Distributed access control policies for spectrum sharing

SECURITY AND COMMUNICATION NETWORKS Security Comm. Networks (2012) Published online in Wiley Online Library (wileyonlinelibrary.com). DOI: 10.1002/sec.629

RESEARCH ARTICLE

Distributed access control policies for spectrum sharing Gianmarco Baldini1*, Igor Nai Fovino2, Stefano Braghin3 and Alberto Trombetta4 1 2 3 4

IPSC, JRC, Ispra, Italy Global Cyber-Security Center, Viale Europa 175, Rome, Italy Nanyang Technological University, Singapore DiSTA Insubria University, Varese, Italy

ABSTRACT Cognitive radio is a novel wireless communication technology that allows for adaptive configuration of the reception parameters of a terminal, based on the information collected from the environment. Cognitive radio technology can be used in innovative spectrum management approaches such as spectrum sharing, where radio frequency spectral bands can be shared among various users through a dynamic exclusive-use spectrum access model. Spectrum sharing can be applied to various scenarios in the commercial, public safety and military domain. In some scenarios, spectrum sharing demands a mechanism for expressing and enforcing access control policies for the allocation of resources including spectral bands. The access control polices should state what are the available resources (e.g., transmission/reception bandwidths), what are the users that are allowed to access them and under what conditions. However, because of the intrinsically highly dynamic nature of specific scenarios (e.g., public safety, military), where parties with various levels of authority may suddenly appear, it may be difficult to establish in advance what are the most suitable access control policies. Trust negotiation is a well-known approach for expressing and enforcing distributed access control policies that depend on two or more parties. In this work, we present a trust negotiation-based framework that allows for the definition of highly expressive and flexible distributed access control policies for the allocation of spectrum resources. Copyright © 2012 John Wiley & Sons, Ltd. KEYWORDS cognitive radio; wireless communications; spectrum sharing; trust negotiation; access control policy *Correspondence Gianmarco Baldini, Joint Research Centre-European Commission, Ispra, Italy. E-mail: [email protected]

1. INTRODUCTION The current management regime of command and control [1] separates the various radio communication services in specific spectral bands. It is effective at protecting authorized users of radio spectrum from unwanted interference from other radio communication services. As described in [2], the shortcoming of the command and control spectrum management approach or spectrum access model is the risk of poor spectrum utilization: some spectral bands may be underused most of the time, whereas other bands may be overused or congested. The increasing number of new wireless services and applications, requiring broadband wireless connectivity, is the main drivers to identify new approaches or technologies for improved spectrum utilization. In spectrum sharing, communication systems based on cognitive radio (CR) nodes and terminals could effectively share the available spectrum resources and change dynamically the allocation of the spectral bands for the various communication services [3]. Note that there are Copyright © 2012 John Wiley & Sons, Ltd.

different definitions of the term spectrum sharing, which identifies different spectrum access models. In this paper, we will use the term spectrum sharing to identify dynamic exclusive use of spectrum, where the allocation of spectral bands can change in time or space. If a specific band is not used, it can be dynamically reallocated to another user for a specific amount of time, or in a specific geographical area. Additional details on spectrum access models and dynamic exclusive use of spectrum are provided in Section 2. In this new model, CR nodes would not be limited to use the specific spectral bands defined in the design phase of the communication equipment but they could access all the available spectrum resources within the constraints defined by spectrum regulators. One of the application domains for the application of a spectrum sharing approach is public protection and disaster relief or public safety, where first responders could dynamically increase the usage of the spectrum to address the need for increased capacity during the time of an emergency crisis as described in [4]. New applications such as

G. Baldini et al.

Distributed access control policies for spectrum sharing

mobile video surveillance, mobile biometric identification and remote emergency health have increased the need for broadband wireless connectivity in the public safety domain. The report [5] describes the evolution of public safety needs from voice-based communication to data-based communication to support a new range of applications. Higher data throughput requires a wider allocation of spectrum to public safety, but this may not be possible in the current spectrum regulation framework, where available bands for public safety usage are scarce. A dynamic approach to spectrum usage could be more efficient to address the peak of traffic capacity during an emergency crisis. Additional details on spectrum sharing in public safety are described in Section 2. A major consequence of spectrum sharing is the need to define suitable access policies, which describe the rules for sharing spectrum resources. Various public safety organizations may participate to the resolution of a major emergency including fire fighters, emergency health services, police, non-governmental organizations and military. Each organization may have different priorities regarding the access and sharing of resources depending on the operational context. Because emergency crises are usually unplanned events, the participating organizations may have little or no coordination in the allocation of resources and the unexpected appearance of a new organization on the crisis scenario may impose new resources arrangements. In this context, there is a need for a security mechanism to regulate access to spectrum resources by the various parties. The deployment of spectrum sharing may have a large number of operating dimensions including frequencies, waveforms, power levels and so forth. There is thus the need to define an access control framework, which allows benefit of spectrum sharing, while ensuring the conformance to regulatory policies and rules of conduct among public safety organizations. Mainstream approaches to access control do not seem to be suited for a complex environment such as the one sketched earlier. In fact, requesting entities’ access to resources is enforced by a centralized authority, given an a priori fixed set of rules describing what are the resources and under what conditions they can be accessed. Requesting entities are usually identified through a standard login password, online mechanism. Other more sophisticated offline authentication mechanisms require the presence of heavyweight, centralized and rather rigid infrastructures, such as public key infrastructures. A more flexible authentication mechanism is thus required in order to effectively manage access requests in highly distributed and dynamic environments. Trust negotiation [6,7] is an example of such an approach. Trust negotiations allow two—initially mutually untrusting— parties wishing to exchange resources, to establish a mutual trust relationship. Trust is established through an exchange of digital credentials. Credentials are digital statements of relevant properties of the parties and may be endorsed by trusted entities, such as certification

