A Security Architecture Based on Trust Management for Pervasive Computing Systems
Lalana Kagal, Jeffrey Undercoffer, Filip Perich, Anupam Joshi, Tim Finin
Computer Science and Electrical Engineering Department, University of Maryland, Baltimore County

INTRODUCTION

Ordinary computing versus pervasive computing: what is pervasive computing?

The proposed solution is based on distributed trust management: creating security policies, assigning credentials, revoking them, and reasoning about them. The solution complements PKI and RBAC rather than replacing them.

Smart Spaces is a NIST-sponsored project. Many earlier attempts were made, but none used distributed trust as the way to secure the system and its policies. Earlier attempts:
1. Smart Homes by Unisys, which uses WAP and PDAs.
2. The Centaurus infrastructure system.
3. UC Berkeley's Ninja, and its problem.
4. PolicyMaker.

The proposed solution drew the good points from all of the above systems and uses PKI to enforce policies and security features.

Questions to keep in mind: what does a "policy" contain in this context? What exactly does it mean in terms of rules and rights? What do the authors actually propose, and what does it consist of?

Vigil is the proposed system. It can be used in wireless and wired settings; the main point is that security has to be dynamic. Vigil uses PKI and RBAC, but not RBAC in its pure form, which relies only on role hierarchies; instead it uses its own set of properties and constraints, expressed in an XML-based language.

There are six components: Service Manager, Communication Manager, Certificate Controller, Security Agent, Role Assignment Manager, and Clients (users and services).

Service Manager: broker between clients and services.

Communication Manager: communication gateway between the Service Managers of the different Spaces.

Certificate Controller: responsible for generating X.509 digital certificates [5] for entities in the system and for responding to certificate validation queries.

Role Assignment Manager: maintains a role list for the known entities in the system and a set of rules for role assignment. It responds to initial requests for role assignment in a particular Space.

Security Agent: manages the trust in the Space. It receives information about new access rights that are conferred on a user and about rights that are revoked, and reasons about the current rights of a user.

Clients: services and users.

All messages between the various entities in the Vigil system are in the Centaurus Capability Markup Language.

SERVICE MANAGER

The Service Manager acts as a mediator between the services and the users. All clients of the system, whether services or users, have to register with a Service Manager in the SmartSpace. The Service Manager is responsible for processing client registration and de-registration requests, for responding to registered clients' requests for a listing of available services, for brokering Subscribe, Unsubscribe and Command requests from users to services, and for sending service updates to all subscribed users whenever the state of a particular service changes.

Service Managers are arranged in a tree-like hierarchy, and messages are routed to other Service Managers through this tree. This tree structure forms the core of the Vigil system. Each client establishes trust with its own Service Manager, and Service Managers across the hierarchy establish trust among themselves; trust between any two clients is therefore established transitively through the chain of Service Managers, transparently to the clients.

CLIENT

During registration the client transmits its digital certificate, a list of the roles that may access it, and a client visibility flag. A service can also inform the Service Manager of the security level it requires. The Service Manager updates its knowledge by querying the Security Agent. The client and the Service Manager exchange certificates with the Security Agent as coordinator, and a web of trust is formed. The client then obtains its roles and associated rights from the Role Assignment Manager and receives a list of the services it can access. A client requests a service in another Space through its Service Manager, which in turn gets help from the Security Agent.

CERTIFICATE CONTROLLER

To get a certificate, an entity sends a certificate request to the Certificate Controller. The entity is sent back an X.509 certificate signed by the Certificate Controller, together with the Certificate Controller's self-signed certificate, which is used to validate the certificates of other entities. These certificates are stored and protected on the client's smartcard. Because the self-signed certificate is the trust anchor for the Space, the client must obtain it over a trusted path; the smartcard provides that protected storage. An entity could also enter a Space with a certificate from another Certificate Authority.

ROLE ASSIGNMENT MANAGER

The Role Assignment Manager maintains a list of roles associating entities with roles, and a set of rules for role assignment. These rules specify the credentials required to be in a certain role. When queried with the certificate of an entity, the Role Assignment Manager checks the access control list and the assignment rules to find the roles of the entity. An entity can have more than one role at a time; for example, an entity could be both a graduate student and a research assistant. The role of an entity can change over time, and its access rights can also change without any change in role, through delegation of rights.

When the Role Assignment Manager is initialized, it reads its X.509 digital certificate and its PKCS #11 [11] wrapped private key from a secure file and stores them in local memory. It also reads and indexes the ACL file, which contains the roles of all entities within the system, and stores the time stamp of the file. When the Role Assignment Manager receives a query for an entity's role, it compares the current time stamp of the ACL file with the time stamp of the last read; if they differ, it re-reads the ACL file. This allows the roles of entities to change continuously and dynamically. Note that this makes the ACL file the effective source of truth for role assignment: whoever can write that file can assign roles, so its integrity and write permissions matter as much as the private key.

SECURITY AGENT

The Security Agent uses a knowledge base and reasoning techniques to make security decisions. On initialization it reads the policy and stores it in a Prolog knowledge base. All requests are translated into Prolog, and the knowledge base is queried. The policy contains permissions, which are access rights associated with roles, and prohibitions, which are interpreted as negative access rights. Each query produces a positive or negative result.

When a user needs to access a service that it does not have the right to access, it requests permission from another user who has that right, or from the service itself. If the entity asked does have the permission to delegate access to the service, it sends a delegate message, signed with its own private key, together with its certificate, to both the Security Agent and the requester. The Security Agent checks the roles of the delegator and the delegatee and ensures that the delegator has the right to delegate and that
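The Role Assignment Manager's rule-based role lookup with its time-stamp-triggered ACL re-read, and the Security Agent's reasoning over permissions, prohibitions and delegations, as one added example in Python. This is constructed illustration code, not the Vigil implementation (which keeps its policy in Prolog): the attribute-based stand-in for a certificate, the ACL file format, the "delegate" right, and the rule that a prohibition overrides any permission or delegation are all assumptions, and the signature on the delegate message is not verified here.

```python
# Constructed model of Vigil's Role Assignment Manager (RAM) and Security Agent (SA)
# decision logic.  Illustration only; it is not the Vigil code base.
import os
import shutil
import tempfile
from dataclasses import dataclass

@dataclass(frozen=True)
class Certificate:
    subject: str           # stand-in for the X.509 subject name
    attributes: frozenset  # credentials the RAM's rules examine (assumed representation)

def write_acl(path, text):
    # Write the ACL file and force its mtime forward so the RAM's timestamp check sees
    # the change even on filesystems with coarse mtime resolution.
    old = os.stat(path).st_mtime_ns if os.path.exists(path) else 0
    with open(path, "w") as f:
        f.write(text)
    if os.stat(path).st_mtime_ns <= old:
        os.utime(path, ns=(old + 1_000_000_000, old + 1_000_000_000))

class RoleAssignmentManager:
    """Roles come from an ACL file of known entities and from rules giving the
    credentials required for a role; the ACL is re-read when its timestamp changes."""
    def __init__(self, acl_path, rules):
        self.acl_path, self.rules = acl_path, rules   # rules: {role: frozenset(attrs)}
        self._acl, self._last_mtime = {}, None
        self._load_acl()

    def _load_acl(self):
        acl = {}
        with open(self.acl_path) as f:
            for line in f:
                line = line.strip()
                if not line or line.startswith("#") or ":" not in line:
                    continue
                subject, roles = line.split(":", 1)
                acl[subject.strip()] = {r.strip() for r in roles.split(",") if r.strip()}
        self._acl, self._last_mtime = acl, os.stat(self.acl_path).st_mtime_ns

    def roles_of(self, cert):
        if os.stat(self.acl_path).st_mtime_ns != self._last_mtime:
            self._load_acl()   # roles changed on disk: pick them up without a restart
        roles = set(self._acl.get(cert.subject, ()))
        roles.update(role for role, need in self.rules.items() if need <= cert.attributes)
        return roles

class SecurityAgent:
    """Permissions are rights attached to roles; prohibitions are negative rights.
    Assumption not stated on the page: a prohibition overrides any permission or
    delegation, so delegation can never widen the rights of a prohibited entity."""
    def __init__(self, ram, permissions, prohibitions):
        self.ram, self.permissions, self.prohibitions = ram, permissions, prohibitions
        self.delegated = {}   # {subject: {(service, right), ...}} obtained by delegation

    def rights_of(self, cert):
        roles = self.ram.roles_of(cert)
        allowed = set().union(*(self.permissions.get(r, set()) for r in roles))
        allowed |= self.delegated.get(cert.subject, set())
        denied = set().union(*(self.prohibitions.get(r, set()) for r in roles))
        return allowed - denied

    def can(self, cert, service, right):
        return (service, right) in self.rights_of(cert)

    def delegate(self, delegator, delegatee, service, right):
        # The delegator must currently hold the right itself and a separate "delegate"
        # right on the service.  Checking the signature on the delegate message is out of scope.
        if not (self.can(delegator, service, right) and self.can(delegator, service, "delegate")):
            return False
        self.delegated.setdefault(delegatee.subject, set()).add((service, right))
        return True

def run_demo():
    # Constructed scenario: three entities, a printer and a projector.
    acl_path = os.path.join(tempfile.mkdtemp(), "acl.txt")
    write_acl(acl_path, "# subject: role, role\nalice: faculty\nbob: guest\n")
    rules = {"grad_student": frozenset({"dept:cs", "status:grad"}),
             "research_assistant": frozenset({"dept:cs", "funded:yes"})}
    sa = SecurityAgent(
        RoleAssignmentManager(acl_path, rules),
        permissions={"faculty": {("printer", "print"), ("printer", "delegate"),
                                 ("projector", "control"), ("projector", "delegate")},
                     "grad_student": {("printer", "print")}},
        prohibitions={"guest": {("projector", "control")}})
    alice = Certificate("alice", frozenset({"dept:cs"}))
    bob = Certificate("bob", frozenset({"dept:cs", "status:grad", "funded:yes"}))
    carol = Certificate("carol", frozenset({"dept:cs", "status:grad"}))
    out = {"carol_roles": sa.ram.roles_of(carol), "bob_roles": sa.ram.roles_of(bob),
           "carol_print": sa.can(carol, "printer", "print"),
           "carol_control_before": sa.can(carol, "projector", "control"),
           "alice_delegates_to_carol": sa.delegate(alice, carol, "projector", "control")}
    out["carol_control_after"] = sa.can(carol, "projector", "control")
    out["carol_delegates_to_bob"] = sa.delegate(carol, bob, "projector", "control")
    out["alice_delegates_to_bob"] = sa.delegate(alice, bob, "projector", "control")
    out["bob_control_while_guest"] = sa.can(bob, "projector", "control")
    write_acl(acl_path, "alice: faculty\n")   # bob loses "guest"; RAM re-reads on next query
    out["bob_control_after_acl_update"] = sa.can(bob, "projector", "control")
    shutil.rmtree(os.path.dirname(acl_path))
    return out
```

Running run_demo() walks through the cases the page describes: carol holds grad_student from a rule alone and can print but not control the projector; alice (faculty) can delegate projector control to her; carol cannot re-delegate because she lacks the "delegate" right; alice's delegation to bob is recorded but stays ineffective while bob's guest role carries a prohibition, and takes effect only after the ACL file on disk drops that role and the RAM re-reads it.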