Case 6:21-cv-01101-ADA Document 31-22 Filed 05/19/22 Page 1 of 7
`Case 6:21-cv-01101-ADA Document 31-22 Filed 05/19/22 Page 1 of 7
`
`EXHIBIT 22
`EXHIBIT 22
`
`

`

`Case 6:21-cv-01101-ADA Document 31-22 Filed 05/19/22 Page 2 of 7
`
`A Flexible, Privacy-Preserving Authentication Framework
`for Ubiquitous Computing Environments*
`
`Jalal Al-Muhtadi Anand Ranganathan Roy Campbell M. Dennis Mickunas
`Department of Computer Science,
`University of Illinois at Urbana-Champaign,
`(almuhtad, ranganat, rhe, mickunas}@uiuc.edu
`
`Abstract
`The proliferation of smart gadgets, appliances, mobile
`devices, PDAs and sensors has enabled the construction
`of ubiquitous computing environments, transforming
`regular physical spaces into ''Active Information Spaces
`augmented with intelligence and enhanced with semces.
`This new exciting computing paradigm promises to revo­
`lutionize the way m interact with computers, semces,
`and the surrounding physical spaces, yielding higher pro­
`ductivity and more seamless interaction between users
`and eomputing serviees. However, the deployment of this
`eomputing paradigm in real-life is hindered by poor secu­
`rity, particularly, the lack of proper authentieation and.
`access control techniques and privacy presemng proto­
`cols. We propose an authentication framework that ad­
`dresses this problem through the use of different wearable
`and embedded devices. These devices authenticate entities
`with varied levels of confidence, in a transparent, conven­
`ient, and private manner, allowing the framework to
`blend nicely into ubiquitous computing environments.
`Keywords
`Ubiquitous computing, security, authentication, context­
`awareness, privacy. Mist
`1. Introduction
`Ubiquitous computing or Active Information Spaces pro­
`mote the proliferation of embedded deviees, smart gadg­
`ets, sensors and actuators. We envision an Active Infor­
`mation Space to contain hundreds, or even thousands, of
`devices and sensors that will be everywhere, performing
`regular tasks, providing new functionality, bridging the
`virtual and physical worlds, and allowing people to com­
`municate more effectively and interact seamlessly with
`avail able computing resources and the surrounding physi­
`cal environment. This vision of Active Information Spaces
`is not far fetched; the Gaia project [1]|21131 at the De­
`partment of Computer Science, University of Illinois at
`Urbana-Champaign, attempts to develop a component­
`
`based, middleware system that provides support for build­
`ing, registering and managing applications tliat run in the
`context of Active Information Spaces. However, the reai-
`life deployment of Active Information Spaces is hindered
`by poor and inadequate security measures, partieularly,
`authentieation and access control techniques. Active In­
`formation Spaces promote the automation of some ser­
`vices (e.g. automatic adjustments of lighting and air con­
`ditioning), and the anytime, anywhere access to resources,
`in an attempt to enhance users' productivity and services'
`availability. However, these same features give enormous
`leverage to eyber-attaekers, haekers, and unauthorized
`intiiiders allowing them to inflict greater damage onee
`they break into the system. Also, Active Spaces encom­
`pass both the virtual and physical worlds; this makes them
`prone to more severe seeurity threats and vulnerabilities
`that could threaten people in the physical world besides
`threatening their data and programs in the virtual world.
`Most traditional authentication methods either do not
`scale well in massively distributed environments, with
`hundreds or thousands of embedded deviees like Aetive
`Spaces, or they are inconvenient for users roaming aiound
`within Active Space environments. Moreover, authentica­
`tion in Active Spaees eannot use a ''one-size-fits-aii" ap­
`proach, as authentication requirements differ greatly
`among different Active Spaces and different applications
`and contexts within the same Active Space,
`Different applications have highly varied authentica­
`tion requirements. Some like a weather serviee may be
`aeeessible by anybody. Other services, like eontrolling a
`power grid may require a person to be authenticated with
`a ''high-level" of ''confidence." This may require him to
`pass various checks like fingerprint recognition, retinal
`scan, face recognition, remembering a password, etc. We
`need a model that ean handle this range of authentieation
`requirements.
`In this paper we propose an authentication framework
`that provides a flexible and convenient authentication and
`
`This research is supported by a grant from the National Science Foundation, NSF CCR 0086094 ITR and NSF 99-72884 EQ.
