LoT is a framework for meeting security requirements that span multiple domains, a pervasive environment for instance. It can also be used to advantage in conventional environments (e.g. distributed systems, mobile computing). However, the focal interest of my work is pervasive environments, as pervasive computing is the richest case of security over multiple domains. The LoT framework investigates security problems over multiple domains from the two logical ends, authentication and authorisation, because bootstrapping trust across domains inevitably differs from the single-domain case. In the conventional sense, authentication determines “who is speaking?” or “who is making statements?”, and authorisation is about “who is trusted?” or “whose statements are trusted?” [1]. Generally speaking, authentication is used mainly to bootstrap access control. In this dissertation, by authentication I mean this generic sense of bootstrapping access control, not (just) conventional ID-based authentication. Thus access control is the essential notion, and authentication is secondary to it.

Footnote 2: In this dissertation, the term authentication is mainly used for user authentication unless a more specific meaning is given.
In the rest of this dissertation, the reader will notice that most statements in LoT lean heavily towards access control, or trust establishment. This is because, firstly, bootstrapping trust across domains naturally requires something different from the single-domain case; secondly, establishing trust under varying conditions is the harder problem; and lastly, authentication (in the generic sense) is essentially the minimal level of access control. Consequently, I focus more upon the access control problem, and the LoT framework is deliberately presented in an access-control-like style and vocabulary.
The LoT framework is the result of acknowledging the significance of the local domain’s knowledge. It is based upon a systematic policy of localising trust. As a matter of principle, each domain in the LoT framework deals explicitly only with its own security policy, rather than reasoning about the policies of other domains. Most existing security systems force a user to understand other domains’ policies when he/she wants to access resources in those domains. From the security viewpoint, this is difficult and, I will argue, unnecessary. Therefore, I provide an alternative in this dissertation and propose the LoT framework. LoT is based upon the localising-the-trust design principle, which encourages domains (precisely, domain servers or administrative authorities) to get involved in their local users’ communication. In LoT,
• A user may be a human, a computer, a portable computerised device, a program, or a process, etc.
• What counts as a domain depends on the context and on the domain’s own policy. A user can set up one domain or several domains for different security purposes, fitting different environments.
Figure 3.1 gives an overview of the LoT framework. The infrastructure is designed to minimise trust assumptions and to provide the desired security services effectively and efficiently.
[Figure 3.1 (diagram): the three columns map Threat to “talking to the wrong strangers”; Security Policy to “localising the trust”; and Countermeasures/Mechanisms to “two-channel authentication”, “encryption-based access control”, and “guest access / stranger access”.]
Figure 3.1: The LoT framework overview
1. Threat: In pervasive environments, we talk to strange users frequently, in a dynamic and spontaneous manner. Generally speaking, the main threat in pervasive environments is talking to the wrong strangers. Those strangers usually come from many different domains: a strange user from a friendly domain, or a friendly user from a strange domain. Most likely, no secure pre-knowledge (e.g. cryptographic key material) or trust relationship has been established with them. Conventionally, this is solved by introducing an infrastructure, such as Kerberos [122] or a PKI, that helps users to identify the correct strangers, usually by verifying their IDs, names, long-term public keys, or roles. Such a trusted infrastructure comes with its own required assumptions, so users inevitably have to set up their own assumptions and security policy to match those of the infrastructure. However, the semantics of the threat model differ with the nature of the application, particularly in pervasive environments: the threat is specific to the requirements and assumptions of each pervasive application, and these are not known to the infrastructure. Consequently, the infrastructure must not be allowed to decide local policy.
2. Security Policy: the main design guideline in the security policy is the localising-trust principle. It is difficult to establish trust in a pervasive environment if users have to struggle to understand a foreign domain’s policy and the precise semantics of its security mechanisms. The conventional response is to seek significant assistance from external trusted third parties (TTPs); however, the problem only becomes harder once a user has to trust arbitrary external authorities. In LoT, by localising the trust, a user is able to place trust in his/her own domain, or in places with which the user already has a stable connection.
3. Countermeasures/Mechanisms: Unlike most security frameworks, which usually propose a static set of countermeasures, LoT employs a tool-kit containing several countermeasures for different contexts. I suggest three main examples, targeted at the threats and contexts considered in this dissertation. Consider the unique property of pervasive environments, namely positive human context: human users have a clear intention about what they are doing. I reason that it would be extremely efficient and effective if the security framework allowed users to choose a suitable mechanism from a tool set, with respect to their own assumptions and the changing environments that they face.