authorities, or other entities that are trusted by the negotiating parties.† Relevant credentials for a trust negotiation are identified on-the-fly during the negotiation process according to the specific negotiation’s goal. During a negotiation, each party decides which credential is willing to disclose to the counterpart and under what conditions. Such conditions are expressed by rules called disclosure policies (or policies for short). Intrinsic and relevant features of any mechanism operating in open, distributed environments are to provide (i) resilience to communication errors; and (ii) support in the case of sudden changes (e.g., peers joining and/or leaving the scenario may result to crashes). Such features, in particular, are provided in the case of trust negotiations, as we will see in the following discussions. In recent years, trust negotiation has received significant attention from the access control research community [8–13]. In this paper, we propose a trust negotiation-based framework for expressing and enforcing access control policies in CR networks. Our approach allows for the definition of highly expressive disclosure policies, which—as we will see in the following sections—satisfy the security, flexibility and fault-tolerance requirements demanded by a highly dynamic and distributed scenario such as a wireless network during the response phases of an emergency crisis, in which the operational requirements and conditions may suddenly change. To the best of our knowledge, this is the first work that addresses such issues in the context of CR networks. The paper is organized as follows: Section 2 provides an overview of the state of art for CR and related policy languages. Section 3 presents the operational scenario and the system architecture. Section 4 provides a description of the Trust-X framework. Section 5 presents the performances of the Trust-X prototype. Finally, Section 6 is used for conclusions and an overview of future developments.

2. RELATED WORK 2.1. Cognitive radio The design and deployment of CR have been investigated in a number of papers and research studies starting from the seminal work of Joseph Mitola in [14], which is mainly focused on the radio knowledge representation language. The paper introduces also the concept that this type of language can empower software radios to conduct expressive negotiations among peers about the use of radio spectrum resources in a region of space in the function of time and users context. As described before, CR can enable new spectrum management approaches. A survey is presented in [15] that identifies the following spectrum access models:

†

Note that such certification authorities are not involved in the actual execution of negotiations. Security Comm. Networks (2012) © 2012 John Wiley & Sons, Ltd. DOI: 10.1002/sec

G. Baldini et al.

(1) Command and control: The conventional model where the regulatory body explicitly lays down the detailed rules for use of the spectrum and assigns it to an entity for use. (2) Exclusive use: This model relies on the concept of spectrum band license which entitles its owner exclusive rights to use and reassign that spectrum under certain rules. (3) Secondary access of primary licensed spectrum: In this model, the spectrum owned by a licensee (also referred to as the primary user) is shared by a non-license holder commonly referred to as a secondary user. (4) Commons: This is an operating model wherein nobody can claim exclusive use of a shared resource. This paper is focused only on the specific spectrum access model called exclusive use and in particular the dynamic exclusive-use model, where spectrum right of use can be exchanged in time, space and frequency even for small quantities (e.g., the right to use a specific band can be reallocated to a user for few days or hours). Under the dynamic exclusive-use mode, at any given point in space and time, only one entity (operator) has exclusive rights to the spectrum but the identity of the owner and the type of use can change. In this model, a fraction of a pool of radio spectrum resources can be reassigned to a specific user (e.g., a first responder organization) for a limited amount of time or for a specific area (e.g., the disaster area). The advantage of the dynamic exclusive-use model in comparison with the secondary access or commons models is that the quality of service can be guaranteed, because no other radio communication service is present in the same band. The assurance of a specific level of quality of service is an essential requirement for public safety organizations. The application of CR to the public safety domain is investigated in the SDR Forum (now Wireless Innovation Forum) Technical Report [16]. The document describes the benefits and the related challenges of the deployment of these new technologies. A major challenge is to ensure that “spectrum sharing” can provide the same level of security and reliability of conventional communication systems. In [17], the authors presented a framework for the use of CR in the public safety domain. The paper describes a workflow for the dynamic allocation of the spectrum and a protocol for exchanging spectrum resources among the actors involved in the scenario. In [18], the authors describe the technical and psychological challenges for resources management and spectrum sharing across different public safety organizations. The paper highlights the importance of creating control mechanisms and a trust framework to overcome the challenges and improve the efficiency of spectrum utilization. The paper does not identify or describe a specific trust or policy framework but identifies the benefits of adopting such framework. The cooperative approach for spectrum sharing requires the definition of a policy language to regulate the sharing Security Comm. Networks (2012) © 2012 John Wiley & Sons, Ltd. DOI: 10.1002/sec

