{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,12]],"date-time":"2026-03-12T05:54:16Z","timestamp":1773294856242,"version":"3.50.1"},"reference-count":41,"publisher":"Springer Science and Business Media LLC","issue":"5","license":[{"start":{"date-parts":[[2024,7,8]],"date-time":"2024-07-08T00:00:00Z","timestamp":1720396800000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"},{"start":{"date-parts":[[2024,7,8]],"date-time":"2024-07-08T00:00:00Z","timestamp":1720396800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"}],"funder":[{"name":"Consiglio Nazionale Delle Ricerche"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["Int. J. Inf. Secur."],"published-print":{"date-parts":[[2024,10]]},"abstract":"<jats:title>Abstract<\/jats:title><jats:p>The standard ACE framework provides authentication and authorization mechanisms similar to those of the standard OAuth 2.0 framework, but it is intended for use in Internet-of-Things environments. In particular, ACE relies on OAuth 2.0, CoAP, CBOR, and COSE as its core building blocks. In ACE, a non-constrained entity called Authorization Server issues Access Tokens to Clients according to some access control and policy evaluation mechanism. An Access Token is then consumed by a Resource Server, which verifies the Access Token and lets the Client accordingly access a protected resource it hosts. Access Tokens have a validity which is limited over time, but they can also be revoked by the Authorization Server before they expire. In this work, we propose the Usage Control framework as an underlying access control means for the ACE Authorization Server, and we assess its performance in terms of time required to issue and revoke Access Tokens. Moreover, we implement and evaluate a method relying on the Observe extension for CoAP, which allows to notify Clients and Resource Servers about revoked Access Tokens. Through results obtained in a real testbed, we show how this method reduces the duration of illegitimate access to protected resources following the revocation of an Access Token, as well as the time spent by Clients and Resource Servers to learn about their Access Tokens being revoked.<\/jats:p>","DOI":"10.1007\/s10207-024-00877-1","type":"journal-article","created":{"date-parts":[[2024,7,8]],"date-time":"2024-07-08T07:02:10Z","timestamp":1720422130000},"page":"3109-3133","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":2,"title":["Using the ACE framework to enforce access and usage control with notifications of revoked access rights"],"prefix":"10.1007","volume":"23","author":[{"ORCID":"https:\/\/orcid.org\/0000-0003-3021-2912","authenticated-orcid":false,"given":"Marco","family":"Rasori","sequence":"first","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-8149-9322","authenticated-orcid":false,"given":"Andrea","family":"Saracino","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-6618-0388","authenticated-orcid":false,"given":"Paolo","family":"Mori","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-8842-9810","authenticated-orcid":false,"given":"Marco","family":"Tiloca","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"297","published-online":{"date-parts":[[2024,7,8]]},"reference":[{"issue":"16","key":"877_CR1","doi-asserted-by":"publisher","first-page":"e1689","DOI":"10.1002\/cpe.6189","volume":"34","author":"G Giorgi","year":"2022","unstructured":"Giorgi, G., La Marra, A., Martinelli, F., Mori, P., Rizos, A., Saracino, A.: Exploiting if this then that and usage control obligations for smart home security and management. Concurr. Comput. Pract. Exp. 34(16), e1689 (2022). https:\/\/doi.org\/10.1002\/cpe.6189","journal-title":"Concurr. Comput. Pract. Exp."