Beruflich Dokumente
Kultur Dokumente
School of Science
Degree Programme of Computer Science and Engineering
Amit Soni
Master’s Thesis
Espoo, September 10, 2012
Amit Soni
3
Abbreviations and Acronyms
4
Contents
1 Introduction 7
1.1 Problem domain and context . . . . . . . . . . . . . . . . . . . 8
1.2 Structure of the Thesis . . . . . . . . . . . . . . . . . . . . . . 8
2 Background 10
2.1 Building automation and control systems . . . . . . . . . . . . 10
2.1.1 Communication protocols in BACS . . . . . . . . . . . 10
2.1.2 Communication frameworks and functional architec-
tures in BACS . . . . . . . . . . . . . . . . . . . . . . . 13
2.2 Access Control . . . . . . . . . . . . . . . . . . . . . . . . . . 15
2.2.1 XACML: eXtensible Access Control Markup Language 18
2.2.2 Kerberos: Centralized authentication system . . . . . . 20
5
5.3.1 Implementation 1: Centralized decision point . . . . . 47
5.3.2 Implementation 2: Hybrid decision point . . . . . . . . 51
6 Evaluation 60
6.1 Memory requirements . . . . . . . . . . . . . . . . . . . . . . . 60
6.1.1 Code size . . . . . . . . . . . . . . . . . . . . . . . . . 60
6.1.2 Policy size . . . . . . . . . . . . . . . . . . . . . . . . . 61
6.2 Performance . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
6.2.1 Time measurements . . . . . . . . . . . . . . . . . . . . 62
7 Discussion 63
7.1 Complexity of the overall architecture . . . . . . . . . . . . . . 63
7.2 Context handling in third-party domains . . . . . . . . . . . . 64
7.3 BACS current and future . . . . . . . . . . . . . . . . . . . . . 64
8 Conclusions 66
A JSON protoype 72
6
Chapter 1
Introduction
7
CHAPTER 1. INTRODUCTION 8
Background
10
CHAPTER 2. BACKGROUND 11
ZigBee: Zigbee [17] is suite of communication protocols for low power wire-
less sensor devices. The ZigBee specification enhances the IEEE 802.15.4
CHAPTER 2. BACKGROUND 12
1. The figure 2.3 describes the architecture of Building Services (BS) pro-
posed by [14]. We see that BS might have to interact with various
external systems e.g. water system, sewer system, power distribution
network, heating network, gas distribution network, alarm network,
mobile network, etc. The top level BACS unit in the figure 2.4 is re-
sponsible for the management, installation, firmware update, and other
high level functionality. The lower level corresponds to the various BS
systems and their interface with the external services as shown in fig-
ure 2.4. The spaces in the building are at the lowest level of the systems
and contain the base module of the BS system (BSS) which commu-
nicates with an interface for external systems, space devices (actual
devices) and the space controller units (for communication with the
management unit). The space controller ( also called BACS) is re-
CHAPTER 2. BACKGROUND 14
sponsible for the control of various devices in the space through its
connection with the management layer. Colored lines describe the ser-
vice flows to and from external sources (e.g. electricity, air and water).
This architecture mainly depicts the functionality of the system but
can be easily seen in combination with the communication frameworks
discussed below.
in [16] is shown in the figure 2.6. It is almost on the line of the previ-
ously discussed functional architecture [14]. We have the field network
comprising the actual devices collecting data, executing functions, etc.,
on top of which we have the automation network consisting of a unit
controller and dedicated high resource devices, whose functionality in-
clude the aggregation of the data from the field level and presenting
it to the management level (e.g. trending) and executing all prede-
fined and context sensitive automated sequences. The management
level provides the dashboard for manual operations such as modifying
the system parameters at the run time, intervening during emergency
alarms, and scheduling new automated tasks. It also stores the long-
term historical data.
mainly in the field of BACS, that the subjects can be both human users and
other objects. Role to authentication in the access control is mainly to further
facilitate the authorization of the subjects. Sometimes, especially in the field
of BACS, one way authentication is not sufficient e.g. a device in BACS
might be programmed to execute some action on a certain kind of devices
which could only be verified with the help of authentication. Following are
the few classical access control models that are frequently used to incorporate
access control to various degree depending on the requirements.
