More Privacy in Context-aware Platforms: User Controlled Access Right Delegation using Kerberos

摘要

In this paper we propose a distributed Kerberos architecture in which each mobile client runs her own Kerberos ticket granting server. Each of these individual TGS may provide tickets only for data that is owned by the mobile (user) on behalf of which it is executed. In addition the initial authentication phase can be done by the standard Kerberos approach as well as based on PKI using certificate chains. So our architecture gives the user back control over her personal data and it provides better scalability to the context aware platform. It also opens up the Kerberos approach for environments in which the mobile client discovers new services, which are not registered at its platform, i.e. at the Kerberos server. Our measurements indicate that running a ticket granting server on the mobile device does not inhibit a real burden. Compiling a ticket is done in about 100ms at 238 MHz and the client application size of our Java implementation is less than 50kByte.