ebook img

Secure Access Control to Personal Sensor Information in Federations of Personal Networks PDF

236 Pages·2012·6.66 MB·English
by  
Save to my drive
Quick download
Download
Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.

Preview Secure Access Control to Personal Sensor Information in Federations of Personal Networks

Thesis submitted to the University of Twente Faculty of Electrical Engineering, Mathematics and Computer Science chair for Design and Analysis of Communication Systems in partial fulfillment of the requirements for the degree of Master of Science in Telematics Secure Access Control to Personal Sensor Information in Federations of Personal Networks J.W.C. Beusink July 12, 2012 Supervising committee ⋆ Dr. Ir. G. Karagiannis ⋆ Dr. Ir. G.J. Heijenk ⋆⋆ Dr. H. Benz ⋆⋆ Prof. Dr. Ir. S. Heemstra de Groot ⋆ ⋆⋆ University of Twente, Twente Institute for Faculty of EEMCS, Wireless and Mobile Communications B.V., DACS chair, Business & Science Park, P.O. Box 217, Institutenweg 30, 7500 AE Enschede, 7521 PK Enschede, The Netherlands. The Netherlands. Any intelligent fool can make things bigger and more complex. . . It takes a touch of genius - and a lot of courage to move in the opposite direction. — Albert Einstein (1879-1955) Abstract This thesis provides a secure access control architecture for personal sensor information in Federated Personal Networks (FedNets) applied to the context of the VITRUVIUS project. To that end suitable authentication protocols, cipher suites, credential providers and policy languages are analyzed. We provide and test a prototype of our proposed architecture. Security in this context entails more than the usual suspects being au- thentication, authorization, non-repudiation, data integrity and confidential- ity. Due to the nature of a PN, confidentiality is notably complex. Privacy in this context consists of user and component identity confidentiality, user location confidentiality and user untraceability. Mobile devices are also sus- ceptible to depletion attacks, aimed at draining the battery. We found EAP-IKEv2 the best suitable authentication protocol based applicable security requirements we adopted from several fields of study. We recommend a ciphersuite consisting of ECDH, ECDSA, AES and SHA-2 based upon keystrength, governmental and institutional recommen- dations and the wireless nature of PNs and FedNets. We recommend WebDAV as credential provider as its usage allows for more efficient revocation checking. We recommend PERMIS as reasoning engine along with its policy lan- guage. Our prototype shows that the suggested security framework can be run on a resource constrained device though further performance improvements to the authentication and the authorization engine are needed. iii Dedication This thesis is dedicated, in loving memory, to my father Johan Willem (Joop) Beusink, who passed away on June 7, 2012, during the final stages of my thesis. I know you were worried about me graduating and wanted to be there at my graduation. Thank you for everything you have shown me, done for me, and inspiring me to be a better man. v Acknowledgements I would like to express gratitude to my supervisors, Dr. Ir. G. Karagiannis, Dr. Ir. G.J. Heijenk, Dr. H. Benz and Prof. Dr. Ir. S. Heemstra de Groot, without whom this thesis would not have been made possible. I would also like to thank experts in the field for creating and making the software available that is the basis on which our prototype was developed and for providing answers to questions on the inner workings of this software. For strongSwan they are Tobias Brunner; Martin Willi; and Prof. Andreas Steffen, HSR University of Applied Sciences Rapperswil, Switzerland. For PrivilEge and Role Management Infrastructure Standards (PERMIS) they are Prof. BSc. PhD. David W. Chadwick, University of Kent, United King- dom; Dr. Stijn Lievens, University of Kent, United Kingdom. For their patience and financial support I thank Everett NL B.V. Special thanks to Dr. Ing. Bianca Beusink and BSc. Achiel van der Mandele for reviewing drafts and providing usefull feedback. Last but not least I would like to thank my friends and family for their support and giving me the strength to finish this thesis. vii Contents Abstract iii Dedication v Acknowledgements vii 1 Introduction 1 1.1 Context/Motivation . . . . . . . . . . . . . . . . . . . . . . . 