Computer Science Department
School of Computer Science, Carnegie Mellon University
Access Control to Information in
This thesis presents a distributed access-control architecture for pervasive computing that supports complex and derived information and confidential context-sensitive constraints. Namely, the thesis makes the following contributions: First, I introduce a distributed access-control architecture, in which a client proves to a service that the client is authorized to access the requested information. Second, I incorporate the semantics of complex information as a first-class citizen into this architecture, based on information relationships. Third, I propose derivation-constrained access control, which reduces the in- fluence of intruders into a service by making the service prove that it is accessing information on behalf of an authorized client. Fourth, I study the kinds of information leaks that confidential context-sensitive constraints can cause, and I introduce access-rights graphs and hidden constraints to address these leaks. Fifth, I present obscured proof-of-access descriptions, which allow a service to inform a client of the required proof of access without leaking confidential information being part of this description. Sixth, as an alternative approach, I introduce an encryption-based access-control architecture for pervasive computing, in which a service gives information to any client, but only in an encrypted form.