|Current Web Page|
For my Ph.D. Thesis, I investigated access control to information available in ubicomp environments in the context of Carnegie Mellon's Aura project. While access control has been researched extensively for filesystems or databases, additional challenges arise for ubicomp environments. For example, there are many sources of personal information, which makes it impractical for a single person to make decisions about and issue access rights to every available information item about her. I have developed techniques to reduce the number of access rights that individuals have to define. A central statement of my research is that it is possible to make relationships between information first-class citizens in access control. Information relationships simplify management of access rights and easily support concepts such as granularity-aware access control and access control to complex information. I have examined the types of information relationships important for ubicomp environments and formalized their establishment and usage in access control. In addition, I have implemented the proposed access control framework and evaluated its performance and complexity. Details are in this paper.
I have also examined approaches for distributing access control load. In distributed access control, a client needs to prove to an information source that it is authorized to access the requested information. However, conventional applications of proof-based access control can fail in a ubicomp environment. In particular, if access control is based on the semantics of information that a client is requesting, the client will not know how the required proof of access should look like. I have applied cryptographic primitives (i.e., hierarchical identity-based encryption) to overcome this problem. Details are in this paper.
Access rights to information can be constrained, that is, an access right is valid only if some conditions are satisfied. In ubicomp environments, these conditions can involve confidential information, such as a person's location. Therefore, being granted access and learning that a condition is fulfilled can lead to information leaks. I have developed techniques that enable (distributed) access control to take constraints on access rights into account, without leaking information. (Paper under submission.)
While my research has concentrated on distributed, proof-based access control, I have also investigated alternative approaches. Namely, I have explored encryption-based access control, where an information source encrypts information and gives the ciphertext to any client. Only authorized clients can decrypt the ciphertext. To study the feasibility of encryption-based access control, I have extended existing cryptographic primitives to fit the needs of a ubicomp environment. Details are in this paper.
In previous research, I examined security issues that arise if people can learn about each other's location. Moreover, I designed, implemented, and evaluated a secure people location system. Details are in this paper.