Discretionary access control Access policies for the resource are decided
by the owner of the resource. This boils down to two requirements in
the discretionary access control model.
to the PDP to check whether the user is allowed to access the particular
resource. The PDP then interacts with the PAP to get the relevant set of
policies related to this request to verify whether the user has access to it. The
PIP is also parallelly queried to get information about attributes to check
if a condition has to be satisfied for granting the user access to a particular
resource. The evaluated response is sent back to the PEP which takes action
according to the response.
1. U −→ AS : U, T GS, N1 , AddrU , T L
2. AS −→ U : U, T GT, EKU (KU −T GS , N1 , T GS, AddrU )
5. U −→ S : Ticket, AuthenticatorU S
6. S −→ U : AP REP
where,
KU , KT GS , KS = master keys of User, Ticket Granting Service and Service
KU −T GS = shared key for User and Ticket Granting Service
KU S = shared key for User and Service
T GT = S, EKT GS (INITIAL, KU −T GS , U, Tauth , Texpiry1 , AddrU )
Ticket = S, EKS (KU S , U, Tauth , Texpiry2 , AddrU )
CHAPTER 2. BACKGROUND 21
The same protocol is extended to the scenario when the User and the
Service are present in different domains. Separate domain requires new set
of the Authentication Service and Ticket Granting Service. As shown in the
figure 2.8, if a User in domain X requires to access a Service in domain Y,
the User first get a Ticket for the TGS of domain Y from the TGS of the
domain X and then the TGS of domain Y grants the Ticket for the actual
Service in domain Y.
Domain X Domain Y
3. TGT X
1. Auth 4. TGT Y
5. TGT Y
2. TGT X
6. Ticket Service
User Service
7. Ticket Service
8. Mutual Auth
22
CHAPTER 3. USE CASES AND REQUIREMENTS 23
Building Ethernet
Typical
Typical
light
switch
Gateway
controller
Floor
3. controller
Office 3
that the light outside is sufficient for the room illumination. However,
a blind should not be able to communicate with the light in a different
room. There are many other examples which present the requirements
for the device to device access controls. E.g. a door (device) might
want to communicate with the light (device) of same room and should
not able to communicate with the lights of the other rooms.
3.2 Requirements
Discussed use cases and related studies in [10], [38] guide us to categorize
requirements for our access control architecture in following types:
Requirements for the access control from device’s perspective :
The approach to design the access control architecture for BACS would be
to cumulatively consider each of the enumerated requirements and discuss
advantages and disadvantages as we introduce new components to fulfill those
requirements.
The sequence of incorporating the requirements in the architecture is
presented in the table 4.2. Before we go in to the details of the actual access
control architecture we present the terminology for various components in
table 4.1. These terms are motivated from XACML[20] but are not limited
to that.
For each design we typically consider three variants namely ‘distributed’,
‘centralized’ and ‘hybrid’. When functionality of all the involved compo-
nent are fully distributed to the end-devices we call the variant ‘distributed’.
When any involved component is functional from a centralized entity we
call the variant ‘centralized’. When a component is functional both from
a centralized entity and the end-devices we call the variant ‘hybrid’. The
‘hybrid’ variant is the most general since it can be easily transformed into
the ‘distributed’ or ‘centralized’. If in a design we find the ‘distributed’ and
the ‘centralized’ variants as trivial or not practical to implement, we directly
proceed to the details of the ‘hybrid’ variant.
26
CHAPTER 4. DESIGN OF ACCESS CONTROL SYSTEM FOR BACS27
control procedure. Since, the devices have limited resources we would assume
that symmetric key encryption and efficient hash functions are used for con-
fidentiality and authentication. Since confidentiality is not always required
we will concentrate our efforts on authentication. Authentication could be
performed using one of the several schemes discussed in [39], [6]. We use a
very simple form of authentication using message authentication code.
Assuming Kd1 −d2 is the shared key between device d1 and d2 , d1 uses
Kd1 −d2 to apply MAC on the message (m) along with a random nonce (n)
(for freshness). When d2 receives the message, it checks if Kd1 −d2 is correct
and n is fresh. This way it verifies the identity of d1 and freshness of the
message.
d1 −→ d2 : M AC[Kd1 −d2 , (m + n)]
The algorithm is robust against network eavesdropping, replay attacks,
and identity spoofing.
