Skip to main content
SpringerLink
Log in

Personal Trusted Devices for Web Services: Revisiting Multilevel Security

  • Published:
Mobile Networks and Applications Aims and scope Submit manuscript

Abstract

In this paper we revisit the concept of mandatory access control and investigate its potential with personal digital assistants (PDA). Only if applications are clearly separated and Trojans cannot leak personal information can these PDAs become personal trusted devices. Limited processing power and memory can be overcome by using Web services instead of full-fledged applications – a trend also in non-mobile computing. Web services, however, introduce additional security risks, some of them specific for mobile users. We propose an identification scheme that can be effectively used to protect privacy and show how this system builds upon a light-weight version of mandatory access control.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Log in via an institution

Price excludes VAT (USA)
Tax calculation will be finalised during checkout.

Instant access to the full article PDF.

Institutional subscriptions

Similar content being viewed by others

References

  1. P. Agrawal and C.J. Sreenan, Get wireless: A mobile technology spectrum, IEEE IT Pro (July/August 1999) 18–23.

  2. D.E. Bell and L.J. LaPadula, Secure computer system: Unified exposition and multics interpretation, Technical report MTR-2997, MITRE Corp., Bedford, MA (1976).

    Google Scholar 

  3. K.J. Biba, Integrity considerations for secure computer systems, ESDTR-76-372, USAF Electronic Systems Division (1977).

  4. B. Brumitt, B. Meyers, J. Krumm, A. Kern and S. Shafter, EasyLiving: Technologies for intelligent environments, in: Handheld and Ubiquitous Computing, 2nd International Symposium, Bristol, UK (September 2000) pp. 12–29.

  5. C. Dalton and T.H. Choo, An operating system approach to securing eservices, Communications of the ACM 44(2) (February 2001) 58–64.

    Google Scholar 

  6. A.K. Dey, Understanding and using context, Personal and Ubiquitous Computing 5(1) (2001) 4–7.

    Google Scholar 

  7. C. Eckert, Mobile devices in eBusiness ‐ New opportunities and new risks, in: Proc. Fachtagung Sicherheit in Informationssystemen (SIS), Zürich, Switzerland (5‐6 October 2000).

  8. W. Essmayr and E. Weippl, Identity mapping: An approach to unravel enterprise security management policies, in: Information Security for Global Information Infrastructures, Proc. of the IFIP World Computer Congress (Kluwer Academic, Beijing, August 2000).

    Google Scholar 

  9. L. Gong, M. Mueller, H. Prafullchandra and R. Schemers, Going beyond the sandbox: An overview of the security architecture in the Java Development Kit 1.2, in: Proc. of the USENIX Symposium on Internet Technologies and Systems, Montery, CA (December 1997).

  10. B.D.J. Joshi, W.G. Aref, A. Ghafoor and H.E. Spafford, Security models for Web-based applications, Communications of the ACM 44(2) (February 2001) 38–44.

    Google Scholar 

  11. W.H. Mangione-Smith, Mobile computing and smart spaces, IEEE Concurrency (October‐December 1998) 5–7.

  12. MapBlast, http: //www.mapblast.com

  13. MapQuest, http: //www.mapquest.com

  14. C. Perkins (ed.), IP mobility support, RFC 2002, Proposed standard, IETF Mobile IP Working Group (October 1996).

  15. A. Pfitzmann, B. Pfitzmann, M. Schunter and M. Waidner, Trusting mobile user devices and security modules, IEEE Computer (February 1997) 61–68.

  16. B. Pfitzmann, J. Riordan, C. Stüble, M. Waidner and A. Weber, The PERSEUS system, Research report RZ 3335 (#93381) 04/09/01 (2001) http://www.semper.org/sirene/lit/sirene. lit.html

  17. R.S. Sandhu and S. Jajodia, Honest databases that can keep secrets, in: Proc. of the 14th NIST-NCSC National Computer Security Conference (1991).

  18. P.F. Syverson, M.G. Reed and D.M. Goldschlag, Onion routing access configurations, in: DISCEX 2000: Proceedings of the DARPA Information Survivability Conference and Exposition, Vol. 1, Hilton Head, SC (IEEE CS Press, January 2000) pp. 34–40.

    Google Scholar 

  19. US Department of Defense, DoD Trusted Computer System evaluation criteria (The Orange Book) DOD 5200.28-STD (1985).

  20. J. Viega, T. Kohno and B. Potter, Trust and mistrust in secure applications, Communications of the ACM 44(2) (February 2001) 31–36.

    Google Scholar 

  21. G.U. Wilhelm, S.M. Staamann and L. Buttyan, A pessimistic approach to trust in mobile agent platforms, IEEE Internet Computing (September/October 2000) 40–48.

  22. J. Zao, S. Kent, J. Gahm, G. Troxel, M. Condell, P. Helinek, N. Yuan and I. Castineyra, A public-key based secure Mobile IP, Wireless Networks 5(5) (1999) 373–390.

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Software Competence Center Hagenberg, Hauptstr. 99, A-4232, Hagenberg, Austria

    Edgar Weippl & Wolfgang Essmayr

Authors
  1. Edgar Weippl
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Wolfgang Essmayr
    View author publications

    You can also search for this author in PubMed Google Scholar

Rights and permissions

Reprints and permissions

About this article

Cite this article

Weippl, E., Essmayr, W. Personal Trusted Devices for Web Services: Revisiting Multilevel Security. Mobile Networks and Applications 8, 151–157 (2003). https://doi.org/10.1023/A:1022237215026

Download citation

  • Issue Date:

  • DOI: https://doi.org/10.1023/A:1022237215026

Search

Navigation