Delegable Access Control with NFC-enabled Smartphones

Delegable Access Control with NFC-enabled Smartphones

In this project, we develop a general purpose access control system called SmartTokens which allows delegation of access rights from one to another entity. The access rights are issued by a central authority in a form of an electronic access control token. Further, the token can be delegated by the entity received the token to another entity.

We use SmartToken system in an application scenario where access control tokens replace traditional keys from the enterprise building. The SmartTokens system allows an enterprise to distribute and manage the digital access control tokens of its employees in an efficient and controlled way. Tokens can be issued and revoked remotely, delegated to other employers or visiting guests, and support context-aware and time-limited access control policies. These policies may, e.g., deny access to office rooms during weekends and holidays, or specify whether tokens can be delegated to other users. Electronic door locks can provide access logs for auditing, or unlock all exits in case of emergency (such as fire or earthquake).

Storing and handling digital access control tokens on a mobile phone raises risks of being targeted by attacks. Particularly, in the context of enterprise usage scenarios attackers may be motivated to perform sophisticated attacks. We address these risks by the underlying platform security architecture, which protects digital access control tokens on the smartphone. The architecture provides a secure storage and a secure execution environment, where digital tokens can be securely stored and processed in strict isolation from untrusted and possibly malicious code.

We developed a SmartTokens app for NFC-enabled Android smartphones. The SmartTokens app utilizes Near Field Communication (NFC) technology, which enables the phone to emulate a contactless smartcard that can be used with standard contactless smartcard readers embedded into electronic door locks.