},{"key":"877_CR2","doi-asserted-by":"publisher","unstructured":"La Marra, A., Martinelli, F., Mori, P., Rizos, A., Saracino, A.: Introducing usage control in MQTT. In: Computer Security - ESORICS 2017 International Workshops, CyberICPS 2017 and SECPRE 2017, Oslo, Norway, September 14-15, 2017, Revised Selected Papers, Lecture Notes in Computer Science, vol. 10683, pp. 35\u201343. Springer (2017). https:\/\/doi.org\/10.1007\/978-3-319-72817-9_3","DOI":"10.1007\/978-3-319-72817-9_3"},{"key":"877_CR3","doi-asserted-by":"crossref","unstructured":"Seitz, L., Selander, G., Wahlstroem, E., Erdtman, S., Tschofenig, H.: Authentication and Authorization for Constrained Environments Using the OAuth 2.0 Framework (ACE-OAuth). RFC 9200 (2022)","DOI":"10.17487\/RFC9200"},{"key":"877_CR4","doi-asserted-by":"crossref","unstructured":"Hardt, D.: The OAuth 2.0 Authorization Framework. RFC 6749 (2012)","DOI":"10.17487\/rfc6749"},{"key":"877_CR5","doi-asserted-by":"crossref","unstructured":"Shelby, Z., Hartke, K., Bormann, C.: The Constrained Application Protocol (CoAP). RFC 7252 (2014)","DOI":"10.17487\/rfc7252"},{"key":"877_CR6","doi-asserted-by":"crossref","unstructured":"Bormann, C., Hoffman, P.E.: Concise Binary Object Representation (CBOR). RFC 8949 (2020)","DOI":"10.17487\/RFC8949"},{"key":"877_CR7","doi-asserted-by":"crossref","unstructured":"Schaad, J.: CBOR Object Signing and Encryption (COSE): Structures and Process. RFC 9052 (2022)","DOI":"10.17487\/RFC9052"},{"key":"877_CR8","doi-asserted-by":"crossref","unstructured":"Schaad, J.: CBOR Object Signing and Encryption (COSE): Initial Algorithms. RFC 9053 (2022)","DOI":"10.17487\/RFC9053"},{"key":"877_CR9","doi-asserted-by":"crossref","unstructured":"Tiloca, M., Palombini, F., Echeverria, S., Lewis, G.: Notification of Revoked Access Tokens in the Authentication and Authorization for Constrained Environments (ACE) Framework. Internet-Draft draft-ietf-ace-revoked-token-notification-08, Internet Engineering Task Force (2024). Work in Progress","DOI":"10.17487\/RFC9594"},{"key":"877_CR10","doi-asserted-by":"crossref","unstructured":"Hartke, K.: Observing Resources in the Constrained Application Protocol (CoAP). RFC 7641 (2015)","DOI":"10.17487\/RFC7641"},{"key":"877_CR11","doi-asserted-by":"publisher","first-page":"37","DOI":"10.1016\/j.future.2016.04.010","volume":"63","author":"E Carniani","year":"2016","unstructured":"Carniani, E., D\u2019Arenzo, D., Lazouski, A., Martinelli, F., Mori, P.: Usage control on cloud systems. Futur. Gener. Comput. Syst. 63, 37\u201355 (2016)","journal-title":"Futur. Gener. Comput. Syst."},{"issue":"1","key":"877_CR12","doi-asserted-by":"publisher","first-page":"128","DOI":"10.1145\/984334.984339","volume":"7","author":"J Park","year":"2004","unstructured":"Park, J., Sandhu, R.: The $${UCON}_{ABC}$$ usage control model. ACM Trans. Inf. Syst. Secur. (TISSEC) 7(1), 128\u2013174 (2004)","journal-title":"ACM Trans. Inf. Syst. Secur. (TISSEC)"},{"key":"877_CR13","unstructured":"eXtensible Access Control Markup Language (XACML) version 3.0 plus errata 01 (2017). http:\/\/docs.oasis-open.org\/xacml\/3.0\/xacml-3.0-core-spec-en.html"},{"key":"877_CR14","doi-asserted-by":"crossref","unstructured":"Shelby, Z., Hartke, K., Bormann, C., Frank, B.: RFC 7252: The constrained application protocol (CoAP). Internet Engineering Task Force (IETF) (2014)","DOI":"10.17487\/rfc7252"},{"key":"877_CR15","unstructured":"R. T. Fielding and R. N. Taylor: Architectural styles and the design of network-based software architectures. Doctoral dissertation (2000)"},{"key":"877_CR16","doi-asserted-by":"crossref","unstructured":"Postel, J.: User Datagram Protocol. RFC 768 (1980)","DOI":"10.17487\/rfc0768"},{"key":"877_CR17","doi-asserted-by":"crossref","unstructured":"Rescorla, E., Modadugu, N.: Datagram Transport Layer Security Version 1.2. RFC 6347 (2012)","DOI":"10.17487\/rfc6347"},{"key":"877_CR18","doi-asserted-by":"crossref","unstructured":"Selander, G., Mattsson, J.P., Palombini, F., Seitz, L.: Object Security for Constrained RESTful Environments (OSCORE). RFC 8613 (2019)","DOI":"10.17487\/RFC8613"},{"key":"877_CR19","doi-asserted-by":"publisher","DOI":"10.1016\/j.iot.2020.100333","volume":"13","author":"M Gunnarsson","year":"2021","unstructured":"Gunnarsson, M., Brorsson, J., Palombini, F., Seitz, L., Tiloca, M.: Evaluating the performance of the OSCORE security protocol in constrained IoT environments. Internet of Things 13, 100333 (2021)","journal-title":"Internet of Things"},{"key":"877_CR20","doi-asserted-by":"crossref","unstructured":"Palombini, F., Seitz, L., Selander, G., Gunnarsson, M.: The Object Security for Constrained RESTful Environments (OSCORE) Profile of the Authentication