Once mutual authentication of the messages is established, device d2
checks its access control rules and see if the device d1 is allowed to per-
form the action it requests. Therefore, we say the decision point (DP) is
in the device itself. Enforcement follows the decision. Since the DP is in
the same device where we want to perform the enforcement, enforcement is
rather trivial. The process running the device as the DP would inform the
access decision to the process running as the service provider. The whole
scenario is described in the figure 4.1
For monitoring and management of devices, the same scheme is repeated.
Devices would contain appropriate access control rules for the domain mon-
itor, automater, maintainer, etc. When the domain monitor, automater,
maintainer want to execute some actions on the devices, the above discussed
scheme for decision and enforcement is applied.
We have discussed the most trivial design for the access control in the
CHAPTER 4. DESIGN OF ACCESS CONTROL SYSTEM FOR BACS29
Device d1 Device d2
Authentication
Service granted/denied
Advantages :
Disadvantages :
Authentication
Service request
Evaluation request
Decision
Service granted/denied
Advantages :
Disadvantages :
Advantages :
1. More scalable since now we can have practically unlimited number
of devices in the network.
2. Easy management of the keys in the system e.g. revocation, mul-
tiple keys per device, etc.
Disadvantages :
1. Communication overhead for session (key) establishment.
2. Extra device (TP) if not already present in the network has to be
installed.
CHAPTER 4. DESIGN OF ACCESS CONTROL SYSTEM FOR BACS32
Service request
Evaluation request
Decision
Service granted/denied
(a) Device d2 does not know the identity and access clearance of d1
and there is no mutually shared key between the two devices. For
the first time access between d1 and d2 , there is definitely a cache
CHAPTER 4. DESIGN OF ACCESS CONTROL SYSTEM FOR BACS34
miss of this type. This might also happen during the subsequent
accesses from d1 to d2 if both the authentication and authorization
caches get cleared. The access procedure takes place similar to the
second centralized variant we discussed before with the notable
difference that DP, along with the final decision, also sends the
access rules responsible for the decision. These access rules are
encoded to reduce the bandwidth overhead.
(b) Devices d2 and d1 have the mutually shared key and device d1 has
the service ticket but device d2 does not know the access clearance
of the device d1 . This happens due to authorization cache-miss.
The access procedure, including both the authentication and au-
thorization, takes place similar to the first centralized variant we
discussed before. However, DP, along with the final decision, also
sends the encoded access rules responsible for the decision.
(c) Device d1 or d2 do not have the mutually shared key but device d2
still has the access rules corresponding to device d1 . This happens
due to authentication cache-miss. In this case, d1 and d2 au-
thenticate mutually using the centralized TP and d2 subsequently
evaluates the decision based on its stored rules.
3. Cache-hit access: The access procedure is similar to the distributed
variant we discussed before. We also propose that the authorization
cache update in the device either happens when the cache is full and
new entry needs to be added or through explicit communication from
the central DP when a cache entry is stale according to the DP.
Figure 4.4 summarizes the details of the hybrid variant.
Advantages :
1. Increased efficiency for frequently communicating devices.
Disadvantages :
1. Added complexity in the system architecture
Service request 1
Evaluation request
Decision,
Policy caching
Encoded policy
Service granted/denied
Service request 2
Service granted/denied
based on the cache
time notification is service provided by the device itself, people presence in the
room is provided by the presence detector, etc. This means that the access
control for a device now depends on the services provided by other devices or
on the services provided by the device itself (e.g. time or presence detector).
Incorporating this would make our access control rules dynamic as opposed
to the static rules that we have been dealing with till now. These dynamic
access control rules are termed access policies based on the study conducted
in [41]. However, we still need a framework to support the dynamism of the
access control rules. Incorporating the access control in our existing architec-
ture will only change the authorization phase while the authentication phase
will remain unmodified. We easily infer that a generalized implementation
of context handling would be impractical in a fully distributed variant e.g.
in case of fire, it would be impractical if a single resource-constrained fire-
alarm device had to inform all the other devices in the building about the
fire context. Therefore, we consider only the centralized and hybrid variant
in case of context handling.
