. The service is designed following the ideas of a web of trust infrastructure, with an on-card key ring and trust value management. It uses digital signing for the identification of services as well as for signatures by the user.
Sensitive Information Protection on Mobile Devices
2014
Mobility of users and information is an important feature of information systems that must be considered when designing mechanisms to protect sensitive information. This paper introduces the architecture of the MobInfoSec system. MobInfoSec is designed as an information system that allows sharing documents containing sensitive information under fine-grained access rules described by general access structures. The system is for users who want to use cryptographic data protection mechanisms to protect sensitive information on mobile devices equipped with a specialized cryptographic module. MobInfoSec is to be a distributed, modular and configurable cryptographic access control system for sensitive information that operates in a public environment. The system will enable cryptographic protection of sensitive information in accordance with ORCON (originator-controlled) access control rules. The architecture is designed to be flexible enough that several business scenarios can be implemented. The paper presents the MobInfoSec system, whose two main goals are to secure mobile information and to release the user from the obligation to monitor any classified information held on his or her mobile device.
A Privacy-Considerate Framework for Identity Management in Mobile Services
Mobile Networks and Applications, 2011
The subscribers' personal information and the services that mobile operators are able to provide to Web developers offer new and exciting possibilities in numerous domains. However, bringing mobile information services to the Web to enable a new generation of mobile Web services presents several research challenges in identity and privacy management. In this paper, we describe a framework for identity management in mobile services that empowers users to govern the use and release of their personal information. Our framework is based on a brokering approach that intermediates between the mobile operator's information services and the Web service providers. By leveraging Web services, identity management infrastructure and privacy enhancing technologies, our framework provides an effective, privacy-considerate delivery of services over the mobile Web environment. This paper describes the design principles and architecture of the framework as well as the feasibility, applicability and user-experience evaluation we have carried out.
Privacy Preserving Trust Authorization Framework Using XACML
2006 International Symposium on a World of Wireless, Mobile and Multimedia Networks(WoWMoM'06), 2006
Nowadays many organizations share sensitive services through open network systems and this raises the need for an authorization framework that can interoperate even when the parties have no pre-existing relationships. Trust Negotiation is the process used to establish these first relationships, through the transfer of attributes, embedded in digital credentials, between the two parties. However, these attributes may themselves be considered sensitive and so may need protection from disclosure. In some environments, the policies that govern the protected services may also be considered sensitive and their release to arbitrary strangers may leak confidential business information. This paper describes a way to unify the protection of services, sensitive credentials and policies in a synchronized trustworthy manner. We propose a trust authorization framework (TAF) that builds on the capabilities of XACML to support the bilateral exchange of policies and credentials through trust negotiation.
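The bilateral exchange the abstract describes, in which each side discloses a credential only once the other side has satisfied that credential's release policy, can be simulated to see both the convergent case and the case where two protective policies block each other. The following is an added illustration of the negotiation idea and not the paper's TAF or its XACML policy format: release policies are modelled as plain sets of required peer credential types, and the protection of the policies themselves, which TAF also addresses, is left out. The party names, credential types and policies are constructed for the example.

```python
"""Added example: a bilateral trust negotiation in which both the requester
and the service provider guard each credential with a release policy, so a
sensitive attribute is disclosed only after the peer has shown what that
policy demands. An illustration of the negotiation idea, not the paper's
TAF or its XACML policies; policy protection itself is left out. Party
names, credential types and policies are constructed for the example."""
from dataclasses import dataclass, field


@dataclass
class Party:
    name: str
    # credential type -> peer credential types that must be seen before release
    credentials: dict[str, frozenset[str]]
    received: set[str] = field(default_factory=set)
    disclosed: set[str] = field(default_factory=set)

    def releasable(self) -> set[str]:
        """Credentials whose release policy is satisfied by what the peer has shown."""
        return {c for c, need in self.credentials.items()
                if c not in self.disclosed and need <= self.received}


def negotiate(requester: Party, provider: Party, service_policy: frozenset[str],
              max_rounds: int = 32) -> tuple[bool, list[tuple[str, str]]]:
    """Eager strategy: each round, both sides disclose every credential they may.

    Succeeds once the provider has seen every credential the service policy
    requires; fails when a round passes with no disclosure (the release
    policies form a cycle) or the round limit is reached."""
    transcript: list[tuple[str, str]] = []
    for _ in range(max_rounds):
        if service_policy <= provider.received:
            return True, transcript
        progressed = False
        for sender, receiver in ((requester, provider), (provider, requester)):
            for cred in sorted(sender.releasable()):
                sender.disclosed.add(cred)
                receiver.received.add(cred)
                transcript.append((sender.name, cred))
                progressed = True
        if not progressed:
            return False, transcript
    return False, transcript


# Constructed service policy: the records service needs both credentials.
SERVICE_POLICY = frozenset({"employee_id", "medical_license"})


def scenario_success() -> tuple[bool, list[tuple[str, str]]]:
    """The doctor shows her licence only to an accredited hospital; the
    hospital releases its accreditation freely, so the negotiation converges."""
    doctor = Party("doctor", {
        "employee_id": frozenset(),
        "medical_license": frozenset({"accreditation"}),
    })
    hospital = Party("hospital", {"accreditation": frozenset()})
    return negotiate(doctor, hospital, SERVICE_POLICY)


def scenario_deadlock() -> tuple[bool, list[tuple[str, str]]]:
    """Each side demands the other's sensitive credential first, so neither
    releases it and the negotiation stops without granting the service."""
    doctor = Party("doctor", {
        "employee_id": frozenset(),
        "medical_license": frozenset({"accreditation"}),
    })
    hospital = Party("hospital", {"accreditation": frozenset({"medical_license"})})
    return negotiate(doctor, hospital, SERVICE_POLICY)


if __name__ == "__main__":
    print(scenario_success())
    print(scenario_deadlock())
```

The transcript records who disclosed what and in which order, which is the artefact a practitioner would inspect to confirm that a sensitive credential was never released before its release policy was met; the deadlock scenario shows that protecting credentials on both sides can make a negotiation fail even when each party individually holds everything the service requires.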