`
`Computer
`Proceedings of the 22 nd Internationa! Conference on Distributed Comp니ting Systems Workshops (!CDCSW'O2)
`SOCIETY
`0-7695-1588-6/02 $17.00 © 2002 IEEE
`A니thorized licensed use limited to: University of Texas at Austin. Downloaded on March 01,2022 at 05:10:55 UTC from IEEE Xplore. Restrictions apply.
`DEF-AIRE-EXTRINSICOOO00091
`
`

`

`Case 6:21-cv-01101-ADA Document 31-22 Filed 05/19/22 Page 3 of 7
`
`access control services for Active Spaces. The frame-
`work^s flexibility is demonstrated tlirough its ability to
`support multiple authentication devices and methods,
`while allowing new authentication technologies to be in-
`eorporated dynamically. The framework enables the use
`of different wearable and embedded devices to authenti-
`eate entities with different levels of eonfidenee. However,
`the use of wearable devices and aetive badges eould se­
`verely violate the loeation privaey of users. Without care­
`ful design, sueh a system ean become an effective surveil­
`lance system. We employ Gaia^s Mi이 communication
`protocol [5] [6] to authenticate users while preserving their
`location privacy.
`This framework is capable of scaling to massively
`distributed systems, while supporting the dynamism and
`tlexibiiity that Aetive Spaees promote, and being eustom-
`izable enough to adapt to different privacy and authentiea-
`tion requirements of different Active Spaces and different
`contexts within a siR이e Active Space.
`The remainder of this paper is divided as follows.
`Section 2 talks about the various authentication devices
`that we use in out authentication framework. Section 3
`shows how our system uses confidence values to provide
`greater flexibility. Section 4 illustrates our authentication
`protocol. Section 5 briefly mentions how context-sensitive
`information is incorporated into our framework.
`2. Authentication Devices
`In this section, we briefly deseribe the authentieation de-
`viees that are ineorporated in our Active Information
`spaces. We examine their capabilities and reliability.
`2.1 Active Badges
`In our environment, each person has an RF-based active
`badge that can transmit identification information [9].
`This identification information is in the form of a 32 byte
`string. This 이ring can be written into tiie badge. The
`transmitted ID is received by base stations that are posi­
`tioned in different locations. The base stations can detect
`badges within a range of 3-20 ft. This range can be set
`aeeording to the requirements of the system. Badges ean
`thus give the loeation of a person in terms of which room
`he is in (although the RF signals can penetrate walls some­
`times and give wrong information). Badges can also give
`the loeation at a sub-room granularity if there are a num­
`ber of base stations in different pails of the room and their
`ranges are set appropriately. On their own, these badges
`are not a very reliable means of authentication. This is
`because tiie badges transmit the identification number in
`plaintext and this can be easily captured and replayed by
`someone else. Aiso badges can be lost, stolen or ieft be­
`hind somewhere. Further, these active badges have limited
`processing and storage capabilities. However, the usage of
`active badges does not require any sort of intervention on
`the part of the user since they keep transmitting all the
`
`time and can, hence, be continuously detected. So, we use
`active badges as a way of finding out where exactly a user
`is inside a room.
`2.2 Smart Jewelry
`Jewelry can be worn at all times, is harder to steal and
`does not require a user to carry additional gear. Therefore,
`computerized jewelry can provide a convenient way for
`authentication. We use the iButton® [7] as a prototype for
`this kind of devices. The iButton is a 16mm computer
`chip armored in a stainless steel ean. It allows up-to-date
`information to travel with a person or object. The steel
`button is rugged enough to witiistand harsh outdoor envi­
`ronments. The Java powered iButton has a microprocessor
`with a JVM running inside it. It aiso has support for per­
`forming cryptographic operations. Special ports allow a
`user to plug his ring into them. The iButton can then ex­
`change information with a computer. If each user has a
`ring, it can function as a means of authentication. The ring
`can store a users name and password encrypted with a key
`only known to the authentication server.
`23 Smart Watches
`Another wearable deviee that is worn by people almost in
`daily basis is wristwatches. A “smart” watch can be used
`as an interactive wearable device, providing a higher de­
`gree of secure authentication. In contrast to the iButton, a
`smart watch stores more information, packs more process­
`ing power, features a display, and enables a user to inter-
`aet with the deviee. These eapabilities make a smart
`watch a more secure authentication device.