1 1.2 Specific Problem . . . . . . . . . . . . . . . . . . . . . . . . . 3 1.3 Research Questions . . . . . . . . . . . . . . . . . . . . . . . . 3 1.4 Approach . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 1.5 Structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 2 Personal Networks 5 2.1 Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 2.2 Overall Architecture . . . . . . . . . . . . . . . . . . . . . . . 9 2.2.1 Connectivity Level Abstraction . . . . . . . . . . . . . 9 2.2.2 Network Level Abstraction . . . . . . . . . . . . . . . 9 2.2.3 Service Abstraction Level . . . . . . . . . . . . . . . . 11 2.3 Network Components . . . . . . . . . . . . . . . . . . . . . . . 13 2.3.1 Personalization . . . . . . . . . . . . . . . . . . . . . . 13 2.3.2 Cluster Formation . . . . . . . . . . . . . . . . . . . . 14 2.3.3 Intra-Cluster Routing . . . . . . . . . . . . . . . . . . 14 2.3.4 Inter-Cluster Routing and Tunneling . . . . . . . . . . 14 2.3.5 Foreign Communication . . . . . . . . . . . . . . . . . 15 2.3.6 Radio Resource Management and Link Layers . . . . . 15 2.4 Service Components . . . . . . . . . . . . . . . . . . . . . . . 15 2.4.1 PN Administration Integrity Service . . . . . . . . . . 16 2.4.2 User Agent & Authentication . . . . . . . . . . . . . . 16 2.4.3 Service & Content Discovery . . . . . . . . . . . . . . 16 2.4.4 Access Control . . . . . . . . . . . . . . . . . . . . . . 17 ix x Contents. 2.4.5 Service Context Service . . . . . . . . . . . . . . . . . 17 2.4.6 Federation Management . . . . . . . . . . . . . . . . . 17 2.4.7 Service & Content Management . . . . . . . . . . . . . 17 2.4.8 Management Consoles . . . . . . . . . . . . . . . . . . 18 2.5 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18 3 FedNets 19 3.1 FedNet Types . . . . . . . . . . . . . . . . . . . . . . . . . . . 20 3.2 The FedNet Lifecycle . . . . . . . . . . . . . . . . . . . . . . . 22 3.2.1 Initial Phase . . . . . . . . . . . . . . . . . . . . . . . 22 3.2.2 Formation Phase . . . . . . . . . . . . . . . . . . . . . 23 3.2.3 Operation Phase . . . . . . . . . . . . . . . . . . . . . 23 3.2.4 Dissolution Phase . . . . . . . . . . . . . . . . . . . . . 25 3.3 Architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26 3.3.1 Architectural Components . . . . . . . . . . . . . . . . 26 3.3.2 FedNet Manager . . . . . . . . . . . . . . . . . . . . . 27 3.3.3 FedNet Agent . . . . . . . . . . . . . . . . . . . . . . . 28 3.3.4 Gateway . . . . . . . . . . . . . . . . . . . . . . . . . . 29 3.3.5 Service Proxy . . . . . . . . . . . . . . . . . . . . . . . 29 3.3.6 Service Management Node . . . . . . . . . . . . . . . . 30 3.3.7 A FedNet Service . . . . . . . . . . . . . . . . . . . . . 30 3.3.8 A FedNet Client . . . . . . . . . . . . . . . . . . . . . 30 3.3.9 Service Discovery . . . . . . . . . . . . . . . . . . . . . 30 3.3.10 FedNet Access Control Policies . . . . . . . . . . . . . 30 3.3.11 Service Access Control Policies . . . . . . . . . . . . . 30 3.3.12 FedNet Services . . . . . . . . . . . . . . . . . . . . . . 31 3.4 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31 4 Access Control Architectures 33 4.1 Security Threats . . . . . . . . . . . . . . . . . . . . . . . . . 33 4.2 Security Definitions . . . . . . . . . . . . . . . . . . . . . . . . 36 4.3 Security Access Control Architectures That Can Be Applied in FedNets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38 4.3.1 AAA . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39 4.3.2 IEEE 802.1X . . . . . . . . . . . . . . . . . . . . . . . 45 4.3.3 IMS Security ACA . . . . . . . . . . . . . . . . . . . . 46 4.3.4 Kerberos . . . . . . . . . . . . . . . . . . . . . . . . . . 48 4.3.5 Security Architectures That Are Described in Virtual Organizations . . . . . . . . . . . . . . . . . . . . . . . 49 4.3.6 Security Access Control Architectures (ACAs) That Are Described in Past or Ongoing FedNet Projects. . . 51 4.4 Selection Criteria . . . . . . . . . . . . . . . . . . . . . . . . . 55 4.4.1 Use Case . . . . . . . . . . . . . . . . . . . . . . . . . 55 4.4.2 Assumptions . . . . . . . . . . . . . . . . . . . . . . . 55

See more

The list of books you might like

Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.