Device 1 Device 2
Decision
Point (DP)
Policies Contexts
Administrative
Point (AP)
Hybrid: All the relevant context parameters that can be fetched without
contacting the device d2 are stored in the central context repository
and evaluated at the DP, others are stored in d2 and are evaluated
at the d2 itself. In this approach, the decision evaluation is actually
distributed in the sense that only a part of the decision is taken at
centralized DP. When a particular policy is invoked as result of d2
requesting the access decision from DP , the context parameters present
in the DP are evaluated. The remaining context parameters are left
for the d2 to evaluate. Two logic of the policy, one containing the
unevaluated context parameters and other containing the results of
evaluated contexts, are encoded in the TLV format. The encoded policy
is then sent to the device d2 . d2 first stores the encoded policy in the
authorization cache, then calculates the final decision by substituting
current values of the local context in the partial decision.
In the case of subsequent similar requests from d1 to d2 , d2 acts as
CHAPTER 4. DESIGN OF ACCESS CONTROL SYSTEM FOR BACS37
a context repository for all the context present in the policies stored
in its cache. The communication protocol (event publish subscribe or
explicit communication) is specified in the encoded policy itself which
helps the device d2 to gather those context variables.
TA TP
AS TGS AS TGS
3. TGT TA
1. Auth 4. TGT W
5. TGT W
2. TGT TA
6. Ticket Service
Lighting (L) domain
User Service
Device Device
7. Ticket Service
8. Mutual Auth
TA
AS TGS
5. TGT TA
6. TGT W
TP TP
AS TGS AS TGS
3. TGT L
1. Auth 4. TGT TA
2. TGT L 7. TGT W
8. Ticket Service
User Service
Device Device
9. Ticket Service
10. Mutual Auth
contact the DP to check if the user device light is allowed to perform the
requested action. The service request is allowed or rejected according
to the decision provided by the DP in the window-blind domain.
The model centralized-distributed can be easily understood in terms of
this model with the parties interchanged.
centralized-centralized : In this variant, both the local and and the 3rd
party domain have centralized architecture for access control. For au-
thentication between devices of different domain, as presented in the
figure 4.7, we have transited domain TA which facilitates the trust rela-
tion. Overall, the authentication is a ten step process and is analogues
to the distributed-centralized variant except we have one more TGS (in
the local domain).
Once the authentication in between the devices is established, the au-
CHAPTER 4. DESIGN OF ACCESS CONTROL SYSTEM FOR BACS42
hybrid-hybrid : This variant explain the scenario when both local and
3rd party domain have hybrid architecture for access control. There
can be many other combinations with the hybrid variant, such as,
hybrid-distributed, centralized-hybrid, but understanding of hybrid-
hybrid would trivialize them. Again, the main motivation for the
hybrid-hybrid variant come from the fact that it would be impracti-
cal to have so much communication overhead for a window-blind to
just dim the light present in the same room. In hybrid-hybrid variant
the devices store the session keys of the devices in the authentication
cache.
The same pattern follows with the authorization policies. Once the
authorization decision is evaluated by the DP in the domain providing
the service, the encoded policies are sent to the actual device providing
the service. Hence, upon receiving subsequent similar requests, the
device providing the services would not need to contact the DP of its
domain. The authorization cache update procedure is similar to the
single domain architecture. It either happens when the cache is full
and new entry needs to be added or through explicit communication
from the central DP when a cache entry is stale according to the DP.
Context parameters are handled in almost the similar way as in the case
of single party domain except the context variables can now be shared
between the domains. We propose that all the context variables whose
values are obtained from outside the domain are categorized as global
context variable and hence be processed at the central DP and stored
at the central context database. This proposal not only simplifies the
architecture but also increases the scalability in case of multiple 3rd
party domains.
Step by step procedure is presented in the figure 4.8. In figure 4.8, we
present the procedure when the authentication and authorization cache
are empty. In the case when encoded policy is present in the cache of
the device, device evaluates the policy by itself and access procedure is
trivial. Context parameters from the third party are handled centrally.
Therefore, context from the third-party are stored and evaluated at
DP. The access control on the context variables themselves from the
third-party domain is discussed in detail in the discussion chapter 7.2.
Overall the architecture is very similar to the one presented in the
centralized-centralized variant except the caching functionality.
