429 research outputs found

    From Conventional to State-of-the-Art IoT Access Control Models

    Open access article. The advent in Online Social Networks (OSN) and Internet of Things (IoT) has created a new world of collaboration and communication between people and devices. The domain of internet of things uses billions of devices (ranging from tiny sensors to macro scale devices) that continuously produce and exchange huge amounts of data with people and applications. Similarly, more than a billion people are connected through social networking sites to collaborate and share their knowledge. The applications of IoT such as smart health, smart city, social networking, video surveillance and vehicular communication are quickly evolving people’s daily lives. These applications provide accurate, information-rich and personalized services to the users. However, providing personalized information comes at the cost of accessing private information of users such as their location, social relationship details, health information and daily activities. When the information is accessible online, there is always a chance that it can be used maliciously by unauthorized entities. Therefore, an effective access control mechanism must be employed to ensure the security and privacy of entities using OSN and IoT services. Access control refers to a process which can restrict user’s access to data and resources. It enforces access rules to grant authorized users an access to resources and prevent others. This survey examines the increasing literature on access control for traditional models in general, and for OSN and IoT in specific. Challenges and problems related to access control mechanisms are explored to facilitate the adoption of access control solutions in OSN and IoT scenarios. The survey provides a review of the requirements for access control enforcement, discusses several security issues in access control, and elaborates underlying principles and limitations of famous access control models. 
We evaluate the feasibility of current access control models for OSN and IoT and provide the future development direction of access control for the sam

    Ontology-based access control for social network systems

    As the information flowing around in social network systems is mainly related or can be attributed to their users, controlling access to such information by individual users becomes a crucial requirement. The intricate semantic relations among data objects, different users, and between data objects and users further add to the complexity of access control needs. In this paper, we propose an access control model based on semantic web technologies that takes into account the above mentioned complex relations. The proposed model enables expressing much more fine-grained access control policies on a social network knowledge base than the existing models. We demonstrate the applicability of our approach by implementing a proof-of-concept prototype of the proposed access control framework and evaluating its performance

    Authentication proxy: delegating authentication towards SPID, the italian Public Digital Identity System

    SPID, Public Digital Identity System, is the Italian solution born in March 2013 in order to provide a single unified digital identity card, for the citizens, to access public and private services. It is a worldwide example of a successful public-private partnership, and it is recognised for the open-source nature of the project; it is also recognised for strong adoption among citizens. The goal of this thesis is to provide a complete analysis of the SPID system, from the technical point of view, to the implementation in a Java Spring web application for a private company. We will see the main components of the system, the authentication process, the security and privacy aspects, and the main problems that the system has to face

    Preserving Privacy in Social Networking Systems: Policy-Based Control and Anonymity

    Social Networking Systems (SNSs), such as Facebook, are complex information systems involving a huge number of active entities that provide and consume enormous amounts of information. Such information can be mainly attributed to the users of SNSs and hence, can be considered privacy-sensitive. Therefore, in contrast to traditional systems where access control is governed by system policies, enabling individual users to specify their privacy control policies becomes a natural requirement. The intricate semantic relationships among data objects, users, and between data objects and users further add to the complexity of privacy control needs. Moreover, there is immense interest in studying social network data that is collected by SNSs for various research purposes. Anonymization is a solution to preserve user privacy in this case. However, anonymizing social network datasets effectively and efficiently is a much more challenging task than anonymizing tabular datasets due to the connectedness of the users in a social network graph. In this dissertation, we propose approaches and methods that facilitate preserving user privacy in terms of providing both fine-grained control of information and utility-preserving anonymization. In particular, we propose an ontology-based privacy control framework that enables fine-grained specification and enforcement of privacy control policies by both users and SNS providers. Our framework allows an SNS provider to determine privacy control policy authorities for SNS information, and allows users to specify advanced policies, that in addition to fine-grained policy specification, enables sharing of authority over protected resources. Based on such an ontology-based foundation, we also propose a framework to support novel privacy policy analysis tasks in SNSs. 
Furthermore, we propose a framework to enhance anonymization algorithms for social network datasets in terms of preserving their structural properties without sacrificing privacy requirements set for the algorithms. The proposed approaches direct the behavior of anonymization algorithms based on concepts in social network theory. We evaluate our proposed methods and approaches by implementing a prototype of the privacy control framework, carrying out a policy analysis case study for a real-world SNS, and performing an extensive set of experiments on improving social network anonymization in terms of preserving data utility