`For our system we use the Matsucom^s OnHand™
`PC wristwatch [8] which packs a 16-bit microcontroiler
`running at 3.64 MHz, 2 MB of flash memory, 128 KB
`RAM, and an LCD.
`2.4 PDAs
`In addition to the wearable gadgets, larger PDAs are also
`used for authentication purposes. These inelude J2ME-
`enabled mobile phones, whieh run a lightweight version of
`Java (J2ME), Compaq iPAQs and HP Jornadas which nm
`Windows CE™. These devices feature mueh more proe-
`essing power (ranging from 16 MHz to 206 MHz) and
`storage capacity. While PDAs can be lost or stolen more
`easily than wearable gadgets, their processing, storage and
`
`Figure 1; Some Authentication Gadgets
`
`Computer
`Proceedings of the 22 nd Internationa! Conference on Distributed Comp니ting Systems Workshops (!CDCSW'O2)
`SOCIETY
`0-7695-1588-6/02 $17.00 © 2002 IEEE
`A니thorized licensed use limited to: University of Texas at Austin. Downloaded on March 01,2022 at 05:10:55 UTC from IEEE Xplore. Restrictions apply.
`DEF-AIRE-EXTRINSICOOO00092
`
`

`

`Case 6:21-cv-01101-ADA Document 31-22 Filed 05/19/22 Page 4 of 7
`
`interactive displays can be utilized to provide better au­
`thentication.
`2.5 Passwords
`Traditional authentication through username and pass­
`word pairs can be handy when a user does not have access
`to other authentication devices, or as an additional autlien-
`tication mechanism that can leverage other authentication
`mechanisms by drawing on the target's knowledge of
`some secret information. However, to meet our privacy
`goals, instead of using an actual username and password
`pail*, we use a pseudonym and password pair. This pre­
`vents the client machines from positively identifying the
`user. Only the authentication server knows the actual
`mapping between the pseudonym and the aetual username.
`Users can change their pseudonyms for increased privacy.
`2.6 Biometrics
`Biometrics can be used as an effective mean of authentica­
`tion. They authenticate users based on their unique physi-
`eal eharacteristies, so that users are identified based on
`“what they ar巳''This may include fingerprints, retina, and
`voice or face recognition.
`3. Multiple Levels of Authentieation
`with “Confidence” values
`In a ubiquitous computing environment, users can, as we
`have just seen, authenticate themselves to the system using
`a variety of means. In such a scenario, some means of
`authentication are more reiiabie than others. For example,
`it is not difficult to steal someone eise^s badge and walk
`into different rooms with it. Passwords can also be
`cracked by simple guessing or using brute force algo­
`rithms. Fingerprint identification is a fairly good means of
`authentication. Therefore, we need a model that captures
`the fact that not all authentication methods are
`indistinguishable; rather, some may provide significantly
`stronger autlientication than others.
`A person in a ubiquitous computing environment can
`choose to authenticate himself using any one of the avail­
`able means. He could even use multiple means of authen­
`tication. To capture all this, our system assigns different
`confidence values to different authentication methods.
`These confidence values give a measure of how “confi­
`dent” the system is that the person, who has just authenti­
`cated himself using some partieuiar means, is indeed who
`he claims himself to be. For example, we have given a
`confidence value of 0.6 to authentication using an active
`badge. This means that when a person, say Bob, has au­
`thenticated himself using an active badge, then the sys-
`tenf s ''confidence level" that the person is really Bob is
`0.6. It is possible that someone else has stolen or repro­
`duced Bob's badge, or that Bob has left his badge in his
`office and his authentication has taken place in the wrong
`room. Authentication using fingerprints has been given a
`
`confidence value of 0.95. This also implies that finger­
`print authentication is more secure than authentication
`using an active badge.
`When a person uses more than one authentieation
`method, then the overall level of eonfidenee inereases. In
`this case, we introduee a confidence-builder module. This
`module employs some algorithm for combining multiple
`confidence values in some manner, and producing a net
`eonfidenee value. We implement this as a module to en­
`able us to plug-in different 시 gorithms for combining and
`“reasoning” about the confidence values. In our current
`implementation, we employ a simple probability-based
`formula for calculating the net confidence value:
`Cnet ~ 1 — (1-Ci)(1-C2)...(1~G;)
`Where ＜膈 is the net eonfidenee value of a person
`who has authenticated himself using n methods whose
`individual eonfidenee values are Ci,住.”瞞.The intuition
`behind this is that (1-g) represents the “probability” that
`the person was incorrectly authenticated by method i. The
`product of all (1-g) terms gives the probability that the
`person was incorrectly authenticated by all the methods he
`used. So, finally ぐ顔 gives tlie “probability” that this did
`not happen. For example, if a person authenticated himseif
`using a bad영e and his fingerprint, then the net eonfidenee
`value is 1 - (1-0.6) (1-0.95) or 0.98. We plan to investi­
`gate the use of other algorithms for combining confidence
`values, like Bayesian probability or fuzzy logic.
