SECURING CAMPUS ACCESS CONTROL AND MANAGEMENT
SYSTEM WITH ATTRIBUTE-BASED ACCESS CONTROL (ABAC)
CHONG CHEE XUAN
FACULTY OF COMPUTING AND INFORMATICS UNIVERSITI MALAYSIA SABAH
2022
THESIS SUBMITTED IN PARTIAL FULFILLMENT FOR THE DEGREE OF BACHELOR OF COMPUTER
SCIENCE WITH HONOURS (NETWORK ENGINEERING)
NAME : CHONG CHEE XUAN
MATRIC NUMBER : BI18110208
TITLE : Securing Campus Access Control and Management System with Attribute-Based Access Control (ABAC)
DEGREE : BACHELOR OF COMPUTER WITH HONOURS (NETWORK ENGINEERING)
VIVA’S DATE : 08 FEBRUARY 2022
CERTIFIED BY;
SUPERVISOR SIGNATURE
DR. TAN SOO FUN
_____________
DECLARATION
I hereby declare that the material in this thesis is my own except for the questions, equations, summaries, and references, which have been duly acknowledged.
12 February 2022 ___ __
CHONG CHEE XUAN BI18110208
ACKNOWLEDGEMENT
I would like to express my special thanks of gratitude to my supervisor, Dr. Tan Soo Fun, who gave me the opportunity to do this final year project, which also helped me in doing a lot of research, and I came to know about so many new things. I am thankful to them.
Secondly, I would also like to thank my parents and friends who helped me a lot in finalizing this project within the limited time frame.
CHONG CHEE XUAN 12 February 2022
ABSTRACT
The Campus Access Control and Management System of the UMS campus still relies on conventional manual registration and spreadsheet management, resulting in a time-consuming registration process, inconsistent data entries, and disclosure of visitors' privacy. Registration and access control became worse during the Covid-19 pandemic. Malaysia's universities use various systems and platforms to manage their campus access control, for example the M-Pass ID system from Monash University, the Smart Card system from Universiti Sains Malaysia, and more. However, the access control of these systems is primarily built on a conventional role-based access control policy authenticated with a password, which is subject to password guessing attacks, and permission is granted based on the user's role, not on data operations and objects. To address these gaps, this project proposes a Campus Access Control and Management System with Attribute-Based Access Control (ABAC), which grants access to the user by attributes. The project aims to investigate lightweight Attribute-Based Access Control from the perspective of the computation speed of the setup, verify and granting processes by using a systematic literature review and an experimental approach; to design and develop a web-based management system with attribute-based encryption on access control by using the waterfall approach; and to evaluate the usability performance of the developed campus access control and management system by using the System Usability Scale (SUS) approach. A large number of literature reviews from different angles are expected, and an interview with the security division was also conducted for further analysis. The experiment on attribute-based encryption was then carried out, and the best scheme was chosen for implementation in the project. The expected outcome of this project is a web-based campus access control and management system that eases the UMS security division in registering and managing visitor entries.
ABSTRAK
Securing Campus Access Control and Management System with Attribute-Based Access Control (ABAC)
The Campus Access Control and Management System of the UMS campus still relies on conventional manual registration and spreadsheet management, which has resulted in a time-consuming registration process, inconsistent data entry, and disclosure of visitors' privacy. Registration and access control became worse during the Covid-19 outbreak. Other Malaysian universities have used various systems and platforms to manage their campus access control.
For example, the M-Pass ID system from Monash University, the Smart Card system from Universiti Sains Malaysia, and others. However, the access control of these systems is built mainly on a conventional role-based access control policy authenticated with a password, which is easily subjected to password guessing attacks, and permission is granted based on the user's role, not on data operations and objects. To address these gaps, this project aims to propose a Campus Access Control and Management System with Attribute-Based Access Control (ABAC) that grants access to users based on attributes.
This project aims to investigate lightweight Attribute-Based Access Control from the perspective of the computation speed of the setup, verify and granting processes by using a systematic literature review and an experimental approach; to design and develop a web-based management system with attribute-based encryption on access control by using the waterfall approach; and to evaluate the usability performance of the developed campus access control and management system by using the System Usability Scale (SUS). A large number of literature reviews from different angles are expected, and an interview with the security division was also conducted for further analysis.
Then experiments on attribute-based encryption were carried out and the best was chosen for implementation in the project. The expected outcome of this project is a web-based campus access control and management system that eases the UMS security division in registering and managing visitor entries.
TABLE OF CONTENTS
DECLARATION
ACKNOWLEDGEMENT
ABSTRACT
ABSTRAK
TABLE OF CONTENTS
LIST OF TABLES
LIST OF FIGURES
LIST OF APPENDICES
CHAPTER 1 INTRODUCTION
1.1 Introduction
1.2 Problem Background and Motivation
1.3 Problem Statement
1.4 Project Objectives
1.5 Project Scope
1.6 Organization of Report
1.7 Conclusion
CHAPTER 2 LITERATURE REVIEW
2.1 Review on Access Control and Management System
2.2 Review on Existing Access Control and Management System
2.2.1 My Visitor
2.2.2 LobbyGuard
2.2.3 Genetec ClearID
2.3 Review on Access Control Approach
2.3.1 Role-based Access Control (RBAC)
2.3.2 Discretionary Access Control (DAC)
2.3.3 Mandatory Access Control (MAC)
2.3.4 Attribute-based Access Control (ABAC)
2.4 Review on Attribute-Based Encryption (ABE)
2.4.1 Attribute-Based Encryption (ABE)
2.4.2 Key Policy Attribute-Based Encryption (KP-ABE)
2.4.3 Cipher Text Policy Attribute-Based Encryption (CP-ABE)
2.4.4 Attribute-Based Encryption with Non-Monotonic Access Structure
2.4.5 Hierarchical Attribute-Based Encryption (HABE)
2.4.6 Multi-Authority Attribute-Based Encryption (MABE)
CHAPTER 3 METHODOLOGY
3.1 Introduction
3.2 Methodology
3.3 Software and Hardware Requirement
3.4 Conclusion
CHAPTER 4 SYSTEM ANALYSIS AND DESIGN
4.1 Introduction
4.2 Interview Findings
4.3 System Design
4.3.1 Entity Relationship Diagram (ERD)
4.3.2 Data Flow Diagram (DFD)
4.3.3 Data Dictionary
4.3.4 User Interface Design
4.4 Conclusion
CHAPTER 5 EXPERIMENT IMPLEMENTATION
5.1 Implemented Algorithm
5.2 Experiment Setup
5.3 Implementation
5.3.1 OpenABE
5.4 Conclusion
CHAPTER 6 RESULT AND DISCUSSION
6.1 Result
6.1.1 Encrypt/Decrypt time with different AES type
6.1.2 Encrypt/Decrypt time with different number of attributes
6.2 Discussion
6.3 Conclusion
CHAPTER 7 IMPLEMENTATION OF SYSTEM
7.1 Introduction
7.2 Development of Project
7.3 Platform Used to Create Database
7.4 Integrated Development Environment (IDE) Platform
7.5 Embedded Element in Project
7.6 Conclusion
CHAPTER 8 TESTING AND EVALUATION
8.1 Introduction
8.2 Unit Testing
8.3 System Integration Testing
8.4 User Acceptance Testing
8.5 Conclusion
CHAPTER 9 CONCLUSION
9.1 Conclusion
9.2 Limitation
9.3 Future Works
REFERENCES
APPENDICES
LIST OF TABLES
Table. 1.1: Modules of the Campus Access Control and Management System
Table. 2.1: Different on Categories of the System
Table. 2.2: Comparison of Existing System and Proposed
Table. 2.3: Comparison of Access Control Approach
Table. 2.4: Comparison of different attribute-based encryption
Table. 4.1: Data Dictionary
Table. 6.1: The Average Encryption and Decryption Time in Milliseconds for AES_80, AES_128, And AES_192
Table. 6.2: The Average Encryption Time and Decryption Time in Millisecond used by Three Algorithms with The Different Number of Attributes
Table. 8.1: Unit Testing for User Registration and Authentication
Table. 8.2: Unit Testing for Visitor/Manager Profile Management
Table. 8.3: Unit Testing for Encryption and Decryption
Table. 8.4: Unit Testing for Report Generation
Table. 8.5: Unit Testing for Real Time Status (Dashboard)
Table. 8.6: Unit Testing for Location Tracking
Table. 8.7: Unit Testing for Access Ticket
Table. 8.8: Unit Testing for Revoke Ticket
Table. 8.9: SIT of System
LIST OF FIGURES
Figure. 2.1: Example contents in end-user facing, infrastructure, and admin facing
Figure. 2.2: Registration Form of My Visitor
Figure. 2.3: Admin Management Page for My Visitor
Figure. 2.4: Admin Management Page for LobbyGuard
Figure. 2.5: Admin Management Page for Genetec ClearID
Figure. 2.6: Structure of RBAC
Figure. 2.7: Structure of DAC
Figure. 2.8: Structure of MAC
Figure. 2.9: Structure of ABAC
Figure. 2.10: Encrypt/Decrypt Process on ABE
Figure. 3.1: Flow Chart of The Activities
Figure. 4.1: ERD diagram
Figure. 4.2: Context Diagram
Figure. 4.3: DFD Level 0
Figure. 4.4: User Registration and Authentication
Figure. 4.5: Manage Visitor Profile
Figure. 4.6: Attribute-based Encryption
Figure. 4.7: Generate Report
Figure. 4.8: Visitor Status
Figure. 4.9: Location Details
Figure. 4.10: Access Ticket
Figure. 4.11: Revoke Ticket
Figure. 4.12: Dashboard
Figure. 4.13: Registration Visitor
Figure. 4.14: Access Ticket
Figure. 4.15: Location/Tracking
Figure. 4.16: Report
Figure. 5.1: Example Access Structure
Figure. 5.2: Message to decrypted
Figure. 5.3: Implementation Code
Figure. 6.1: The Average Encryption and Decryption Time in Milliseconds for AES_80, AES_128, and AES_192
Figure. 6.2: The Average Encryption Time and Decryption Time in Millisecond used by Three Algorithms with The Different Number of Attributes
Figure. 7.1: Main Page of The System
Figure. 7.2: Main Page of The System (Dashboard)
Figure. 7.3: Login Page of The System
Figure. 7.4: Register Selection of The System
Figure. 7.5: Contractor Register Form of The System
Figure. 7.6: Warning on Error of The System
Figure. 7.7: Maps Feature on The System
Figure. 7.8: Profile Feature on The System
Figure. 7.9: Apply Ticket on The System
Figure. 7.10: Check In Feature on The System
Figure. 7.11: Check Out Feature on The System
Figure. 7.12: View History Feature on The System
Figure. 7.13: Admin Feature on The System
Figure. 7.14: Report Feature on The System
Figure. 7.15: Database used on The System
Figure. 7.16: IDE Platform Sublime Text
Figure. 7.17: Access Structure in System
Figure. 7.18: Access Tree Structure Diagram
Figure. 7.19: Authentication of System
Figure. 8.1: Result of First Question
Figure. 8.2: Result of Second Question
Figure. 8.3: Result of Third Question
Figure. 8.4: Result of Fourth Question
Figure. 8.5: Result of Fifth Question
Figure. 8.6: Result of Sixth Question
Figure. 8.7: Result of Seventh Question
Figure. 8.8: Result of Eighth Question
Figure. 8.9: Result of Ninth Question
Figure. 8.10: Result of Last Question
LIST OF APPENDICES
APPENDIX A FEEDBACK TO PROPOSAL REVIEW
APPENDIX B INTERVIEW QUESTION
APPENDIX C INTERVIEW LETTER
APPENDIX D FEEDBACK TO PROGRESS REPORT REVIEW
APPENDIX E EXAMPLE CODE RESULT
APPENDIX F PROJECT TIMELINE
APPENDIX G FEEDBACK TO PROGRESS REPORT REVIEW
APPENDIX H INTERVIEW FORM FOR UAT TESTING
CHAPTER 1
INTRODUCTION
1.1 Introduction
In 2015, 2.3 million students started university in the United Kingdom; standing for 4% of the population, they are at greater risk of crime than other people in Britain (Wootton et al., 2015). Based on figures from the Office of National Statistics, 19% of full-time students were victims of crime in 2014-15, compared to 16% of all adults in the general population. These situations can be reduced or countered effectively if a proper, well-equipped campus access control and management system exists. With such a system, the campus or administrator can easily control and check the access of visitors or contractors within its areas.
Currently, several types of campus access control and management system are used by universities. Examples are ONEcard from the University of Alberta, with the slogan “the one card you need on campus”, and TigerCard from Princeton University, which enables students to make payments on campus and access buildings. Besides foreign universities, Universiti Sains Malaysia also has a Smart Card system with functions similar to those mentioned above. Although Universiti Malaysia Sabah also has its own Matric Card system, it offers limited functions related to access control, or the card system lacks development.
On the other hand, the situation is made more severe because the Security Division of Universiti Malaysia Sabah still relies on traditional paperwork to register visitors and grant them access to enter the campus. Universiti Malaysia Sabah has good coverage of free campus Wi-Fi, which means it is possible to connect to the internet from everywhere on the campus, even at the campus gates, but the university seems to have given up on using a proper or advanced campus access control and management system.
This project aims to produce a campus access control and management system with attribute-based access control (ABAC) that is suitable for Universiti Malaysia Sabah. By using this system, Universiti Malaysia Sabah may move forward in securing the campus.
1.2 Problem Background and Motivation
Based on observation, the Security Division of Universiti Malaysia Sabah relies on traditional paperwork to register visitors and grant them access to enter the campus. As a result, visitors or contractors need to spend even more time on formalities for a single pass to use on campus. Once sightseeing is done, visitors also need to repeat the process to revoke the pass. On the campus side, the UMS Security Division also needs to clean up or dispose of the details of visitors or contractors periodically to prevent overload.
This situation may raise the risk of spreading Covid-19, which is the most dangerous virus nowadays. Because of pandemic prevention measures, the processing time for the formalities has become longer than usual, which makes the flow of visitors longer and makes it easier for Covid-19 to spread in these times. Data from the WHO also state that universities or schools may become a source of outbreaks of the pandemic.
On the other hand, visitors or outsiders can also easily sneak into UMS to carry out illegal activities, especially sexual harassment, stealing, and more. The campus may suffer losses from property destroyed or stolen by visitors.
With a Campus Access Control and Management system, the department can gather, compile, and analyse information more efficiently. The department's overall operations, strategies and decision-making can be reformed into a more powerful combination (David Weedmark, 2019). A web-based system is an excellent choice since it is free from updating issues and offers quick development cycles, better security, strong support across different platforms, reliable performance at limited cost, etc. (Jimi, 2019).
Apart from UMS, the campus access control and management systems used by other campuses also have some limitations. For example, ONEcard from the University of Alberta works well for students, lecturers, and others related to the campus, but it seems not very suitable for outsiders. It is impossible to produce a new ONEcard for a single campus visit. Even on campus, if a student's ONEcard has a door access issue, there is no solution other than replacement.
Moreover, the system they use is role-based access control, which also has some limitations that are discussed further in the following section.
1.3 Problem Statements
The problem statement can be summarized as follows:
i. Inadequacy of Role-Based Access Control Policy in Existing Campus Access Control and Management System
Assigning roles and permissions takes a lot of work and time, so role-based access control is not suitable for a campus access control and management system that is not well prepared. A serious concern with RBAC is the implementation of separation-of-duty controls (Vincent Hu et al., 2006). For example, a student is assigned a role that restricts access to a resource library, and is then assigned another role that has no restriction on access to that resource library. This conflict causes a loophole in the role structure (Vincent Hu et al., 2006). Attribute-based access control addresses this inadequate access control policy by enabling developers to implement attributes easily at any time.
ii. Privacy Issues in Storing Visitors' Data
The Security Division of UMS still relies on traditional paperwork to register visitors, and visitor data is stored in a spreadsheet that is subject to sabotage and the risk of disclosure. According to Kisi (2019), a management system can significantly increase the protection of the privacy of visitor information because the data is protected by encryption. A campus access control and management system will turn visitor data into an encrypted database, which may reduce the risk of information leaks.
iii. Lack of Audit Tracing for Visitor and Contractor Access
The traditional paperwork used to register visitors and record visitor data lacks audit tracing for visitor and contractor access. A lot of time is also wasted searching for and matching the data that is needed. For example, a web system called ‘My Visitor’ provides a visitor name search capability that increases efficiency significantly compared with auditing visitors from the spreadsheet data in the logbook. A complete, suitable management system will minimize the issues of inadequate auditing in tracking visitor and contractor access.
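The role conflict described in problem statement i, as an added example that is not code from the thesis: a union-of-roles RBAC check next to an attribute-based check that combines rules with deny-overrides. The role names, the `affiliation` and `library_suspended` attributes and the rule set are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed RBAC role table. "restricted_student" is meant to bar library
# access; "research_assistant" grants it. Role names are hypothetical.
ROLE_PERMISSIONS = {
    "restricted_student": {("cafeteria", "enter")},
    "research_assistant": {("resource_library", "read")},
}


def rbac_allows(roles, resource, action):
    """RBAC grants when ANY assigned role carries the permission (union)."""
    return any((resource, action) in ROLE_PERMISSIONS.get(role, set())
               for role in roles)


@dataclass
class Request:
    subject: dict            # attributes of the person asking
    resource: dict           # attributes of the thing being accessed
    action: str
    environment: dict = field(default_factory=dict)


def _is_library(req):
    return req.resource.get("name") == "resource_library"


# Constructed ABAC rules as (effect, predicate) pairs. The restriction is an
# attribute of the subject, so a later grant cannot silently cancel it.
RULES = [
    ("deny", lambda r: _is_library(r)
        and r.subject.get("library_suspended", False)),
    ("permit", lambda r: _is_library(r) and r.action == "read"
        and r.subject.get("affiliation") in {"student", "staff"}),
]


def abac_decide(req, rules=RULES):
    """Deny-overrides: a matching deny wins; no matching permit means deny."""
    effects = {effect for effect, predicate in rules if predicate(req)}
    if "deny" in effects:
        return "deny"
    return "permit" if "permit" in effects else "deny"


def demo():
    library = {"name": "resource_library"}
    suspended = {"affiliation": "student", "library_suspended": True}
    regular = {"affiliation": "student"}
    visitor = {"affiliation": "visitor"}
    both = ["restricted_student", "research_assistant"]
    return {
        "rbac_one_role": rbac_allows(["restricted_student"], "resource_library", "read"),
        "rbac_two_roles": rbac_allows(both, "resource_library", "read"),
        "abac_suspended": abac_decide(Request(suspended, library, "read")),
        "abac_regular": abac_decide(Request(regular, library, "read")),
        "abac_visitor": abac_decide(Request(visitor, library, "read")),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

In the RBAC half the second role assignment opens the library to the restricted student, while in the ABAC half the restriction travels with the subject and the default for an unmatched request is deny.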
1.4 Project Objectives
▪ To investigate lightweight Attribute-based Access Control from the perspective of computation speed of setup, verify and granting process by using systematic literature review and experimental approach.
▪ To design and develop a web-based management system with attribute-based encryption on access control by using the waterfall approach.
▪ To evaluate the usability performance of the developed campus access control and management system by using the System Usability Scale (SUS) approach.
1.5 Project Scope
The target users are campus visitors and contractors, that is, people not affiliated with UMS who come onto the campus. The embedded research element is attribute-based encrypted access control. Table. 1.1 shows the modules, descriptions, and targeted users or roles in the campus access control and management system.
Table. 1.1: Modules of the Campus Access Control and Management System

| Module | Description | Targeted Users/Roles |
| --- | --- | --- |
| User registration and authentication | Used for registering the system user. Used for granted/denied access permission. Used for keying visitor information. | Admin, Manager, Visitors, Contractors |
| Visitor/manager profile management | Used for update/delete visitor information. | Admin, Manager |
| Attribute-based encryption | Implementation of ABE algorithm for enclosing/disclose data. | Visitors, Contractors, Admin, Manager |
| Report generation | Generate a detail when searching for user. Used for search visitor data by using attribute. | Visitors, Contractors, Admin, Manager |
| Real-time visitor status (Dashboard) | Used to view status of visitor. | Visitors, Contractors, Admin, Manager |