PACCo: Privacy-friendly Access Control with Context

Andreas Put, Bart De Decker


We propose a secure and privacy friendly way to strengthen authentication mechanisms of online services by taking context into account. The use of context, however, is often of a personal nature (e.g. location) and introduces privacy risks. Furthermore, some context sources can be spoofed, and hence, the level of trust of a verifier in a context source can vary. In this paper, a policy language to express contextual constraints is proposed. In addition, a set of protocols to gather, verify and use contextual information in access control decisions is described. The system protects user privacy as service providers do not learn precise context information, and avoids linkabilities. Finally, we have implemented this system and our experimental evaluation shows that it is practical to use.


  1. Abe, M. and Okamoto, T. (2000). Provably secure partially blind signatures. In Advances in CryptologyCRYPTO 2000, pages 271-286. Springer.
  2. Abowd, G. D., Dey, A. K., Brown, P. J., Davies, N., Smith, M., and Steggles, P. (1999). Towards a better understanding of context and context-awareness. In Handheld and ubiquitous computing, pages 304-307. Springer.
  3. Adams, A. and Sasse, M. A. (1999). Users are not the enemy. Communications of the ACM, 42(12):40-46.
  4. Ardagna, C. A., Di Vimercati, S. D. C., Foresti, S., Grandison, T. W., Jajodia, S., and Samarati, P. (2010). Access control for smarter healthcare using policy spaces. Computers & Security, 29(8):848-858.
  5. Atluri, V. and Chun, S. A. (2007). A geotemporal rolebased authorisation system. International Journal of Information and Computer Security, 1(1-2):143-168.
  6. Bhatti, R., Bertino, E., and Ghafoor, A. (2005). A trust-based context-aware access control model for web-services. Distributed and Parallel Databases, 18(1):83-105.
  7. Brands, S. and Chaum, D. (1993). Distance-bounding protocols. In Advances in CryptologyEUROCRYPT93, pages 344-359. Springer.
  8. Camenisch, J. and Lysyanskaya, A. (2003). A signature scheme with efficient protocols. In Security in communication networks, pages 268-289. Springer.
  9. Camenisch, J., Stadler, M., Camenisch, J., and Camenisch, J. (1997). Proof systems for general statements about discrete logarithms. Citeseer.
  10. Camenisch, J. and Van Herreweghen, E. (2002). Design and implementation of the idemix anonymous credential system. In Proceedings of the 9th ACM Conference on Computer and Communications Security. ACM.
  11. Groopman, J. (2015). Consumer perceptions of privacy in the internet of things. Altimeter Group.
  12. Hayashi, E., Das, S., Amini, S., Hong, J., and Oakley, I. (2013). Casa: Context-aware scalable authentication. In Proceedings of the Ninth Symposium on Usable Privacy and Security, SOUPS 7813, pages 3:1-3:10, New York, NY, USA. ACM.
  13. Hintze, D., Findling, R. D., Muaaz, M., Koch, E., and Mayrhofer, R. (2015). Cormorant: Towards continuous risk-aware multi-modal cross-device authentication. UbiComp/ISWC'15 Adjunct.
  14. Housley, R., Polk, W., Ford, W., and Solo, D. (2002). Internet x. 509 public key infrastructure certificate and certificate revocation list (crl) profile.
  15. Hu, J. and Weaver, A. C. (2004). A dynamic, context-aware security infrastructure for distributed healthcare applications. In Proceedings of the first workshop on pervasive privacy security, privacy, and trust, pages 1-8. Citeseer.
  16. Hulsebosch, R., Salden, A., Bargh, M., Ebben, P., and Reitsma, J. (2005). Context sensitive access control. In Proceedings of the tenth ACM symposium on Access control models and technologies, pages 111-119. ACM.
  17. Jafarian, J. H. and Amini, M. (2015). Camac: A contextaware mandatory access control model. The ISC International Journal of Information Security, 1(1).
  18. Jin, X., Krishnan, R., and Sandhu, R. S. (2012). A unified attribute-based access control model covering dac, mac and rbac. DBSec, 12:41-55.
  19. Kulkarni, D. and Tripathi, A. (2008). Context-aware rolebased access control in pervasive computing systems. In Proceedings of the 13th ACM symposium on Access control models and technologies, pages 113-122. ACM.
  20. Matheus, A. and Herrmann, J. (2008). Geospatial extensible access control markup language (geoxacml). Open Geospatial Consortium Inc. OGC.
  21. Milutinovic, M., Dacosta, I., Put, A., and Decker, B. D. (2015). ucentive: An efficient, anonymous and unlinkable incentives scheme. In Trustcom/BigDataSE/ISPA, 2015 IEEE, volume 1, pages 588-595. IEEE.
  22. Paquin, C. and Zaverucha, G. (2011). U-prove cryptographic specification v1. 1. Technical report, Microsoft Technical Report, http://connect. microsoft. com/site1188.
  23. Put, A., Dacosta, I., Milutinovic, M., and De Decker, B. (2014). Priman: Facilitating the development of secure and privacy-preserving applications. In SEC, pages 403-416. Springer.
  24. Ray, I. and Toahchoodee, M. (2007). A spatio-temporal role-based access control model. In Data and Applications Security XXI, pages 211-226. Springer.
  25. Rissanen, E. et al. (2013). extensible access control markup language (xacml) version 3.0.
  26. Riva, O., Qin, C., Strauss, K., and Lymberopoulos, D. (2012). Progressive authentication: Deciding when to authenticate on mobile phones. In USENIX Security, pages 301-316.
  27. Sabouri, A., Krontiris, I., and Rannenberg, K. (2012). Attribute-based credentials for Trust (ABC4Trust). Springer.
  28. Shebaro, B., Oluwatimi, O., and Bertino, E. (2015). Context-based access control systems for mobile devices. Dependable and Secure Computing, IEEE Transactions on, 12(2):150-163.
  29. Singelee, D. and Preneel, B. (2005). Location verification using secure distance bounding protocols. In Mobile Adhoc and Sensor Systems Conference, 2005. IEEE International Conference on, pages 7-pp. IEEE.
  30. Vimercati, S. D. C. D., Foresti, S., Jajodia, S., Paraboschi, S., Psaila, G., and Samarati, P. (2012). Integrating trust management and access control in data-intensive web applications. ACM Transactions on the Web (TWEB), 6(2):6.
  31. Yuan, E. and Tong, J. (2005). Attributed based access control (abac) for web services. In 2005 IEEE International Conference on Web Services. IEEE.

Paper Citation

in Harvard Style

Put A. and De Decker B. (2016). PACCo: Privacy-friendly Access Control with Context . In Proceedings of the 13th International Joint Conference on e-Business and Telecommunications - Volume 4: SECRYPT, (ICETE 2016) ISBN 978-989-758-196-0, pages 159-170. DOI: 10.5220/0005969501590170

in Bibtex Style

author={Andreas Put and Bart De Decker},
title={PACCo: Privacy-friendly Access Control with Context},
booktitle={Proceedings of the 13th International Joint Conference on e-Business and Telecommunications - Volume 4: SECRYPT, (ICETE 2016)},

in EndNote Style

JO - Proceedings of the 13th International Joint Conference on e-Business and Telecommunications - Volume 4: SECRYPT, (ICETE 2016)
TI - PACCo: Privacy-friendly Access Control with Context
SN - 978-989-758-196-0
AU - Put A.
AU - De Decker B.
PY - 2016
SP - 159
EP - 170
DO - 10.5220/0005969501590170