`This notion of different confidence levels of authenti­
`eation can be used by applieations or services in access
`control decisions. Certain highly-secure services can
`choose to only serve those clients who are authenticated
`with a relatively high confidence. For example, starting or
`stopping certain core services like the discovery and nam­
`ing services in Gaia, or tlie printing service so that the
`correct person is billed. However, a jukebox application
`might decide to be accessible to users with lower confi­
`dence values. Aeeordingly, if a person wishes to use some
`not-so-eritieal applieations he ean authentieate using just
`his badge. However, if he wants to aeeess more seeure
`applieations, he needs to authenticate himself using differ­
`ent methods.
`4. Authentication Protocol
`4.1 Limitations of Existing Protocols
`While Kerberos [4] was a success in meeting autlientica-
`tion challenges in eaily distributed systems, it has serious
`limitations that hinder its effectiveness in ubiquitous com­
`puting envii'onments. Fir이, it is mainly based on pass­
`words, and as such is prone to password-guessing attacks.
`Second, Kerberos assumes that every user in the system
`accesses services through a designated workstation. In
`other words, a user has to log into some workstation on
`the network and only from that workstation the user can
`access the distributed seivices. On the contrary, in a ubiq-
`
`Computer
`Proceedings of the 22 nd Internationa! Conference on Distributed Comp니ting Systems Workshops (iCDCSW'O2)
`SOCIETY
`0-7695-1588-6/02$17.00 ©2002 IEEE
`A니thorized licensed use limited to: University of Texas at Austin. Downloaded on March 01,2022 at 05:10:55 UTC from IEEE Xplore. Restrictions apply.
`DEF-AIRE-EXTRINSICOOO00093
`
`

`

`Case 6:21-cv-01101-ADA Document 31-22 Filed 05/19/22 Page 5 of 7
`
`Lighthouse
`
`Portal
`
`Campus
`Mist Router
`
`CS Building's
`Mist Router
`
`Alice s **
`Lighthouse
`
`3rd Floor's
`Mist Router
`
`uitous computing environment there is no notion of
`a “sm이e machine” that the user uses to aeeess the
`available serviees. Instead, the user ean aeeess the
`serviees through any of the hundreds of machines
`that populate the Aetive Spaee. Further, Kerberos
`assumes that the elient maehines are trustworthy,
`allowing them to store and use userstickets. Obvi­
`ously, Kerberos was never designed to take user
`privaey into eonsideration. To meet the ehallenges
`of authentication in a ubiquitous computing envi­
`ronment, we propose an authentication framework
`that resembles Kerberos, but avoids its limitations
`and scales to physical spaces while taking context
`and location information into account.
`4.2 Privacy Concerns
`The use of wearable deviees and cioth arti시es to
`detect users and authenticate them provides flexibil­
`ity and convenience; however, the location privacy
`of users is severely violated. Without careful design,
`such a system can become an effective surveillance
`system. To avoid this, some approaches [11] em­
`ploy a different method for location detection, in
`which the Aetive Spaee broadeasts loeation infor­
`mation that clients can receive and determine their
`iocation with. Although this approach does not re­
`quire users to reveal their loeation or identity, such a
`system greatly limits the actions users ean do with
`the acquired iocation information if they do not
`transmit anytiiing to the environment. We envision
`an Active Space to be able to actively deteet the presenee
`of users and objects, and exchange information with them
`for authentication purposes. We consider these features
`necessary to make spaces active and enable context-based
`applications. Therefore, we need a method that allows
`users to authenticate themselves to the surrounding envi­
`ronment while preserving tiieir privacy.