and Authorization for Constrained Environments (ACE) Framework. RFC 9203 (2022)","DOI":"10.17487\/RFC9203"},{"key":"877_CR21","doi-asserted-by":"crossref","unstructured":"Selander, G., Mattsson, J.P., Palombini, F.: Ephemeral Diffie-Hellman Over COSE (EDHOC). RFC 9528 (2024)","DOI":"10.17487\/RFC9528"},{"key":"877_CR22","doi-asserted-by":"crossref","unstructured":"Jones, M., Wahlstroem, E., Erdtman, S., Tschofenig, H.: CBOR Web Token (CWT). RFC 8392 (2018)","DOI":"10.17487\/RFC8392"},{"key":"877_CR23","doi-asserted-by":"crossref","unstructured":"Jones, M., Seitz, L., Selander, G., Erdtman, S., Tschofenig, H.: Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs). RFC 8747 (2020)","DOI":"10.17487\/RFC8747"},{"key":"877_CR24","doi-asserted-by":"crossref","unstructured":"Jones, M., Bradley, J., Sakimura, N.: JSON Web Token (JWT). RFC 7519 (2015)","DOI":"10.17487\/RFC7519"},{"key":"877_CR25","doi-asserted-by":"crossref","unstructured":"Jones, M., Bradley, J., Tschofenig, H.: Proof-of-Possession Key Semantics for JSON Web Tokens (JWTs). RFC 7800 (2016)","DOI":"10.17487\/RFC7800"},{"key":"877_CR26","doi-asserted-by":"crossref","unstructured":"Bray, T.: The JavaScript Object Notation (JSON) Data Interchange Format. RFC 8259 (2017)","DOI":"10.17487\/RFC8259"},{"key":"877_CR27","doi-asserted-by":"crossref","unstructured":"Farrell, S., Kutscher, D., Dannewitz, C., Ohlman, B., Ker\u00e4nen, A., Hallam-Baker, P.: Naming Things with Hashes. RFC 6920 (2013)","DOI":"10.17487\/rfc6920"},{"issue":"6","key":"877_CR28","doi-asserted-by":"publisher","first-page":"4682","DOI":"10.1109\/JIOT.2020.2969326","volume":"7","author":"J Qiu","year":"2020","unstructured":"Qiu, J., Tian, Z., Du, C., Zuo, Q., Su, S., Fang, B.: A survey on access control in the age of internet of things. IEEE Internet Things J. 7(6), 4682\u20134696 (2020). https:\/\/doi.org\/10.1109\/JIOT.2020.2969326","journal-title":"IEEE Internet Things J."},{"key":"877_CR29","doi-asserted-by":"publisher","unstructured":"Ravidas, S., Lekidis, A., Paci, F., Zannone, N.: Access control in Internet-of-Things: A survey. Journal of Network and Computer Applications 144, 79\u2013101 (2019) https:\/\/doi.org\/10.1016\/j.jnca.2019.06.017. https:\/\/www.sciencedirect.com\/science\/article\/pii\/S108480451930222X","DOI":"10.1016\/j.jnca.2019.06.017"},{"key":"877_CR30","doi-asserted-by":"publisher","unstructured":"Ouaddah, A., Mousannif, H., Abou Elkalam, A., Ait Ouahman, A.: Access control in the internet of things: Big challenges and new opportunities. Computer Networks 112, 237\u2013262 (2017) https:\/\/doi.org\/10.1016\/j.comnet.2016.11.007. https:\/\/www.sciencedirect.com\/science\/article\/pii\/S1389128616303735","DOI":"10.1016\/j.comnet.2016.11.007"},{"issue":"4","key":"877_CR31","doi-asserted-by":"publisher","first-page":"724","DOI":"10.4304\/jsw.6.4.724-731","volume":"6","author":"G Zhang","year":"2011","unstructured":"Zhang, G., Gong, W.: The research of access control based on UCON in the internet of things. J. Softw. 6(4), 724\u2013731 (2011). https:\/\/doi.org\/10.4304\/jsw.6.4.724-731","journal-title":"J. Softw."},{"key":"877_CR32","doi-asserted-by":"publisher","unstructured":"Schuette, J., Brost, G.S.: Lucon: Data flow control for message-based iot systems. In: 2018 17th IEEE International Conference On Trust, Security And Privacy In Computing And Communications\/ 12th IEEE International Conference On Big Data Science And Engineering (TrustCom\/BigDataSE), pp. 289\u2013299 (2018). https:\/\/doi.org\/10.1109\/TrustCom\/BigDataSE.2018.00052","DOI":"10.1109\/TrustCom\/BigDataSE.2018.00052"},{"key":"877_CR33","unstructured":"Banks, A., Briggs, E., Borgendale, K., Gupta, R.: OASIS Standard MQTT Version 5.0 (2019). http:\/\/docs.oasis-open.org\/mqtt\/mqtt\/v5.0\/os\/mqtt-v5.0-os.html"},{"issue":"2","key":"877_CR34","doi-asserted-by":"publisher","first-page":"38","DOI":"10.1109\/2.485845","volume":"29","author":"RS Sandhu","year":"1996","unstructured":"Sandhu, R.S., Coyne, E.J., Feinstein, H.L., Youman, C.E.: Role-based access control models. Computer 29(2), 38\u201347 (1996). https:\/\/doi.org\/10.1109\/2.485845","journal-title":"Computer"},{"key":"877_CR35","doi-asserted-by":"publisher","unstructured":"Fern\u00e1ndez, F., Alonso, A., Marco, L., Salvach\u00faa, J.: