Foreign-language conference: MV Paper Cables: Asset or Liability?

Enforcing policies in pervasive environments

Abstract

This work presents an architecture and a proof-of-concept implementation of a security infrastructure for mobile devices in an infrastructure-based pervasive environment. The security infrastructure primarily consists of two parts: the policy engine and the policy enforcement mechanism. Each mobile device within a pervasive environment is equipped with its own policy enforcement mechanism and is responsible for protecting its resources. A mobile device consults the nearest policy server and notifies it of its current state, including its present user, network presence, other accessible devices, and location information if available. Using this information, the policy server queries the "Rei" engine to dynamically create a policy certificate and issues it to the requesting device. The system-wide policy is described in the semantic language "Rei", a lightweight and extensible language that is able to express comprehensive policies using domain-specific information. The "Rei" policy engine is able to dynamically decide what rights, prohibitions, obligations, and dispensations an actor has on the domain actions. A policy certificate is created and issued to the device. The policy certificate contains a set of granted permissions, together with a validity period and scope within which the permissions are valid. The policy certificate can be revoked by the policy enforcer based on expiration of the validity period or on a combination of timeout and loss of contact with an assigned network. An X.509-based public key infrastructure is used to provide identification and authentication.