CHAPTER 4. DESIGN OF ACCESS CONTROL SYSTEM FOR BACS43
TA
AS TGS
5. TGT TA
6. TGT W
TP TP
AS TGS AS TGS
3. TGT L
1. Auth 4. TGT TA
2. TGT L
12. Policy Request DP
7. TGT W
15. Policy Response
8. Ticket Service
14. Context
13. Context
Response
Request
User Service
Contexts
Device 9. Ticket Service Device
10. Mutual Auth
11. Service Request
16. Service Response
We discussed a very basic model for the 3rd party access control system.
There are various aspects for the future work. Notably, a framework for
the discovery of devices based on various attributed and automated policy
definition for the device just after the discovery.
Chapter 5
• The hybrid design presented in the section 4.1.2 is the most sophisti-
cated design which is feasible to implement in the planned time period.
• We used the centralized design presented in the section 4.1.2 as the first
step to implement the hybrid design so that we could later compare the
time efficiency and memory requirements of the two designs.
44
CHAPTER 5. IMPLEMENTATION AND SYSTEM PROTOTYPE 45
application layer. The DTLS for sensor network is a system developed and
implemented by a parallel project which is based on generic DTLS protocol
[23].
– 2.4GHz
– 16 selectable channels
Although all the components described in the XACML are not incorporated
in the implementation, the policy language (JSON) is such that it has one-
to-one mapping to the markup language for future enhancements.
A part of the model policy file in the DP is presented in the figure 5.1.
The policy file has been designed such that target device is on the top of
the JSON hierarchy. This is because encoding the policy related to the
target device becomes more efficient, which we will see in the details of the
hybrid implementation. The JSON policy language supports the role based
definitions of the policies. Therefore, we are able to aggregate the policies for
large numbers of users in the BACS. Each target devices is mapped with a
number of roles which applies on it. Therefore, if a request comes to a target
device from a certain user, then the user must belong to one of the mapped
roles in order to successfully execute the action.
Inside each role we have a set of the actions that are associated with
the role e.g. “action” : “on” in the role admin as seen in the figure 5.1.
Each action is further associated with an array of conditions related to con-
text variables. Details regarding each context variable starts with the tag
attribute. Following are the details of subtags of attribute:
priority: This tag is used to denote the priority of the context variable
during caching. Caching algorithm is supposed to use this tag for
intelligent caching.
eval: Finally, we have a recursive structure of eval tags which depicts a series
of nested binary condition to which the context variable is subjected.
In JSMN, tokens do not hold any memory for the data, but point to
token boundaries in JSON string instead. JSMN has following token
types:
Once the token boundaries are extracted, the user loops over the to-
ken to match the interested objects. On our case, the process works
according to the pseudocode 1. The JSON interpreter evaluates the
policies containing the context variables to get the decision. It returns
the final decision to the CoAP server. The CoAP server sends the final
evaluated decision to the CoAP client in Node 2. The message pass-
ing is again done through the Bridge. These set of conversation are
CHAPTER 5. IMPLEMENTATION AND SYSTEM PROTOTYPE 49
802.15.4 Network
Device
Services
AC Layer
5 10
CoAP Client
CoAP server
4
DP
CoAP server
11
6 9
1 16 JSON
Interpretor
8
CoAP server JSON file
7
2 CoAP Client Database
15
12
AC Layer
14 13 3
CoAP Client
Device
Services
MC1322x Econotag Hardware PC Hardware
Node 2 (service provider) DP
condition 0000
attribute 0001
id 0010
communication 0011
priority 0100
scope 0101
eval 0110
function 0111
value 1000
Each type has a value. The scope of the value in the encoded policy is
de-limited by the length. The length describes number of bits in which
the value is represented. The basic length is represented by four bits.
If the first bit of those four bits is 0, then the next 3 bits describes the
actual length of the value. Otherwise, if the first bit is 1, then the next
3 bits describe the length of the actual length in four bit words.
The values in the system are also pre-defined. For example, the type
‘id’ has the pre-defined values of length four presented in the table 5.2.
If in future, the number of pre-defined values for the type ‘id’ increases
beyond 16 (= 24 ) we increase the length and interpret the value in
the big-endian format. Therefore, if we increase the length of the type
‘id’ from four to five we have the values presented in the table 5.3.
