A Certificate Based Authentication Control Model Using Smart Mobile Devices For Ubiquitous Computing Environments

Cavdar, Davut

01 September 2011

In this thesis work, a certificate based authentication model supported by mobile devices is provided for ubiquitous computing environments. The model primarily aims to create an infrastructure for controlling and regulating access requests through mobile devices to local resources and services. The model also allows users from different domains to use local resources and services within the scope of agreements between domains. In addition to conceptual description of the model, a real prototype implementation is developed and successful application of the model is demonstrated. Within the prototype implementation, a mobile application is developed for access requests and sensors are used as representative local resources. Sample cases applied on the prototype demonstrate applicability and feasibility of the model.

QA Computer Software 76.75-76.765

Electronic Access Control Systems: A New Approach

Janardhana Swamy, V C

09 1900

Security systems are gaining increasing importance in recent times to protect life and valuable resources. Many advanced methods of providing security have been developed and are in use in the last few decades. Of these, one important area is the security system required for military/strategic applications, which has advanced greatly. But, such systems being complex and expensive are useful in high-end applications only. However, with the recent progress in technology and the growing need for increased security in civilian and other applications, many low cost solutions for security systems have now emerged. As a result, many applications where only a simple intruder alarm was the means of providing security in earlier days are now able to associate with more advanced and foolproof access control techniques. And the field of Access Control Systems (ACSs) using modern approaches has become a major means of providing security in all applications, both military and civilian.

Computer Science

Cryptography

Computer Security

Access Control Systems (ACS)

System Design

Microcontrollers

Computers - Access Control

Hardware Design

Software Design

Refined Access Control in a Distributed Environment / Finkornig åtkomstkontroll i en distribuerad miljö

Boström, Erik

January 2002

<p>In the area of computer network security, standardization work has been conducted for several years. However, the sub area of access control and authorization has so far been left out of major standardizing. </p><p>This thesis explores the ongoing standardization for access control and authorization. In addition, areas and techniques supporting access control are investigated. Access control in its basic forms is described to point out the building blocks that always have to be considered when an access policy is formulated. For readers previously unfamiliar with network security a number of basic concepts are presented. An overview of access control in public networks introduces new conditions and points out standards related to access control. None of the found standards fulfills all of our requirements at current date. The overview includes a comparison between competing products, which meet most of the stated conditions. </p><p>In parallel with this report a prototype was developed. The purpose of the prototype was to depict how access control could be administered and to show the critical steps in formulating an access policy.</p>

Informationsteknik

access control

PKI

VPN

X.509

RBAC

role-based access control

computer security

cryptography

Informationsteknik

Information technology

Informationsteknik

Μηχανισμός πρόσβασης για υπηρεσίες ιστού (web services) για βιομηχανικές εφαρμογές

Κατσαρού, Κατερίνα

22 January 2009

Η διπλωματική εργασία ασχολείται με την ανάγκη για έναν προηγμένο μηχανισμό ασφάλειας που θα παρέχει προστασία πληροφοριών από τους μη εξουσιοδοτημένους χρήστες. Τα περισσότερα συστήματα σε εταιρικό και βιομηχανικό επίπεδο χρησιμοποιούν την απλή εξουσιοδότηση (simple authorization) ή all-or-nothing όπου έχουμε παραχώρηση πρόσβασης στους πόρους του συστήματος εάν ο χρήστης είναι εξουσιοδοτημένος ή εάν δεν είναι άρνηση πρόβλεψης χωρίς να έχει προβλεφθεί κάποια ενδιάμεση λύση. Στην περίπτωση του ελέγχου πρόσβασης για υπηρεσίες Ιστού (web services) –που είναι εφαρμογές που παρέχονται μέσω Διαδικτύου όπως φαίνεται και από το όνομά τους- δεν είναι ικανοποιητική η παραχώρηση πρόσβασης σε ολόκληρη την υπηρεσία Ιστού δηλαδή η πρόσβαση στο υψηλότερο επίπεδο (coarse-grained access control) αλλά απαιτείται και η πρόσβαση σε κάποια ή κάποιες από τις μεθόδους την υπηρεσίας Ιστού δηλαδή η διαβαθμισμένη πρόσβαση (fine-grained access control). Η πολιτική ελέγχου πρόσβασης που χρησιμοποιήσαμε είναι ο έλεγχος πρόσβασης βασισμένος σε ρόλους (Role-based Access Control) όπου οι χρήστες αποκτούν πρόσβαση στους προστατευόμενους πόρους (μια ολόκληρη υπηρεσία Ιστού ή μέθοδο) συνδεόμενοι με ρόλους με τις κατάλληλες άδειες πρόσβασης δηλαδή μόνο εξουσιοδοτημένοι χρήστες έχουν πρόσβαση στους προστατευόμενους πόρους. Τέλος υποθέσαμε μία βιομηχανική υποδομή που παρέχει σε πελάτες πρόσβαση μέσω ενός OPC XML-DA server όπου το OPC είναι ένα σύνολο από ανοικτά πρότυπα που παρέχουν δια-λειτουργικότητα (interoperability) και συνδεσιμότητα (connectivity) μεταξύ βιομηχανικού αυτοματισμού και επιχειρησιακών συστημάτων. / -