Distributed access control policies for spectrum sharing

of the resources among the CR nodes. A policy framework for “spectrum sharing” has been defined in the DARPA XG program. The neXt Generation program (XG) is a technology development project sponsored by the US DARPA’s Strategic Technology Office, with the goals to develop both the enabling technologies and system concepts to dynamically redistribute allocated spectrum. XG uses a declarative policy engine that supports spectrum sharing while ensuring that radios will adhere to regulatory policies and is able to adapt to changes in policies, applications and radio technology. The policy engine is based on a declarative language called Cognitive Radio Language (CoRaL) for expressing spectrum sharing policies (see [19]). In CoRal, policy rules such as allow (permissive) and disallow (restrictive) are logical axioms that express under which conditions these predicates hold. The policy rules may consider the radios capability, current state, location, time and spectral environment for allowing a transmission. The design of a policy reasoner based on CoRaL is presented in [20]. The paper describes the demonstration of the XG technology, CoRaL and the policy reasoner in a testing scenario where CoRaL policies are used to change how XG radios access spectrum resources on the basis of the location of the radio, its operational mode and the sensed signal strengths. Reference [21] from Wireless Innovation Forum is one of the first documents, which identifies and describes a modeling language to negotiate and control the network resources in the public safety domain. The modeling language is called MetaLanguage for Mobility (MLM) and it is used to describe the functions, resource and roles of the elements and actors participating in the operational scenarios related to the public safety domain. The reference presents a specific scenario for spectrum sharing. MLM is based on Web ontology language, and the use cases are described using Unified Modeling Language. The language does not have security elements to define various levels of authority or trust among the actors as the sharing of network resources can be based on a pre-defined agreement among organizations. The shortcoming of the previous papers is that the presented policy languages are not specifically designed to describe operational contexts where users have different priorities and capabilities, when deploying spectrum resources. Public safety operational scenarios are characterized by many organizations with different levels of authority for the access to the available resources in the scenario (i.e., energy, water or communications). Generally, military organizations have the highest authority, then police and volunteers organizations. The priority depends on the operational scenario, as well. A suitable policy language should have—among other things—the capability of describing the different levels of priority in using the spectrum resources on the basis of the type of operational organization and the type of operational scenario. One of the first papers to address the challenge of defining a Dynamic Spectrum Access (DSA) model in a context with multiple organizations with various levels of authority

Distributed access control policies for spectrum sharing

is [22]. The paper presents a multi-organizational policy management system for DSA based on the fine-grained control of delegation of authority between communities of users. The contribution is identified as an extension of the XG policy engine but with a clear focus on the management of different levels of authority. Reference [23] addresses the management of DSA in a holistic manner. The paper describes a meta-policy framework that includes the definition of the hierarchical structures of the organizations involved in DSA scenarios. However, the issue of defining and enforcing access policies to network resources— given the aforementioned hierarchies—is not addressed.

2.2. Trust negotiation Trust management, and trust negotiation in particular, has been an active field of research in the last years. In the following paragraph will be presented a brief overview of the main work developed. Up to now, the best-known trust management system is KeyNote [24]. KeyNote was designed to work for a variety of large-scale and small-scale Internet-based applications. It provides a single language for both local policies and credentials. KeyNote credentials, called assertions, contain predicates describing delegations in terms of actions that are relevant to a given application. As a result, KeyNote policies do not handle credentials as a mean to establish trust because of the intended use of the language for delegation. Therefore, it has several shortcomings with respect to trust negotiations. The prototype trust negotiation system for the TrustBuilder Project is being designed and developed at the Internet Security Research Lab at Brigham Young University, under Prof. Seamons. The implementations utilize the IBM Trust Establishment (TE) system to create X.509v3 certificates. The TE system supports Extensible Markup Language (XML) role-based access control policies that TrustBuilder uses to govern access to sensitive credentials, policies and services. The TE runtime system includes a compliance checker that TrustBuilder uses to verify whether a set of certificates satisfies an access control policy and to determine which credentials satisfy a policy. The TrustBuilder prototype has been extended into TrustBuilder2 [25]. TrustBuilder2 leverages a plug-in based architecture, extensible data type hierarchy and flexible communication protocol to provide a framework within which numerous trust negotiation protocols and system configurations can be quantitatively analyzed. Another interesting proposal in the trust negotiation research area is Traust [11]. Traust is a third-party authorization service that leverages the strengths of existing prototype trust negotiation systems. Traust acts as an authorization broker that issues access tokens for resources in an open system after entities use trust negotiation to satisfy the appropriate resource access policies. The Traust architecture was designed to allow Traust to be integrated either directly with newer trust-aware applications or indirectly with existing legacy applications.

G. Baldini et al.

To the best of our knowledge, there is no work on deployment of trust negotiation techniques in frequency spectrum management or in the CR environment.