The comprehensive table 5.4 presents all the basic types and their pre-
defined value till now.
CHAPTER 5. IMPLEMENTATION AND SYSTEM PROTOTYPE 54
Table 5.2: TLV pre-defined values for Table 5.3: TLV pre-defined values
the type ‘id’ changes for the type ‘id’
For example, again consider the role admin and action on in the policy
presented in the Appendix A. The encoding of the policy is showed in
the table 5.5. The pseudo code for encoding and decoding of the policy
consists of trivial mapping and hence omitted.
This encoded policy is sent to the device as the reply. The sending
procedure is similar to the sending procedure of the final decision of
the centralized implementation 5.3.1.
1 {
2 "target":"light1",
3 "admin" : [{
4 "action" : "on",
5 "condition" : [{
6 "attribute":{
7 "id":"time",
8 "communication":"expcomm",
9 "priority":"normal",
10 "scope":"local",
11 "eval":{
12 "function": "lt",
13 "value":"12"
14 }
15 }
16 }],
17 },
18 ...
19 ],
20 "user" : [{
21 "action" : "on",
22 "condition" : [{
23 "attribute":{
24 "id":"time",
25 "communication":"pubsub",
26 "priority":"normal",
27 "scope":"local",
28 "eval":{
29 "function":"OR",
30 "eval":{
31 "function":"AND",
32 "eval":{
33 "function":"lt",
34 "value":"20"
35 },
36 "eval":{
37 "function":"gt",
38 "value":"16"
39 }
40 }
41 "eval":{
42 "function":"eq",
43 "value":"3"
44 }
45 }
46 }
47 }],
48 },
49 ...
50 }
type
length
value
condition 0000
attribute 0001
id 0010
4 0100
time 0001
fire 0010
people presence 0011
natural illumination 0100
temperature 0101
humidity 0110
communication 0011
1 0001
pubsub 0
expcomm 1
priority 0100
2 0010
high 00
normal 01
low 10
scope 0101
1 0001
local 0
global 1
eval 0110
function 0111
4 0100
AND 0000
OR 0001
gt 0010
lt 0011
eq 0100
value 1000
Evaluation
60
CHAPTER 6. EVALUATION 61
Other than the size of the code presented in the table 6.1, we use 2000
bytes to store all the data structures for the CoAP and the access control
system. Moreover, we use extra 2000 bytes as the cache to store various
policies in a linked-list data-structure.
Table 6.1: Code size of the each part of the access control system
6.2 Performance
We have strict requirement for low latency in the BACS e.g. there must not
be a notable lag between the action switch on and actual turning on of the
light. The following section presents the time required for serving a typical
request in the system prototype.
CHAPTER 6. EVALUATION 62
The time required by the device between receiving the request and sending
the reply (i.e. between steps 1 and 16 according to the figure 5.3) when using
the central DP to get the decision is approximately 0.09 secs. This does not
include the time required to put the policy in the cache. The time required
when there is a cache hit in hybrid architecture is approximately 0.02 secs.
The number of significant digits in the time measurements comes from the
limitation of the system clock in the device. These time measurements are
averaged over 10 samples. The increased time efficiency of the system in the
hybrid version is clearly perceived. Following are the main reasons for this
increase in the time efficiency:
Discussion
63
CHAPTER 7. DISCUSSION 64
central controllers. Whereas, in the case of the central controller being used
for only bootstrapping and initial configuration purposes, there needs to a
new framework for access control since service request-response is device to
device and devices have constrained resources.
• Chillers
• Boilers
• Ventilation units
• Roof-top units
• Power monitoring
• Security system
• Lighting
The list is dynamic and new systems frequently gets added. There are
various management units that run behind these systems for cost optimiza-
tion and security purposes. Some such units are as follows:
Trending units are deployed in the building to find the patterns in the
devices’ service accesses. These patterns are typically used by the au-
tomation units to optimize the energy consumption. The patterns are
also used in the commissioning and maintenance of the building.
Conclusions
This thesis presents various functional models for the access control in BACS.
The access control models are primarily based on the various use-cases for
access control in BACS. The presented models fulfill the requirements and
satisfy most of the use-cases. In other words, the models provide efficient,
context-aware, role based access control with no single point of failure in
BACS.