    An Event Driven Hybrid Identity Management Approach to Privacy Enhanced e-Health

    Credential-based authorization offers interesting advantages for ubiquitous scenarios involving limited devices such as sensors and personal mobile equipment: the verification can be done locally; it offers a more reduced computational cost than its competitors for issuing, storing, and verification; and it naturally supports rights delegation. The main drawback is the revocation of rights. Revocation requires handling potentially large revocation lists, or using protocols to check the revocation status, bringing extra communication costs not acceptable for sensors and other limited devices. Moreover, the effective revocation consent—considered as a privacy rule in sensitive scenarios—has not been fully addressed. This paper proposes an event-based mechanism empowering a new concept, the sleepyhead credentials, which allows to substitute time constraints and explicit revocation by activating and deactivating authorization rights according to events. Our approach is to integrate this concept in IdM systems in a hybrid model supporting delegation, which can be an interesting alternative for scenarios where revocation of consent and user privacy are critical. The delegation includes a SAML compliant protocol, which we have validated through a proof-of-concept implementation. This article also explains the mathematical model describing the event-based model and offers estimations of the overhead introduced by the system. The paper focuses on health care scenarios, where we show the flexibility of the proposed event-based user consent revocation mechanism. This work was partially funded by the Spanish Ministry of Science and Innovation under the project TEC2010-20572-C02-01 (CONSEQUENCE) and by the State of Madrid (Spain) under the contract number S2009/TIC-1650 (e-Madrid). Moreover, the authors would like to thank the anonymous referees for comments and recommendations for the paper improvement

    Me, Myself and I: Aggregated and Disaggregated Identities on Social Networking Services

    In this article I explore some of the legal issues arising from the transformation of SNS operators to providers of digital identity. I consider the implications of the involvement of private sector entities in the field of identity management and discuss some of the privacy implications, as well as the prospects for conciliation between online anonymity and pseudonymity, on the one hand, and the need for identifiability and accountability on the other hand.

    Policy-aware Distributed and Dynamic Trust based Access Control Scheme for Internet of Things

    The use of smart devices is driving the Internet of Things (IoT) trend today. Day by day IoT helps to support more services like car services, healthcare services, home automation, and security services, weather prediction services, etc., to ease user’s life. Integration of heterogeneous IoT devices and social resources sometimes creates many problems like the privacy of data. To avoid privacy issues, an appropriate access control mechanism is required to check authorized and trusted devices, so that only valid devices can access the data which is only required. In the sequel, this paper presents implementation of distributed and dynamic trust based access control mechanism (DDTAC) for secure machine to machine communication or distributed IoT environment. Novelty of this mechanism is that it uses trust calculation and device classification for dynamic access control. The proposed scheme is implemented, tested and deployed on Node MCU and same mechanism is also simulated on NS-2 for large number of nodes. This access control model supports Scalability, Heterogeneity, Privacy, Trust, Selective disclosure, Principle of least privileges, and lightweight calculation features. Results of this model prove that it gives good performance as compared to existing scheme in terms of scalability, throughput and delay. As number of devices increases it does not degrade performance. This mechanism is also protected against the Man-in-the-Middle attack, Sniffing attack, Session Hijacking attacks and Injection attacks. It required less time to detect and resist those attacks

    Certificate discovery using SPKI/SDSI 2.0 certificates

    Thesis (M.Eng.)--Massachusetts Institute of Technology, Dept. of Electrical Engineering and Computer Science, 1998. Includes bibliographical references (leaves 67-68). By Jean-Emile Elien. M.Eng