3. OPERATIONAL SCENARIO AND SYSTEM ARCHITECTURE An example of operational scenario where spectrum sharing and access policies could be applied is the London Underground bombing of July 2005 and the subsequently deployed resolution efforts [26]. We have chosen this specific operational scenario because it illustrates the significant challenges in resolving an emergency crisis in an urban environment. The existing communication resources were particularly strained because of the high volume of traffic due to panic conditions by the civil population and the degradation of some network infrastructures due to the bombing. Because the traffic demand on the network largely exceeded the capacity of the network, access control mechanisms were used to deny access to some users, including first time responders, who did not have priority access. The consequence was that some responders could not access the needed communication services to collaborate with the other public safety organizations in the area. The agencies that responded to the emergency included the Metropolitan Police, the British Transport Police, the London Fire Brigade and the London Ambulance; each organization had its own specific feature and level of authority. In the real scenario, each organization had its own communication system, which used a specific spectral band allocated by spectrum regulations. In a future scenario, where spectrum sharing, based on dynamic exclusive-use model, is applied to balance the traffic demands, each public safety organizations could access a common “pool” of spectral resources on the basis of its need and level of authority. At each moment and for specific geographical areas, a public safety organization can request the right to use a specific spectral band from the common pool. Figure 1 describes the overall architecture. Each public safety organization can request a specific allocation of the spectrum for its wireless network on the basis of the traffic demand. The wireless nodes (e.g., terminals and base stations) exchange the requests, credentials and spectrum management policies through a common control channel (CCC). Many spectrum sharing solutions, either centralized or distributed, assume a CCC for spectrum sharing [27,28]. CCC is responsible for distributing the cognitive control messages, which may include information on the spectrum environment detected by each CR node and any information which could support the spectrum analysis function and finally the assigned bands and communication parameters defined by the spectrum decision function. In this paper, the CCC is also used to support the Trust- X framework. The CCC can be classified in two categories: in-band CCC and out-band CCC. The in-band CCC implementation can Security Comm. Networks (2012) © 2012 John Wiley & Sons, Ltd. DOI: 10.1002/sec

G. Baldini et al.

Distributed access control policies for spectrum sharing

Figure 1. System architecture.

be defined as the CCC implementation in which CCC information is being transmitted along with user data via the same radio interface (RI). A good example can be a cellular network (e.g., universal mobile telecommunications system). In this case CCC would actually become a sort of a logical channel sharing the resources with user data/voice transmission. The key disadvantage of the solution is the fact that the device is still required to conduct the scanning procedure in order to acquire knowledge about the RI where CCC is located. In order to implement the in-band CCC, a special mechanism that would allow dissemination of CCC information through the related networks must be developed. The out-band CCC can be defined as the CCC implementation in which one of the radio interfaces is exclusively used for dissemination of CCC information, where the cognitive channel uses a spectral band and channel definition specifically designed for the CR network. The key advantage of the out-band approach is the easier implementation [29], as any CCC compliant terminal can retrieve the information of the CCC no matter what access technology it operates in. On the other hand, in order to implement out-band CCC, each device needs to be employed with an additional standardized radio interface allowing the reception of the CCC signal. In this paper, we will use an out-band CCC that uses a pre-allocated spectral band and a pre-defined standardized radio interface known to all the CR nodes in the networks. As described in the introduction, the allocation of the spectrum resources is regulated by the Trust-X framework, which is described in detail in Section 4. Once the allocation of the spectral band is completed, the band is used by the wireless network related to the specific public safety organization. Obviously, this future scenario requires multi-band or CR nodes, which are able to transmit in various spectral bands. Other resource management schemes can be used to regulate the access to the spectrum resources. Reference Security Comm. Networks (2012) © 2012 John Wiley & Sons, Ltd. DOI: 10.1002/sec

[30] proposes a resource management scheme for CR ad hoc networks based on a Weighted Priority M/G/1 Model, where the spectrum allocations requests are classified and dispatched depending on their priorities, available resources and traffic engineering considerations (e.g., type and coverage of the network). Future developments of this paper can combine the Trust- X framework with a resource management scheme such as the Weighted Priority M/G/1 Model. Operational and technical requirements [31], already defined in the current public safety scenarios, will also apply to the scenario presented in this paper. In relation to spectrum sharing, these requirements include the following: • The allocation of spectral bands must be completed within specific time constraints. • The framework must be resilient to address changes in the network topology due to destroyed nodes (e.g., because of the underlying cause of the disaster) or nodes which are not under coverage (e.g., lack of coverage). • The framework should be robust against communication errors. • The framework should be scalable. In the London bombing scenario, hundreds of public safety officers were involved. The performance of the framework against these technical requirements will be discussed in Section 5.

4. THE TRUST-X FRAMEWORK Trust-X is a comprehensive framework for defining and managing trust negotiations [32]. It is based upon a peer-to-peer architecture and a rule-based policy language called X -TNL [33].