In the distributed model for access control, we have all the pre-shared
keys and the access control rules were stored in the devices themselves. Al-
though time efficient, this model has the limitation that a particular device
can possibly serve only a few other devices. In the centralized model for
the access control, we have a centralized trust point (TP) for establishing
authentication between two devices and centralized decision point (DP) for
the evaluating the policies stored in the central repository named retrieval
point (RP). Although highly scalable and manageable, this model has high
latency in providing the service. Moreover, it has various bottlenecks and
single points of failure.
Combining the distributed and centralized model, we proposed a hybrid
model in which we cache the session key between the pair of devices. We also
cache the encoded policies in the device. This enables us to intelligently store
the policies and session keys related to the important devices. Although, the
efficiency is the same as in the centralized model if there is a cache miss, the
efficiency is as good as distributed model for most of the subsequent similar
requests. We have also incorporated context awareness in the hybrid model
by first partially evaluating the context parameters at the DP, then send-
ing the policy to the device containing equations to evaluate the remaining
context parameters which local to the device.
To facilitate storing, communication, and total and partial evaluation
of the policies we have defined a JSON based policy language. The policy
66
CHAPTER 8. CONCLUSIONS 67
language also takes care of the role based grouping of the user devices. The
policy language is designed in such a way that communication protocol (e.g.
pub-sub or explicit communication), caching priority and scope are specified
for each context variable. A general boolean formula for the evaluation of
each context variable can also be specified in the policy language. To evaluate
the policy corresponding to a service request from a user device, firstly all
the roles of the user device are extracted. Then each role is checked one by
one to see if the user device is allowed the requested service. In case a role is
found, all the context variable with global scope are evaluated and the one
with the local scope are left for the device to evaluate. The role is encoded
and send to the device. In case no role is found, the user request is denied.
We have also proposed an encoding format for the policies. This not
only reduces the memory footprint of the policies but also facilitates efficient
evaluation of the policies. The encoding of the policies also saves significant
bandwidth during the transfer of the policies from the DP to the device.
Therefore, policies inside the devices are stored in the encoded format. The
encoding is done in the compressed TLV format. Appropriate translation
algorithms are devised from JSON to TLV format and vice versa. The design
for access control is not only limited for the application in BACS but also to
general embedded systems.
As a proof of concept, we have implemented a prototype of the centralized
and the hybrid design including all the functionality proposed in the design.
We have implemented the evaluation algorithm for the policies which also
include their partial evaluation at the central decision point. The encoding
and decoding algorithms of the policies were also implemented. We then
compared the memory footprint and the latency of both the designs and the
results were as expected. The hybrid design is more efficient in serving the
devices with little more memory footprint (used for caching) compared to the
centralized design. Excluding the cache memory and the memory required
for various data-structures, the access control engine requires approximately
5 KB of memory. Needless to mention, the hybrid prototype provides a
practical solution for efficient and scalable access control in constrained en-
vironments.
Bibliography
[5] Blundo, C., Mattos, L., and Stinson, D. Trade-offs between com-
munication and storage in unconditionally secure schemes for broadcast
encryption and interactive key distribution. In Advances in Cryptology-
CRYPTO’96 (1996), Springer, pp. 387–400.
[6] Chen, Y.-c., and Yeh, L.-y. An Efficient Authentication and Access
Control Scheme Using Smart Cards. Review Literature And Arts Of The
Americas (2005).
[7] Du, W., Deng, J., Han, Y., Varshney, P., Katz, J., and
Khalili, A. A pairwise key predistribution scheme for wireless sen-
sor networks. ACM Transactions on Information and System Security
(TISSEC) 8, 2 (2005), 228–258.
[9] Ferraiolo, D., Sandhu, R., Gavrila, S., Kuhn, D., and Chan-
dramouli, R. Proposed nist standard for role-based access control.
ACM Transactions on Information and System Security (TISSEC) 4, 3
(2001), 224–274.
68
BIBLIOGRAPHY 69
[10] Grummt, E., and Muller, M. Fine-grained access control for epc
information services. In Proceedings of the 1st international conference
on The internet of things (2008), Springer-Verlag, pp. 35–49.