Υπηρεσίες ιστού

005.8

Web services

Fine-grained access control

Role-based access control

Algorithmic Problems in Access Control

Mousavi, Nima

29 July 2014

Access control is used to provide regulated access to resources by principals. It is an important and foundational aspect of information security. Role-Based Access Control (RBAC) is a popular and widely-used access control model, that, as prior work argues, is ideally suited for enterprise settings. In this dissertation, we address two problems in the context of RBAC. One is the User Authorization Query (UAQ) problem, which relates to sessions that a user creates to exercise permissions. UAQ's objective is the identification of a set of roles that a user needs to activate such that the session is authorized to all permissions that the user wants to exercise in that session. The roles that are activated must respect a set of Separation of Duty constraints. Such constraints restrict the roles that can be activated together in a session. UAQ is known to be intractable (NP-hard). In this dissertation, we give a precise formulation of UAQ as a joint-optimization problem, and analyze it. We examine the manner in which each input parameter contributes to its intractability. We then propose an approach to mitigate its intractability based on our observation that a corresponding decision version of the problem is in NP. We efficiently reduce UAQ to Boolean satisfiability in conjunctive normal form (CNF-SAT), a well-known NP-complete problem for which solvers exist that are efficient for large classes of instances. We also present results for UAQ posed as an approximation problem; our results suggest that efficient approximation is not promising for UAQ. We discuss an open-source implementation of our approach and a corresponding empirical assessment that we have conducted. The other problem we consider in this dissertation regards an efficient data structure for distributed access enforcement. Access enforcement is the process of validating an access request to a resource. Distributed access enforcement has become important with the proliferation of data, which requires access control systems to scale to tens of thousands of resources and permissions. Prior work has shown the effectiveness of a data structure called the Cascade Bloom Filter (CBF) for this problem. In this dissertation, we study the construction of instances of the CBF. We formulate the problem of finding an optimal instance of a CBF, where optimality refers to the number of false positives incurred and the number of hash functions used. We prove that this problem is NP-hard, and a meaningful decision version is in NP. We then propose an approach to mitigate the intractability of the problem by reducing it to CNF-SAT, that allows us to use a SAT solver for instances that arise in practice. We discuss an open-source implementation of our approach and an empirical assessment based on it.

Network-layer reservation TDM for ad-hoc 802.11 networks

Duff, Kevin Craig

January 2008

Ad-Hoc mesh networks offer great promise. Low-cost ad-hoc mesh networks can be built using popular IEEE 802.11 equipment, but such networks are unable to guarantee each node a fair share of bandwidth. Furthermore, hidden node problems cause collisions which can cripple the throughput of a network. This research proposes a novel mechanism which is able to overcome hidden node problems and provide fair bandwidth sharing among nodes on ad-hoc 802.11 networks, and can be implemented on existing network devices. The scheme uses TDM (time division multiplexing) with slot reservation. A distributed beacon packet latency measurement mechanism is used to achieve node synchronisation. The distributed nature of the mechanism makes it applicable to ad-hoc 802.11 networks, which can either grow or fragment dynamically.