Distributed access control policies for spectrum sharing

A Trust-X negotiation is an interactive process between two parties—called Requester and Controller—having the goal to establish mutual trust in order to release a given resource. We assume that the resource description is encoded into a credential, that is, a list of the relevant attributes of the resource, along with the corresponding values. We further assume that a resource is protected by a disclosure policy (held by the Controller), which details what conditions are to be satisfied by the Requester before Controller releases the resource. Typically, the Requester’s conditions are encoded into predicates about credentials, which are to be disclosed themselves to the Controller, in order to check whether they satisfy the disclosure policy. It may be well the case that such credentials contain sensitive information and, hence, they may be protected by another disclosure policy (held this time by the Requester). Henceforth, a negotiation between Requester and Controller composed of interleaved, mutual credentials’ requests (expressed as disclosure policies) ensues. The negotiation successfully ends in the case both parties agree on a set of credentials that can be unconditionally disclosed. The negotiation process is divided into three distinct phases: • Introductory phase: the parties identify the resource R to be released; • Policy evaluation phase: the parties iteratively exchange disclosure policies, in order to possibly agree upon a set of credentials to be exchanged for the release of R; • Credential exchange phase: the parties actually exchange the credentials according to the disclosure policies, agreed in the previous phase. The phases of negotiation process described above have been extended in several ways to provide different features. In [10], the initial phase of the Trust-X framework has been extended to support the re-negotiation of resources. This extension consists in the fact that if the initially requested resource R is a so-called composite resource‡ and if the disclosure policy associated to such resource is non-satisfiable from the Requester, then it will be possible for the Requester to rebate to the Controller a less demanding disclosure policy. In turn, the Controller may offer a subset of the smaller resources composing the composite resource R, which it considers appropriate for the suggested disclosure policy. Of course, the Requester may choose to accept/refuse the offer or, on the other hand, offer a more or less demanding disclosure policy in order to obtain the desired resource.

‡ We define a composite resource as a resource composed by smaller resources. An example of composite resource is an XML document where the children elements of the root element are the smaller resources

G. Baldini et al.

Moreover, given a negotiation successfully terminated for some parts of a composite resource, the protocol allows to obtain the remaining parts by means of another trust negotiation [34]. Such negotiation will evaluate the disclosure policies protecting the original resource but keeping in mind that such policies have been already partially satisfied in the previous negotiation. Furthermore, both the policy evaluation and the credential exchange phases support the recovery of crashed negotiation [9]. Briefly, the framework provides a way for saving the state of the ongoing trust negotiation from time to time. If the negotiation is interrupted because of a communication failure—e.g., a loss of connectivity of one of the negotiating parties—then it will be possible, once the communication has been restored, to recover the interrupted negotiation. The frequency of when the state is saved has not been agreed between the parties, thus each party may define a time interval between the creation of a negotiation state according to its own preferences. The Trust- X framework will take care of the reconciliation of the saved states. Such feature had been further enhanced to allow the negotiating parties to voluntarily suspend a negotiation [8]. This is useful if one of negotiating parties is required to provide a certain credential that is not currently available, but will be shortly. The feature is achieved creating a saving state at an instant agreement between the negotiating parties and, eventually, resuming the negotiation from such common state. To further improve the flexibility of the protocol, Trust-X also provides a protocol for securely exchange one of the negotiating parties with another, delegated entity [35]. Such protocol takes advantage of the suspension feature adding verification mechanisms so that the negotiation state can be transferred to another party. Such party will, in turn, authenticate itself as delegated from the original party and, after that, the negotiation will be resumed as usual. Note that in the present work we use the basic negotiation process; nevertheless, it is trivial to take advantage of more advanced features provided by the Trust-X framework. 4.1. The Trust Negotiation Language X -TNL We now precisely define the concepts presented so far with the introduction of the trust negotiation language X -TNL. We start with the necessary building blocks for defining credentials and expressing properties and disclosure policies upon them. We assume the existence of a set CN of credential names, a set AN of attribute names and—for every attribute name Att—a corresponding set V Att of values. A credential is an expression of the form CredName(AttlList), where CredName is a credential name and AttList a tuple of pairs (Att, val), where Att and val are respectively from the set of attribute names and the corresponding set of values, and denote Security Comm. Networks (2012) © 2012 John Wiley & Sons, Ltd. DOI: 10.1002/sec

G. Baldini et al.

Distributed access control policies for spectrum sharing

the fact that the credential CredName in attribute Att has value val. A term T is an expression of the form CredName (PredList), where CredName a credential name and PredList is a (possibly empty) tuple of (infix-form) predicates (Att pred val), where Att is an attribute name, val is a value from a proper domain and pred is a binary predicate from the set {≥,≤,=,6¼}. As an example, the string ParamedicID(Hospital = “ Queen0 sHospital ”, ReleaseYear > 1996) is a term that matches a credential named ParamedicID which contains an attribute Hospital with value Queen’s Hospital and an attribute ReleaseYear with value greater than 1996. A disclosure policy is an expression of the form Cred T1conn1T2conn2 . . . connu  1Tu, where Cred is a credential name, Ti are terms and Conni are Boolean connectives from {∧,∨}. As an example, consider the following disclosure policy: 0




I AN Map Location ¼ “King sCross” MilitaryIDðCountry ¼ “UK”Þ∨PoliceIDðCountry ¼ “UK”Þ

(1) Such disclosure policy states that in order to access the credential containing the map of the IAN of the location identified as “King’sCross” the requester must prove it belongs to the United Kingdom military or to the police. Finally a trust negotiation is a finite sequence of disclosure policies interactively exchanged among the negotiating parties. Such process is carried out in order to identify a set of credentials, belonging each to one of the two negotiating parties, which have to be exchanged in order to establish the trust level required to obtain the originally requested resource. Figure 2 provides an example of negotiation: (1) A fireman (F) asks to access a credential containing the positions of the gas pipes (GasBluePrint) which belongs to the LondonGasSociety (LGS). (2) LGS replies with the disclosure policy GasBluePrint ID (Country = UK) ∧ FiremanID ∧ FireBrigateID. (3) All the required credentials are available but the credentials FiremanID and BrigateID are considered sensitive credentials. Hence, they are protected by disclosure policies too. Therefore, F sends the disclosure policies FiremanID ID(Country = UK) and FireBrigateID ID(Country = UK). (4) LGS owns a credential attesting its identity and is freely available. It sends it to F . (5) F , upon the verification of the validity of the credential received, sends the required credentials ID, FiremanID and FireBrigateID to LGS. (6) Finally, F is able to access the credential GasBluePrint disclosed by LGS. Security Comm. Networks (2012) © 2012 John Wiley & Sons, Ltd. DOI: 10.1002/sec

Figure 2. An example of trust negotiation.

