Trust-enhanced Security in Location-based Adaptive Authentication

We propose trust to enhance security in adaptive and non-intrusive user authentication in controlled and pervasive environments. In addition to who a user is (e.g., via biometrics) and what a user knows (e.g., a password, a PIN), recent authentication solutions evaluate what a user has. The user's identity is then derived from the detectable accredited items (e.g., badges, RFID tags) and personal devices (e.g., smartphones, PDAs) the user shows when authenticating, and the security level of the access is set accordingly. Position information is also considered in authentication: only users carrying authorised items in proximity of certain places can benefit from the resources available at those places. Unfortunately, items such as badges, mobile phones, smartphones and RFID cards can be stolen, forgotten, or lost, with a consequent risk of identity theft and intrusion. In controlled environments like buildings, where sensors can detect a wide range of different types of items, the security of authentication can be improved by evaluating the amount of trust that can be placed in the user standing in the area from which he tries to access a resource. This piece of information can be calculated from the positions of all the items linkable to the requester, as sensed over time by the different sensors available. Sensors are seen as recommenders that give opinions on a user being in a requested position, depending on what they have perceived in the environment. We apply Subjective Logic to model the recommendations that originate from different types of location detectors and to combine them into a trust value. Our solution has been tested to improve authentication in an intelligent coffee corner of our research institute. A user at the coffee corner can see, displayed on a wall screen, the position of his colleagues depending on the level of authentication he obtains.
The user authentication level depends on the number and on the quality of the tokens he provides when authenticating. We discuss how the use of a location-based trust (in the requester standing at the coffee corner) improves the adaptability, the non-intrusiveness, and the security of the authentication process. We validate our proposal with a simulation that shows how location-based trust changes when a user device moves away from the coffee corner.
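The abstract describes sensors as recommenders whose opinions about the requester's position are combined with Subjective Logic into a trust value, and a simulation in which that trust drops as a device moves away. The following is an added worked example, not code from the paper or its authors: it assumes Jøsang's evidence-to-opinion mapping, the recommendation (discounting) operator and cumulative (consensus) fusion as the combination rules, which the page does not state; the sensor names, the reliability opinions placed in each sensor, the sighting counts and the authentication thresholds are all constructed for illustration.

```python
"""Location-based trust from per-sensor evidence using Subjective Logic.

Added example, not the paper's code. Assumed operators: Josang's evidence
mapping, recommendation discounting and cumulative fusion. Sensor names,
reliabilities, sighting counts and thresholds are constructed.
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Opinion:
    b: float          # belief that the proposition holds
    d: float          # disbelief
    u: float          # uncertainty (lack of evidence)
    a: float = 0.5    # base rate used when uncertainty is resolved

    def __post_init__(self) -> None:
        if abs(self.b + self.d + self.u - 1.0) > 1e-9:
            raise ValueError("b + d + u must equal 1")

    @property
    def expectation(self) -> float:
        """Probability expectation E = b + a*u."""
        return self.b + self.a * self.u


VACUOUS = Opinion(0.0, 0.0, 1.0)


def from_evidence(r: float, s: float, a: float = 0.5, W: float = 2.0) -> Opinion:
    """r supporting and s contradicting observations -> opinion (W = prior weight)."""
    tot = r + s + W
    return Opinion(r / tot, s / tot, W / tot, a)


def discount(trust_in_source: Opinion, claim: Opinion) -> Opinion:
    """Recommendation operator: a sensor's claim weakened by our trust in the sensor.
    Disbelief and uncertainty about the sensor become uncertainty about the claim."""
    bt = trust_in_source.b
    u = trust_in_source.d + trust_in_source.u + bt * claim.u
    return Opinion(bt * claim.b, bt * claim.d, u, claim.a)


def fuse(x: Opinion, y: Opinion) -> Opinion:
    """Cumulative fusion (consensus) of two independent opinions on the same proposition."""
    k = x.u + y.u - x.u * y.u
    if k == 0:  # both opinions dogmatic: equal-weight limit case
        return Opinion((x.b + y.b) / 2, (x.d + y.d) / 2, 0.0, x.a)
    b = (x.b * y.u + y.b * x.u) / k
    d = (x.d * y.u + y.d * x.u) / k
    return Opinion(b, d, (x.u * y.u) / k, x.a)


# How far the access controller trusts each location detector as a recommender (constructed).
SENSOR_RELIABILITY: dict[str, Opinion] = {
    "badge_reader": Opinion(0.90, 0.02, 0.08),
    "rfid_gate":    Opinion(0.80, 0.05, 0.15),
    "bt_scanner":   Opinion(0.60, 0.10, 0.30),
}

# Constructed thresholds mapping location trust to an authentication level.
LEVELS = [(0.80, "high"), (0.55, "medium"), (0.0, "low")]


def location_trust(readings: dict[str, tuple[int, int]]) -> float:
    """Expected probability that the requester is at the coffee corner.

    readings maps a sensor name to (sightings of the user's item at the corner,
    sightings of it elsewhere) within the recent observation window."""
    combined = VACUOUS
    for sensor, (at_corner, elsewhere) in readings.items():
        claim = from_evidence(at_corner, elsewhere)
        combined = fuse(combined, discount(SENSOR_RELIABILITY[sensor], claim))
    return combined.expectation


def authentication_level(trust: float) -> str:
    for threshold, level in LEVELS:
        if trust >= threshold:
            return level
    return "low"


def simulate_walk_away(steps: int = 4) -> list[float]:
    """Trust trajectory as the phone's Bluetooth sightings shift from the corner to elsewhere,
    while a single earlier badge swipe at the corner remains in the window."""
    trace = []
    for k in range(steps + 1):
        readings = {"badge_reader": (1, 0), "bt_scanner": (steps - k, k)}
        trace.append(round(location_trust(readings), 3))
    return trace


if __name__ == "__main__":
    present = {"badge_reader": (4, 0), "rfid_gate": (2, 0), "bt_scanner": (5, 0)}
    t = location_trust(present)
    print(f"all items at corner: trust={t:.3f} level={authentication_level(t)}")
    print("walk-away trace:", simulate_walk_away())
```

Each sensor's sightings are turned into an opinion with residual uncertainty, discounted by the controller's trust in that sensor, and fused with the others; a lone low-reliability scanner can therefore never push the trust as high as agreeing badge and RFID readers, and the walk-away trace decreases monotonically as the phone is seen elsewhere.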