A model to enable application-scoped access control as a service for IoT using OAuth 2.0. In: 2017 20th Conference on Innovations in Clouds, Internet and Networks (ICIN), pp. 322\u2013324 (2017). https:\/\/doi.org\/10.1109\/ICIN.2017.7899433","DOI":"10.1109\/ICIN.2017.7899433"},{"key":"877_CR36","doi-asserted-by":"crossref","unstructured":"Barka, E., Mathew, S.S., Atif, Y.: Securing the web of things with role-based access control. In: El Hajji, S., Nitaj, A., Carlet, C., Souidi, E.M. (eds.) Codes, Cryptology, and Information Security, pp. 14\u201326. Springer International Publishing, Cham (2015)","DOI":"10.1007\/978-3-319-18681-8_2"},{"key":"877_CR37","doi-asserted-by":"publisher","unstructured":"Jindou, J., Xiaofeng, Q., Cheng, C.: Access control method for web of things based on role and SNS. In: 2012 IEEE 12th International Conference on Computer and Information Technology, pp. 316\u2013321 (2012). https:\/\/doi.org\/10.1109\/CIT.2012.81","DOI":"10.1109\/CIT.2012.81"},{"key":"877_CR38","unstructured":"Vincent C.\u00a0Hu David, F., Rick, K., Adam, S., Sandlin K.\u00a0Robert, M., Karen, S.: Guide to attribute based access control (ABAC) definition and considerations (2014)"},{"key":"877_CR39","doi-asserted-by":"publisher","unstructured":"Hussein, D., Bertin, E., Frey, V.: A community-driven access control approach in distributed IoT environments. IEEE Commun. Mag. 55(3), 146\u2013153 (2017). https:\/\/doi.org\/10.1109\/MCOM.2017.1600611CM","DOI":"10.1109\/MCOM.2017.1600611CM"},{"key":"877_CR40","doi-asserted-by":"publisher","unstructured":"Ray, I., Alangot, B., Nair, S., Achuthan, K.: Using attribute-based access control for remote healthcare monitoring. In: 2017 Fourth International Conference on Software Defined Systems (SDS), pp. 137\u2013142 (2017). https:\/\/doi.org\/10.1109\/SDS.2017.7939154","DOI":"10.1109\/SDS.2017.7939154"},{"key":"877_CR41","doi-asserted-by":"publisher","unstructured":"Alshehri, A., Sandhu, R.: Access control models for cloud-enabled Internet of Things: A proposed architecture and research agenda. In: 2016 IEEE 2nd International Conference on Collaboration and Internet Computing (CIC), pp. 530\u2013538 (2016). https:\/\/doi.org\/10.1109\/CIC.2016.081","DOI":"10.1109\/CIC.2016.081"}],"container-title":["International Journal of Information Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s10207-024-00877-1.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/article\/10.1007\/s10207-024-00877-1\/fulltext.html","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s10207-024-00877-1.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2024,11,23]],"date-time":"2024-11-23T16:20:26Z","timestamp":1732378826000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/s10207-024-00877-1"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2024,7,8]]},"references-count":41,"journal-issue":{"issue":"5","published-print":{"date-parts":[[2024,10]]}},"alternative-id":["877"],"URL":"https:\/\/doi.org\/10.1007\/s10207-024-00877-1","relation":{},"ISSN":["1615-5262","1615-5270"],"issn-type":[{"value":"1615-5262","type":"print"},{"value":"1615-5270","type":"electronic"}],"subject":[],"published":{"date-parts":[[2024,7,8]]},"assertion":[{"value":"8 July 2024","order":1,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article History"}},{"order":1,"name":"Ethics","group":{"name":"EthicsHeading","label":"Declarations"}},{"value":"The authors do not have any Conflict of interest with any party which might be relevant to the result of this study.","order":2,"name":"Ethics","group":{"name":"EthicsHeading","label":"Conflict of interest"}},{"value":"We ensure compliance with ethical principles and guidelines throughout our study. The current study had not as object human participants, nor animals. All contributors of this work have been properly acknowledged through authorship. Participation and possibility to provide contributions to the current work has not been biased by traits such as gender, religious belief, or political orientation of the people involved.","order":3,"name":"Ethics","group":{"name":"EthicsHeading","label":"Ethical approval"}}]}}