Context-Dependent Authentication and Access Control

  • Michael Kirkpatrick
  • Elisa Bertino
Part of the IFIP Advances in Information and Communication Technology book series (IFIPAICT, volume 309)


As mobile computing continues to rise, users are increasingly able to connect to remote services from a wide range of settings. To provide this flexibility, security policies must be adaptive to the user’s environment when the request is made. In our work, we define context to include the spatiotemporal aspects of the user request, in addition to quantifiable environmental factors determined by the server hosting the resource. We identify a number of key open problems in this field and propose potential solutions to some of the problems.



Copyright information

© IFIP International Federation for Information Processing 2009

Authors and Affiliations

  • Michael Kirkpatrick (1)
  • Elisa Bertino (1)
  1. Department of Computer Science and CERIAS, Purdue University, West Lafayette, USA