`In Gaia, we introduced Mist [5] [이 a communication
`infrastructure that preserves location privacy in ubiquitous
`computing environments, while allowing entities to be
`authenticated at the same time. Here, we just give a brief
`overview on how Mist works. Mist consists of a privacy­
`preserving hierarchy of Mist Routers that form an overlay
`network. This overlay network allows users to communi­
`cate privately. The Mist Routers route eommunieation
`paekets using a hop-by-hop, handle-based routing proto­
`col with limited public-key cryptography, thus, making
`communication unti*aceable by eavesdroppers and un-
`tiiisted middleboxes. Mist introduces "'Portal^' that are
`installed in Active Spaces. Portals are devices capable of
`detecting the presence of people and objects through the
`use of base stations or sensors; however, they are ineapa-
`bie of positively identifying the users. For example, the
`portals ean be made unaware of the user-badge ID as­
`signments. The positive identification and actual authenti-
`
`□£■
`
`Active
`Space 1
`
`Active
`Space 2
`
`Active
`Space 3
`
`Active
`Space 4
`
`cation of a user take place at a ''higher level’’ in the hier­
`archy, high enough not to be able to deduce the aetual
`physieal loeation of the user. More speeifieally, it takes
`plaee at a special Mist Router referred to as a ''Light-
`housed 〇이y a Lighthouse is able to positively identify
`and successfully authenticate the user. However, the
`Lighthouse is kept in the “dark” about the actual physical
`location of the user (thanks to the hop-by-hop routing pro­
`tocol). The term Lighthouse is coined, because this spe­
`cial Mist Router somewhat resembles a conventional
`“lighthouse'' that sends out signals to aid in marine navi­
`gation, particularly in “foggy” nights. To illusti*ate, in
`Figure 2, Alice, who is in Active Space 3, is detected by
`the Portal in that space. The Port시 only detects Alice^s
`badge ID (or other information embedded into other de­
`vices that Alice is eanying or wearing) however, this in­
`formation alone is insuffieient to indieate that this is aetu-
`ally Aliee. The CS Building Mist Router is designated as
`Alice's Lighthouse. A seeure ehaniiel between Aliee de-
`viees and her Lighthouse is established, going through the
`Portal, node 1, node 2, and finally node 3. Encryption is
`employed to prevent private information from leaking.
`Instead of having a traceable source and destination ad­
`dresses, packets over this secure link are routed through
`the use of handles that are valid only over a single hop.
`The intermediate nodes translate an incoming handle to an
`
`Computer
`Proceedings of the 22 nd Internationa! Conference on Distributed Comp니ting Systems Workshops (!CDCSW'O2)
`SOCIETY
`0-7695-1588-6/02 $17.00 © 2002 IEEE
`A니thorized licensed use limited to: University of Texas at Austin. Downloaded on March 01,2022 at 05:10:55 UTC from IEEE Xplore. Restrictions apply.
`DEF-AIRE-EXTRINSICOOO00094
`
`

`

`Case 6:21-cv-01101-ADA Document 31-22 Filed 05/19/22 Page 6 of 7
`
`outgoing one. Thus, intermediate Mist
`Routers can only route to the next hop
`correctly, but do not know the actual des­
`tination or source. 〇이y if aii intermedi­
`ate Mist Routers collude, ean the true
`loeation of Aliee be found. Note that in
`the example, Alice's Lighthouse ean only
`infer that Aliee is located somewhere
`within the CS building.
`43 Authentication Protocol
`Our autlientication protocol extends Ker­
`beros to support user devices and utilize
`the loeation privacy that Mist provides.
`The protocol is illustrated in Figure 3.
`We give a brief overview of the protocol
`due to space limitations. Within every
`Active Space, we assume the existence of
`one or more “Space Authentication Por­
`tal^' (SAPs). These are special types of
`Active Space
`Portals that can be located at the entrance
`Figure 3: Active Space Authentication Protoeol
`of an Active Space, or other convenient
`physically present, e.g. a printer that only allows people in
`places. The SAP wiii feature a coliection of wireless and
`wired base stations and device readers that enable users to
`same space to print.
`authentieate with the Aetive Spaee using any authentica­
`In step 2, tlie user moves suffieiently elose to one of
`tion devices they are carrying or wearing.
`the available SAPs for authentieation purposes. Some
`authentieation devices may require the intervention of the
`An Active Space Security Server exists for every Ac­
`tive Domain. An Active Domain is a collection of Active
`user, e.g. inserting the iButton into its designated reeeptor.
