A Dynamic Trust-Based Context-Aware Authentication Framework With Privacy Preserving

Pierre E. ABI-CHAR #1, Abdallah M'HAMED #2, Bachar EL-HASSAN *3, Mounir MOKHTARI #4

# Computer and Communication Department, Telecom SudParis (ex. INT), 9 Rue Charles Fourier, Evry, France
* Computer and Communication Department, Lebanese University, Al Arz street, El kobbeh, Tripoli, Lebanon
Abstract: As ubiquitous technologies ingrain themselves further into our lives, rapid progress has been made in context-aware computing. Context-aware environments are set to become a reality. However, major challenges remain to be addressed, including privacy, authentication, access control, and trust. These security challenges have to be non-intrusive, intelligent, and able to adapt to the rapidly changing contexts of users. Context-aware environments are expected to make these challenges more accurate and to consider them in place from the start, so that a mutual trust relationship can be formed between entities. It is therefore a key challenge in a ubiquitous network society to design an effective privacy-preserving authentication and access control framework that adequately meets the security requirements posed by the context-aware service paradigm in a pervasive computing environment. In this paper, we propose a security framework that integrates context-awareness to perform authentication and access control in a very flexible and scalable model that is both context-aware and privacy preserving. Moreover, we show how our framework can be integrated with trust management. We focus on introducing an anonymous authentication and access control scheme to secure interactions between users and services in ubiquitous environments. The architecture focuses on the authentication of users who request access to the resources of a smart environment system through static devices (i.e. smart card, RFID, etc.) or dynamic devices (i.e. PDA, mobile phones, etc.).

Index Terms: Context-Aware, Authentication, Access Control, Smart Spaces, Privacy Control, Fuzzy Logic, Trust Management, Risk Assessment, Quality of Privacy.

I. INTRODUCTION

The growing evolution of Information and Communication Technology (ICT) systems towards more pervasive and ubiquitous infrastructures contributes significantly to the deployment of services anywhere, at any time and for anyone. To provide personalized services in such infrastructures, we should consider both the user's privacy and security requirements and the context-awareness of the environment. Security, privacy and trust in pervasive computing are currently hot issues in the digital information technology area. Security is used to describe techniques that control who may use or modify private data and context information; privacy is viewed as the ability of an entity to determine whether, when, and to whom information is to be released; and finally trust denotes the grounds for confidence that a system will meet its security objectives. The development of mobile communications technologies and the ubiquitous computing paradigm, and the convergence of m-healthcare, m-business, m-entertainment and m-education services, have raised the urgency of dealing with privacy threats (i.e. to personal information, etc.). These threats are caused by the detection of personal sensitive information such as location, preferences, and activities of individuals through sensors or invisible computing devices gathering and collating data and deriving user context. Moreover, the ubiquitous computing environment is characterized by people constantly moving and engaged in numerous activities simultaneously. Therefore, we propose an authentication and access control agent framework for context-aware services. Our framework's objectives are to provide the most suitable security scheme on the basis of context, such as users' location and profiles, and to protect personal information such as user location, user's ID, etc. This paper provides a scheme to protect the privacy of users and to maintain flexibility for users while using available services in ubiquitous environments. The ultimate goal is anonymity, which keeps the users interacting anonymously with the services and, through that, preserves the context privacy of users. It also keeps confidentiality and integrity on the communication channels. The proposed scheme is at the application level, without relying on any underlying system infrastructure such as the lighthouse or Mist router in [6]. This scheme possesses many desirable security properties, such as anonymity, nonlinkability, trust management, etc.

The rest of this paper is as follows. The context-aware definition and usage, authentication and access control characteristics and their privacy effects, and the trust management definition and properties are outlined in Section 2. Section 3 provides an outline of the mathematical background needed for our protocols. Section 4 provides an exhaustive summary of related work. Our proposed agent framework, its process descriptions, and its security discussion are introduced in Sections 5, 6, and 7 respectively. Finally, future work and the conclusion are described in Section 8.
II. PERVASIVE COMPUTING PARADIGM

In this section we briefly introduce some assumptions, concepts, and values that constitute a real way of viewing the necessity for a novel scheme.

A. Context-Aware: Context-aware computing is an emerging computing paradigm that tries to exploit information about the context of its users to provide new or improved services. [2] have defined context as: any information that can be used to characterize the situation of an entity. An entity is a person, place, or object that is considered relevant to the interaction between a user and an application, including the user and applications themselves. The use of context information gives a number of advantages in communication, as motivated before. Context-awareness is an enabling technology to build helpers that disappear from the user's perception. This allows the creation of new classes of services. The combination of several context values provides a very powerful mechanism to determine the current situation. For example, location, entity activity and time are typical context sources and form the primary context. Knowledge of the current location and time, together with a user's calendar, lets an application have a good estimation of the user's social situation at a specific point in time.

B. Authentication and Access Control: Authentication systems are used for security purposes to verify the authenticity of one or more parties or entities during a transaction. Most traditional authentication methods either do not scale well in massively distributed environments with hundreds or thousands of embedded devices, like smart spaces, or they are inconvenient for users roaming around within smart environments. In addition, authentication in smart environments cannot use a one-size-fits-all approach, as authentication requirements differ greatly among different spaces and among different applications and contexts within the same smart space. In general, users must be able to authenticate with other entities with a varied level of confidence, in a transparent, convenient, and private manner. The concept of context-aware authentication and access control is: (1) collect and recognize the user's current context, and (2) generate and control a secure user environment based on the current context. Generally, the context includes the user's location and services, present information, environmental information (temperature, loudness, brightness), terminal attributes, network status (QoS), etc.

Privacy Effects: An inherent tension exists between authentication and privacy because the act of authentication often involves some disclosure or confirmation of personal information. System designers sometimes fail to consider the myriad ways in which authentication affects privacy. When designing an authentication system, selecting one for use, or developing policies for one, we should authenticate only where necessary (for well-defined purposes), minimize the scope of the data collected, articulate what entities will have access to the collected data, articulate what kinds of access to and use of the data will be allowed, and finally provide means for individuals to check on and correct any information held about them for use in authentication. Context-aware services should be able to trust context data provided to them from these various sources and to respond to changes. The dynamic nature of a context-aware environment necessitates a very active and flexible authentication mechanism that allows members across different domains to identify and communicate with each other with a reasonable level of trust. More generally, system architects and developers should focus more on reconciling authentication and privacy goals when designing, developing, and deploying systems. Understanding security needs and developing appropriate threat models are key to determining whether authentication is necessary and what kind is needed. According to ([1], [3]), the context-aware authentication service has to hold the following distinguishing properties:

Context-Awareness: A context-aware service has to use context data to provide relevant services to users. The security system adapts itself to match the dynamism of context information. It also has to be able to prune its services according to changes in context data, such as changes in time, location, activity, etc. Therefore, it is critical to check the authenticity and integrity of the context data from context providers.

Autonomy: The context-aware service should involve the least human intervention possible. The security system may improvise new policies based on the available or new context data.

Scalability: The authentication service has to be capable of bootstrapping trust and authentication across heterogeneous domains.

Flexibility: In an open, massively distributed, pervasive computing system, using different means of authentication should be made possible, and it does not have to be constrained to a specific format. Therefore, the system has to be able to provide a great level of customization to each individual.

Privacy-Preserving: In a context-aware environment, there will be thousands of sensors recording every type of important information about users. They will silently track users' location, preferences, and activities in the environment. Therefore, protecting the privacy of the user is important, and there has to be a provision to protect it against abuse.

Anonymity: The real identity of a user should never be revealed from the communications exchanged between the user and a server unless it is intentionally disclosed by the user. Different communication sessions between the same user and service should not be linkable. Different devices of a user should not be linkable.

Context privacy: Unless users want to disclose their context information (location, time, preference, name of services, etc.), no one should know about such information, not even the system administrator or the service providers they interact with.

Confidentiality and integrity: The system should provide protection measures on the communication channels while users are interacting with services, in order to protect sensitive information from eavesdroppers.

Nonlinkability: Ideally, nonlinkability means that, for both insiders (i.e., the service) and outsiders, 1) neither of them could ascribe any session to a particular user, and 2) neither of them could link two different sessions to the same user.

In reality, the quests for authentication/access control and for user privacy protection conflict with each other in many aspects, and the problem is highly complex in ubiquitous computing, as the context information of users is more of a concern. On one hand, the service generally depends on the user identity information and the corresponding pre-established trust relationship, as well as the service contract between them, to accomplish user authentication and conduct access control. On the other hand, the user does not want to be tracked by the service wherever he is and whatever he does. The trade-off between the two thus poses a great challenge to security designers [1]. Besides that, these environments present more privacy concerns to users, as there is no existing trust relationship between the user and the environment's owner. So, providing flexibility by personalizing services from these environments is difficult, because users must provide information to the system without breaching their required levels of privacy [1].

C. Trust Management: Trust in pervasive computing is a complex subject relating to belief in the honesty, truthfulness, competence, and reliability of an entity. In the context of pervasive computing, trust is usually specified in terms of a relationship between a resource or service requester and a resource or service provider [1]. To trust pervasive computing systems, we must be able to manage the privacy, confidentiality, availability, and controlled access to digital information as it flows through the system. Trust forms the basis for allowing a requester to use services or manipulate resources owned by a service provider. Also, it may influence a requester's decision to use a service or resource from a provider. So trust is an important factor in the decision-making process.

For trust establishment in pervasive computing environments, the mobility and uncertainty of the systems and clients need more dynamic and flexible trust strategies. In addition to the traditional trust strategies such as access control and PKI, other trust strategies are proposed and used for trust establishment and management in pervasive computing environments [1]. These trust strategies are:

Trust Negotiation: Is needed when the system does not have the client information and there is no third party to consult with on the trustworthiness of the client. In this case, it is only reasonable and practical for the client and the system to build their trust relationship by disclosing their credentials gradually to meet the access control policies of each other.

Trust Delegation: Is needed when one entity in the system trusts the client and can assign its rights to the client.

Trust Based on Reputation: Is used when the system can derive the clients' trustworthiness from the clients' behavior records. Because the system may need to collect the clients' reputation from other peer systems, the trust level of the network and of the peer systems is taken into account when deciding the trust reputation of the clients.

Trust Based on Context and Ontology: Can be used when the clients and the systems have smart sensing devices. This ontology information can help the system to determine the trust levels of its clients or assign them trust rights in the given context.

III. MATHEMATICAL BACKGROUND

In this section we briefly introduce the mathematical background necessary for the description of our scheme.

A. Elliptic Curve Cryptography (ECC): Many researchers have examined elliptic curve cryptosystems, which were first proposed by Miller [18] and Koblitz [19]. Elliptic curves, which are based on the elliptic curve discrete logarithm problem over a finite field, have some advantages over other systems: the key size can be much smaller than in other schemes, since only exponential-time attacks have been known so far if the curve is carefully chosen [20], and elliptic curve discrete logarithms might still be intractable even if factoring and the multiplicative-group discrete logarithm are broken. In this paper we use an elliptic curve E defined over a finite field Fp. The elliptic curve parameters to be selected [21], [22] are:

1 - Two field elements a and b ∈ Fp, which define the equation of the elliptic curve E over Fp (i.e., y^2 = x^3 + ax + b in the case p ≥ 4, where 4a^3 + 27b^2 ≠ 0).

2 - Two field elements xp and yp in Fp, which define a finite point P(xp, yp) of prime order in E(Fp) (P is not equal to O, where O denotes the point at infinity).

3 - The order n of the point P.

The elliptic curve domain parameters can be verified to meet the following requirements [21], [22]. In order to avoid the Pollard-rho [23] and Pohlig-Hellman algorithms for the elliptic curve discrete logarithm problem, it is necessary that the number of Fp-rational points on E, denoted by #E(Fp), be divisible by a sufficiently large prime n. To avoid the reduction algorithms of Menezes, Okamoto and Vanstone [24] and Frey and Rück [25], the curve should be non-supersingular (i.e., p should not divide (p + 1 − #E(Fp))). To avoid the attack of Semaev [26] on Fp-anomalous curves, the curve should not be Fp-anomalous (i.e., #E(Fp) ≠ p).
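As an added example (not code from the paper), the following Python carries out the Section III.A parameter checks on two deliberately tiny constructed curves: y^2 = x^3 + x + 1 over F_23 and the supersingular curve y^2 = x^3 + 1 over F_11. Brute-force point counting, the MOV bound of 20 and the `min_n_bits` policy threshold are assumptions of this example, chosen so that it runs offline.

```python
def count_points(p, a, b):
    """#E(F_p) for y^2 = x^3 + ax + b: each x contributes 0, 1 or 2 points (Euler's
    criterion on the right-hand side), plus the point at infinity O. Toy sizes only."""
    total = 1
    for x in range(p):
        rhs = (x * x * x + a * x + b) % p
        if rhs == 0:
            total += 1
        elif pow(rhs, (p - 1) // 2, p) == 1:
            total += 2
    return total


def largest_prime_factor(m):
    """Trial division; the 'sufficiently large prime n' of Section III.A is this factor."""
    f, d = 1, 2
    while d * d <= m:
        while m % d == 0:
            f, m = d, m // d
        d += 1
    return max(f, m) if m > 1 else f


def embedding_degree(n, p, bound=20):
    """Smallest k <= bound with n | p^k - 1, i.e. the MOV / Frey-Rueck reduction maps the
    ECDLP into F_{p^k}; None means no such k up to the bound (what a real curve must show)."""
    for k in range(1, bound + 1):
        if pow(p, k, n) == 1:
            return k
    return None


def check_domain_params(p, a, b, mov_bound=20):
    """Report each Section III.A requirement ([21]-[26]) for y^2 = x^3 + ax + b over F_p."""
    order = count_points(p, a, b)
    n = largest_prime_factor(order)
    return {
        "discriminant_ok": (4 * a ** 3 + 27 * b ** 2) % p != 0,  # curve is non-singular
        "order": order,                                          # #E(F_p)
        "n": n,                                                  # Pollard-rho / Pohlig-Hellman
        "cofactor": order // n,
        "anomalous": order == p,                                 # Semaev's attack [26]
        "supersingular": (p + 1 - order) % p == 0,               # p | (p + 1 - #E): MOV [24], [25]
        "embedding_degree": embedding_degree(n, p, mov_bound),
    }


def is_acceptable(report, min_n_bits=160):
    """True only if every requirement holds; min_n_bits is an assumed policy threshold."""
    return (report["discriminant_ok"]
            and report["n"].bit_length() >= min_n_bits
            and not report["anomalous"]
            and not report["supersingular"]
            and report["embedding_degree"] is None)


# Two constructed toy curves: a textbook ordinary curve and a supersingular one (p = 2 mod 3).
TOY_ORDINARY = (23, 1, 1)       # y^2 = x^3 + x + 1 over F_23: 28 points = 4 * 7
TOY_SUPERSINGULAR = (11, 0, 1)  # y^2 = x^3 + 1 over F_11: p + 1 = 12 points, trace 0

if __name__ == "__main__":
    for curve in (TOY_ORDINARY, TOY_SUPERSINGULAR):
        rep = check_domain_params(*curve)
        print(curve, rep, "acceptable:", is_acceptable(rep))
```

Both toy curves are correctly rejected: the first because n = 7 is tiny and its embedding degree is only 3, the second because it is supersingular.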
B. ECDLP-Based Okamoto Identification Scheme: In this subsection, we briefly describe the elliptic curve based Okamoto identification scheme. The Okamoto identification protocol is considered secure against active and concurrent attacks under the assumption of the hardness of the discrete logarithm problem [29]. The set of system parameters is (q, FR, a, b, P1, P2, n, h). The prover's secret is (s1, s2) such that Z = −s1.P1 − s2.P2. The steps of the protocol are: the prover picks ri ∈ {0, ..., n − 1}, i = 1, 2, and sends X = r1.P1 + r2.P2 to the reader. The reader picks a number e ∈ [1, 2^t] and sends it to the prover. The prover computes yi = ri + e.si, i = 1, 2, and sends them to the reader. The reader checks whether y1.P1 + y2.P2 + e.Z = X, by computing y1.P1 + y2.P2 + e.Z and comparing it to X. If they are equal, then the reader accepts, else it rejects.

MapToPoint Algorithm [27]: Let p be a prime such that p ≡ 2 (mod 3) and p = 6.q − 1, and let E be a supersingular curve.

1 - Compute y0 = H(ID) and x0 = (y0^2 − 1)^((2p−1)/3) (mod p).

2 - Let Qi = (x0, y0) ∈ E/Fp, and set QID = 6.Qi. Then QID has order q as required.
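As an added example that is not the paper's code, the following Python runs the Section III.B Okamoto identification protocol end to end on a constructed toy curve, y^2 = x^3 + x + 1 over F_23, whose point count 28 = 4·7 gives n = 7 and cofactor h = 4 (values assumed here from the Section III.A point count). It shows the accept case and a reject for a prover who answers with a wrong secret.

```python
import secrets

# Toy curve E: y^2 = x^3 + x + 1 over F_23, constructed for this example (not from the paper).
# #E(F_23) = 28 = 4 * 7 (the Section III.A point count), so n = 7 and the cofactor h = 4.
P_TOY, A_TOY, B_TOY, N_TOY, H_TOY = 23, 1, 1, 7, 4


def ec_add(P, Q, a, p):
    """Affine addition on y^2 = x^3 + ax + b over F_p; None represents the point at infinity O."""
    if P is None:
        return Q
    if Q is None:
        return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return None                                  # Q = -P (also doubling a point with y = 0)
    if P == Q:
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)


def ec_mul(k, P, a, p):
    """Double-and-add scalar multiplication for k >= 0."""
    R = None
    while k:
        if k & 1:
            R = ec_add(R, P, a, p)
        P = ec_add(P, P, a, p)
        k >>= 1
    return R


def ec_neg(P, p):
    return None if P is None else (P[0], (-P[1]) % p)


def point_of_order_n(p, a, b, h, x_start):
    """First curve point with x >= x_start, times the cofactor h, so it lies in the order-n subgroup."""
    for x in range(x_start, p):
        rhs = (x ** 3 + a * x + b) % p
        for y in range(p):
            if y * y % p == rhs:
                R = ec_mul(h, (x, y), a, p)
                if R is not None:
                    return R
    raise ValueError("no point of order n found")


def okamoto_params():
    """System parameters (q, FR, a, b, P1, P2, n, h) of Section III.B, here on the toy curve."""
    P1 = point_of_order_n(P_TOY, A_TOY, B_TOY, H_TOY, 0)
    P2 = point_of_order_n(P_TOY, A_TOY, B_TOY, H_TOY, 1)  # in practice log_P1(P2) must be unknown
    return {"p": P_TOY, "a": A_TOY, "P1": P1, "P2": P2, "n": N_TOY, "h": H_TOY}


def okamoto_public(prm, s1, s2):
    """Prover's public value Z = -s1.P1 - s2.P2."""
    a, p = prm["a"], prm["p"]
    return ec_neg(ec_add(ec_mul(s1, prm["P1"], a, p), ec_mul(s2, prm["P2"], a, p), a, p), p)


def okamoto_commit(prm, r1, r2):
    """Prover -> reader: X = r1.P1 + r2.P2."""
    a, p = prm["a"], prm["p"]
    return ec_add(ec_mul(r1, prm["P1"], a, p), ec_mul(r2, prm["P2"], a, p), a, p)


def okamoto_respond(prm, s, r, e):
    """Prover -> reader: y_i = r_i + e.s_i (mod n), i = 1, 2."""
    return tuple((ri + e * si) % prm["n"] for ri, si in zip(r, s))


def okamoto_verify(prm, Z, X, e, y):
    """Reader accepts iff y1.P1 + y2.P2 + e.Z == X."""
    a, p = prm["a"], prm["p"]
    lhs = ec_add(ec_mul(y[0], prm["P1"], a, p), ec_mul(y[1], prm["P2"], a, p), a, p)
    return ec_add(lhs, ec_mul(e, Z, a, p), a, p) == X


def okamoto_session(prm, secret, t=8, r=None, e=None):
    """One protocol run; r and e are drawn at random unless fixed for a reproducible test."""
    n = prm["n"]
    r = r or (secrets.randbelow(n), secrets.randbelow(n))
    e = e or 1 + secrets.randbelow(2 ** t)           # reader's challenge e in [1, 2^t]
    Z = okamoto_public(prm, *secret)
    X = okamoto_commit(prm, *r)
    return okamoto_verify(prm, Z, X, e, okamoto_respond(prm, secret, r, e))


if __name__ == "__main__":
    prm = okamoto_params()
    print("honest prover accepted:", okamoto_session(prm, (2, 3)))
```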
C. Bilinear Pairing: This section briefly describes the bilinear pairing and the BDHP and CDHP assumptions. Let G1 and G2 denote two groups of prime order q, where G1 is an additive group that consists of points on an elliptic curve, and G2 is a multiplicative group of a finite field. A bilinear pairing is a computable bilinear map between two groups, which could be the modified Weil pairing or the modified Tate pairing ([27], [28]). For our proposed architecture within this paper, we let e : G1 × G1 → G2 denote a general bilinear map which has the following four properties:

1 - Bilinear: if P, Q, R ∈ G1 and a ∈ Zq*, then e(P + Q, R) = e(P, R).e(Q, R), e(P, Q + R) = e(P, Q).e(P, R) and e(aP, Q) = e(P, aQ) = e(P, Q)^a.

2 - Non-degenerate: there exist P, Q ∈ G1 such that e(P, Q) ≠ 1.

3 - Computability: there exist efficient algorithms to compute e(P, Q) for all P, Q ∈ G1.

4 - Alternative: e(P, Q) = e(Q, P)^(−1).

Definition 1 - The bilinear Diffie-Hellman problem (BDHP) for a bilinear pairing is defined as follows: given P, aP, bP, cP ∈ G1, where a, b and c are random numbers from Zq*, compute e(P, P)^(abc) ∈ G2.

BDHP assumption: The BDHP problem is assumed to be hard, that is, there is no polynomial time algorithm to solve the BDHP problem with non-negligible probability.

Definition 2 - The computational Diffie-Hellman problem (CDHP) is defined as follows: given P, aP, bP ∈ G1, where a and b are random numbers from Zq*, compute abP ∈ G1.

CDHP assumption: There exists no algorithm running in polynomial time which can solve the CDHP problem with non-negligible probability.

D. MapToPoint/Curve Function: A trusted Key Generation Center (TKGC) chooses two prime order groups G1 and G2. Next, TKGC selects a cryptographic hash function denoted by h, where h : {0, 1}^l for some l. Then it picks a random number s ∈ Zq* as its private key and computes its public key Ppub = sG, where G is a generator of G1. For a user Ui whose identification information is IDi, TKGC maps IDi onto a point on G1 using the MapToPoint function. The

IV. RELATED WORK

In this section, we briefly highlight existing research that has influenced our work with attribute-based authentication, security, and trust.

Basic Related Work: Recently, many papers have been published to address mechanisms designed against security and privacy threats, and trust, in pervasive computing environments. However, most of these designs fall in the scope of establishing a general security framework identifying general security and privacy requirements. Some of these efforts focused on designing security infrastructures to protect users' personal information, such as the Mix-Network architecture, the Mist system, the Aware Home Architecture, Solar, etc. Others focused on designing identity management approaches. Some efforts focused on providing privacy control through integrating privacy preferences (P3P), policies and context-aware systems. Various trust management strategies, including trust negotiation and trust establishment, have been proposed to prevent unauthorized disclosure of any relevant information that can be used for inferring sensitive credentials. In [1], ABI-CHAR et al. provide a full exhaustive comparison study of the most important relevant works. In the table below (Table I), we compare some of the most important features of the schemes described in [1]. The comparison is done based on privacy and security related features. The features covered are Trust Management (TM), Context-Awareness (CA), Mutual Authentication (MA), User Context Privacy (UCP), Non-Linkability (NL), Data Confidentiality and Integrity (DCI), Differentiated Service Access Control (DSAC), Level of Anonymity (LA), Quality of Privacy (QoP), and Risk Awareness (RA). From this table, we can deduce that much research still needs to be done concerning privacy, trust, and security. Moreover, according to [1], none of the above schemes provide quality of service (QoS). To overcome these limitations, a deep study is required and a cohesive model should be created to reflect the user's real world and their perception of privacy, trust, and risk in different situations and environments.

TABLE I. PROTOCOL SECURITY FEATURES COMPARISON (P.: partially, H.: high, M.: medium, N.A.: not available)

Scheme          MA    UCP   NL    LA    DCI   DSAC  CA    TM    RA
Mist [6]        P.    N.A.  Yes   H.    Yes   No    No    No    No
Aware H. [9]    Yes   Yes   N.A.  N.A.  Yes   No    No    No    No
Solar [8]       N.A.  No    N.A.  N.A.  N.A.  N.A.  No    No    No
PawS [10]       P.    Yes   N.A.  H.    Yes   No    Yes   No    No
Jend 02 [7]     No    No    No    M.    No    Yes   No    No    No
He 04 [5]       Yes   Yes   No    M.    No    No    Yes   No    No
Ren 05 [48]     Yes   Yes   P.    H.    Yes   Yes   Yes   No    No
Ren 06 [49]     Yes   Yes   P.    H.    No    Yes   Yes   No    No
Kim 07 [4]      Yes   Yes   Yes   H.    Yes   Yes   Yes   No    No
Ren 07 [50]     Yes   Yes   Yes   H.    Yes   Yes   Yes   No    No
FIRE 04 [45]    No    Yes   N.A.  N.A.  N.A.  No    Yes   Yes   No
Dim. 06 [43]    No    N.A.  N.A.  N.A.  Yes   No    Yes   Yes   Yes
Yuan 07 [42]    No    No    N.A.  N.A.  N.A.  No    No    Yes   Yes
Xu 07 [41]      No    Yes   N.A.  N.A.  N.A.  N.A.  Yes   Yes   No
Uddin 06 [44]   No    Yes   N.A.  N.A.  N.A.  N.A.  Yes   Yes   No
Ries 05 [46]    No    No    N.A.  N.A.  N.A.  N.A.  Yes   Yes   Yes
Yuan 04 [47]    No    No    N.A.  N.A.  N.A.  N.A.  No    Yes   Yes
Dim. 08 [39]    No    Yes   N.A.  N.A.  N.A.  N.A.  Yes   Yes   No
Mohan 08 [40]   No    Yes   N.A.  N.A.  N.A.  N.A.  Yes   Yes   No

Closely Related Work: The authors in [11] have defined a model that uses contextual attributes to achieve an approach to authentication that is better suited for dynamic, mobile computing environments. They examined the use of trusted platforms to provide assurances for these contextual attributes. Although the authors claimed that their model provides a seamless and flexible user experience that can protect privacy and reduce administrative overhead, it does not provide trust and reasoning, and there is no mention of how to protect privacy (i.e. user, attribute, and data privacy). Marc Langheinrich [10] introduces a privacy awareness system that allows data collectors to both announce and implement data usage policies. The announced data collections of each service and their policies are delegated by a mobile privacy assistant to a personal privacy proxy residing on the platform, which interacts with the corresponding service proxies and inquires about their privacy policies (Privacy Beacon). Corner et al. [12] describe Transient Authentication as a means of authenticating users with devices through a small, short-ranged wireless communications token. This research is limited to the use of location-based context (i.e. proximity) as an attribute in authentication. A similar approach is taken by Glynos et al. [14], where they combined traditional authentication with a limited set of contextual information used to identify users. Another similar approach is taken by Covington et al. [15], where they also used a limited set of attributes to perform the authentication process. However, we have presented a more generic approach that allows any attributes to be used for authentication. Creese et al. [13] present a general overview of security requirements for authentication in pervasive computing and discuss how traditional authentication does not fit these requirements. Although they discuss authentication of entities using attributes, they did not present a framework for authentication as we have done. In [15], the authors present a service provision mechanism which can enable effective service provision based on a semantic similarity measure with the combination of user profiles and situation context in a WLAN-enabled environment. The paper suggests the combination of user profiles and contextual information to provide a more pervasive service experience in smart assistive environments with mobile devices. Behzad et al. [16] propose a framework to construct a context-aware authentication system. Although the framework is flexible and privacy preserving, it is not context-aware user authentication and supports neither user trustworthiness evaluation nor user role assignment. Moreover, the framework is designed to be applicable to ad-hoc networks, does not provide users a way to control attributes, and is not suitable for static environments where users may be holding RFID tags only. In [17], the authors propose an authentication scheme for a mobile ubiquitous environment, in which the trustworthiness of a user's device is authenticated anonymously to a remote Service Provider (verifier) during the service discovery process. However, the scheme does not provide support for contextual information, and does not support fuzzy private matching.
V. TOWARDS A NEW SOLUTION

Here, we outline our proposed authentication-based privacy enhancing infrastructure. Our framework is based on context-aware authentication, context-aware access control and the use of attributes-based private set intersection and trust evaluation engines. Our framework is a layered architecture that discriminates service providers (context consumers), the authentication process, the access control process, service receivers (context producers) and the borders that separate these processes. The figure below (Figure 1) shows the process of granting access to resources with the help of user and resource attributes. Attributes can contain identity and profile information (i.e. the user's profile).

Fig. 1. Context-Aware Framework (figure not reproduced; its labels: users with RFID tags, PDAs or smart cards request access to resources; Authentication Broker with User Attributes Assignment and Resource Attributes Assignment; Policy Decision Broker, which retrieves definitions; Trust/Risk Brokers on both sides; A.G. and A.D.)

In our framework, we design an integration scenario where mobile subjects (i.e. users) carrying RFID tags and/or PDAs receive pervasive services according to their identity and real-time context information environments. The cornerstone of our framework is the flexibility to provide authentication and access control for independent and dependent (with a special need) people, both at the context level and where privacy is preserved. Moreover, our framework provides a distributed infrastructure that allows the tracking of the context in a real-time manner. In the following sections, we detail the functionality of these components and describe how they interact with one another. A high-level overview of these logical components and how they interact is given in the following figure (Figure 2).

Fig. 2. A High-Level View (figure not reproduced; its labels: Client, Access Server, Attributes-Based Advertise Engine, Service Provider, Auth. Platform Engines, AC Platform Engines, Context Manager, Context Trustworthy Server, Sensors Layer, Platform Layer Interface; message flow: Adver. Services (1), Request Attributes (2.1), Provide Attributes (2.2), Access Request (2.3), Request Auth. Process (3), Request Reply (4), AC Process Req. (5.1), A.C. Req. Reply (5.2), Access Decision (5.3))

Our model is based on contextual information obtained from a distributed network of sensors. In the following we will detail the functionality of these components.

VI. CONTEXT-BASED AUTHENTICATION SCHEME

The dynamic nature of a context-aware environment necessitates a very active, flexible authentication mechanism that allows users to securely authenticate and access services with a reasonable level of trust while privacy is preserved. Our framework consists of an access process which combines the authentication and access control processes, both at the context-aware level. The authentication process (Figure 3) contains a trust process (Figure 4), where the trustworthiness parameter values are computed in order to provide access to users, and contains a private set intersection process (PSI). In the following sections, we detail the functionality of these processes and describe how they interact with one another.

In this section, we present the access process architecture scheme. The figure below (Figure 3) shows the authentication process architecture. The purpose of the access process is to provide authentication and access control according to the user's profile and environment (attributes-based authentication and access control), and then to establish a secure communication link between entities, whilst preserving the privacy of users. Moreover, we will introduce context-aware based user trustworthiness and a role's required trustworthiness, and show how to improve user assignment and role activation.

Fig. 3. The Authentication Architecture Process (figure not reproduced; its labels: Client's Attributes, Set A (TL, UA), Set B, UBAE, PSIE, TE, Trust Policies Proxy Engine, Platform's Attributes Provider 1 and 2, Services Proxy, Identity-Based Encrypt. Protocol, Authentication Process, Decision)

Our framework is composed of various mechanisms that altogether yield a flexible, scalable context-aware based authentication. In our model, confidence and trust are defined based on each user's contextual information. First, we introduce the system parameters initialization used for the protocol process. Next, we state the different phases upon which the scheme is based. Finally, we describe the operation of the architecture.

A. The Scheme Parameters Initialization: Our infrastructure involves a context-based authentication process, a context-based access control process, a trusted key generation center (TKGC), embedded devices (EDs), inference engines (IEs), Service Providers (SP), and users denoted by (Ui). The trusted Key Generation Center (TKGC) chooses two groups G1 and G2 of prime order q. q is a prime which is large enough to make solving the discrete logarithm problem in G1 and G2 infeasible. The TKGC chooses G as a generator of G1, chooses the Map-To-Point/Curve function H and chooses e, where e is the bilinear pairing map. The TKGC computes PTKGC = s.G, where s ∈ Zq* is the TKGC's private master key, and keeps s secret. We define each user as Ui = <ID, AKra>, where ID is the user's identity information and AKra is the set of assigned keys corresponding to the roles assigned to the user, defined as AKra = {KIDr1, ..., KIDrn}. For each user Ui to be registered, TKGC calculates Qi, where Qi is the user's partial public key with Qi = H(IDi), determines Ui's partial private key Si = s.Qi, and calculates QSP, QPSI and QTE, which are the framework entities' partial public keys. Moreover, the TKGC calculates a user's or an entity's public key [30] as PU = xu.PPub = xu.s.G, where xu ∈ Zq* is generated on the user's or entity's behalf. In addition, we define a role as a set of pairs of public and private keys belonging to the role. Each role is represented as r = <rpub, rpriv>. When a role ri is added to the system, TKGC picks a random rpki as ri's private key and sets RPKi = rpki.G as ri's public key. To assign the role ri to a user with an identity ID, the TKGC checks the user ID, computes QID = H(ID), and generates the user's assigned key KIDri corresponding to ri with KIDri = rpki.Q(ID), where rpki is ri's private key. Finally, TKGC sends Si, Pi, Z and the set Q = {QSP, QPSI, QTE} to the user via a secure channel. The User-Based Authentication Engine (UBAE) manages and stores, for each user Ui with an ED, a record consisting of <Qi, Si, s1, s2>, where (s1, s2) is the prover's secret. The table below (Table II) shows the mathematical parameters that are to be used in our proposed framework.

a comprehensive high level overview of our framework model.

Join Phase: The purpose of this phase is to automatically provide services to users through a context-based provision process. In our attributes-based authentication, we aim to have a service provision framework that combines users' profiles and contextual information to select appropriate services for the end users from thousands of desultory services. In order to achieve our contributions, we first adopted the framework proposed by Qin et al. [31], which automatically provides appropriate services to the right person in the right form with relevant consideration of contextual information in a smart environment. Moreover, we took the assumption that the proposed protocol in [31] is extended to add two new context type fields which will be executed during the provision process. The first context type is related to users with special
needs equipped with a body network sensor. This context type TABLE II
is collected by a
EC M ATHEMATICAL N OTATIONS Index
T KGC G1 G2 G Ppub s
An additive group with prime order
in well selecting services. Once, the service provider,
q
we can go a step forward to start the Authentication
G1 T KGC , Ppub = s.G Zq∗ by T KGC , s is kept
it is chosen from
IDi ∈
The long term private key of user i,
s.H(IDi ),
where
H
the exchange of service advertisement and service reply
1 ≤i≤ n Qi =
messages between the user and service provider. To avoid
is a Map function
A map to curve algorithm where an ID is
e
G1
the
communication
overheads,
we
incorporate
messages. In other words, service discovery and authentication can take place concurrently. We now examine how these
denote a bilinear pairing map
large prime numbers, where
increasing
our extended previous authentication mechanism into these
Hash function mapped into a point on
Authentication Phase: Service discovery typically involves
{o, 1}∗
The long term public key of user i,
e p, q P, Q a, b E B x(Q)
P hase.
The public key of
The identity of the user i,
H 1 , H2 H
SP ,
has initiated the context-aware service provision process,
An multiplicative group with prime order q
secret
IDi Si Qi
adapter and translated to the provision
related to a meta classication process which will be helping
Explanation The trusted key generation center
A generator of
BN S
protocol in order to be proceeded. The second context type is
messages are constructed to achieve our aim of attributes-
p = 2.q + 1
based authentication.
Random points over elliptic curve Random generated private keys
=⇒W ithin T he F irst Round,
non-supersingular elliptic curve
B ∈ E(Fq ) with order q x coordinate of point Q
(From:
SP −→ ED):
Our Attributes-based authentication model will start with a service provider engine advertising available context-aware
In the following, we will propose our model to achieve
services to the end user, clients
Ci ,
as indicated in (1).
attribute-based authentication. In our architecture, end-users
SP
can interact with the infrastructure (e.g. walking into a room, entering the subway system using smart phone, PDA, etc).
Advertise Context Aware Services
−−−−−−−−−−−−−−−−−−−−−−−−−−−−→
Ci
(1)
The infrastructure provides a set of resources generally tied
For example, a location-based service allow providers to
to different geographical areas, such as printers, surveillance
advertise its services to any user within a certain acceptable
cameras, campus-based location tracking functionality, and
proximity. The advertised service announcement contains the
so on. These resources are all modelled as services that
following: A
can be automatically discovered based on different relevant
could allow a client
mechanisms which are out of our band. Our Authentication scheme involves two distinct phases: the the
M utual Authentication P hase.
various
interactions
that
take
place
Join P hase,
U niversal Resource Locator, (U RL), that Ci to locate and access the advertised access. Authentication Requirements (AR), allowing clients
and
to package its access request with the necessary authentication
We will describe the
credentials and contextual information. The exchange of trafc
between
between the service provider
the
entities
SP ,
the user
Ui ,
and inference
described in our logical system model. later, we will show
engines is based on an extension for our previous work [32].
how are framework is exible in a way that it could be
For the
applicable for different authentication scenarios, starting with
advertisement message, he will be performing the following:
a simple RFID or smart card each alone, simple PDA or smart
The
phones, and a combination of two of these embedded devices
nonce
(i.e, RFID and PDA). We refer our readers to (Figure 2) for
SP starts the protocol by generating two fresh random nonces r1 and r2 ∈ Zn, then calculates the point X, where X = r1 × P1 + r2 × P2. Next, SP constructs the service advertisement message as in (2):

    Adv = (Q_SP, (S1, S2, ..., Sn), X)    (2)

where {S1, S2, ..., Si} represents the set of available suitable context-aware services defined in the first phase (Join Phase). Finally, the service provider encrypts and sends the Adv message to the embedded device ED, as given in (3):

    SP → Ci : E_Ke(Q_SP, (S1, S2, ..., Sn), X, URL)    (3)

In our framework and hereafter, any two entities denoted by X and Y can directly compute a partial private shared key between them without exchanging any previous message. Based on one's own partial private key and the other party's partial public key, they can directly compute the shared key as follows. We denote their partial private key/public key by Sx = s.Qx, where Qx = H1(IDx), and by Sy = s.Qy, where Qy = H1(IDy). Now the nodes X and Y compute K_x/y = e(Sx, Qy) and K_y/x = e(Qx, Sy) respectively. Finally, the private shared key is Ke, where

    K_X/Y = H2(K_x/y) = H2[e(Qx, Qy)^s] = H2(K_y/x) = K_Y/X = Ke    (4)

This approach is very efficient in terms of communications and computations, and this feature makes it very attractive to environments where the entities' capabilities are limited.
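To make the shared-key derivation of equation (4) concrete, here is an added Python example (not code from the paper) that runs both sides' computation with a toy bilinear map built from the p = 2.q + 1 shape of Table II; the map, the tiny parameters and the identities are constructed stand-ins, so it illustrates the algebra (and why the master key s is needed), not a secure instantiation.

```python
# Added example: equation (4), K_X/Y = H2(e(S_x, Q_y)) = H2(e(Q_x, S_y)),
# executed with a toy bilinear map so the identity can be checked.
import hashlib
import secrets

# Toy parameters: p = 2q + 1; G1 is the additive group Z_q (a "point" is an
# integer, generator G = 1); G2 is the order-q subgroup of Z_p^*, generated
# by 2.  Chosen for readability only: discrete logs in Z_q are trivial, so
# nothing here is cryptographically secure.
Q = 11
P = 2 * Q + 1          # 23
G2_GEN = 2             # 2^11 = 2048 = 89*23 + 1, so 2 has order 11 mod 23


def toy_pairing(x, y):
    """Toy e: G1 x G1 -> G2, e(x, y) = g^(x*y).  Bilinear: e(a*x, y) = e(x, y)^a."""
    return pow(G2_GEN, (x * y) % Q, P)


def h1(identity):
    """H1: map an identity string to a non-zero element of G1 (Map-To-Point stand-in)."""
    digest = hashlib.sha256(identity.encode()).digest()
    return int.from_bytes(digest, "big") % (Q - 1) + 1


def h2(g2_element):
    """H2: derive the symmetric key K_e from a G2 element."""
    return hashlib.sha256(g2_element.to_bytes(2, "big")).digest()


def tkgc_master_secret():
    """TKGC chooses s in Z_q^* (s = 1 excluded so the demo is not degenerate)."""
    return secrets.randbelow(Q - 2) + 2


def extract_partial_keys(s, identity):
    """TKGC: partial public key Q_x = H1(ID_x), partial private key S_x = s.Q_x."""
    q_x = h1(identity)
    s_x = (s * q_x) % Q
    return q_x, s_x


def shared_key(own_partial_private, peer_partial_public):
    """Each side computes K_e = H2(e(S_own, Q_peer)); no message is exchanged."""
    return h2(toy_pairing(own_partial_private, peer_partial_public))


def demo(s=None):
    """Two entities (constructed identities) derive the same K_e; a party that
    holds only the public Q's, i.e. without s, ends up with a different value."""
    if s is None:
        s = tkgc_master_secret()
    q_x, s_x = extract_partial_keys(s, "user-x@example")
    q_y, s_y = extract_partial_keys(s, "psi-engine@example")
    k_xy = shared_key(s_x, q_y)                 # K_x/y = H2(e(S_x, Q_y))
    k_yx = shared_key(s_y, q_x)                 # K_y/x = H2(e(Q_x, S_y))
    k_without_s = h2(toy_pairing(q_x, q_y))     # only e(Q_x, Q_y), missing the ^s
    return k_xy, k_yx, k_without_s


if __name__ == "__main__":
    a, b, c = demo(7)
    print("K_X/Y == K_Y/X:", a == b, "| same key without s:", a == c)
```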
⇒ Within The Second Round (From: ED → SP):
After receiving the advertised service announcement, the client Ci decrypts the message and retrieves the credentials. Suppose that the client is interested in an advertised service Si (i.e., Ci requests access to Si to perform an operation O from the service provider); it then performs the following. As Si is a context-based resource, Ci is prompted to present not only identity credentials but also all the required contextual information, and to bundle them with the access request that is sent to SPi. In our attribute-based authentication model, authentication requirements are dynamic and can vary dramatically from one access to the next. Moreover, we do not expect that all attributes will be generated solely by the platform. Our model provides the client with the option of collecting contextual information attributes from a trusted third party, the attribute provider AP. The client sends a request-attributes message to an attribute provider AP in order to retrieve the attributes needed to fulfil the access request. However, we may have an attribute provider service that allows clients to request attributes from different service providers. The client constructs the request message as given in (5):

    Ci → APi : Q_Ui, Requested-Attributes    (5)

After requesting attributes from the AP, the attribute providers supply this contextual information (i.e., via a reply message) to the client seeking to collect the relevant information that can be used in its exchange with the service provider. The reply message is as given in (6):

    APi → Ci : E_Ke(A_AP1, A_AP2, ..., A_APn)    (6)

where A_APi is the relevant set of context that describes the user's environment. When an AP is introduced in the infrastructure, the access request itself must be altered to include information that was provided by the AP. Context-aware providers publicize to their users information such as positions, roles, activities, etc. The validity of these data is verified by introducing a Context Trustworthy Engine, CTE, in our framework. It is the role of the authentication broker, using the CTE, to validate these data before starting the authentication process. After receiving the relevant reply message from the AP, the client decrypts the message and retrieves the data. Whenever the user receives the set of contextual information from the attribute provider(s), he performs the following: The queried ED selects the role or the corresponding set of roles SR = {r1, r2, ..., rh}, generates the message Q and calculates the signature Sig_Q on Q, with Q = Si | SR | per, where per is the permission that the user wants to enforce. Sig_Q is denoted by <U, V>. In addition, ED generates two fresh random nonces f and a, where f ∈R Z_(2^t) and a ∈ Zq*, and calculates T_ED, where T_ED = a.G. For a static context-less system, the user computes (Rx, Tx), where (Rx, Tx) is the signature pair over the user's private key Si. This (Rx, Tx) replaces the couple <U, V> in equation (8) for the protocol run. Finally, the client packages all the collected attributes encrypted (i.e., the user's profile and the environment's attributes) with the needed information, to be sent to the service provider for the authentication process. Let us assume that a user, Ui, has received the set of context-data A from a context provider CPi. Therefore, the set A, given as in (7), denotes all the attributes that the user Ua may present to set her rules in the authentication process:

    A = {A_Ci, A_APi} = {a1, ..., ai, b1, ..., bj} = {ca1, ..., cai, cai+1, ..., caj} ⊆ D    (7)

where D is the reference set that contains all the attributes a user may hold or the context data received, and ca represents the context data collected. Hereafter, these attributes are mapped into integer numbers cai for i = 1, 2, 3, ..., l; that is, ca1 is a number representing Name, ca2 is a number representing Location, and so on. Finally, the client packages the final required set of context and attributes that the service provider may use for the authentication process and constructs the message as described in (8):

    Ci → SPi : E_Ke(Q_Ci, (S1, ..., Sn), E_KU/PSI(A)), f, <U, V>    (8)

Our model is very flexible in that the service provider engine may accept or refuse a subset of attributes in A corresponding to different levels of confidence. If the user can present all attributes in A required by the service provider in order to access for identification, full confidence is achieved; otherwise the confidence level depends both on the PSI's reasoning and on the computing process of the user's and role's required trustworthiness requirements. In the next section, we demonstrate how our scheme can be combined with Timed Fuzzy Logic [33] in order to set a threshold under uncertainty and to account for changes in context-data.

Once the PSI determines the verification process of these attributes provided on behalf of the client, it passes the authentication credentials and attributes to the relevant engines that will complete the processing of the client's access request. Each engine starts its own process as follows:

⇒ Within The Third Round (From: SP → IEs):
The service provider now has an authentication package, containing the requested context attributes, that was provided by the client. The first step requires the SP to decrypt the encrypted message and retrieve the data in order to determine the source and authenticity of these attributes provided by both Ui and AP, and later on to complete the authentication process. Once the service provider has retrieved the data set from equation (8), the authentication process is performed as follows: The service provider sends the encrypted set A, where A = {ca1, ca2, ..., caj}, to both the PSIE and TE engines, and sends B = {<U, V>, f} to the UBAE engine.
The service provider's platform is composed of two main brokers: the authentication process and the access control process. Each of these brokers contains different relevant engines that, interacting altogether, provide a flexible and scalable context-aware authentication framework. For the authentication broker, we have the following engines: a Private Set Intersection Engine (PSIE), a Trust Engine (TE), and a User-Based Authentication Engine (UBAE). We also have an Identity-Based Encryption Engine (IBEE) that is responsible for setting a shared secret key for secure future communications. The PSI engine interacts with the IBE protocol in order to calculate the shared secret key. Moreover, the CTE engine interacts with the PSI engine to accomplish the attribute verification process. Therefore, our authentication process decision is based on the output of these three engines. The description of these engines and their interacting process is given in the coming section.

Description of The PSI Engine: One new component that is added to our architecture is the notion of a Private Set Intersection Engine (PSIE). PSI are cryptographic techniques allowing two or more parties, each holding a set of inputs, to jointly identify the intersection of their input sets (i.e., shared context), without leaking any information about the credentials that each entity might have. Nevertheless, both entities, the prover and the verifier, need to protect their credentials from each other. Moreover, any entity awaiting to be authenticated by a server has to establish enough confidence in it and be able to present the required attributes. Therefore, the conditions that the server sets for authentication become extremely valuable, as they determine the reasoning mechanisms in the authentication protocol. To keep a high level of security, the server needs to keep those attributes private. For this purpose, we make use of Private Set Intersection (PSI). Once the PSIE receives and extracts/decrypts the set A of attributes and, upon the sender's selected service Si, the PSIE initializes a PSI protocol over the two sets A and S_Si, where S_Si = {S_Si1, S_Si2, ..., S_Sij} represents the needed set of contextual information defined by the service Si administrator's deployment. The S_Si set resides on a Services Proxy Server (SPS), and the PSI protocol is initialized between the PSI engine and the SPS. There are many PSI protocols in the literature. We adopt the one that was chosen by ([33], [34]) since it has a provision for approximate matching, referred to as Fuzzy Private Match. The PSI Inference engine performs two kinds of tasks: First, it gives a level of confidence when a user is in an authentication process. It makes use of authentication contextual information to assign the confidence level. Second, it evaluates Fuzzy Logic Matching protocol queries from applications about whether a certain entity is allowed to access a certain entity's resources. It makes use of application-specific contextual information, credentials of the entity, and a Fuzzy Private Matching Protocol to decide whether a certain entity is authenticated and has access to resources. For convenient readership, we urge our readers who want to go deeper in the theory of PSI and to get acquainted with the principles of PSI theory to refer to ([3], [33]). Moreover, the PSI engine also interacts with the Identity-Based Encryption protocol to calculate the secret shared key. This step is discussed in the description of the IBE protocol below.

⇒ Within The Fourth Round (From: IEs → SP):
Upon receiving the encrypted messages from the service provider, the PSI starts the attribute verification process. To verify the source of the AP's attributes, we have introduced the Context Trustworthy Engine (CTE), which is responsible for verifying all attributes provided by the AP(s) and other contextual information provided by the client (i.e., in the case of an RFID or a smart card, and of a client with special needs). The interactions (9) and (10) show the PSI requesting the CTE to verify the validity of the attributes cai:

    PSI → CTEi : E_Ke(Q_SPi, (ca1, ca2, ..., caj))    (9)

    CTEi → PSI : E_Ke(Q_CTEi, (Verification result))    (10)

Description of The Identity-Based Encryption Protocol: IBE removes the need to set and exchange certificates, as the message can be encrypted based on the identity of the entities. The identity can be defined as a location, name, email address, time, ... or a combination of them. The combination of them could be referred to as the context data. For convenient readership, we urge our readers to refer to [35]. In the following, we describe the details of how the PSI interacts with the IBE protocol in order to calculate the shared secret key. From the PSI, let A ∩ S_Si be the intersection set of A and S_Si defined above, A ∩ S_Si = {d1, d2, d3, ..., di}, where di denotes the context shared between the user and the service provider. Finally, the IBEP calculates

    T_SP = (Σ di).G    (11)

and sends T_SP to the PSI engine.

Description of the Trust Engine: Another new component that is added to our architecture is the notion of a Trust Engine (TE). To trust pervasive computing, we must be able to manage privacy, confidentiality, availability, and controlled access to digital information as it flows through the systems. In the following, we describe the Trust process architecture. Figure 4 shows the Trust process design architecture. Our ultimate goal is to provide a trust model that is flexible and adaptive for application scenarios and environments. This approach could be solved using the concept of fuzzy-based trustworthiness.

Fig. 4. The Trust/Risk Process Architecture. (Blocks: Trust Parameters: User Context and Roles Permissions; Trust Evaluation Modular with TL Parameter and RT Parameter; Risk Parameters and Risk Evaluation Modular; Trust Decision Modular: Is UA Level Acceptable; Authentication Process Decision. UA: User Assignment; TL: User Trust level; RT: Role Required Trustworthiness.)

In this section, a dynamic trust model is formally introduced to incorporate trust strategies in order to first build up the user's and role's required trustworthiness level and then the trustworthy value. There are several ways and approaches to design trust models. The component-based approach is chosen for our model design because it can be implemented in a distributed way and be extended easily and transparently (i.e., to include later the Risk Assessment Engine). During a real-time trust management process in pervasive computing environments, the trust information may come from different resources at any time. Therefore, our adopted trust model is designed to be able to evaluate the trust information concurrently. Using this approach, the trust engine derives the trustworthiness level of a user, UT, and the role's required trustworthiness, RT, by using the user's attributes and the role's permissions, respectively. The user assignment UA level is determined based on the trust level UT in comparison with the trust level RT. Our trust model is based on the trust policies, the environment contextual information, and the users' roles permissions. As a cognitive process, trust is complex and fuzzy. That is, for a special context, we cannot easily make a decision about whether to trust an entity or distrust it. Therefore, our Trust evaluation engine is adopted as a combination from ([36], [37]), where a trust model is provided by integrating trust into a fuzzy logic-based trusted decision upon building the trustworthiness prediction. For convenient readership of this work, we briefly describe the trust model process here: Trust establishment can be thought of as a process that identifies or verifies the principal's claim against the trust evidence. Trust evidence, Tev, is further classified into the following categories: credentials, the context of the environment, and behavior records. We denote Tev = {Tc, Tce, Tbr}. We define the user trust level, UT, of the user by a function, F, as given in (12):

    UT = Fres(Tp, Tev) = F(Tp, Tc, Tce, Tbr)    (12)

where Fres is the function of the trust level of the client to access the resource and Tp is the set of trust policies for the resources. In our definition, the trust level of the user, UT, for accessing the resource in the system is determined by evaluating the trust evidence against the trust policies for the resource, and the user assignment, UA, is evaluated based on UT in comparison with RT. For simplicity, we consider Tev = Tattributes = Ta and finally UT = F(Ta). The F, UT, and RT parameters could be calculated using the formal mathematical equations from [36]. Once these parameters are calculated, the trust decision modular evaluates the user assignment UA based on UT in comparison with RT, and packages the final result in order to be sent to the Authentication Process Decision.

Description of the UBA Engine: Moreover, upon receiving the encrypted signature pair message E_Ke(Rx, Tx) from the service provider, the UBA engine decrypts the message, then verifies the signature pair. If it is valid, the UBA engine accepts, and the pair (s1, s2) associated with the authenticated ED is extracted from the database server and encrypted using the Weil-pairing-based encryption algorithm. Finally, the user-based authentication engine packages the encrypted message E_Ke(s1, s2) with the evaluated result in order to be sent to the authentication process decision broker. The authentication process decision takes the decision based on its different engines' evaluations, packages the final output result and sends it encrypted to the service provider.

⇒ Within The Fifth Round (From: SP → ED):
Upon receiving the message from the authentication process decision broker, the service provider first decrypts the message and then evaluates the output. If the result is false, it denies the access request to resources; otherwise, if true (i.e., the user is authenticated, the user trustworthiness parameters are acceptable, and the confidence level is acceptable), the service provider extracts the pair (s1, s2) and then computes

    yi = (ri + (f × si)) (mod n)  for i = 1 and 2    (13)

and starts packaging the following data (yi, with i = 1 and 2) in order to be sent later to the ED.
Meanwhile, as the final decision is evaluated based on both the authentication and access control process decision brokers, the user's access request is also subject to context-aware access control rules, which are discussed in the following.

Context-Based Access Control Process: A key challenge in a ubiquitous environment is the design of effective active access control schemes [36] that can adequately meet the security challenges represented by the system's ability to capture security-relevant contextual information, such as time, location, user's profile, or environmental state available at the time the access requests are made, and to incorporate this information in its access control process. We specify and integrate our own context-aware access control rule definitions to further enhance the security of our proposed authentication-based framework scheme. Moreover, the context directly affects the level of trust associated with a user, and hence the authorizations granted to him. Therefore, we introduce the user trustworthiness and role's required trustworthiness parameters into the design of the context-based access control by incorporating them within the development of the context constraints. In any access control design to be integrated within our framework, we define two sets of context types, passive and active sets. While the authentication process is subject to only the active set, the access control decision is subject to the two sets. A condition on the access control that solves the semantic problem is to check the trust engine parameters UT and UA; if they satisfy the condition, the user is subject to authorization rules and policies based on the available presented attributes. We believe that the introduction of the rule definitions is necessary for providing an adequate authorization decision for any Service Access Request and to accomplish a secure authentication process. In Figure 5, we show our extended access control scheme with the rule definitions.

Fig. 5. Access Control Process. (Blocks: Output from TE; Access Control Scheme; Our extended Definitions Layer; Access control Process Decision.)

Rule Definition 1: Dynamic Adjustment. In our approach, we believe that any pervasive model should dynamically adjust role assignments and permission assignments based on the presented context information. Therefore, we consider the DRBAC concept [38], where each user is assigned a set of roles and the context information is used to decide which role is active at a time. The user accesses the resource with the active role. Moreover, each role is assigned a set of permissions, where the context information is used to decide which permission is active for that role. The system-based context for resources should be taken into consideration, and the security policy for the resources should be able to define a permission transition for a current role.

Rule Definition 2: Context Type. A context type is defined as a property related to every participant in a service. In a simple scenario, a context type may be a concrete property familiar in everyday life, such as time or location. However, in a more complex scenario, we believe that the context type should be extended to describe more attributes, such as the user's capability and/or willingness (i.e., the case of people with special needs equipped with a hidden body network sensor). We define such a context type by CTc. Therefore, based on a complete set of users' context types CTi, we can define that each resource ri has its own context set CS, which is defined as follows:

    CSri = {CT1, CT2, ..., CTc, ..., CTn}    (14)

Rule Definition 3: Context Constraint. We introduce a context constraint as any regular expression that is defined as follows. In our general definition, a context constraint is capable of specifying all kinds of complex context security requirements:

    Context Constraint := CC := Clause1 ∪ Clause2 ... ∪ Clausei, where Clause := Condition1 ∩ Condition2 ... ∩ Conditionj, and where Condition := <CT> <OP> <VALUE>, where CT ∈ CS; OP is a logical operator in the set {>, ≤,
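As an added example (not from the paper), the following Python evaluates a context constraint in the form of Rule Definition 3, CC := Clause ∪ ..., Clause := Condition ∩ ..., Condition := <CT> <OP> <VALUE>, after the trust-engine check of UT against RT that gates authorization; the operators beyond {>, ≤}, the direction of the UT/RT comparison, and the sample resource policy and context values are assumptions constructed here.

```python
# Added example: evaluator for Rule Definition 3 context constraints, gated by
# the UT/RT check.  Operator set, sample role, resource and context values are
# constructed; the paper lists the operator set only partially.
import operator

OPS = {
    ">": operator.gt, ">=": operator.ge, "<": operator.lt,
    "<=": operator.le, "=": operator.eq, "!=": operator.ne,
}


def eval_condition(condition, context):
    """Condition := <CT> <OP> <VALUE>; a CT absent from the resource's context set fails."""
    ct, op, value = condition
    if ct not in context:
        return False
    return OPS[op](context[ct], value)


def eval_clause(clause, context):
    """Clause := Condition_1 ∩ ... ∩ Condition_j (all conditions must hold)."""
    return all(eval_condition(c, context) for c in clause)


def eval_constraint(cc, context):
    """CC := Clause_1 ∪ ... ∪ Clause_i (any one clause suffices)."""
    return any(eval_clause(clause, context) for clause in cc)


def user_assignment_accepted(ut, rt):
    """UA is accepted when UT reaches the role's required trustworthiness RT.
    The >= direction is an assumption; F, UT and RT themselves come from [36]."""
    return ut >= rt


def access_decision(ut, rt, cc, active_ctx, passive_ctx):
    """Trust gate first (UT vs RT), then the constraint over active + passive
    context, since the access control decision is subject to both sets."""
    if not user_assignment_accepted(ut, rt):
        return "deny: UA below role's required trustworthiness"
    context = {**passive_ctx, **active_ctx}
    if not eval_constraint(cc, context):
        return "deny: context constraint not satisfied"
    return "permit"


# Constructed sample policy for a resource "patient-record":
# clause 1: on the ward during the day shift;
# clause 2: on the ward while the body network sensor raises an alert
# (the special-needs context type from the Join Phase).
CC_PATIENT_RECORD = [
    [("location", "=", "ward-3"), ("hour", ">=", 7), ("hour", "<", 20)],
    [("location", "=", "ward-3"), ("bns_alert", "=", True)],
]
PASSIVE_CTX = {"location": "ward-3"}                 # infrastructure-supplied
ACTIVE_DAY = {"hour": 9, "bns_alert": False}         # presented with the request
ACTIVE_NIGHT = {"hour": 23, "bns_alert": False}
ACTIVE_NIGHT_ALERT = {"hour": 23, "bns_alert": True}

if __name__ == "__main__":
    cases = [("day", ACTIVE_DAY), ("night", ACTIVE_NIGHT), ("night+alert", ACTIVE_NIGHT_ALERT)]
    for label, ctx in cases:
        print(label, "->", access_decision(0.8, 0.6, CC_PATIENT_RECORD, ctx, PASSIVE_CTX))
    print("low trust ->", access_decision(0.4, 0.6, CC_PATIENT_RECORD, ACTIVE_DAY, PASSIVE_CTX))
```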