With the proliferation of smart gadgets, appliances, mobile devices, PDAs and sensors, ubiquitous computing environments may be constructed, which consist of interconnected devices and services, promising seamless integration of digital infrastructure into our everyday lives. The inevitable trend is ever-increasing ubiquitous communications, as the users have the freedom to choose the access network technologies, applications, and services. There are also methods that enhance the usage of mobile devices by making them available throughout the physical environment and effectively invisible to the users.
Before ubiquitous computing can be commercially and widely adopted and deployed, it must overcome several security and privacy challenges. Generic security requirements of ubiquitous computing include authentication and authorization, among others. Authorization simply means the act of determining whether a particular right, such as access to some resource, can be granted to the presenter of a particular credential. Logically, authorization is preceded by authentication, which in turn rests on confidentiality, integrity, and non-repudiation. Authentication ensures that a user is who he or she claims to be, while authorization allows the user access to various services based on the user's identity.
As a classical research area, authorization has been well studied in academia. However, the resulting solutions to authorization do not take privacy protection into consideration. For example, a traditional authorization scheme may issue one credential to a user for certain access rights. The user can then present this credential to a service in order to use the service according to the rights he/she has been granted. This kind of authorization solution could raise severe privacy concerns in a ubiquitous computing environment, because one credential is presented multiple times to the service and because the rights a user holds have to be presented as a whole to the service.
For example, a traveler roams to a city and tries to enjoy the shopping service, hotel service, traffic service, etc., provided by the city's tourism portal. The traveler may pay the tourism portal for a one-day access right on the shopping service and the hotel service. Suppose the tourism portal issues one credential to the traveler stating that the traveler is authorized to access the shopping service and the hotel service on Jan. 1, 2006 only. When the traveler presents this credential to the shopping service multiple times, his/her activities could be easily correlated because a single credential is in use, and the user's behavior pattern may be modeled. It will also be effortless for the shopping service to learn that the traveler holds the hotel service right. In either case, these are considered privacy invasions, since, for example, advertisement and direct marketing may follow.
As privacy protection is such an important task for ubiquitous computing to address, a desirable privacy-respecting authorization is expected to satisfy the following requirements.
1) Unlinkable authorized access. It is computationally infeasible for a ubiquitous service, or multiple ubiquitous services together, to correlate the activities of an authorized user. In other words, a ubiquitous user remains anonymous no matter how many times he/she has accessed one or more services that the user is authorized to use.
2) Selective minimal rights. It is computationally infeasible for a ubiquitous service, or multiple ubiquitous services together, to learn any right of an authorized user other than those he/she has presented to the service/services for verification. In other words, for each admitted session, what the service learns is exactly the rights of the user that are required by the session. The service can learn neither user rights on the service that are unnecessary to the session, nor user rights on other services.
It's not hard to imagine a central authorization server that both the ubiquitous user and the ubiquitous service need to consult for each access. One such approach is proposed, for example, by C. Y. Yeun, E. K. Lua, J. Crowcroft, Security for Emerging Ubiquitous Networks, IEEE 62nd Vehicular Technology Conference, 2005. With this approach, for each access attempt of a user, the service needs to consult the central authorization server about what rights the user has on the service. Obviously, with this approach user privacy is protected to some extent, because the user never directly presents his full access rights to the service.
However, with respect to ubiquitous computing, it's not a good idea to ask the ubiquitous user as well as the service to consult a central authorization server for each access. Such an approach has many problems.
For example, the users will not always have persistent connections to the central point of authorization. A weak network connection is the most frequently cited reason for this. Nevertheless, there are other reasons for users not to keep persistent connections to the central point of authorization, be it a long round-trip time toward the central point of authorization, extra expense in money terms, or additional overhead on battery energy.
In addition, a central point of authorization is not able to meet the challenge of a huge number of ubiquitous users. As mentioned above, if each user has only one authorization credential from the central point of authorization, that credential effectively helps the service to correlate the activities of the user. Thus, to fulfill the requirements on privacy protection, the central point of authorization has to be prepared for requests from its huge number of users for each session in which a user accesses a service. Scalability therefore becomes a severe issue.
There are other solutions that don't need to consult a central authorization server for each user access. One solution is Simple Public-Key Infrastructure (SPKI), proposed by the IETF as RFC 2693. SPKI can provide an authorization certificate that relies upon the uniqueness of the combination of a pseudonym and a public key. SPKI authorization certificates can authorize actions, give permissions, and grant capabilities to or for a public-key holder. The paper entitled A First Approach to Provide Anonymity in Attribute Certificates, in Proc. PKC 2004, by V. Benjumea et al. presents another solution, in which a user obtains an anonymous attribute certificate so as to anonymously access a service based on the attribute certificate.
However, with SPKI, under which the user and the service are free from consulting a central server for each access, the certificate authority has to explicitly issue all the authorization certificates for all its users. The same analysis applies to the idea presented by V. Benjumea, because in their scheme, for each pseudonym a user acquires from the trusted third party, one and only one attribute certificate is generated. Therefore, getting multiple attribute certificates implies getting multiple pseudonyms from the trusted third party.
SPKI and Benjumea's approach have the drawback that when one certificate is presented to a service more than once, the user's activities could be easily correlated. Hence, to access a service multiple times without being correlated, the user has to acquire multiple certificates. It's obvious that such schemes could not scale well in a large-scale ubiquitous computing environment.
SPKI and Benjumea's approach have another drawback in that, roughly speaking, the computational cost for a user to present N attributes is N times larger than that of presenting one attribute. It is possible to incorporate N attributes in one certificate so as to overcome the computation cost issue. But then it is impossible for the user to present only a portion of the N attributes without revealing the remaining attributes, which is of significant privacy concern.
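The traveler scenario and the certificate trade-off described above can be simulated from the service's side. The following is an added example, not part of the original text: the Service class, the strategy names and the key are constructed for illustration, and an HMAC stands in for the portal's signature.

```python
import hashlib, hmac, json, secrets
from collections import Counter

PORTAL_KEY = b"constructed-demo-key"  # HMAC stands in for the portal's signature
issued = 0                             # credentials the portal has had to issue

def issue(rights, date="2006-01-01"):
    """Portal issues one credential binding a set of rights to a date."""
    global issued
    issued += 1
    body = json.dumps({"rights": sorted(rights), "date": date,
                       "serial": secrets.token_hex(8)}).encode()
    return body, hmac.new(PORTAL_KEY, body, hashlib.sha256).digest()

def verify(cred):
    body, tag = cred
    return hmac.compare_digest(tag, hmac.new(PORTAL_KEY, body, hashlib.sha256).digest())

class Service:
    def __init__(self, name):
        self.name, self.sessions = name, []
    def admit(self, creds):
        """Verify each presented credential and log what the service sees."""
        if not all(verify(c) for c in creds):
            return False
        rights = set().union(*(json.loads(body)["rights"] for body, _ in creds))
        if self.name not in rights:
            return False
        self.sessions.append((frozenset(tag for _, tag in creds), rights))
        return True
    def largest_linked_group(self):
        """Most sessions presenting an identical credential (trivially linkable)."""
        return max(Counter(s for s, _ in self.sessions).values(), default=0)
    def extra_rights_learned(self):
        """Rights revealed to this service beyond the one it needed."""
        return set().union(*(r for _, r in self.sessions)) - {self.name}

def run(strategy, visits=3):
    """strategy: 'single', 'per_right' or 'fresh_per_session' (this example's names)."""
    start = issued
    shop = Service("shopping")
    plan = {"single": [{"shopping", "hotel"}], "per_right": [{"shopping"}, {"hotel"}]}
    wallet = [issue(r) for r in plan.get(strategy, [])]
    for _ in range(visits):
        # Reuse the stored shopping credential, or fetch a fresh one per session.
        creds = wallet[:1] or [issue({"shopping"})]
        if not shop.admit(creds):
            raise RuntimeError("credential rejected")
    return shop.largest_linked_group(), shop.extra_rights_learned(), issued - start
```

Each call to run returns the number of linkable sessions, the rights the shopping service learned beyond its own, and the number of credentials the portal had to issue, so the three strategies can be compared directly against the two requirements and the scalability concern.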