[13] Hein, P. Dali-a digital addressable lighting interface for lighting elec-
tronics. In Industry Applications Conference, 2001. Thirty-Sixth IAS
Annual Meeting. Conference Record of the 2001 IEEE (2001), vol. 2,
IEEE, pp. 901–905.
[17] Kinney, P., et al. Zigbee technology: Wireless control that simply
works. In Communications design conference (2003), vol. 2.
[20] Lorch, M., Proctor, S., Lepro, R., Kafura, D., and Shah, S.
First experiences using xacml for access control in distributed systems.
In Proceedings of the 2003 ACM workshop on XML security (2003),
ACM, pp. 25–37.
[31] Ramkumar, M., and Menon, N. Pre-loaded key based multicast and
broadcast authentication in mobile ad-hoc networks. In Global Telecom-
munications Conference, 2003. GLOBECOM’03. IEEE (2003), vol. 3,
IEEE, pp. 1405–1409.
[32] Ratner, B. Rs-485 multipoint power line modem, Nov. 4 1997. US
Patent 5,684,826.
[33] Rubinstein, F., Treado, S., and Pettler, P. Standardizing com-
munication between lighting control devices. In IEEE Industry Appli-
cations Society Annual Meeting (2003), pp. 805–811.
BIBLIOGRAPHY 71
[35] Shelby, Z., Hartke, K., Bormann, C., and Frank, B. Con-
strained application protocol (coap). An online version is available
at http://www. ietf. org/id/draft-ietf-core-coap-01. txt (08.07. 2010)
(2010).
[37] Wang, J., Sinnarajah, R., Chen, T., Wei, Y., and Tiedemann,
E. Broadcast and multicast services in cdma2000. Communications
Magazine, IEEE 42, 2 (2004), 76–82.
[39] Woo, T., and Lam, S. Authentication for distributed systems. Com-
puter 25, 1 (1992), 39–52.
[41] Zhi, L., Jing, W., Xiao-su, C., and Lian-xing, J. Research on
policy-based access control model. In Networks Security, Wireless Com-
munications and Trusted Computing, 2009. NSWCTC’09. International
Conference on (2009), vol. 2, IEEE, pp. 164–167.
Appendix A
JSON protoype
1 {
2 "target":"light1",
3 "admin" : [{
4 "action" : "on",
5 "condition" : [{
6 "attribute":{
7 "id":"time",
8 "communication":"expcomm",
9 "priority":"normal",
10 "scope":"global",
11 "eval":{
12 "function": "lt",
13 "value":"12"
14 }
15 },
16 "attribute":{
17 "id":"people presence",
18 "priority":"normal",
19 "scope":"local",
20 "eval":{
21 "function": "eq",
22 "value":"true"
23 }
24 },
25 "attribute":{
26 "id":"natural illumination",
27 "priority":"normal",
72
APPENDIX A. JSON PROTOYPE 73
28 "scope":"local",
29 "eval":{
30 "function": "lt",
31 "value":"1000"
32 }
33 }
34 }],
35 },
36 {
37 "action" : "off",
38 "condition" : [{
39 "attribute":{
40 "id":"time",
41 "communication":"pubsub",
42 "priority":"normal",
43 "scope":"local",
44 "eval":{
45 "function": "gt",
46 "value":"13"
47 }
48 }
49 }],
50 }],
51 "user" : [{
52 "action" : "on",
53 "condition" : [{
54 "attribute":{
55 "id":"time",
56 "communication":"pubsub",
57 "priority":"normal",
58 "scope":"local",
59 "eval":{
60 "function":"OR",
61 "eval":{
62 "function":"AND",
63 "eval":{
64 "function":"lt",
65 "value":"20"
66 },
67 "eval":{
68 "function":"gt",
APPENDIX A. JSON PROTOYPE 74
69 "value":"16"
70 }
71 }
72 "eval":{
73 "function":"eq",
74 "value":"3"
75 }
76 }
77 }
78 }],
79 },
80 {
81 "action" : "off",
82 "condition" : [{
83 "attribute":{
84 "id":"time",
85 "communication":"pubsub",
86 "priority":"normal",
87 "scope":"local",
88 "eval":{
89 "function": "gt",
90 "value":"13"
91 }
92 }
93 }],
94 }]
95 }