4.2. The Spectrum Management Language The trust negotiation language presented does not suffice for expressing all the complex setup procedures required by parties communicating over a CR networks. Towards this end, we extend our negotiation language illustrating how to include a spectrum management language largely inspired by the CoRaL language [19] into our framework. A condition term CT is an expression of the form Condition(PredList) where Condition denotes a condition type, such as Time, Location, DeviceCapability and NodeIdentity, and PredList is the same list of tuples defined earlier. Note that the possible attributes in the PredList of a condition term depend on the type of condition represented. Examples of condition terms are Location(Latitude = “ 51.30 N ”, Longitude = “ 0.30W ”) and Time(localtime ≥ 10 : 00, localTime ≤ 17 : 00). A frequency list is an ordered list of frequencies, such as {3847, 3990, 4375 MHz}. A spectrum management policy is an expression of the form freqList CT1 ∧ CT2 . . . ∧ TCv where freqList is a frequency list and CTi are condition terms. Moreover, we classify the spectrum management policies in two categories: permissive policies and restrictive policies. In each instant, the frequencies used by a terminal are determined as follows: (1) Identify all the allowed frequencies, which entails the identification of the permissive policies whose right side is true; (2) Identify all the prohibited frequencies, which entails the identification of the restrictive policies whose right side is true; (3) Finally, a terminal is allowed to transmit on the difference between allowed frequencies and prohibited frequencies. For example, using the following permissive policy {5132 MHz, 231.2250 MHz} Location(City = London) ∧ Time(hour ≥ 08) and the following restrictive policy {5132 MHz} Time(hour ≥ 22), at 11:00 PM, a terminal located in London will be allowed to transmit on the frequency of 231.2250 MHz.

Distributed access control policies for spectrum sharing

The spectrum management policy language described earlier is an example. It is possible to extend the language to achieve the same expressive power of [19,20] but is behind the objective of the current work.

5. EXPERIMENTAL RESULTS We performed some experiments to evaluate the proposed approach. We developed a prototype of the Trust-X framework using Java 6. To run our experiments, we used a network of two computers with the following configurations: (a) Linux, kernel 2.6.30, CPU 2.20 GHz and (b) Macbook, OS 10.6, CPU 2.53 GHz. In order to have a more realistic feedback from our experiments, we run them using two different lightweight database management systems (DBMSs), namely SQLite and MySQL. Such DBMSs are deployed for the storage of credentials and disclosure policies. First of all, we evaluated the time required by a new device to authenticate itself in the IAN with respect to the number of credentials that have to be exchanged. Figure 3 shows how Trust-X performances are linear to the number of both policies and credentials exchanged. More precisely, its performance depends on the structure of the disclosure policies exchanged. The simpler negotiation, which involved the exchange of two credentials, represented by a negotiation of the form A B, required in average 226 ms, with a lower bound of 188 ms. On the other hand, to negotiate and exchange 50 credentials, Trust-X required 3859 ms. According to the presented results, the negotiation illustrated in Section 4 required in average 265 ms. With respect to the performances tests described in [21], we performed a series of tests in order to evaluate the scalability of our prototype with respect to the number of nodes simultaneously authenticating themselves.

Figure 3. Time required to authenticate with respect to the number of credentials involved.

G. Baldini et al.

To be able to compare the results, we performed an increasing number of simultaneous authentications. Each authentication involves the same disclosure polices and, therefore, the same credentials. As shown in Figure 4, the time required is linear to the number of concurrent negotiations. In another group of simulations, we evaluated the performance of the negotiation protocol in different environments characterized by various sizes of the population of CR nodes and various levels of dynamicity. Note that with the term dynamicity, we mean the rate of status changes of the CR network due to a number of causes such as CR nodes appearing or disappearing from the network, internal faults or topological alterations. Dynamicity is at the heart of wireless networking and is due to the mobility of the terminals. CR nodes may lose connectivity with the rest of the network because they moved outside the maximum range of the wireless link, or because they moved behind an obstacle that blocks the signal. Therefore, dynamicity is an important parameter which evaluates the performance of a CR network. Public safety operational scenarios may be characterized by an high degree of dynamicity as new public safety organizations appear or disappear from the context, radio links are degraded by natural or man-made obstacles or because one or more CR nodes suffer from technical failure of power exhaustion. Considering that the operational requirements impose specific timing constraints on the access and activation of communications services, the negotiation protocol should not introduce large delays in presence of high dynamicity of the CR network. Hence, we evaluated the negotiation protocol against different populations of CR nodes, with sizes ranging from 100 to 500 nodes. Figure 5 shows that the time required is linear to the cardinality of the CR nodes in the network. The overall time used by the negotiation protocol is still limited to few seconds even for networks of large size (500 nodes). Such values are comparable with the timing constraints defined by public safety operational requirements as in [31]. Figure 5 shows different levels of dynamicity but the divergence of the lines is small in comparison with the overall time. Therefore, another graph was created to