Computer networks -- Access control

Computers -- Access control

Computer networks -- Management

Time division multiple access

Ad hoc networks (Computer networks)

Creating access control maps and defining a security policy for a healthcare communication system / Skapande av access control maps och säkerhetspolicy för ett kommunikationssystem inom sjukvården

Petersson Lantz, Robert, Alvarsson, Andreas

January 2015

This report handles the creation of an access control map and the dening of asecurity policy for a healthcare communication system. An access control mapis a graphical way to describe the access controls of the subjects and objects ina system. We use a three step method to produce a graphical overview of theparts in the system, the interactions between them and the permissions of thesubjects. Regarding the security policy we create a read up and read down policylike the so called Ring policy, but adapt a write sideways approach. We alsoapply a mandatory access control which has a centralized authority that denesthe permissions of the subjects. Attribute restrictions is also included to thesecurity levels, to set an under limit for reading permissions.

Access control map

Security policy

Risk analysis

Access control

Motivation matrix

Offering map

User policy cards

Computer Sciences

Datavetenskap (datalogi)

A study of South African computer usersʹ password usage habits and attitude towards password security

Friedman, Brandon

January 2014

The challenge of having to create and remember a secure password for each user account has become a problem for many computer users and can lead to bad password management practices. Simpler and less secure passwords are often selected and are regularly reused across multiple user accounts. Computer users within corporations and institutions are subject to password policies, policies which require users to create passwords of a specified length and composition and change passwords regularly. These policies often prevent users from reusing previous selected passwords. Security vendors and professionals have sought to improve or even replace password authentication. Technologies such as multi-factor authentication and single sign-on have been developed to complement or even replace password authentication. The objective of the study was to investigate the password habits of South African computer and internet users. The aim was to assess their attitudes toward password security, to determine whether password policies affect the manner in which they manage their passwords and to investigate their exposure to alternate authentication technologies. The results from the online survey demonstrated that password practices of the participants across their professional and personal contexts were generally insecure. Participants often used shorter, simpler and ultimately less secure passwords. Participants would try to memorise all of their passwords or reuse the same password on most of their accounts. Many participants had not received any security awareness training, and additional security technologies (such as multi-factor authentication or password managers) were seldom used or provided to them. The password policies encountered by the participants in their organisations did little towards encouraging the users to apply more secure password practices. Users lack the knowledge and understanding about password security as they had received little or no training pertaining to it.

Computer users -- Attitudes

Computers -- Access control -- Passwords

Internet -- Access control

Internet -- Security measures

Internet -- Management

Data protection

Semantic and Role-Based Access Control for Data Grid Systems

Muppavarapu, Vineela

11 December 2009

No description available.

Computer Science

Data Grid

role-based access control

semantic-based access control

Storage Resource Broker

Shibboleth

ontology

The effect of awareness at the medium access control layer of vehicular ad-hoc networks

Booysen, Marthinus J.