`Spaces, and the interconnecting networks, which are man­
`To aehieve privaey, the SAP itself does not have suf-
`aged by a single administrative autliority. These domains
`fieient information to authenticate users. However, it has a
`resemble Kerberos “Realms." Like Kerberos, the Security
`Lighthouse through whieh it ean eommunieate with the
`Server consists of three components. The first component
`Security Server (step 3). Mist eommunieation is used here
`is the AS (Authentication Server), which provides a single
`to prevent the Seeurity Server from pinpointing the exact
`sign-on point for the Active Domain, using any devices
`physical location of the autlienticated user. Through its
`and gadgets the user currently possesses. The TGS (Ticket
`Lighthouse, the SAP contacts the Security Server with a
`Granting Server) issues “tickers” that can be used by the
`set of authentication requests, each representing a differ­
`user to access available services in that space. These tick­
`ent authentication device. Upon successful authentication,
`ets are signed, as a protection against tampering, using the
`the AS, like Kerberos, issues a ticket granting ticket
`private key of the TGS. Finally, a database is maintained
`(TGT) for that user (step 4). Reeaii that in Mist, every
`that contains necessary information for the authentication
`user has a Lighthouse that stores his relevant information.
`of ail users within the Active Domain, as well as their
`The TGT issued for a user will be stored in his Light­
`privileges and security attributes.
`house. The TGT in our system is a cryptographic data
`We assume all users own active badges. More infor­
`structure that incoiporates a confidence level that is ealeu-
`lated based upon the metliod(s) used for authentication.
`mation about these active badges has been given in Sec­
`The AS remembers whieh methods the person has used so
`tion 2.1. Here, we assume that a user badge is pro­
`grammed to have a unique ID number (by whieh the AS
`far to authenticate himself and can, hence, calculate the
`ean identify the user), and an ID to identify the Lighthouse
`net confidence of the person being tliere. Every time a
`of that user. Note that information embedded in these
`new TGT is issued, the eorreet net eontidenee is eaieu-
`lated and stored within the TGT. The TGT will also have
`badges ean be updated. Thus, for inereased seeurity, the
`an expiration time. Because different authentication meth­
`unique IDs identifying users can be changed periodieally
`by the AS and updated into the badges. The badge itself
`ods may have different time-out values, the net eontidenee
`may ehange with time. Therefore, if a TGT expires, the
`will aet as a handle that links the holder to his acquired
`users Lighthouse may request another TGT from the AS
`tickets. Entrances to the Active Space can contain a base
`station for detecting entering badges (step 1 in Figure 3).
`on behalf of the user. If one authentieation method fails
`(for example, if someone used an invalid iButton or en-
`This can be usefiil for services that require users to be
`
`Computer
`Proceedings of the 22 nd Internationa! Conference on Distributed Comp니ting Systems Workshops (iCDCSW'O2)
`SOCIETY
`0-7695-1588-6/02 $17.00 © 2002 IEEE
`A니thorized licensed use limited to: University of Texas at Austin. Downloaded on March 01,2022 at 05:10:55 UTC from IEEE Xplore. Restrictions apply.
`DEF-AIRE-EXTRINSICOOO00095
`
`

`

`Case 6:21-cv-01101-ADA Document 31-22 Filed 05/19/22 Page 7 of 7
`
`tered a wrong password), then the authentication server
`does not take any action 一 it does not send a new TGT and
`the eonfidenee levels of people being in the room are un­
`ehanged.
`Now, users can access services available in the space
`without the need to use a “fixed” workstation. Instead,
`they ean interaet with the services directly using any ca­
`pable device (step 5). Upon accessing a secure service, the
`service will check the usef s badge and get the usef s ID
`and the ID of his Lighthouse. The Lighthouse of the user
`is tlien contacted by the service. This comniunication
`takes place using tlie Mist protocol to prevent tlie Light­
`house from deducing the usef s location (step 6). In step
`7, using the TGT stored at the Lighthouse for the target
`user, tlie Lighthouse can communicate with the TGS re­
`questing tickets to access the required serviee. The TGS
`issues the neeessary eryptographie tiekets. These tiekets
`do not contain any references to the real name or identity
`of the owner; they just incorporate an unforgeable pseu­
`donym. Further, these tickets contain the security privi­
`leges of the owner, and the net confidence level. Using the
`information in these tickets along with the net eonfidenee
`eontained within, the serviee ean make a deeision whether
`to authorize the badge holder or not (step 8). Onee a user
`leaves the room the badge reader at the exits ean detect
`that, automatieally logging off the user and destroying tlie
`tiekets stored in his Lighthouse that are associated with his
`badge.