Figure 4. Scalability of the prototype with respect to the number of simultaneous authentications. Security Comm. Networks (2012) © 2012 John Wiley & Sons, Ltd. DOI: 10.1002/sec

G. Baldini et al.

highlight the time difference for various levels of dynamicity from the best case of a complete static CR network. The result is presented in Figure 6 where the x-axis represents the static case, whereas the curves represent increasing levels of dynamicity. From the figure, it is possible to see that even for high levels of dynamicity (50 CR nodes per second) the difference from the static case is only of few hundred milliseconds and only for small networks. For large sizes of the CR network, the results of all the performed experiments are converging to the same value, as the percentage of the CR nodes moving in or out of the network is small in comparison with the overall size of the CR network. Note that the levels of dynamicity used in the simulation are much higher than the ones usually appearing in real-world scenarios as described in [26]. Normally only 5–10% of the total number of wireless terminals may join or leave the scenario because of the mobility of the public safety responders involved in the crisis. We can conclude that the dynamicity of CR network does not heavily influence the performance of the negotiation protocol. Finally, we executed other simulations where we introduced delays and communication failures to simulate disturbances to the wireless links. Like any other wireless communication systems, the CR network is subject to propagation errors due to obstacles (e.g., buildings) or

Distributed access control policies for spectrum sharing

presence of wireless interferences, which translates to lower data rates and consequent communication delays or communication failures. Figure 7 shows the results of the negotiation time in relationship with the introduction of different communication delays. Not surprisingly, the simulations showed that the number of the devices operating in the network has a greater impact on the performance of the network in comparison with delays. Regarding the robustness of the proposed framework, Figure 8 shows the results of the simulation in which we introduced a communication error. More precisely the different series represents the probability that a message is lost. Thus we introduce in the communication a random delay defined by the time required to identify that a message is missing and by the time required by the retransmission of such missing message. As for the experimental results shown in Figure 7, the simulation showed that the number of devices operating in the networks is the key factor with respect to communication performances.

Figure 7. Negotiation time in relation to the communication delays.

Figure 5. Scalability of the prototype with respect to dynamicity.

Figure 6. Stability of the prototype with respect to dynamicity. Security Comm. Networks (2012) © 2012 John Wiley & Sons, Ltd. DOI: 10.1002/sec

Figure 8. Negotiation time in relation to the communication errors.

Distributed access control policies for spectrum sharing

6. CONCLUSIONS In this work, we presented an approach for managing access in CR networks, when deployed in scenarios having conflicting requirements such as (a) security needs and (b) high flexibility in managing dynamic reconfigurations. The proposed solution builds on the concept of trust negotiation, a well-known and accepted approach in the access control research area. We have defined a negotiation language for managing access control in a CR network and we applied it to a real-world critical scenario. Finally, we reported promising experimental results, showing the effectiveness of our approach even in presence of high dynamicity of the CR network. Future development may include the combination of the trust negotiation with classical resource management schemes for CR networks based on the preemptive priority M/G/1 models for distributed networks.

REFERENCES 1. Bazelon C. Licensed or unlicensed: the economic considerations in incremental spectrum allocations. IEEE Communications Magazine March 2009; 47(3): 110–116. 2. Stine JA, Portigal DL. Spectrum 101. An Introduction to Spectrum Management, MITRE, Technical Report MTR 04W0000048, 2004. 3. Peha JM. Sharing spectrum through spectrum policy reform and cognitive radio. Proceedings of the IEEE 2009; 97: 708–719. 4. Lehr W, Jesuale N. Spectrum pooling for next generation public safety radio systems. New Frontiers in Dynamic Spectrum Access Networks. 2008. DySPAN 2008. 3rd IEEE Symposium on Oct. 2008; 1–23, 14–17 . 5. Mason A. Public safety mobile broadband and spectrum needs. Final Report, March 2010, 16395–94 http://www. tetra-association.com. Last accessed. 24 May 2011. 6. Blaze M, Feigenbaum J, Lacy J. Decentralized trust management. SP ’96: Proceedings of the 1996 IEEE Symposium on Security and Privacy 1996. 7. Winslett M. An introduction to trust negotiation 2003. Proceedings of Trust Management 2003; LNCS 2692: 275–283. 8. Squicciarini AC, Trombetta A, Bertino E, Braghin S. Identity-based long running negotiations. Digital Identity Management 2008; 97–106. DOI:10.1145/ 1456424.1456440. 9. Squicciarini AC, Trombetta A, Bertino E. Supporting robust and secure interactions in open domains through recovery of trust negotiations. 27th International Conference on Distributed Computing Systems (ICDCS ‘07) 2007; 57–69. DOI:10.1109/ICDCS.2007.144.