12 1900

Thesis (PhD)-- Stellenbosch University, 2013. / ENGLISH ABSTRACT: The hidden terminal problem, coupled with high node mobility apparent in vehicular networks, present challenges to e cient communication between vehicles at the Medium Access Control (MAC) layer. Both of these challenges are fundamentally problems of lack of awareness, and manifest most prominently in the broadcasting of safety messages in infrastructure-free vehicle-to-vehicle communications. The design of existing contention-free and contention-based MAC approaches generally assumes that nodes that are in range of one another can take steps to coordinate communications at the MAC layer to overcome the hidden terminal problem and node mobility. Unicasting with the existing MAC standard, IEEE 802.11p, implicitly assumes an awareness range of twice the transmission range (a 1-hop awareness range) at most, since handshaking is used. For broadcasting, the assumption implies an awareness range that is at most equal to the transmission range, since only carrier sensing is used. Existing alternative contention-free approaches make the same assumption, with some protocols explicitly using a 1-hop awareness range to avoid packet collisions. This dissertation challenges the convention of assuming that a 1-hop awareness range is su cient for networks with high mobility, such as VANETs. In this dissertation, the impact of awareness range and management of the awareness information on MAC performance is researched. The impact of the number of slots that is required to support the awareness range is also evaluated. Three contention-free MAC protocols are introduced to support the research. The rst is an improved version of an existing MAC method, which is used to demonstrate the e ects on performance of changes to awareness management. The second MAC uses three competing processes to manage awareness information. The second MAC is designed for a con gurable awareness range and con gurable number of slots, and is used to evaluate the e ects of awareness range and number of slots on MAC performance. The third MAC is random access based and is used to evaluate the impact on performance of removing awareness completely. An analytical model is developed to support the simulated results. The simulation results demonstrate that awareness range, awareness information management, and number of slots used are key design parameters that signi cantly impact on MAC performance. The results further show that optimal awareness-related design parameters exist for given scenarios. Finally, the proposed contention-free and random access MAC methods are simulated and performance compared with IEEE 802.11p. All three outperform the contentionbased standard IEEE 802.11p. / AFRIKAANSE OPSOMMING: Die versteekte-nodus-probleem, gekoppel met die hoë vlakke van nodusbeweging teenwoordig in voertuignetwerke, bied uitdagings vir doeltre ende kommunikasie tussen voertuie in die medium-toegangbeheer- (MAC) vlak. Beide van hierdie probleme spruit uit beperkte bewustheid, en manifesteer veral in die uitsaai van veiligheidsboodskappe in infrastruktuurvrye voertuig-na-voertuig-kommunikasie. Die ontwerp van bestaande wedywerende en nie-wedywerende MAC benaderings neem aan dat nodusse wat binne bereik van mekaar is, stappe kan neem om kommunikasie op die MAC-vlak te koördineer, ten einde probleme met versteekte nodusse en mobiliteit te oorkom. Vir punt-tot-puntkommunikasie met IEEE 802.11p, impliseer dié aanname 'n bewustheidstrekking van hoogstens twee keer die radiobereik (1-hop bewustheidstrekking), aangesien bladskud gebruik word. In die geval van uitsaai, impliseer die aanname 'n bewustheidstrekking hoogstens gelyk is aan die radiobereik, aangesien slegs draeropsporing gebruik word. Nie-wedywerende metodes maak dieselfde aanname, met sommiges wat eksplisiet 1-hop-bewustheidstrekking gebruik om pakkieverliese te voorkom. Hierdie verhandeling wys dat hierdie aanname nie geld vir netwerke met hoë mobiliteit nie, soos wat die geval is vir VANET. In hierdie verhandeling word die impak van bewustheidstrekking en bestuur van die bewustheidsinligting in die MAC-vlak ondersoek. Die impak van die aantal tydgleuwe wat nodig is om die bewustheidstrekking te ondersteun word ook ondersoek. Drie nie-wedywerende metodes word bekendgestel om die navorsing te ondersteun. Die eerste is 'n verbeterde weergawe van 'n bestaande MAC, wat gebruik word om die e ekte van bewustheidsbestuur op MAC-werkverrigting te beoordeel. Die tweede MAC is ontwerp om veranderbare bewustheidstrekking en hoeveelheid tydgleuwe te ondersteun, en word gebruik om die e ekte van bewustheidstrekking en hoeveelheid tydgleuwe op MAC werkverrigting aan te beoordeel. Die derde MAC is ewetoeganklik (onbewus van omliggende nodusse) en word gebruik om die impak van die verwydering van bewustheid op werkverrigting te ondersoek. 'n Analitiese model is ontwikkel om die simulasieresultate te ondersteun. Die simulasieresultate dui aan dat bewustheidstrekking, bestuur van bewustheidsinligting, en hoeveelheid tydsgleuwe sleutel-ontwerpsveranderlikes is wat 'n beduidende impak het op MAC werkverrigting. Die resultate wys verder dat optimale ontwerpsveranderlikes, in terme van bewustheid, bestaan vir gegewe scenario's. Laastens, word die nie-wedywerende en ewetoeganklike MAC-metodes wat gesimuleer word se werkverrigting vergelyk met IEEE 802.11p. Al drie MAC metodes vaar beter as die wedywerende standaard, IEEE 802.11p.

Medium Access Control (MAC)

Neighbour awareness

Mobile communication systems