Distributed access control policies for spectrum sharing


Upload: gianmarco-baldini

Post on 16-Oct-2016



SECURITY AND COMMUNICATION NETWORKS
Security Comm. Networks (2012)

Published online in Wiley Online Library (wileyonlinelibrary.com). DOI: 10.1002/sec.629

RESEARCH ARTICLE

Distributed access control policies for spectrum sharing

Gianmarco Baldini1*, Igor Nai Fovino2, Stefano Braghin3 and Alberto Trombetta4

1 IPSC, JRC, Ispra, Italy
2 Global Cyber-Security Center, Viale Europa 175, Rome, Italy
3 Nanyang Technological University, Singapore
4 DiSTA Insubria University, Varese, Italy

ABSTRACT

Cognitive radio is a novel wireless communication technology that allows for adaptive configuration of the reception parameters of a terminal, based on the information collected from the environment. Cognitive radio technology can be used in innovative spectrum management approaches such as spectrum sharing, where radio frequency spectral bands can be shared among various users through a dynamic exclusive-use spectrum access model. Spectrum sharing can be applied to various scenarios in the commercial, public safety and military domain. In some scenarios, spectrum sharing demands a mechanism for expressing and enforcing access control policies for the allocation of resources including spectral bands. The access control policies should state what are the available resources (e.g., transmission/reception bandwidths), what are the users that are allowed to access them and under what conditions. However, because of the intrinsically highly dynamic nature of specific scenarios (e.g., public safety, military), where parties with various levels of authority may suddenly appear, it may be difficult to establish in advance what are the most suitable access control policies. Trust negotiation is a well-known approach for expressing and enforcing distributed access control policies that depend on two or more parties. In this work, we present a trust negotiation-based framework that allows for the definition of highly expressive and flexible distributed access control policies for the allocation of spectrum resources. Copyright © 2012 John Wiley & Sons, Ltd.

KEYWORDS

cognitive radio; wireless communications; spectrum sharing; trust negotiation; access control policy

*Correspondence

Gianmarco Baldini, Joint Research Centre-European Commission, Ispra, Italy.
E-mail: [email protected]

1. INTRODUCTION

The current management regime of command and control [1] separates the various radio communication services in specific spectral bands. It is effective at protecting authorized users of radio spectrum from unwanted interference from other radio communication services. As described in [2], the shortcoming of the command and control spectrum management approach or spectrum access model is the risk of poor spectrum utilization: some spectral bands may be underused most of the time, whereas other bands may be overused or congested. The increasing number of new wireless services and applications, requiring broadband wireless connectivity, is the main driver to identify new approaches or technologies for improved spectrum utilization. In spectrum sharing, communication systems based on cognitive radio (CR) nodes and terminals could effectively share the available spectrum resources and change dynamically the allocation of the spectral bands for the various communication services [3]. Note that there are different definitions of the term spectrum sharing, which identify different spectrum access models. In this paper, we will use the term spectrum sharing to identify dynamic exclusive use of spectrum, where the allocation of spectral bands can change in time or space. If a specific band is not used, it can be dynamically reallocated to another user for a specific amount of time, or in a specific geographical area. Additional details on spectrum access models and dynamic exclusive use of spectrum are provided in Section 2. In this new model, CR nodes would not be limited to use the specific spectral bands defined in the design phase of the communication equipment but they could access all the available spectrum resources within the constraints defined by spectrum regulators.

One of the application domains for the application of a spectrum sharing approach is public protection and disaster relief or public safety, where first responders could dynamically increase the usage of the spectrum to address the need for increased capacity during the time of an emergency crisis as described in [4]. New applications such as mobile video surveillance, mobile biometric identification and remote emergency health have increased the need for broadband wireless connectivity in the public safety domain. The report [5] describes the evolution of public safety needs from voice-based communication to data-based communication to support a new range of applications. Higher data throughput requires a wider allocation of spectrum to public safety, but this may not be possible in the current spectrum regulation framework, where available bands for public safety usage are scarce. A dynamic approach to spectrum usage could be more efficient to address the peak of traffic capacity during an emergency crisis. Additional details on spectrum sharing in public safety are described in Section 2.

A major consequence of spectrum sharing is the need to define suitable access policies, which describe the rules for sharing spectrum resources.

Various public safety organizations may participate in the resolution of a major emergency including fire fighters, emergency health services, police, non-governmental organizations and military. Each organization may have different priorities regarding the access and sharing of resources depending on the operational context. Because emergency crises are usually unplanned events, the participating organizations may have little or no coordination in the allocation of resources and the unexpected appearance of a new organization on the crisis scenario may impose new resources arrangements.

In this context, there is a need for a security mechanism to regulate access to spectrum resources by the various parties. The deployment of spectrum sharing may have a large number of operating dimensions including frequencies, waveforms, power levels and so forth. There is thus the need to define an access control framework, which allows benefit of spectrum sharing, while ensuring the conformance to regulatory policies and rules of conduct among public safety organizations.

Mainstream approaches to access control do not seem to be suited for a complex environment such as the one sketched earlier. In fact, requesting entities’ access to resources is enforced by a centralized authority, given an a priori fixed set of rules describing what are the resources and under what conditions they can be accessed. Requesting entities are usually identified through a standard online login and password mechanism. Other more sophisticated offline authentication mechanisms require the presence of heavyweight, centralized and rather rigid infrastructures, such as public key infrastructures.

A more flexible authentication mechanism is thus required in order to effectively manage access requests in highly distributed and dynamic environments. Trust negotiation [6,7] is an example of such an approach. Trust negotiations allow two—initially mutually untrusting—parties wishing to exchange resources, to establish a mutual trust relationship. Trust is established through an exchange of digital credentials. Credentials are digital statements of relevant properties of the parties and may be endorsed by trusted entities, such as certification authorities, or other entities that are trusted by the negotiating parties.† Relevant credentials for a trust negotiation are identified on-the-fly during the negotiation process according to the specific negotiation’s goal. During a negotiation, each party decides which credentials it is willing to disclose to the counterpart and under what conditions. Such conditions are expressed by rules called disclosure policies (or policies for short). Intrinsic and relevant features of any mechanism operating in open, distributed environments are to provide (i) resilience to communication errors; and (ii) support in the case of sudden changes (e.g., peers joining and/or leaving the scenario may result in crashes). Such features, in particular, are provided in the case of trust negotiations, as we will see in the following discussions.

†Note that such certification authorities are not involved in the actual execution of negotiations.

In recent years, trust negotiation has received significant attention from the access control research community [8–13].

In this paper, we propose a trust negotiation-based framework for expressing and enforcing access control policies in CR networks. Our approach allows for the definition of highly expressive disclosure policies, which—as we will see in the following sections—satisfy the security, flexibility and fault-tolerance requirements demanded by a highly dynamic and distributed scenario such as a wireless network during the response phases of an emergency crisis, in which the operational requirements and conditions may suddenly change. To the best of our knowledge, this is the first work that addresses such issues in the context of CR networks. The paper is organized as follows:

Section 2 provides an overview of the state of art for CR and related policy languages. Section 3 presents the operational scenario and the system architecture. Section 4 provides a description of the Trust-X framework. Section 5 presents the performances of the Trust-X prototype. Finally, Section 6 is used for conclusions and an overview of future developments.

2. RELATED WORK

2.1. Cognitive radio

The design and deployment of CR have been investigated in a number of papers and research studies starting from the seminal work of Joseph Mitola in [14], which is mainly focused on the radio knowledge representation language. The paper also introduces the concept that this type of language can empower software radios to conduct expressive negotiations among peers about the use of radio spectrum resources in a region of space as a function of time and user context. As described before, CR can enable new spectrum management approaches. A survey is presented in [15] that identifies the following spectrum access models:


(1) Command and control: The conventional model where the regulatory body explicitly lays down the detailed rules for use of the spectrum and assigns it to an entity for use.

(2) Exclusive use: This model relies on the concept of spectrum band license which entitles its owner exclusive rights to use and reassign that spectrum under certain rules.

(3) Secondary access of primary licensed spectrum: In this model, the spectrum owned by a licensee (also referred to as the primary user) is shared by a non-license holder commonly referred to as a secondary user.

(4) Commons: This is an operating model wherein nobody can claim exclusive use of a shared resource.

This paper is focused only on the specific spectrum access model called exclusive use and in particular the dynamic exclusive-use model, where spectrum right of use can be exchanged in time, space and frequency even for small quantities (e.g., the right to use a specific band can be reallocated to a user for a few days or hours). Under the dynamic exclusive-use model, at any given point in space and time, only one entity (operator) has exclusive rights to the spectrum but the identity of the owner and the type of use can change. In this model, a fraction of a pool of radio spectrum resources can be reassigned to a specific user (e.g., a first responder organization) for a limited amount of time or for a specific area (e.g., the disaster area). The advantage of the dynamic exclusive-use model in comparison with the secondary access or commons models is that the quality of service can be guaranteed, because no other radio communication service is present in the same band. The assurance of a specific level of quality of service is an essential requirement for public safety organizations.

The application of CR to the public safety domain is investigated in the SDR Forum (now Wireless Innovation Forum) Technical Report [16]. The document describes the benefits and the related challenges of the deployment of these new technologies. A major challenge is to ensure that “spectrum sharing” can provide the same level of security and reliability of conventional communication systems. In [17], the authors presented a framework for the use of CR in the public safety domain. The paper describes a workflow for the dynamic allocation of the spectrum and a protocol for exchanging spectrum resources among the actors involved in the scenario. In [18], the authors describe the technical and psychological challenges for resources management and spectrum sharing across different public safety organizations. The paper highlights the importance of creating control mechanisms and a trust framework to overcome the challenges and improve the efficiency of spectrum utilization. The paper does not identify or describe a specific trust or policy framework but identifies the benefits of adopting such a framework.

The cooperative approach for spectrum sharing requires the definition of a policy language to regulate the sharing of the resources among the CR nodes. A policy framework for “spectrum sharing” has been defined in the DARPA XG program. The neXt Generation program (XG) is a technology development project sponsored by the US DARPA’s Strategic Technology Office, with the goals to develop both the enabling technologies and system concepts to dynamically redistribute allocated spectrum. XG uses a declarative policy engine that supports spectrum sharing while ensuring that radios will adhere to regulatory policies and is able to adapt to changes in policies, applications and radio technology. The policy engine is based on a declarative language called Cognitive Radio Language (CoRaL) for expressing spectrum sharing policies (see [19]). In CoRaL, policy rules such as allow (permissive) and disallow (restrictive) are logical axioms that express under which conditions these predicates hold. The policy rules may consider the radio’s capability, current state, location, time and spectral environment for allowing a transmission. The design of a policy reasoner based on CoRaL is presented in [20]. The paper describes the demonstration of the XG technology, CoRaL and the policy reasoner in a testing scenario where CoRaL policies are used to change how XG radios access spectrum resources on the basis of the location of the radio, its operational mode and the sensed signal strengths.

Reference [21] from Wireless Innovation Forum is one of the first documents that identifies and describes a modeling language to negotiate and control the network resources in the public safety domain. The modeling language is called MetaLanguage for Mobility (MLM) and it is used to describe the functions, resources and roles of the elements and actors participating in the operational scenarios related to the public safety domain. The reference presents a specific scenario for spectrum sharing. MLM is based on Web ontology language, and the use cases are described using Unified Modeling Language. The language does not have security elements to define various levels of authority or trust among the actors as the sharing of network resources can be based on a pre-defined agreement among organizations.

The shortcoming of the previous papers is that the presented policy languages are not specifically designed to describe operational contexts where users have different priorities and capabilities, when deploying spectrum resources. Public safety operational scenarios are characterized by many organizations with different levels of authority for the access to the available resources in the scenario (i.e., energy, water or communications). Generally, military organizations have the highest authority, then police and volunteer organizations. The priority depends on the operational scenario, as well. A suitable policy language should have—among other things—the capability of describing the different levels of priority in using the spectrum resources on the basis of the type of operational organization and the type of operational scenario.

One of the first papers to address the challenge of defining a Dynamic Spectrum Access (DSA) model in a context with multiple organizations with various levels of authority is [22]. The paper presents a multi-organizational policy management system for DSA based on the fine-grained control of delegation of authority between communities of users. The contribution is identified as an extension of the XG policy engine but with a clear focus on the management of different levels of authority. Reference [23] addresses the management of DSA in a holistic manner. The paper describes a meta-policy framework that includes the definition of the hierarchical structures of the organizations involved in DSA scenarios. However, the issue of defining and enforcing access policies to network resources—given the aforementioned hierarchies—is not addressed.

2.2. Trust negotiation

Trust management, and trust negotiation in particular, has been an active field of research in the last years. The following paragraph presents a brief overview of the main work developed.

Up to now, the best-known trust management system is KeyNote [24]. KeyNote was designed to work for a variety of large-scale and small-scale Internet-based applications. It provides a single language for both local policies and credentials. KeyNote credentials, called assertions, contain predicates describing delegations in terms of actions that are relevant to a given application. As a result, KeyNote policies do not handle credentials as a means to establish trust because of the intended use of the language for delegation. Therefore, it has several shortcomings with respect to trust negotiations. The prototype trust negotiation system for the TrustBuilder Project is being designed and developed at the Internet Security Research Lab at Brigham Young University, under Prof. Seamons. The implementations utilize the IBM Trust Establishment (TE) system to create X.509v3 certificates. The TE system supports Extensible Markup Language (XML) role-based access control policies that TrustBuilder uses to govern access to sensitive credentials, policies and services. The TE runtime system includes a compliance checker that TrustBuilder uses to verify whether a set of certificates satisfies an access control policy and to determine which credentials satisfy a policy. The TrustBuilder prototype has been extended into TrustBuilder2 [25]. TrustBuilder2 leverages a plug-in based architecture, extensible data type hierarchy and flexible communication protocol to provide a framework within which numerous trust negotiation protocols and system configurations can be quantitatively analyzed. Another interesting proposal in the trust negotiation research area is Traust [11]. Traust is a third-party authorization service that leverages the strengths of existing prototype trust negotiation systems. Traust acts as an authorization broker that issues access tokens for resources in an open system after entities use trust negotiation to satisfy the appropriate resource access policies. The Traust architecture was designed to allow Traust to be integrated either directly with newer trust-aware applications or indirectly with existing legacy applications.

To the best of our knowledge, there is no work on deployment of trust negotiation techniques in frequency spectrum management or in the CR environment.

3. OPERATIONAL SCENARIO AND SYSTEM ARCHITECTURE

An example of an operational scenario where spectrum sharing and access policies could be applied is the London Underground bombing of July 2005 and the subsequently deployed resolution efforts [26]. We have chosen this specific operational scenario because it illustrates the significant challenges in resolving an emergency crisis in an urban environment. The existing communication resources were particularly strained because of the high volume of traffic due to panic conditions by the civil population and the degradation of some network infrastructures due to the bombing. Because the traffic demand on the network largely exceeded the capacity of the network, access control mechanisms were used to deny access to some users, including first time responders, who did not have priority access. The consequence was that some responders could not access the needed communication services to collaborate with the other public safety organizations in the area.

The agencies that responded to the emergency included the Metropolitan Police, the British Transport Police, the London Fire Brigade and the London Ambulance; each organization had its own specific feature and level of authority. In the real scenario, each organization had its own communication system, which used a specific spectral band allocated by spectrum regulations.

In a future scenario, where spectrum sharing, based on the dynamic exclusive-use model, is applied to balance the traffic demands, each public safety organization could access a common “pool” of spectral resources on the basis of its need and level of authority. At each moment and for specific geographical areas, a public safety organization can request the right to use a specific spectral band from the common pool.

Figure 1 describes the overall architecture. Each public safety organization can request a specific allocation of the spectrum for its wireless network on the basis of the traffic demand. The wireless nodes (e.g., terminals and base stations) exchange the requests, credentials and spectrum management policies through a common control channel (CCC). Many spectrum sharing solutions, either centralized or distributed, assume a CCC for spectrum sharing [27,28]. CCC is responsible for distributing the cognitive control messages, which may include information on the spectrum environment detected by each CR node and any information which could support the spectrum analysis function and finally the assigned bands and communication parameters defined by the spectrum decision function. In this paper, the CCC is also used to support the Trust-X framework. The CCC can be classified in two categories: in-band CCC and out-band CCC. The in-band CCC implementation can be defined as the CCC implementation in which CCC information is being transmitted along with user data via the same radio interface (RI). A good example can be a cellular network (e.g., universal mobile telecommunications system). In this case CCC would actually become a sort of a logical channel sharing the resources with user data/voice transmission. The key disadvantage of the solution is the fact that the device is still required to conduct the scanning procedure in order to acquire knowledge about the RI where CCC is located. In order to implement the in-band CCC, a special mechanism that would allow dissemination of CCC information through the related networks must be developed.

Figure 1. System architecture.

The out-band CCC can be defined as the CCC implementation in which one of the radio interfaces is exclusively used for dissemination of CCC information, where the cognitive channel uses a spectral band and channel definition specifically designed for the CR network. The key advantage of the out-band approach is the easier implementation [29], as any CCC compliant terminal can retrieve the information of the CCC no matter what access technology it operates in. On the other hand, in order to implement out-band CCC, each device needs to be equipped with an additional standardized radio interface allowing the reception of the CCC signal. In this paper, we will use an out-band CCC that uses a pre-allocated spectral band and a pre-defined standardized radio interface known to all the CR nodes in the networks.

As described in the introduction, the allocation of the spectrum resources is regulated by the Trust-X framework, which is described in detail in Section 4. Once the allocation of the spectral band is completed, the band is used by the wireless network related to the specific public safety organization. Obviously, this future scenario requires multi-band or CR nodes, which are able to transmit in various spectral bands.

Other resource management schemes can be used to regulate the access to the spectrum resources. Reference [30] proposes a resource management scheme for CR ad hoc networks based on a Weighted Priority M/G/1 Model, where the spectrum allocations requests are classified and dispatched depending on their priorities, available resources and traffic engineering considerations (e.g., type and coverage of the network). Future developments of this paper can combine the Trust-X framework with a resource management scheme such as the Weighted Priority M/G/1 Model.

Operational and technical requirements [31], already defined in the current public safety scenarios, will also apply to the scenario presented in this paper. In relation to spectrum sharing, these requirements include the following:

• The allocation of spectral bands must be completed within specific time constraints.

• The framework must be resilient to address changes in the network topology due to destroyed nodes (e.g., because of the underlying cause of the disaster) or nodes which are not under coverage (e.g., lack of coverage).

• The framework should be robust against communication errors.

• The framework should be scalable. In the London bombing scenario, hundreds of public safety officers were involved.

The performance of the framework against these technical requirements will be discussed in Section 5.

4. THE TRUST-X FRAMEWORK

Trust-X is a comprehensive framework for defining and managing trust negotiations [32]. It is based upon a peer-to-peer architecture and a rule-based policy language called X-TNL [33].

A Trust-X negotiation is an interactive process between two parties—called Requester and Controller—having the goal to establish mutual trust in order to release a given resource. We assume that the resource description is encoded into a credential, that is, a list of the relevant attributes of the resource, along with the corresponding values. We further assume that a resource is protected by a disclosure policy (held by the Controller), which details what conditions are to be satisfied by the Requester before the Controller releases the resource. Typically, the Requester’s conditions are encoded into predicates about credentials, which are to be disclosed themselves to the Controller, in order to check whether they satisfy the disclosure policy. It may well be the case that such credentials contain sensitive information and, hence, they may be protected by another disclosure policy (held this time by the Requester). Henceforth, a negotiation between Requester and Controller composed of interleaved, mutual credentials’ requests (expressed as disclosure policies) ensues. The negotiation successfully ends in the case that both parties agree on a set of credentials that can be unconditionally disclosed.

The negotiation process is divided into three distinct phases:

• Introductory phase: the parties identify the resource R to be released;

• Policy evaluation phase: the parties iteratively exchange disclosure policies, in order to possibly agree upon a set of credentials to be exchanged for the release of R;

• Credential exchange phase: the parties actually exchange the credentials according to the disclosure policies agreed in the previous phase.

The phases of the negotiation process described above have been extended in several ways to provide different features.

In [10], the initial phase of the Trust-X framework has been extended to support the re-negotiation of resources. With this extension, if the initially requested resource R is a so-called composite resource‡ and if the disclosure policy associated with such a resource cannot be satisfied by the Requester, then the Requester can reply to the Controller with a less demanding disclosure policy. In turn, the Controller may offer a subset of the smaller resources composing the composite resource R, which it considers appropriate for the suggested disclosure policy. Of course, the Requester may choose to accept or refuse the offer or, on the other hand, offer a more or less demanding disclosure policy in order to obtain the desired resource.

‡We define a composite resource as a resource composed of smaller resources. An example of a composite resource is an XML document where the children elements of the root element are the smaller resources.

Moreover, given a negotiation successfully terminated for some parts of a composite resource, the protocol allows the remaining parts to be obtained by means of another trust negotiation [34]. Such a negotiation will evaluate the disclosure policies protecting the original resource, keeping in mind that these policies have already been partially satisfied in the previous negotiation.

Furthermore, both the policy evaluation and the credential exchange phases support the recovery of crashed negotiations [9]. Briefly, the framework provides a way of saving the state of the ongoing trust negotiation from time to time. If the negotiation is interrupted because of a communication failure (e.g., a loss of connectivity of one of the negotiating parties), then it will be possible, once the communication has been restored, to recover the interrupted negotiation. The frequency with which the state is saved is not agreed between the parties; thus each party may define the time interval between the creation of negotiation states according to its own preferences. The Trust-X framework will take care of the reconciliation of the saved states.

This feature has been further enhanced to allow the negotiating parties to voluntarily suspend a negotiation [8]. This is useful if one of the negotiating parties is required to provide a certain credential that is not currently available, but will be shortly. The feature is achieved by creating a saved state at an instant agreed between the negotiating parties and, eventually, resuming the negotiation from this common state.

To further improve the flexibility of the protocol, Trust-X also provides a protocol for securely replacing one of the negotiating parties with another, delegated entity [35]. This protocol takes advantage of the suspension feature, adding verification mechanisms so that the negotiation state can be transferred to another party. That party will, in turn, authenticate itself as delegated by the original party and, after that, the negotiation will be resumed as usual.

Note that in the present work we use the basic negotiation process; nevertheless, it is trivial to take advantage of the more advanced features provided by the Trust-X framework.

4.1. The Trust Negotiation Language X-TNL

We now precisely define the concepts presented so far with the introduction of the trust negotiation language X-TNL. We start with the necessary building blocks for defining credentials and expressing properties and disclosure policies upon them. We assume the existence of a set CN of credential names, a set AN of attribute names and, for every attribute name Att, a corresponding set V_Att of values. A credential is an expression of the form CredName(AttList), where CredName is a credential name and AttList a tuple of pairs (Att, val), where Att and val are respectively from the set of attribute names and the corresponding set of values, and denote the fact that the credential CredName in attribute Att has value val.

Security Comm. Networks (2012) © 2012 John Wiley & Sons, Ltd. DOI: 10.1002/sec

Figure 2. An example of trust negotiation.

A term T is an expression of the form CredName(PredList), where CredName is a credential name and PredList is a (possibly empty) tuple of (infix-form) predicates (Att pred val), where Att is an attribute name, val is a value from a proper domain and pred is a binary predicate from the set {≥, ≤, =, ≠}. As an example, the string ParamedicID(Hospital = "Queen's Hospital", ReleaseYear > 1996) is a term that matches a credential named ParamedicID which contains an attribute Hospital with value Queen's Hospital and an attribute ReleaseYear with value greater than 1996.

A disclosure policy is an expression of the form $Cred \leftarrow T_1\ conn_1\ T_2\ conn_2 \ldots conn_{u-1}\ T_u$, where Cred is a credential name, $T_i$ are terms and $conn_i$ are Boolean connectives from {∧, ∨}. As an example, consider the following disclosure policy:

$$\mathit{IANMap}(\mathit{Location} = \text{``King'sCross''}) \leftarrow \mathit{MilitaryID}(\mathit{Country} = \text{``UK''}) \lor \mathit{PoliceID}(\mathit{Country} = \text{``UK''}) \tag{1}$$

This disclosure policy states that, in order to access the credential containing the map of the IAN of the location identified as "King'sCross", the requester must prove that it belongs to the United Kingdom military or to the police.

Finally, a trust negotiation is a finite sequence of disclosure policies interactively exchanged among the negotiating parties. This process is carried out in order to identify a set of credentials, each belonging to one of the two negotiating parties, which have to be exchanged in order to establish the trust level required to obtain the originally requested resource.

Figure 2 provides an example of negotiation:

(1) A fireman (F) asks to access a credential containing the positions of the gas pipes (GasBluePrint), which belongs to the LondonGasSociety (LGS).

(2) LGS replies with the disclosure policy GasBluePrint ← ID(Country=UK) ∧ FiremanID ∧ FireBrigateID.

(3) All the required credentials are available, but the credentials FiremanID and FireBrigateID are considered sensitive credentials. Hence, they are protected by disclosure policies too. Therefore, F sends the disclosure policies FiremanID ← ID(Country=UK) and FireBrigateID ← ID(Country=UK).

(4) LGS owns a credential attesting its identity, which is freely available. It sends it to F.

(5) F, upon verification of the validity of the credential received, sends the required credentials ID, FiremanID and FireBrigateID to LGS.

(6) Finally, F is able to access the credential GasBluePrint disclosed by LGS.
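The policy evaluation phase of Section 4 and the Figure 2 exchange can be traced in code. The following Python code is an added example, not the Trust-X prototype or any code from the paper: the names Term, Party, negotiate and figure2_parties are hypothetical, a policy body is assumed to be a disjunction of conjunctions of terms, and verification of credential signatures is left out.

```python
import operator
from dataclasses import dataclass, field

OPS = {">=": operator.ge, "<=": operator.le, "=": operator.eq, "!=": operator.ne}

@dataclass(frozen=True)
class Term:
    """X-TNL term CredName(PredList); preds are (Att, pred, val) triples."""
    cred: str
    preds: tuple = ()

    def matched_by(self, attrs):
        # A missing attribute never satisfies a predicate (fail closed).
        return all(a in attrs and OPS[p](attrs[a], v) for a, p, v in self.preds)

@dataclass
class Party:
    name: str
    creds: dict                                   # CredName -> {Att: val}
    policies: dict = field(default_factory=dict)  # CredName -> [[Term, ...], ...]

def negotiate(requester, controller, resource):
    """Return an ordered disclosure sequence [(owner, CredName), ...] that
    ends with the resource, or None when no agreement can be reached."""
    plan = []

    def release(owner, peer, cred, pending):
        if (owner.name, cred) in plan:
            return True                      # already scheduled for disclosure
        if cred not in owner.creds or (owner.name, cred) in pending:
            return False                     # not held, or circular dependency
        pending = pending | {(owner.name, cred)}
        # No policy: the credential is freely available (one empty conjunction).
        for conjunction in owner.policies.get(cred, [[]]):
            mark = len(plan)
            if all(satisfy(peer, owner, t, pending) for t in conjunction):
                plan.append((owner.name, cred))
                return True
            del plan[mark:]                  # roll back a failed alternative
        return False

    def satisfy(holder, asker, term, pending):
        # The holder must own a matching credential and be able to release it.
        attrs = holder.creds.get(term.cred)
        return (attrs is not None and term.matched_by(attrs)
                and release(holder, asker, term.cred, pending))

    return plan if release(controller, requester, resource, frozenset()) else None

# The Figure 2 scenario, with constructed attribute values.
uk_id = Term("ID", (("Country", "=", "UK"),))

def figure2_parties(country="UK"):
    fireman = Party("F",
                    {"ID": {"Country": country}, "FiremanID": {}, "FireBrigateID": {}},
                    {"FiremanID": [[uk_id]], "FireBrigateID": [[uk_id]]})
    lgs = Party("LGS",
                {"ID": {"Country": "UK"}, "GasBluePrint": {}},
                {"GasBluePrint": [[uk_id, Term("FiremanID"), Term("FireBrigateID")]]})
    return fireman, lgs

if __name__ == "__main__":
    f, lgs = figure2_parties()
    for owner, cred in negotiate(f, lgs, "GasBluePrint"):
        print(f"{owner} discloses {cred}")
```

The returned sequence is one valid order for the credential exchange phase: every credential appears only after the credentials named in its own disclosure policy.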


4.2. The Spectrum Management Language

The trust negotiation language presented does not suffice for expressing all the complex setup procedures required by parties communicating over a CR network. Towards this end, we extend our negotiation language, illustrating how to include in our framework a spectrum management language largely inspired by the CoRaL language [19].

A condition term CT is an expression of the form Condition(PredList), where Condition denotes a condition type, such as Time, Location, DeviceCapability and NodeIdentity, and PredList is the same list of tuples defined earlier. Note that the possible attributes in the PredList of a condition term depend on the type of condition represented. Examples of condition terms are Location(Latitude = "51.30N", Longitude = "0.30W") and Time(localTime ≥ 10:00, localTime ≤ 17:00). A frequency list is an ordered list of frequencies, such as {3847, 3990, 4375 MHz}.

A spectrum management policy is an expression of the form $freqList \leftarrow CT_1 \land CT_2 \ldots \land CT_v$, where freqList is a frequency list and $CT_i$ are condition terms. Moreover, we classify the spectrum management policies in two categories: permissive policies and restrictive policies.

In each instant, the frequencies used by a terminal are determined as follows:

(1) Identify all the allowed frequencies, which entails the identification of the permissive policies whose right side is true;

(2) Identify all the prohibited frequencies, which entails the identification of the restrictive policies whose right side is true;

(3) Finally, a terminal is allowed to transmit on the difference between allowed frequencies and prohibited frequencies.

For example, using the following permissive policy {5132 MHz, 231.2250 MHz} ← Location(City = London) ∧ Time(hour ≥ 08) and the following restrictive policy {5132 MHz} ← Time(hour ≥ 22), at 11:00 PM a terminal located in London will be allowed to transmit on the frequency of 231.2250 MHz.
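The three-step frequency computation above, applied to the two example policies, as an added Python example (not code from the paper or from CoRaL). The tuple layout of a policy, the names holds, right_side and usable_frequencies, and the treatment of a missing context attribute as "unknown" (which blocks a permissive policy and triggers a restrictive one) are assumptions made here.

```python
import operator

OPS = {">=": operator.ge, "<=": operator.le, "=": operator.eq, "!=": operator.ne}

def holds(cond, context):
    """Evaluate one condition term, e.g. ("Time", [("hour", ">=", 22)]).

    Returns True or False, or None (unknown) when the terminal's context
    does not supply an attribute that the term needs."""
    ctype, preds = cond
    attrs = context.get(ctype, {})
    if any(att not in attrs for att, _, _ in preds):
        return None
    return all(OPS[op](attrs[att], val) for att, op, val in preds)

def right_side(conds, context):
    """Conjunction CT1 ∧ ... ∧ CTv in three-valued logic."""
    results = [holds(c, context) for c in conds]
    if False in results:
        return False
    return None if None in results else True

def usable_frequencies(policies, context):
    """Steps (1)-(3): allowed frequencies minus prohibited frequencies."""
    allowed, prohibited = [], set()
    for kind, freqs, conds in policies:
        verdict = right_side(conds, context)
        if kind == "permissive" and verdict is True:
            allowed += [f for f in freqs if f not in allowed]
        elif kind == "restrictive" and verdict is not False:
            # Assumption: an unknown verdict is treated as a prohibition.
            prohibited.update(freqs)
    return [f for f in allowed if f not in prohibited]

# The two policies from the text; frequencies in MHz, hour as an integer.
POLICIES = [
    ("permissive", [5132.0, 231.225],
     [("Location", [("City", "=", "London")]), ("Time", [("hour", ">=", 8)])]),
    ("restrictive", [5132.0],
     [("Time", [("hour", ">=", 22)])]),
]

if __name__ == "__main__":
    london_11pm = {"Location": {"City": "London"}, "Time": {"hour": 23}}
    print(usable_frequencies(POLICIES, london_11pm))
```

A terminal for which no permissive policy fires gets an empty list, so the evaluation denies by default.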


The spectrum management policy language described earlier is an example. It is possible to extend the language to achieve the same expressive power as [19,20], but this is beyond the objective of the current work.

5. EXPERIMENTAL RESULTS

We performed some experiments to evaluate the proposed approach. We developed a prototype of the Trust-X framework using Java 6. To run our experiments, we used a network of two computers with the following configurations: (a) Linux, kernel 2.6.30, CPU 2.20 GHz and (b) Macbook, OS 10.6, CPU 2.53 GHz.

In order to have more realistic feedback from our experiments, we ran them using two different lightweight database management systems (DBMSs), namely SQLite and MySQL. These DBMSs are deployed for the storage of credentials and disclosure policies.

First of all, we evaluated the time required by a new device to authenticate itself in the IAN with respect to the number of credentials that have to be exchanged.

Figure 3 shows that the performance of Trust-X is linear in the number of both policies and credentials exchanged. More precisely, its performance depends on the structure of the disclosure policies exchanged. The simplest negotiation, which involved the exchange of two credentials, represented by a negotiation of the form A ← B, required on average 226 ms, with a lower bound of 188 ms. On the other hand, to negotiate and exchange 50 credentials, Trust-X required 3859 ms.

According to the presented results, the negotiation illustrated in Section 4 required on average 265 ms.

With respect to the performance tests described in [21], we performed a series of tests in order to evaluate the scalability of our prototype with respect to the number of nodes simultaneously authenticating themselves.

Figure 3. Time required to authenticate with respect to the number of credentials involved.

To be able to compare the results, we performed an increasing number of simultaneous authentications. Each authentication involves the same disclosure policies and, therefore, the same credentials.

As shown in Figure 4, the time required is linear in the number of concurrent negotiations.

In another group of simulations, we evaluated the performance of the negotiation protocol in different environments characterized by various sizes of the population of CR nodes and various levels of dynamicity. Note that with the term dynamicity, we mean the rate of status changes of the CR network due to a number of causes such as CR nodes appearing or disappearing from the network, internal faults or topological alterations. Dynamicity is at the heart of wireless networking and is due to the mobility of the terminals. CR nodes may lose connectivity with the rest of the network because they moved outside the maximum range of the wireless link, or because they moved behind an obstacle that blocks the signal. Therefore, dynamicity is an important parameter in evaluating the performance of a CR network.

Public safety operational scenarios may be characterized by a high degree of dynamicity as new public safety organizations appear or disappear from the context, radio links are degraded by natural or man-made obstacles, or one or more CR nodes suffer from technical failure or power exhaustion. Considering that the operational requirements impose specific timing constraints on the access and activation of communications services, the negotiation protocol should not introduce large delays in the presence of high dynamicity of the CR network. Hence, we evaluated the negotiation protocol against different populations of CR nodes, with sizes ranging from 100 to 500 nodes.

Figure 5 shows that the time required is linear in the cardinality of the CR nodes in the network. The overall time used by the negotiation protocol is still limited to a few seconds even for networks of large size (500 nodes). Such values are comparable with the timing constraints defined by public safety operational requirements as in [31].

Figure 4. Scalability of the prototype with respect to the number of simultaneous authentications.

Figure 5 shows different levels of dynamicity, but the divergence of the lines is small in comparison with the overall time. Therefore, another graph was created to highlight the time difference for various levels of dynamicity from the best case of a completely static CR network. The result is presented in Figure 6, where the x-axis represents the static case, whereas the curves represent increasing levels of dynamicity. From the figure, it is possible to see that even for high levels of dynamicity (50 CR nodes per second) the difference from the static case is only a few hundred milliseconds, and only for small networks.

For large sizes of the CR network, the results of all the performed experiments converge to the same value, as the percentage of the CR nodes moving in or out of the network is small in comparison with the overall size of the CR network. Note that the levels of dynamicity used in the simulation are much higher than the ones usually appearing in real-world scenarios as described in [26]. Normally only 5–10% of the total number of wireless terminals may join or leave the scenario because of the mobility of the public safety responders involved in the crisis. We can conclude that the dynamicity of the CR network does not heavily influence the performance of the negotiation protocol.

Figure 5. Scalability of the prototype with respect to dynamicity.

Figure 6. Stability of the prototype with respect to dynamicity.

Finally, we executed other simulations where we introduced delays and communication failures to simulate disturbances to the wireless links. Like any other wireless communication system, the CR network is subject to propagation errors due to obstacles (e.g., buildings) or the presence of wireless interference, which translates to lower data rates and consequent communication delays or communication failures.

Figure 7 shows the negotiation time in relation to the introduction of different communication delays. Not surprisingly, the simulations showed that the number of devices operating in the network has a greater impact on the performance of the network than the delays do.

Regarding the robustness of the proposed framework, Figure 8 shows the results of the simulation in which we introduced a communication error. More precisely, the different series represent the probability that a message is lost. Thus we introduce in the communication a random delay defined by the time required to identify that a message is missing and by the time required for the retransmission of the missing message. As for the experimental results shown in Figure 7, the simulation showed that the number of devices operating in the network is the key factor with respect to communication performance.

Figure 8. Negotiation time in relation to the communication errors.

Figure 7. Negotiation time in relation to the communication delays.


6. CONCLUSIONS

In this work, we presented an approach for managing access in CR networks, when deployed in scenarios having conflicting requirements such as (a) security needs and (b) high flexibility in managing dynamic reconfigurations. The proposed solution builds on the concept of trust negotiation, a well-known and accepted approach in the access control research area. We have defined a negotiation language for managing access control in a CR network and we applied it to a real-world critical scenario. Finally, we reported promising experimental results, showing the effectiveness of our approach even in the presence of high dynamicity of the CR network.

Future development may include the combination of the trust negotiation with classical resource management schemes for CR networks based on the preemptive priority M/G/1 models for distributed networks.

REFERENCES

1. Bazelon C. Licensed or unlicensed: the economic considerations in incremental spectrum allocations. IEEE Communications Magazine March 2009; 47(3): 110–116.

2. Stine JA, Portigal DL. Spectrum 101. An Introduction to Spectrum Management, MITRE, Technical Report MTR 04W0000048, 2004.

3. Peha JM. Sharing spectrum through spectrum policy reform and cognitive radio. Proceedings of the IEEE 2009; 97: 708–719.

4. Lehr W, Jesuale N. Spectrum pooling for next generation public safety radio systems. New Frontiers in Dynamic Spectrum Access Networks. 2008. DySPAN 2008. 3rd IEEE Symposium on Oct. 2008; 1–23, 14–17.

5. Mason A. Public safety mobile broadband and spectrum needs. Final Report, March 2010, 16395–94 http://www.tetra-association.com. Last accessed 24 May 2011.

6. Blaze M, Feigenbaum J, Lacy J. Decentralized trust management. SP '96: Proceedings of the 1996 IEEE Symposium on Security and Privacy 1996.

7. Winslett M. An introduction to trust negotiation 2003. Proceedings of Trust Management 2003; LNCS 2692: 275–283.

8. Squicciarini AC, Trombetta A, Bertino E, Braghin S. Identity-based long running negotiations. Digital Identity Management 2008; 97–106. DOI:10.1145/1456424.1456440.

9. Squicciarini AC, Trombetta A, Bertino E. Supporting robust and secure interactions in open domains through recovery of trust negotiations. 27th International Conference on Distributed Computing Systems (ICDCS '07) 2007; 57–69. DOI:10.1109/ICDCS.2007.144.

10. Braghin S, Fovino IN, Trombetta A. Advanced trust negotiation in critical infrastructures. International Conference on Infrastructure Systems 2008.

11. Lee AJ, Winslett M, Basney J, Welch V. The Traust authorization service. ACM Trans. Inf. Syst. Secur 2008; 11: 1–14.

12. Li N, Mitchell JC, Winsborough WH. Design of a role-based trust-management framework. IEEE Symposium on Security and Privacy 2002; 114–130.

13. Nejdl W, Olmedilla D, Winslett M. PeerTrust: automated trust negotiation for peers on the semantic web, Technical Report, October 2003.

14. Mitola J III, Maguire GQ. Cognitive radio: making software radios more personal. IEEE Personal Communications 1999; 4:1318.

15. Buddhikot MM. Understanding dynamic spectrum access: models, taxonomy and challenges. New Frontiers in Dynamic Spectrum Access Networks, 2007. DySPAN 2007. 2nd IEEE International Symposium on April 2007; 649–663, 17–20.

16. Software defined radio technology for public safety SDRF-06-P-0001-V1.0.0 (Formerly Approved Document SDRF-06-A-0001-V0.00).

17. Wang W, Gao W, Bai X, Peng T, Chuai G, Wang W. A framework of wireless emergency communications based on relaying and cognitive radio. IEEE 18th International Symposium on Personal, Indoor and Mobile Radio Communications 2007.

18. Bernthal B, Jesuale N. Smart radios and collaborative public safety communications. 3rd IEEE Symposium on New Frontiers in Dynamic Spectrum Access Networks, DySPAN 2008 2008: 1–20.

19. Denker G, Elenius D, Senanayake R, Stehr M, Wilkins D. A policy engine for spectrum sharing. 2nd IEEE Symposium on New Frontiers in Dynamic Spectrum Access Networks, DySPAN 2007 2007; 55–65.

20. Elenius D, Denker G, Stehr MO, Senanayake R, Talcott C, Wilkins D. CoRaL—policy language and reasoning techniques for spectrum policies. 8th IEEE International Workshop on Policies for Distributed Systems and Networks, POLICY '07 2007; 261–265.

21. Use cases for MLM language in modern wireless networks. SDRF-08-P-0009-V1.0.0

22. Feeney K, Lewis D, Argyroudis P, Nolan K, O'Sullivan D. Grouping abstraction and authority control in policy-based spectrum management. 2nd IEEE Symposium on New Frontiers in Dynamic Spectrum Access Networks, DySPAN 2007 2007; 363–371.

23. Feeney K, Lewis D, Argyroudis P, Nolan K, O'Sullivan D. Integrating the policy dialectic into dynamic spectrum management. 2nd IEEE Symposium on New Frontiers in Dynamic Spectrum Access Networks, DySPAN 2007 2007; 390–398.


24. Blaze M, Feigenbaum J, Ioannidis J, Keromytis AD. The KeyNote trust-management system version 2. RFC 2704, September 1999.

25. Lee A, Winslett M, Perano KJ. TrustBuilder2: a reconfigurable framework for trust negotiation. Proceedings of the Third IFIP WG 11.11 International Conference on Trust Management (IFIPTM 2009) June 2009; 176–195.

26. Greater London Authority, Report of the 7 July Review Committee, June 2006.

27. Ma X, Han C, Shen C. Dynamic open spectrum sharing MAC protocol for wireless ad hoc network. 1st IEEE International Symposium on New Frontiers in Dynamic Spectrum Access Networks DySPAN 2005 2005; 203–213.

28. Brik V, Rozner E, Banarjee S, Bahl P. DSAP: a protocol for coordinated spectrum access. 1st IEEE International Symposium on New Frontiers in Dynamic Spectrum Access Networks DySPAN 2005 2005; 611614.

29. Chuan Han C, Wang J, Yang Y, Li S. Addressing the control channel design problem: OFDM-based transform domain communication system in cognitive radio. Computer Networks 2008; 52: 795–815.


30. Wang S, Zheng H. A resource management design for cognitive radio ad hoc networks. Military Communications Conference, 2009. MILCOM 2009. IEEE Oct. 2009; 1–7, 18–21.

31. SAFECOM, US communications program of the Department of Homeland Security. Public safety statements of requirements for communications and interoperability v I and II 2004.

32. Bertino E, Ferrari E, Squicciarini AC. Trust-X: a peer-to-peer framework for trust establishment. IEEE Transactions on Knowledge and Data Engineering 2004; 16(7): 827–842.

33. Bertino E, Ferrari E, Squicciarini AC. X-TNL: an XML language for trust negotiations. 4th IEEE Workshop on Policies for Distributed Systems and Networks, Como, Italy 2003; 81–84.

34. Braghin S, Fovino IN, Trombetta A. Advanced trust negotiation in critical infrastructures. International Journal on Critical Infrastructure 2010; 6(3): 225–245.

35. Squicciarini AC, Bertino E, Trombetta A, Braghin S. A flexible approach to multisession trust negotiations. IEEE Transactions on Dependable and Secure Computing 2012; 9(1): 16–29.