G. Baldini et al.

10. Braghin S, Fovino IN, Trombetta A. Advanced trust negotiation in critical infrastructures. International Conference on Infrastructure Systems 2008. 11. Lee AJ, Winslett M, Basney J, Welch V. The Traust authorization service. ACM Trans. Inf. Syst. Secur 2008; 11: 1–14. 12. Li N, Mitchell JC, Winsborough WH. Design of a role-based trust-management framework. IEEE Symposium on Security and Privacy 2002; 114–130. 13. Nejdl W, Olmedilla D, Winslett M. PeerTrust: automated trust negotiation for peers on the semantic web, Technical Report, October 2003. 14. Mitola J III, Maguire GQ. Cognitive radio: making software radios more personal. IEEE Personal Communications 1999; 4:1318. 15. Buddhikot. MM. Understanding dynamic spectrum access: models, taxonomy and challenges. New Frontiers in Dynamic Spectrum Access Networks, 2007. DySPAN 2007. 2nd IEEE International Symposium on April 2007; 649–663, 17–20 . 16. Software defined radio technology for public safety SDRF-06-P-0001-V1.0.0 (Formerly Approved Document SDRF-06-A-0001-V0.00). 17. Wang W, Gao W, Bai X, Peng T, Chuai G, Wang W. A framework of wireless emergency communications based on relaying and cognitive radio. IEEE 18th International Symposium on Personal, Indoor and Mobile Radio Communications 2007. 18. Bernthal B, Jesuale N. Smart radios and collaborative public safety communications. 3rd IEEE Symposium on New Frontiers in Dynamic Spectrum Access Networks, DySPAN 2008 2008: 1–20. 19. Denker G, Elenius D, Senanayake R, Stehr M, Wilkins D. A policy engine for spectrum sharing. 2nd IEEE Symposium on New Frontiers in Dynamic Spectrum Access Networks, DySPAN 2007 2007; 55–65. 20. Elenius D, Denker G, Stehr MO, Senanayake R, Talcott C, Wilkins D. CoRaL—policy language and reasoning techniques for spectrum policies. 8th IEEE International Workshop on Policies for Distributed Systems and Networks, POLICY ’07 2007; 261–265. 21. Use cases for MLM language in modern wireless networks. SDRF-08-P-0009-V1.0.0 22. Feeney K, Lewis D, Argyroudis P, Nolan K, O’Sullivan D. Grouping abstraction and authority control in policy-based spectrum management. 2nd IEEE Symposium on New Frontiers in Dynamic Spectrum Access Networks, DySPAN 2007 2007; 363–371. 23. Feeney K, Lewis D, Argyroudis P, Nolan K, O’Sullivan D. Integrating the policy dialectic into dynamic spectrum management. 2nd IEEE Symposium on New Frontiers in Dynamic Spectrum Access Networks, DySPAN 2007 2007; 390–398. Security Comm. Networks (2012) © 2012 John Wiley & Sons, Ltd. DOI: 10.1002/sec

G. Baldini et al.

24. Blaze M, Feigenbaum J, Ioannidis J, Keromytis AD. The KeyNote trust-management system version 2. RFC 2704, September 1999. 25. Lee A, Winslett M, Perano KJ, TrustBuilder2: a reconfigurable framework for trust negotiation, Proceedings of the Third IFIP WG 11.11 International Conference on Trust Management (IFIPTM 2009) June 2009; 176–195. 26. Greater London Authority, Report of the 7 July Review Committee, June 2006. 27. Ma X, Han C, Shen C. Dynamic open spectrum sharing MAC protocol for wireless ad hoc network. 1st IEEE International Symposium on New Frontiers in Dynamic Spectrum Access Networks DySPAN 2005 2005; 203–213. 28. Brik V, Rozner E, Banarjee S, Bahl P. DSAP: a protocol for coordinated spectrum access. 1st IEEE International Symposium on New Frontiers in Dynamic Spectrum Access Networks DySPAN 2005 2005; 611614. 29. Chuan Han C, Wang J, Yang Y, Li S. Addressing the control channel design problem: OFDM-based transform domain communication system in cognitive radio, Computer Networks 2008; 52: 795–815.

Security Comm. Networks (2012) © 2012 John Wiley & Sons, Ltd. DOI: 10.1002/sec

Distributed access control policies for spectrum sharing

30. Wang S, Zheng H, A resource management design for cognitive radio ad hoc networks. Military Communications Conference, 2009. MILCOM 2009. IEEE Oct. 2009; 1–7, 18–21. 31. SAFECOM, US communications program of the Department of Homeland Security. Public safety statements of requirements for communications and interoperability v I and II 2004. 32. Bertino E, Ferrari E, Squicciarini AC. Trust-: a peerto-peer framework for trust establishment. IEEE Transactions on Knowledge and Data Engineering 2004; 16(7): 827–842. 33. Bertino E, Ferrari E, Squicciarini AC. -TNL: an XML language for trust negotiations. 4th IEEE Workshop on Policies for Distributed Systems and Networks, Como, Italy 2003; 81–84. 34. Braghin S, Fovino IN, Trombetta A. Advanced trust negotiation in critical infrastructures. International Journal on Critical Infrastructure 2010; 6(3): 225–245. 35. Squicciarini AC, Bertino E, Trombetta A, Braghin S. A flexible approach to multisession trust negotiations. IEEE Transactions on Dependable and Secure Computing 2012; 9(1): 16–29.