`5. Context-Sensitive Authentication
`The eonfidenee values associated with authentieations can
`be eombined with available context information allowing
`more flexible access policies to be specified. For example,
`if a person is alone in a room, then access to the Power­
`Point service (which allows a user to display PowerPoint
`slides on a variety of displays) is allowed even with a low
`confidence authentication. However, if a meeting is taking
`place in the room, then only the person scheduled to make
`the presentation is allowed to use the PowerPoint service
`and this person has to be authenticated with a relatively
`high confidence.
`This context-aware access control makes use of the
`context framework we have developed for Gaia [10]. The
`context framework includes a variety of sensors that sense
`the current situation in a physical spaee. Sensors send
`events whenever they detect a ehange in context. Appliea-
`tions ean listen to such eontext events to capture the cur­
`rent context. They can also query the sensors for specific
`information. We also have mechanisms to infer more ab­
`stract contexts from basic contexts that are sensed. So, it
`is possible to infer that a meeting is going on in a room if
`the number of people in the room is greater than, say 5,
`
`and the schedule for the room indicates that a meeting is
`planned in the room.
`6. Conclusion
`We have presented an authentication framework that
`builds over Kerberos and introduces new enhancements
`that allow it to blend nicely into ubiquitous computing
`environments. The authentication framework enables sin­
`gle sign-on using any devices tlie user may be earrying or
`wearing at any time. It allows the deeoupling of users
`from devices and captures some of the dynamism and
`programmability of Active Spaces by assigning confi­
`dence levels to different authentication methods and in­
`corporating context sensitive information. The framework
`also preserves location privacy for authenticated users.
`We have employed this authentieation framework in the
`Gaia research projeet.
`7. References
`[1 ] The Gaia Homepage,
`http://ehoices.es.uiue.edu/ActiveSpaees/index.html
`[2] Renato Cerqueira, Christopher K. Hess, Manuel Roman,
`Roy H. Camphell, "Gaia: A Development Infrastructure for
`Active Spaces," Workshop on Application Models and
`Programming Tools for Ubiquitous Computing (held in
`conjunction with the UBICOMP 2001), September 2001,
`Atlanta, USA.
`[3] M. Roman and R. Campbell, "GAIA: Enabling Active
`Spaces," 9th ACM SIGOPS European Workshop, Septem­
`ber 17th-20th, 2000, Kolding, Denmark.
`[4] B. Neumann and T. Tぐ〇, "Kerberos: An Authentication
`Service for Computer Networks,^^ IEEE Communications
`Magazine, 32(9): 33-38, September 1994.
`[5] J. Ai-Muhtadi, R. Campbell, A, Kapadia, M. D. Mickunas,
`and S. Yi, “Routing through the Mist: Privaey Preserving
`Communication in Ubiquitous Computing Environments,"
`to appear in the Proceedings of ICDCS '02.
`[6] J, Al-Muhtadi, R. Campbell, A. Kapadia, M. D. Mickunas,
`and S. 'Yi, ''Routing through The Mist: Design and Imple­
`mentation?' UIUC Technical Report UIUCDCS-R-2002-
`2267.
`[7] iButton: http: // www J Button. com
`[8] On Hand PC Homepage, http://matsucornusa.com/
`[9] Active Badges:
`http://www.rfideasxom/Solutions/Developers/Dev. Kit/Lon
`
`g. Rang§ /long rang& .litml
`[1 〇] Anand Ranganathan, Roy Campbell, "A clausal model of
`eontext and an infrastiiicture for eontext-aware ubiquitous
`computing," Submitted to Pervasive Computing 2002.
`[11] N. Priyantha, Anit Chakraborty, and Hari Balakrishnan,
`"The Cricket Loeation-Support System,*' Proceedings of
`[he Sixth Annual International Conference on Mobile
`Computing and Networking (ACM MOBICOM), Boston,
`MA, August 200〇.
`
`Computer
`Proceedings of the 22 nd Internationa! Conference on Distributed Comp니ting Systems Workshops (!CDCSW'O2)
`SOCIETY
`0-7695-1588-6/02 $17.00 © 2002 IEEE
`A니thorized licensed use limited to: University of Texas at Austin. Downloaded on March 01,2022 at 05:10:55 UTC from IEEE Xplore. Restrictions apply.
`DEF-AIRE-EXTRINSICOOO00096
`
`