1 Introduction

The increasing development of wireless communication technologies and ambient intelligence is enabling a seamless integration of smart objects in our everyday lives (Atzori et al. 2010). This emerging trend, along with the global deployment of mobile devices such as smartphones or tablets, is redefining the way people exchange information and communicate with their surrounding environment, transforming current physical spaces into smart buildings. These incipient ecosystems are expected to be composed of sensors, smart devices and appliances that can be remotely monitored and accessed by users or cloud services, resulting in a new generation of intelligent and ubiquitous environments (Weiser 1991).

However, unlike the current Internet, the realization of these scenarios requires stronger security and access control restrictions, since physical objects (e.g. smart door locks or lamps) in typical buildings are being integrated into the Internet infrastructure with network and processing abilities, making them vulnerable to attacks and abuse. Moreover, in these pervasive scenarios, services and resources can be accessed via mobile devices anytime and anywhere by common users. While this trend provides significant benefits regarding availability and sharing of information, there are everyday situations in which users could abuse these services if location data are not considered in the access control mechanism. For example, in the smart buildings context, a smart door lock located in a certain room may require that the requesting user is in front of that door. Otherwise, the access could be denied.

Traditionally, location restrictions have been considered a relevant factor for the corresponding access control mechanism. In this direction, many efforts based on the Location-based Access Control (LBAC) model (Ardagna et al. 2006; Covington et al. 2001; Denning and MacDoran 1996) have been proposed in recent years, in which the user’s physical location is considered when determining her access privileges. Typically, the application of location-aware access control models in the smart buildings context has relied on central entities or back-end servers, which are responsible for inferring the user’s location information and her access privileges. However, these centralized proposals are not able to cope with the requirements of flexibility, interoperability and scalability that are imposed by pervasive scenarios with a potentially high number of heterogeneous devices.

The correctness and effectiveness of these systems are closely related to the accuracy of the location information and to the definition of the security zone, that is, the area within which the smart object considers that access may be granted. However, in the context of smart buildings, obtaining this location information is a challenging task, since traditional mechanisms such as GPS (Misra and Enge 1999) are not practical due to the lack of signal in indoor environments. This has resulted in the development of alternative positioning systems, such as those based on WiFi (Garcia-Valverde et al. 2013), ZigBee (Luoh 2014) and RFID (Ni et al. 2004), with acceptable results in buildings. Nevertheless, a common feature of these approaches is the need to deploy additional hardware; consequently, the cost of these solutions is high and frequent maintenance is required. In addition, an inherent aspect of localization systems is the limited accuracy of the location information, due to physical obstacles or interferences. Therefore, in location-aware access control mechanisms, authorization decisions should properly consider the degree of uncertainty associated with the vagueness of localization systems.

To overcome the aforementioned challenges, this paper presents a location-aware access control mechanism for smart buildings, in which authorization decisions are based on the combination of user location data and access credentials. The proposed indoor localization system is based on the use of sensors that are integrated in common smartphones. Therefore, unlike most current proposals, our approach does not require the deployment of additional hardware or devices, providing a flexible and easily manageable indoor localization system for users. To compensate for this lack of infrastructure, which is usually employed to ensure good performance of localization systems, our localization proposal is based on a combination of powerful soft computing techniques (Zadeh 1997) that let us balance the constraints of the problem. In the off-line phase of our localization system, 2D maps of magnetic field measurements taken along the building are generated, as well as the mechanism that solves localization based on such maps. Then, during the on-line phase, user location data are estimated through Radial Basis Function Networks (RBF).

In our approach, smart objects are configured with a security zone within which the requesting user could be authorized. We propose to implement an authorization mechanism in charge of evaluating the different requirements for effective service provisioning. Furthermore, this mechanism copes with the uncertainty of the location data provided by our indoor localization solution in order to adequately decide whether the user is actually inside the security zone. If the requesting user is in this area, her credentials are evaluated. Otherwise, access is denied. These credentials are attached to the access request as access capabilities, based on the distributed CapBAC model (Hernández-Ramos et al. 2013). Therefore, in our proposal, no intermediate entity is needed to provide location-aware access control, offering the benefits of a decentralized approach for smart environments in terms of end-to-end security, scalability, interoperability, and flexibility.

The structure of this paper is as follows: Sect. 2 presents some related works that face similar problems regarding location-aware access control in smart buildings. Section 3 describes our distributed access control approach, which integrates user localization data based on magnetic field measurements. In Sect. 4, the different phases of our indoor localization system are explained. Section 5 details the implementation carried out for each of the technical foundations of our proposal for location-aware access control. Section 6 describes the proposed scenario to evaluate the system as well as the experimental results obtained from the evaluations performed. Finally, Sect. 7 provides conclusions and a description of the future directions of our work.

2 Related work

While recent advances have overcome most of the technological challenges to make environments smarter, security and privacy still remain major concerns for their full adoption. Because of this, the application of different access control models in these scenarios is receiving increasing interest from the research community.

In the context of smart homes, a semantic architecture is described in Kim et al. (2012). The proposal is developed on top of the OSGi framework and incorporates a semantic model of a smart home system. In addition, an access control policy is designed to give home owners robust control over the way users can access their devices. In Ebinger et al. (2013), a privacy dashboard is designed to improve user understanding and implementation of privacy rights related to smart buildings. Specifically, the proposed approach is based on XACML (Moses et al. 2005) policies, which can be configured by non-expert users to model their privacy preferences on sensor data or actuators.

However, these proposals are based on a centralized architecture in which a home gateway is responsible for managing and enforcing the access control policies defined by the users. In addition, the user’s location is not considered in the authorization decision.

Furthermore, in the smart buildings context, several proposals have been designed to provide location awareness in the authorization process. In this direction, Gupta et al. (2006) introduce a proximity-based access control model (PBAC) for emergency departments. In addition, they implement a prototype using an RFID-based solution to consider location restrictions. In Gao et al. (2009), a statistical indoor localization method using WLAN is proposed for location-based access control. In the off-line phase, a LOESS (Locally Weighted Regression and Smoothing Scatterplots) model is used to build a radio map with the distribution of signal strength. Then, in the on-line phase, locations are inferred by a maximum likelihood estimation (MLE) based on the measured signal strength and the stored distribution. An LBAC system called LOCK is proposed in Wang et al. (2009). The work makes use of autonomous ultrasound positioning devices that are automatically calibrated using a Measurement-Free Calibration method (MFC) to transform their relative positioning results into an absolute coordinate system. Then, a coherent secure zone fitting (CSFZ) method is provided to precisely characterize the secure zones. In the on-line phase, a round-trip judgment (RTJ) algorithm is designed to determine the geographical relationship between the client’s position and such secure zones. In Xin-fang et al. (2011), a location-based access control system for data security in mobile storage devices is introduced. The proposal makes use of an RFID tag embedded into the device and an RFID reader to implement location-based access control. In addition, it makes use of RF signals to build the security zone and obtains the user’s location information from the tag and the reader. In Rodriguez et al. (2004), a location-aware medical information system was developed to provide access to hospital resources, such as patients’ records, based on the user’s location. The system uses WLAN as the positioning system, together with a location estimation method based on a backpropagation neural network, which is used to estimate the user’s location.

Unlike previous proposals, this work presents a novel localization system based on magnetic field measurements, which are provided by current mobile devices such as smartphones or tablets. In addition, our proposal does not require additional hardware or infrastructure since the location estimation stage is embedded into smart objects. Furthermore, our approach is built on top of the distributed CapBAC model (Hernández-Ramos et al. 2013). Therefore, no intermediate entities are needed in our location-aware access control mechanism.

3 Design foundations

3.1 Distributed approach

So far, due to the severe constraints of smart objects, most proposals have addressed access control in smart environments by using centralized approaches in which a central entity or gateway is responsible for managing the corresponding authorization mechanism. While traditional access control models, standard security technologies and protocols can be used in these approaches, several drawbacks arise when they are considered in a real deployment. On the one hand, the inclusion of a central entity prevents end-to-end security from being achieved. In addition, this solution cannot provide a suitable level of scalability for smart environments with a potentially huge number of devices. On the other hand, a centralized approach increases the cost of the solution, since additional hardware is needed. Furthermore, because a single entity stores and manages all the data from a set of devices, it becomes a single point of failure. Consequently, any vulnerability might compromise a vast amount of sensitive information.

The aforementioned drawbacks could be solved by a distributed approach in which smart objects are able to make authorization decisions without any intermediate entity. In this case, all the access control logic is embedded into the devices, which are enabled with the ability to obtain, process and send information to other services and entities in a direct and natural way. While most of the mentioned drawbacks of centralized approaches can be solved, a fully distributed approach comes at some cost. In particular, standard security mechanisms are often based on cryptographic primitives with a high computational cost, which is not appropriate for resource-constrained devices. In addition, the inherent features of traditional access control models, such as RBAC (Ferraiolo et al. 1995) or ABAC (Yuan and Tong 2005), make their implementation unrealistic on smart objects. Recently, we have proposed a fully distributed access control mechanism based on capabilities (distributed CapBAC) (Hernández-Ramos et al. 2013), which has been demonstrated to be a feasible approach for smart environments with resource-constrained devices. Therefore, our location-aware access control mechanism is built on top of distributed CapBAC, providing the mentioned benefits of a distributed approach in the context of smart buildings.

Furthermore, in our proposed localization system, each constrained device is responsible for carrying out location estimations considering only the building zone where it is placed. In this way, devices are not required to process the location data set of the whole building space, which allows the location estimation functionality to be embedded into resource-constrained devices. Therefore, in our approach, smart objects are enabled with the ability to infer the user’s location data as well as to enforce her privileges.

3.2 Integrating location data based on magnetic field measurements

The omnipresent role of mobile devices such as smartphones or tablets in daily life has resulted in a huge range of new solutions for the indoor localization problem (Lane et al. 2010). For our location-aware access control mechanism, we propose a novel indoor localization solution that only requires, from the hardware point of view, a smartphone and its built-in sensors. Therefore, external hardware infrastructures are not needed (for instance, no radio access points), providing an accurate, flexible and easily manageable solution for users. Specifically, we only consider the data provided by the magnetic sensors of smartphones, making our location-aware access control totally independent of the type of devices and signals available in buildings.

The proposals for indoor localization systems based on magnetic field measurements are partly inspired by the evidence that animals make use of the Earth’s magnetic field not only for orientation detection, but also for true navigation (Boles and Lohmann 2003). These solutions assume that the success of magnetic sensors for both orientation and position estimation is conditioned by their capacity to sense the Earth’s magnetic field in environments containing magnetic anomalies. In principle, a non-uniform indoor ambient magnetic field produces different magnetic observations depending on the path taken through it. In buildings, variations of the Earth’s magnetic field arise from any object made of iron, cobalt or nickel, and also from man-made sources such as steel structures, electric power systems and electronic and mechanical appliances. Thus, static objects or infrastructures inside buildings (printers, lifts, etc.) perturb the Earth’s magnetic field and can make up a profile of magnetic field values (a map composed of magnetic field fingerprints), which can be used to solve localization in buildings.

Nevertheless, this magnetic profile must be well characterized and quantified prior to the estimation process (Haverinen and Kemppainen 2009). To date, the main efforts have been devoted to studying and validating the approach of using the indoor magnetic field for localization, and all these analyses conclude that it represents a stable and unique solution that can be applied to solve the problem. Some proposals to generate magnetic maps of buildings for indoor localization are presented in the literature, for instance Gozick et al. (2011) and Li et al. (2012). Most of them consider only the intensity value of the magnetic fields measured inside buildings. Nevertheless, the scalability and robustness of these solutions in different types of building cannot be ensured, mainly in buildings where the number of artificial magnetic fields is low, or where the magnetic field sources of the building are of the same nature. Bearing this restriction in mind, in our approach we consider the vectorial character of magnetic fields, and propose to use the three components \((x, y, z)\) of the magnetic field to provide a more complete characterization of buildings. This approach is also addressed by Angermann et al. (2012). It should be noted that this type of solution requires controlling the orientation of the mobile phone during the measurement process. Moreover, a relevant issue for indoor localization systems is choosing the most suitable data processing techniques. For our approach, the uncertainty in the accuracy of location data must be dealt with, because it varies depending on the building zone where a user is located. Therefore, taking this constraint into account, it is necessary to apply suitable soft computing techniques that address this aspect to provide an accurate localization solution, which will be used for the access control of services provided in buildings.

The computation techniques chosen in this work are based on scene analysis: first, reference measurements (fingerprints) of the ambient magnetic field are collected and processed to generate magnetic field maps of the building. Techniques such as clustering and classifiers make up the off-line phase of the localization system. Then, user positions are estimated by matching on-line measurements with the closest a priori location fingerprints. For this, we use an estimator based on a Radial Basis Function Network, which represents the on-line phase of the localization system. Both phases of this system (i.e. off-line and on-line) are fully explained in the next section.

4 Indoor localization mechanism based on magnetic field data

4.1 Off-line phase

To generate magnetic field patterns of buildings from the three magnetic field components, and thus achieve accurate and reliable location estimations, computational techniques that estimate the user location from this particular type of data must be applied. A general description of the different actions performed to generate such models for localization in buildings is presented below.

1. Phone calibration: it is important to take into account that the magnetometer readouts readily available on smartphones are prone to disorientation of the sensing module and depend on the orientation and position in which the user carries the phone during data collection, e.g. whether the device is in the user’s trouser pocket or in a bag. Thus, the phone orientation and the wearing position must be correctly associated with the data collection performed, and they are considered in the off-line phase of the proposed localization mechanism.

2. Data collection: magnetic field data are gathered using a smartphone with an integrated magnetometer.

3. Clustering: data processing to identify zones of the building where the magnetic field distributions show peaks that can be used as magnetic field landmarks. These landmarks are used later to geo-reference the magnetic field values measured along the building during the on-line phase of the system.

4. Classifier: to divide the building’s space according to the identified landmarks. In this way, higher accuracy can be obtained in the localization results.

5. Estimator: analysis of each of these regions in terms of the magnetic field distribution associated with the spatial distribution, and implementation of the best regression technique to estimate the user position for each building zone associated with a landmark.

After reviewing the most suitable computational techniques recommended in the literature for each of these objectives, we analysed and contrasted different alternatives. The techniques finally selected are described below, together with a description of the problem each one solves.

4.1.1 Calibration

During this first stage, predefined phone orientations and user wearing positions are established, to be associated later with the corresponding magnetic field maps generated at the end of the off-line phase of our system. Thus, we generate descriptive models based on these data for user localization. Furthermore, several data collection processes are carried out under different context conditions, such as different levels of occupancy or different times of day, so that the generated building models are representative enough to cover different building conditions.

4.1.2 Data collection

Considering each of the pre-established orientations and phone wearing positions, “snapshots” of the magnetic field are collected during short periods of time (less than a minute at each location \(Z_q\)) along the building space. Such measurements are associated with the physical positions \(Z^{(t)}_q\) where they were gathered. Then, the set of data pairs is:

$$\begin{aligned} (B^{(t)}_q, Z^{(t)}_q),\quad t = 1, 2,\ldots , N \end{aligned}$$
(1)

where \(N\) is the number of data instances at location \(Z_q\), \(B^{(t)}_q = [Bx^{(t)}_q, By^{(t)}_q, Bz^{(t)}_q] \in R^n\) and \(Z^{(t)}_q \in R^k\).

4.1.3 Pre-processing

The pre-processing unit is responsible for preparing the measured data by transformation. In addition, feature vectors are extracted from the data to be used for location estimation. The processing techniques applied in this stage are:

1. Transformation: based on the raw dataset collected by the phone. During the feature transformation, compact representations of the magnetic field values, namely features, are extracted to be used later for localization estimation. The initial feature selection for representing the magnetic field distribution is based on studies in the literature that already use these features for similar goals (as described in Table 1). The dataset values are segmented into windows of 64 samples, and each window is processed through several feature extraction methods, producing a feature vector that can be used to generate the clusters and train the classifier. The adopted features are summarized in Table 1. At this stage, 27 features were extracted for evaluation (9 features for each magnetic field component: \(Bx\), \(By\) and \(Bz\)).

2. Filtering: it replaces all missing values of nominal and numeric attributes in a dataset with the modes and means from the training data.

3. Normalize: it normalizes all numeric values in the given dataset. The resulting values lie in the \([0,1]\) interval for every feature extracted from the initial dataset.

4. Feature selection: it performs a Principal Components Analysis (PCA) and transformation of the data, used in conjunction with a ranker search. PCA is a major technique for reducing dimensionality in high-dimensional data: it identifies the directions in which the observations are most variable. If we consider \(b(i)\) as multi-dimensional observations and \(u\) an arbitrary direction in this multi-dimensional space, the principal components are calculated by maximizing the following expression:

    $$\begin{aligned} \frac{1}{m} \cdot \sum _{i=1}^m (b(i)^\mathrm{T}\cdot u)^2 \end{aligned}$$
    (2)

    Dimensionality reduction is accomplished by choosing enough vectors to account for some percentage of the variance in the original data (0.95 by default). In our case, the maximum number of attributes to include in the transformed attribute names is set to 5, so the final computational load of our localization system is reduced. The ranking is performed over all features, and among them we keep the 5 best-ranked features. The final selected features are:

    (a) By VarFTT (\(f1\)).
    (b) Bx Intensity (\(f2\)).
    (c) By Intensity (\(f3\)).
    (d) Bx SumPowerDetCoeff (\(f4\)).
    (e) By Entropy (\(f5\)).

    Considering such features, Eq. (1) can be rewritten as:

    $$\begin{aligned} \{[f1^{(t)}_q, f2^{(t)}_q, f3^{(t)}_q, f4^{(t)}_q, f5^{(t)}_q], Z^{(t)}_q\},\quad t=1,2,\ldots ,N \end{aligned}$$
    (3)

    where \(P_q = [f1_q, f2_q, f3_q, f4_q, f5_q]\) is the vector of features extracted from the magnetic field measurements associated with the physical location \(Z_q\). At this point, and based on these magnetic field features, we generate the map of the building. These maps are used during the following stages of our proposed localization mechanism.

Table 1 Summary of the extracted features from magnetic field measurements (in 3D)
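As an added illustration, not part of the original paper, the following Python code carries the pre-processing stage through on a constructed three-axis magnetometer stream: it segments the stream into 64-sample windows, computes per-axis features, min-max normalizes them to \([0,1]\) and keeps the five features \(f1\) to \(f5\) listed above. Table 1 is not reproduced on the page, so the Intensity, VarFFT (the page’s “VarFTT”), Entropy and SumPowerDetCoeff computations below are my own assumed definitions, and the PCA ranking is replaced by the fixed selection the paper reports.

```python
import math
from typing import Dict, List, Tuple

WINDOW = 64  # the paper segments the raw stream into windows of 64 samples
Sample = Tuple[float, float, float]  # (Bx, By, Bz) in microtesla (constructed units)


def dft_magnitudes(x: List[float]) -> List[float]:
    """Magnitude spectrum via a direct O(n^2) DFT; fine for 64-sample windows."""
    n = len(x)
    mags = []
    for k in range(n):
        re = sum(x[t] * math.cos(2 * math.pi * k * t / n) for t in range(n))
        im = -sum(x[t] * math.sin(2 * math.pi * k * t / n) for t in range(n))
        mags.append(math.hypot(re, im))
    return mags


def variance(v: List[float]) -> float:
    m = sum(v) / len(v)
    return sum((a - m) ** 2 for a in v) / len(v)


def entropy(x: List[float], bins: int = 8) -> float:
    """Shannon entropy (bits) of a histogram of the window; 0 for a constant signal."""
    lo, hi = min(x), max(x)
    if hi == lo:
        return 0.0
    counts = [0] * bins
    for a in x:
        counts[min(int((a - lo) / (hi - lo) * bins), bins - 1)] += 1
    n = len(x)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def haar_detail_power(x: List[float]) -> float:
    """Sum of squared first-level Haar wavelet detail coefficients
    (assumed reading of the paper's 'SumPowerDetCoeff' feature)."""
    return sum(((x[2 * i] - x[2 * i + 1]) / math.sqrt(2)) ** 2 for i in range(len(x) // 2))


def window_features(bx: List[float], by: List[float], bz: List[float]) -> Dict[str, float]:
    """Per-axis features for one window; names follow the paper's 'Axis Feature' labels."""
    feats: Dict[str, float] = {}
    for name, axis in (("Bx", bx), ("By", by), ("Bz", bz)):
        feats[f"{name} Intensity"] = sum(axis) / len(axis)        # mean field on the axis
        feats[f"{name} VarFFT"] = variance(dft_magnitudes(axis))  # spread of the spectrum
        feats[f"{name} Entropy"] = entropy(axis)
        feats[f"{name} SumPowerDetCoeff"] = haar_detail_power(axis)
    return feats


def extract(stream: List[Sample]) -> List[Dict[str, float]]:
    """Transformation step: segment into 64-sample windows and featurise each one."""
    rows = []
    for start in range(0, len(stream) - WINDOW + 1, WINDOW):
        w = stream[start:start + WINDOW]
        rows.append(window_features([s[0] for s in w], [s[1] for s in w], [s[2] for s in w]))
    return rows


def normalize(rows: List[Dict[str, float]], keys: List[str]) -> List[Dict[str, float]]:
    """Normalize step: min-max scale every feature to [0,1] over the whole dataset."""
    rng = {k: (min(r[k] for r in rows), max(r[k] for r in rows)) for k in keys}
    return [{k: ((r[k] - rng[k][0]) / (rng[k][1] - rng[k][0]) if rng[k][1] > rng[k][0] else 0.0)
             for k in keys} for r in rows]


# The five features the paper keeps after the PCA ranking (f1..f5), in that order.
SELECTED = ["By VarFFT", "Bx Intensity", "By Intensity", "Bx SumPowerDetCoeff", "By Entropy"]


def feature_vectors(stream: List[Sample]) -> List[List[float]]:
    """Full pipeline: raw (Bx,By,Bz) stream -> list of normalised P_q = [f1..f5] vectors."""
    rows = normalize(extract(stream), SELECTED)
    return [[r[k] for k in SELECTED] for r in rows]


def demo_stream() -> List[Sample]:
    """Constructed 128-sample stream: two windows with visibly different magnetic profiles."""
    out: List[Sample] = []
    for t in range(128):
        if t < WINDOW:
            out.append((20.0 + 3.0 * math.sin(t / 5.0), -5.0 + 0.5 * (t % 7), 40.0))
        else:
            out.append((25.0 + (t % 4), -30.0 + 2.0 * math.sin(t / 3.0), 45.0))
    return out


if __name__ == "__main__":
    for vec in feature_vectors(demo_stream()):
        print([round(v, 3) for v in vec])
```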

4.1.4 Clustering

This phase performs the space division of the building according to the distribution of magnetic field values. It groups the collected data according to the identified clusters, whose centroids are associated with magnetic field landmarks.

After a comparison among different techniques for clustering, the selected method is based on the Simple Expectation Maximisation (EM) (McGregor 2004), which shows the best performance in terms of classification error obtained.

EM assigns to each instance a probability distribution that indicates the probability that it belongs to each of the clusters. EM can decide how many clusters to create by cross validation, although this number can also be specified in advance. For this, we propose an automatic search of the number of clusters that optimizes the classification success and the localization estimation accuracy (Luna et al. 2011).

Each generated cluster is described by a vector of mean values of the magnetic field features composing the centroid of the cluster and a vector of deviation values associated with that cluster. These vectors can be represented mathematically as \(\mu _{Ci} = [\mu _{f1}, \mu _{f2}, \mu _{f3}, \mu _{f4}, \mu _{f5}, \mu _Z]\) and \(\sigma _{Ci} = [\sigma _{f1}, \sigma _{f2}, \sigma _{f3}, \sigma _{f4}, \sigma _{f5}, \sigma _Z]\), where \(\mu _{Ci}\) and \(\sigma _{Ci}\) denote the mean and deviation of the centroid of landmark \(i\), respectively.

4.1.5 Landmark’s classifier

In this phase, we implement a classifier that assigns each new magnetic field measurement to one landmark. In this way, we can focus on the building zone covered by each landmark and discard the rest of the building’s space when carrying out the location estimation.

After analysis of different proposals, the selected classifier for carrying out this assignment is the meta-classifier Decorate (Melville and Mooney 2005), which achieves the highest success value in classification.

Decorate is a meta-learner for building diverse ensembles of classifiers using specially constructed artificial training examples. Comprehensive experiments have demonstrated that this technique is consistently more accurate than its base classifiers [Bagging (Breiman 1996) and Random Forests (Breiman 2001)]. It also obtains higher accuracy than Boosting (Friedman et al. 2000) on small training sets, and achieves comparable performance on larger training sets.

4.1.6 Localization estimator

Once the magnetic field measurements are correctly classified into their associated landmarks, the building zone of every measurement can be inferred. Thus, the position estimation is carried out using the available knowledge about the associated landmark. For this, a Radial Basis Function Network (Simon 1999) is computed for each landmark as the regression technique; it uses all the training data associated with that landmark to estimate the user position from its magnetic field feature vector.

RBF networks find approximation solutions in the form of weighted sums of basis functions based on reference data. The main advantages of using RBF for estimation are its scalability and easy deployment under different context conditions, where a variable number of centroids have been identified previously.

In our case, for each building’s space division associated to one landmark, an RBF network is implemented.

The input space \(P\) of our RBF is the vector of selected features of the magnetic field. These data can be denoted as:

$$\begin{aligned} P \in R, P = \{p_{i}\},\quad \forall p_{i}=[p_{1},p_{2},\ldots ,p_{n}] \end{aligned}$$
(4)

where \(n\) is the number of measurements received from the phone and classified within the chosen subarea associated with a landmark. The target class \(Z\) represents the position. This is denoted as:

$$\begin{aligned} Z \in R^{k}, Z = \{z_{i}^{k}\},\quad \forall z_{i}^{k} =[z_{1}^{k},z_{2}^{k},\ldots ,z_{n}^{k}] \end{aligned}$$
(5)

where \(k\) is the dimension of the position. In our case, we assume a value of \(k = 2\). Then, given the training values \(\{(p_{1}, z_{1}^{k}),\ldots ,(p_{n}, z_{n}^{k})\}\), our goal is to find a function that allows us to estimate the monitored user position (\(z_i = [x_i, y_i]\)) from its vector of magnetic field features (\(p_i\)).

The vector \(p_{j}\) is provided as input to all functions of our RBF network, and the output \(f(p_j)\) is given by:

$$\begin{aligned} f(p_j)=\sum _{i=1}^c w_i \cdot \varphi (\parallel p_j-c_i \parallel ) \end{aligned}$$
(6)

where \(\parallel p_j-c_i \parallel \) is the Euclidean distance between \(p_j\) and the center \(c_i\) of the \(i\)-th basis function.

The number of RBFs is \(c\), and \(w_i\) is the weight associated with the \(i\)-th basis function. The value of \(\beta \) specifies the width of the basis functions and allows their sensitivity to be adjusted. As \(\beta \) decreases, the basis functions become wider and their overlap may increase. An appropriate value of \(\beta \) is usually selected experimentally based on the reference data, and it can be further adjusted when testing data are available.

In our proposal, we use the k-means clustering algorithm (Kanungo et al. 2002) to provide the basis functions of our RBFs, and then learn a linear regression on top of them. For this, symmetric multivariate Gaussian functions are fit to the data of each cluster. The RBF network implementation for each of the magnetic field landmarks obtained after clustering represents the last stage of the off-line phase of our proposed localization system.
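As an added example, not the paper’s own code, the following Python implements the per-landmark estimator of Eq. (6): k-means supplies the centers \(c_i\), \(\varphi\) is taken as the Gaussian \(\exp(-\beta r^2)\) (an assumption consistent with the symmetric Gaussian functions mentioned above), and the weights \(w_i\) are fitted by least-squares linear regression so that a single network outputs the 2-D position \(z_i = [x_i, y_i]\). The training set (three reference spots with 5-feature prototypes and positions) is constructed for the demonstration.

```python
import math
import random
from typing import List, Tuple

Vec = List[float]


def dist(a: Vec, b: Vec) -> float:
    """Euclidean distance ||a - b||, as used in Eq. (6)."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def kmeans(points: List[Vec], c: int, iters: int = 25) -> List[Vec]:
    """Plain k-means; deterministic because the first c points seed the centers."""
    centers = [p[:] for p in points[:c]]
    for _ in range(iters):
        groups: List[List[Vec]] = [[] for _ in range(c)]
        for p in points:
            groups[min(range(c), key=lambda i: dist(p, centers[i]))].append(p)
        for i, g in enumerate(groups):
            if g:
                centers[i] = [sum(col) / len(g) for col in zip(*g)]
    return centers


def solve(A: List[Vec], B: List[Vec]) -> List[Vec]:
    """Gauss-Jordan elimination with partial pivoting: returns X with A X = B."""
    n = len(A)
    M = [A[i][:] + B[i][:] for i in range(n)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(M[r][col]))
        M[col], M[piv] = M[piv], M[col]
        pv = M[col][col]
        M[col] = [v / pv for v in M[col]]
        for r in range(n):
            if r != col:
                f = M[r][col]
                M[r] = [a - f * b for a, b in zip(M[r], M[col])]
    return [row[n:] for row in M]


class RBFNetwork:
    """f(p_j) = sum_{i=1..c} w_i * phi(||p_j - c_i||), phi(r) = exp(-beta r^2).
    Each w_i is a k-vector (k = 2: x and y), so one network outputs the 2-D position."""

    def __init__(self, c: int, beta: float, ridge: float = 1e-6):
        self.c, self.beta, self.ridge = c, beta, ridge
        self.centers: List[Vec] = []
        self.weights: List[Vec] = []  # c rows, k columns

    def phi(self, p: Vec) -> Vec:
        return [math.exp(-self.beta * dist(p, ci) ** 2) for ci in self.centers]

    def fit(self, P: List[Vec], Z: List[Vec]) -> "RBFNetwork":
        """Off-line training: k-means gives the centers, least squares gives the weights."""
        self.centers = kmeans(P, self.c)
        Phi = [self.phi(p) for p in P]
        k, m = len(Z[0]), len(P)
        # Normal equations (Phi^T Phi + ridge*I) W = Phi^T Z; the ridge keeps them solvable
        G = [[sum(Phi[r][i] * Phi[r][j] for r in range(m)) + (self.ridge if i == j else 0.0)
              for j in range(self.c)] for i in range(self.c)]
        T = [[sum(Phi[r][i] * Z[r][d] for r in range(m)) for d in range(k)]
             for i in range(self.c)]
        self.weights = solve(G, T)
        return self

    def predict(self, p: Vec) -> Vec:
        """On-line estimation: position for one 5-feature vector p_j."""
        ph = self.phi(p)
        return [sum(ph[i] * self.weights[i][d] for i in range(self.c))
                for d in range(len(self.weights[0]))]


# Constructed training set for one landmark: three reference spots, each with a 5-feature
# prototype (already normalised to [0,1]) and an assumed 2-D position in metres.
PROTOTYPES = {"A": [0.1, 0.2, 0.1, 0.3, 0.2],
              "B": [0.8, 0.7, 0.9, 0.6, 0.8],
              "C": [0.5, 0.9, 0.3, 0.1, 0.6]}
POSITIONS = {"A": [1.0, 1.0], "B": [1.0, 3.0], "C": [3.0, 2.0]}


def build_training_set(samples_per_spot: int = 5) -> Tuple[List[Vec], List[Vec]]:
    """Jittered copies of each prototype, interleaved so k-means seeds fall on distinct spots."""
    rng = random.Random(7)
    P, Z = [], []
    for _ in range(samples_per_spot):
        for spot, proto in PROTOTYPES.items():
            P.append([v + rng.uniform(-0.03, 0.03) for v in proto])
            Z.append(POSITIONS[spot][:])
    return P, Z


def train_demo() -> RBFNetwork:
    P, Z = build_training_set()
    return RBFNetwork(c=3, beta=10.0).fit(P, Z)


if __name__ == "__main__":
    net = train_demo()
    for spot, proto in PROTOTYPES.items():
        print(spot, POSITIONS[spot], [round(v, 2) for v in net.predict(proto)])
```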

Finally, Fig. 1 shows a schema with the sequence of all the steps involved in the off-line phase of our localization system.

Fig. 1 Off-line phase of the localization mechanism

4.2 On-line phase

After the off-line phase, user localization can be estimated using the magnetic field maps generated during the off-line stage, as well as the localization estimator designed. A schema of the steps carried out during the on-line phase of our localization system can be seen in Fig. 2. The input data are the magnetic field measurements sensed by the user’s phone magnetometer. From such measurements, the magnetic field features are extracted. Then, this feature vector is classified as belonging to one landmark’s cluster. Finally, using the RBF implemented for that landmark, the user position is estimated.

Fig. 2 Building model based on magnetic field for indoor localization

This localization system is used in our proposed access control mechanism to properly evaluate whether the requesting user is inside the security zone defined for a specific smart object. The integration of this information and the access credentials in our proposed access control mechanism is described in the next section.

5 Location-aware access control

5.1 Mechanism overview

An overview of our location-aware access control system is shown in Fig. 3. The basis of the proposed approach is built on top of distributed CapBAC, which is described in detail in Hernández-Ramos et al. (2013). This scenario has been designed taking into account the constraints inherent to current smart objects, as well as the requirements of smart environments regarding interoperability, flexibility and heterogeneity. Specifically, our proposal makes use of an IP-based communications architecture with emerging protocols designed for constrained environments. In particular, IPv6 over Low power Wireless Personal Area Networks (6LoWPAN) (Mulligan 2007) is considered as the extension of IPv6 for use in 802.15.4 wireless networks, enabling end-to-end IP networking for resource-constrained devices. In Oliveira et al. (2013a), an approach based on the 6LoWPAN neighbor discovery protocol is proposed to mitigate attacks initiated from the Internet without adding overhead on the 6LoWPAN sensor, and Oliveira et al. (2013b) present an example of an access control framework for 6LoWPAN networks.

Fig. 3 Proposed scenario

In the smart buildings context, these elements could be instantiated by typical objects such as door locks, lamps or smart meters. Moreover, the Constrained Application Protocol (CoAP) (Shelby et al. 2013) enables interoperability at the application layer through RESTful Web services. The protocol is designed with very low overhead and simplicity for machine-to-machine (M2M) applications such as smart energy and building automation.

The basic operation of our access control mechanism is as follows. As an initial step, the issuer entity of the system, which could be the device’s owner or manager, issues a capability token to the subject granting permissions on the device. Furthermore, the issuer signs this token to prevent security breaches. The value of the signature is attached to the capability token and sent to the subject. It is noteworthy that this stage actually requires an access control process, whereby a set of permissions is inferred and granted to the subject. Nevertheless, the process of how to generate the token is outside the scope of this work. An example of a capability token in the smart buildings context with permissions on a smart door lock is shown in Fig. 4.

Fig. 4 Example of token

Once the subject has received the capability token, she tries to make use of the smart object (e.g. a smart door lock). To do this, when she is close to the geographical area of the target device, she generates a request including magnetic field values and the capability token. In addition, this request must be signed to get access to the smart object. For this purpose, the CoAP request format has been extended with three headers:

  1. Capability, which contains the capability token.

  2. Signature, including the subject’s signature for the request.

  3. Magnetic field values, which hold the magnetic measurements provided by the subject’s personal phone.

The appearance of the resulting CoAP request is shown in Fig. 5. Moreover, according to Fig. 3, this request does not have to be read by any intermediate entity. Indeed, the component which is denoted as gateway could be instantiated by a 6LoWPAN Border Router (6LBR) with basic routing functionalities.

Fig. 5 Appearance of the extended CoAP request format

When the smart object receives the request, an authorization engine is launched to make the access control decision. This mechanism has been designed by considering our indoor localization proposal, which is based on magnetic field measurements. Finally, once the authorization process has been completed, the device generates a CoAP response based on the authorization decision made, which is sent to the subject. A more detailed description of the authorization engine is given in the next section.

5.2 Authorization engine

Taking into account the overview of our access control mechanism, now we describe the actions performed by the authorization engine integrated in every device whose services are required.

In our proposal, each one of these smart objects only needs the map with the magnetic field characterization belonging to the building’s zone where it is placed. Therefore, when devices have to evaluate their services’ access, they only have to process the map’s area containing the magnetic field model of the landmark associated to such building’s zone. In this way, the smart object’s computational load is reduced and, consequently, power consumption is saved.

Taking into account the requirements of our access control problem, in which both localization data and user credentials are involved, we propose an evaluation in which different tasks are executed in ascending order of complexity. Furthermore, if any of the steps in the evaluation fails, the authorization engine is immediately aborted, so the remaining tasks are not required. The first task to be performed by the authorization engine is assessing whether the subject is inside the same building’s zone where the smart object is placed. For this, we rely on the magnetic field characterization associated to the landmark identified in such zone, since the characterization of every building’s zone is made through the magnetic field features associated to the landmark’s centroid identified there (see Sect. 4.1). Such landmark’s centroid is represented through mean and deviation values associated to each magnetic field feature. The deviation is the parameter which indicates the zone’s extension covered by each landmark in terms of magnetic field. Therefore, given a device located in a building’s zone where the magnetic field landmark \(j\) (\(l_j\)) with centroid \(C_j\) has been identified, the device must assess whether the distance between the mean values of the landmark centroid and the vector of magnetic field features extracted from the measurements sent by the user is smaller than the deviation associated to such landmark’s centroid. If it is smaller, the subject is inside the same building zone as the device. Otherwise, the authorization process is aborted and the service is denied. If the previous requirement is satisfied, the second evaluation task is carried out. It consists of evaluating the capability token, which is attached to the access request. The different steps to be executed for this evaluation are shown in Algorithm 2. In addition, a complete description of this process is given in Hernández-Ramos et al. (2013).
If the capability token is successfully evaluated, the last task of our authorization engine is launched. During this step, it is evaluated whether the subject is inside the security zone defined for the required service (denoted as \(SZ\)). For this evaluation, it is first necessary to estimate the subject position using the RBF defined for the associated landmark. Once the subject location is estimated (\(Z^k\)), the distance between subject and device is calculated, and then it is evaluated whether such distance is smaller than \(SZ\). This last evaluation also takes into account the mean accuracy value (\(\mu _z\)) associated to the RBF used to estimate the subject position. The complete sequence of the authorization engine is shown in Algorithm 1.

Algorithm 1 and Algorithm 2 (figures a and b, not reproduced)
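The fail-fast ordering of the three authorization tasks described above, fed by the extended request of Sect. 5.1 (token, subject's signature, magnetic field values), as an added Python example that is not the paper's code. All keys, the landmark centroid, the RBF training samples, the device position, \(SZ\) and \(\mu _z\) are constructed values; a normalized Gaussian RBF stands in for the paper's RBF network, HMAC over shared keys stands in for the ECDSA signatures checked by Algorithm 2, and applying \(\mu _z\) as a margin added to the estimated distance is an assumption.

```python
# Added example, not the paper's code: fail-fast authorization engine of Sect. 5.2
# over a request carrying the capability token, the subject's signature and the
# magnetic field values (Sect. 5.1). All keys, landmark, RBF and position values
# are constructed; HMAC stands in for the ECDSA signatures checked by Algorithm 2.
import hashlib
import hmac
import json
import math

ISSUER_KEY = b"issuer-key-constructed"             # stand-in issuer signing key
SUBJECT_KEYS = {"alice": b"alice-key-constructed"}  # stand-in per-subject keys

# Landmark l_j: centroid C_j as per-feature means plus its deviation sigma_l
LANDMARK = {"mean": (42.0, 30.0, 25.0), "deviation": 4.0}
DEVICE_POS = (10.0, 0.0)   # smart object position inside the zone (metres)
SECURITY_ZONE = 3.0        # SZ: subject must be estimated within this distance
MU_Z = 0.5                 # mean accuracy of the zone's RBF estimator (metres)

# Constructed RBF training set: magnetic feature vector -> (x, y) position
RBF_SAMPLES = [((40.0, 28.0, 24.0), (6.0, 0.0)),
               ((42.0, 30.0, 25.0), (10.0, 0.0)),
               ((44.0, 32.0, 26.0), (14.0, 0.0))]
RBF_WIDTH = 2.0

def euclid(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def canonical(obj):
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def sign(key, obj):
    return hmac.new(key, canonical(obj), hashlib.sha256).hexdigest()

def issue_token(subject, device, permissions):
    """Issuer grants permissions on a device and signs the token (Sect. 5.1)."""
    body = {"subject": subject, "device": device, "permissions": permissions}
    return {**body, "sig": sign(ISSUER_KEY, body)}

def make_request(token, magnetic, key=None):
    """Subject's extended request: token, magnetic values and her signature."""
    payload = {"token_sig": token["sig"], "magnetic": list(magnetic)}
    key = key or SUBJECT_KEYS[token["subject"]]
    return {"token": token, "payload": payload, "sig": sign(key, payload)}

def in_same_zone(features, landmark=LANDMARK):
    """Task 1: feature distance to the centroid mean below the landmark deviation."""
    return euclid(features, landmark["mean"]) < landmark["deviation"]

def token_valid(request, action, device):
    """Task 2: issuer signature, subject's request signature, then permissions."""
    token = request["token"]
    body = {k: token[k] for k in ("subject", "device", "permissions")}
    if not hmac.compare_digest(token["sig"], sign(ISSUER_KEY, body)):
        return False
    subject_key = SUBJECT_KEYS.get(token["subject"], b"")
    if not hmac.compare_digest(request["sig"], sign(subject_key, request["payload"])):
        return False
    return token["device"] == device and action in token["permissions"]

def estimate_position(features, samples=RBF_SAMPLES, width=RBF_WIDTH):
    """Task 3 helper: normalized Gaussian RBF regression (stand-in for the RBF network)."""
    weights = [math.exp(-euclid(features, f) ** 2 / (2 * width ** 2)) for f, _ in samples]
    total = sum(weights)
    return tuple(sum(w * p[i] for w, (_, p) in zip(weights, samples)) / total
                 for i in range(2))

def authorize(request, action, device="door-lock-1"):
    """Runs the tasks in ascending cost; returns (granted, stage) and aborts early."""
    features = tuple(request["payload"]["magnetic"])
    if not in_same_zone(features):
        return False, "zone"
    if not token_valid(request, action, device):
        return False, "token"
    z_k = estimate_position(features)
    # Assumption: mu_z is applied as an error margin on the estimated distance
    if euclid(z_k, DEVICE_POS) + MU_Z >= SECURITY_ZONE:
        return False, "security_zone"
    return True, "granted"
```

The stage returned by `authorize` shows where an unauthorized request is cut off, which is the behaviour behind the shorter decision times for denied requests reported in Sect. 6.2.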

6 Evaluation

In this section, we show the evaluation of our location-aware access control proposal for services provisioning in the smart buildings context. For this purpose, we carry out some experiments to evaluate the performance of each one of the solutions proposed to solve the different technical issues involved in our location-aware authorization approach.

6.1 Evaluation of localization mechanism

To evaluate the proposed algorithms for localization, we have developed a sensing application on an Android G1 dev phone. The Android G1 is equipped with a three-axis Hall-effect geomagnetic sensor. This sensor implements a Dynamic Offset Estimation (DOE) algorithm to automatically compensate magnetic offset fluctuations, thereby making it more resilient to magnetic field variation within the device (Katzakis and Hori 2009). In addition, we have also mitigated the effect of high frequency ambient noise by averaging the measurements prior to the calibration of the device orientation.

Our application is able to log magnetometer signals into a database at a frequency of 25 Hz. Ten subjects were selected from the Information and Communications Engineering Department of the University of Murcia to perform the experiments during which the data were collected. During this stage, the subjects were asked to walk on predefined trajectories along the first floor of the Computer Science Faculty. In addition, the orientation of the mobile phones was fixed, with the phone placed on the middle of the user’s chest. We repeated the data collection on different days and under different conditions of perturbation, specifically considering different levels of occupancy of the building. In this way, for each building, such a procedure is required to provide the magnetic field profile which will be used for localization following our approach. In this sense, the time required for each building depends on its context, i.e. on the variability of the conditions according to the expected use of the building, which can affect its magnetic field profile.

Once data collection was performed, the analysis and data processing techniques presented in Sect. 4.1 were offline processed with Matlab. Consequently, both a 2D building’s map containing magnetic field feature vectors and the RBFs in charge of the location estimation were obtained.

Finding the optimal design parameters for implementing the location estimator in charge of providing the localization data during the on-line phase of the system represents the main requirement for providing accuracy to the final results. For this reason, we decided to focus the evaluation process of the localization system on this key issue.

Firstly, we calculate the optimum number of clusters to be considered for the classifier construction. Thus, we have to find the number of clusters that achieves a tradeoff between the error obtained in the landmark classification and the associated error in the location estimation. The distribution of magnetic field landmarks identified in such floor corresponds to building’s points set where different electronic and mechanical infrastructures are placed, such as lifts, printers, servers, laboratories, etc., representing all of them as sources of perturbation of the ambient Earth’s magnetic field.

Fig. 6 Magnetic field landmarks

We focus on the floor’s corridor shown in Fig. 6 to present the results obtained from the tests performed, since it presents a high activity level and numerous laboratories are located there. Such corridor is 28 m long. In Table 2, we show the accuracy values in location estimation for different settings of our mechanism, i.e. considering different numbers of clusters. During this analysis, we achieved mean values of classification success between 83 and 91 %. We can see that the best performance of the mechanism on this floor corresponds to a cluster number of 8, with 2.9 m of mean error in the localization estimate. It is noticeable that such an accuracy value is suitable to be considered for access control, especially taking into account the common services provided in smart buildings and their service areas.

Table 2 Accuracy in location data

Considering our location-aware authorization mechanism, the cluster number (number of landmarks) established will directly affect the accuracy in the computation of the distance between subject and landmark. For access authorization, such distance should be smaller than the associated deviation of the magnetic field centroid of the landmark. Therefore, we calculate such distance considering only the magnetic field parameters. The deviation values associated to every landmark are obtained after the clustering of the magnetic field dataset collected in the off-line phase of our localization system.

Therefore, at this point we show in Table 3 the deviation values of each one of the 8 landmarks identified after clustering, as well as the mean and deviation accuracy values of the RBF implemented for each one of these 8 landmarks. From these results, we can see that it is possible to achieve very accurate localization results, especially considering that there is a low number of different sources of magnetic field perturbation in the scenario under analysis, which is a constraint of the current solutions that follow the same approach for indoor localization.

Table 3 Deviation in the landmark position (\(\sigma _l\)), accuracy in location estimation (\(\varepsilon \)) and deviation in the accuracy associated (\(\sigma _{\varepsilon }\))

Fig. 7 Box plots for different numbers of clusters

Using these results, we obtain the box plots of the three configurations with the best associated location results, see Fig. 7. The numerical results are graphically depicted by their quartiles. The lines extending vertically from the boxes (whiskers) indicate variability outside the upper and lower quartiles. Using 8 landmarks, we achieved low dispersion among the results and a suitable degree of mean accuracy in the location data, providing a success value of 75 % in classification and an error of 2.9 m in localization estimation. Therefore, 8 landmarks were considered suitable to generate the magnetic field map of the target corridor and to implement an RBF network for every zone in the building associated to each one of these 8 landmarks.

For a more complete assessment of the proposal to use the magnetic field for indoor localization, we present a comparison of the localization results achieved by our mechanism with those provided by another phone-based technology in the same test scenario (i.e. the corridor shown in Fig. 6). With this comparison, we intend to validate the results obtained with our indoor localization system against those of another system already validated as a feasible solution in indoor environments and currently in use for this problem.

Following the approach of using WiFi signals for indoor localization, Garcia-Valverde et al. (2013) proposed a localization system which receives WiFi signals from a number of existing WiFi access points with no prior knowledge of the location of the access points and the environment. This system provides the percentages of success in the classification performed to predict location. Therefore, its level of granularity is in terms of building’s zones. In this sense, we can take the zones resulting from the clustering mechanism applied in our localization system (which is based on the magnetic field distribution) and compare them with the classification results provided by the system based on WiFi measurements. This WiFi-based localization system was developed at the University of Murcia and evaluated in different buildings of the same university. It is noticeable that it provided the most accurate results in the building of the Computer Science Faculty, since in this building the number of access points deployed and available to this system is high.

In Table 4, we show the classification success results obtained with both systems. By considering the surface of the target zones, we can provide an approximate error for the WiFi-based localization system. The mean values are 73 % for WiFi and 75 % for magnetic field measurements. Considering the surface of each zone involved in the classification, a mean error of 7.6 m can be obtained using WiFi, and 6.1 m using magnetic field. But note that after this classification, our localization system provides more accurate estimates applying a regression technique to the magnetic field data associated to the zone resulting from the classification (results collected in Table 3). Nevertheless, it is previously necessary to carry out successful classification to ensure the accuracy of the location data.

Analyzing the results obtained from these two phone-based solutions to indoor localization, it can be seen that the WiFi-based system is more sensitive to the problem of adjacent zones: most of the classification errors occur at positions that are close together but belong to different adjacent zones. This is mainly due to the variable distribution of wireless signals in an indoor environment. However, the magnetic field-based localization is more sensitive to the problem of distinguishing zones where the magnetic field variability is low, as between zones 3, 4 and 5 in Table 4.

Table 4 Success in location classification considering WiFi and Magnetic Field

6.2 Token evaluation

According to the proposed scenario, the main elements of our location-aware access control mechanism are the subject and the smart object. The former has been implemented in a common smartphone whose features have been described in the previous section. In a real deployment, it is expected that non-expert users are able to communicate with surrounding smart objects via their mobile devices such as smartphones or tablets. Moreover, the smart object of our scenario was implemented in a JN5139 mote equipped with Contiki OS. JN5139 is a low power and low cost wireless microcontroller with a 16 MHz clock, which is suitable for IEEE 802.15.4 applications. These devices will be instantiated by resource-constrained devices in the context of smart buildings, such as lamps or door locks.

To demonstrate the feasibility of our solution, we executed 50 tests of the token evaluation stage taking into account the landmark values and magnetic field measurements. The results are shown in Table 5, with a minimum time of 494 ms and a maximum of 522 ms. The average time for the test suite is 508 ms, which represents around a 6 % increase compared to the results from Hernández-Ramos et al. (2013). This time includes the Round-Trip Time (RTT), since it is measured from the moment the subject sends the request until she gets the authorization response. At this point, it is worth mentioning that this time assumes that the subject is authorized to perform the action and, therefore, all steps of the authorization evaluation must be completed. If any of the steps in the evaluation fails, the authorization process is immediately aborted, without carrying out the remaining authorization steps. Therefore, in case the subject is unauthorized, the time to get the decision will always be shorter. This positively affects the energy consumption of the smart object, since fewer operations are required.

Table 5 Average time and deviation of the token evaluation stages for 50 tests

Table 5 shows the partial times that have been obtained from each of the tests. According to the results, and as expected, the most expensive phases correspond to the stages where cryptographic operations are required. In particular, the times for subject authentication and issuer’s signature validation are very similar, since both are mainly determined by our optimized ECDSA signature validation algorithm. However, it is worth mentioning that, unlike most previous proposals in smart environments, our ECC optimizations have allowed this functionality to be embedded into constrained devices. Moreover, the remaining time includes the stage to assess whether the user is inside the same building’s zone where the smart object is placed and other tasks to validate the capability token, which are described in more detail in Hernández-Ramos et al. (2013).

7 Conclusions and future work

Recent advancements in wireless communications and ambient intelligence are dramatically changing our perceptions of common physical places towards an integrated vision of smart objects as part of surrounding spaces. In these emerging scenarios, traditional access control mechanisms have to face new security risks since constrained devices are seamlessly integrated into the Internet infrastructure and can be accessed anytime and anywhere.

To overcome these challenges, this paper has introduced a novel location-aware access control mechanism in which authorization decisions are based on the combination of user location data and access credentials. Our proposed scenario has been designed by considering the constraints imposed by the use of resource-constrained devices, as well as the requirements of smart environments regarding flexibility and heterogeneity.

Specifically, this work has presented a novel localization system based on magnetic field measurements, which are provided by current smartphones’ magnetometers. In our approach, smart objects are not required to process the location data set related to the whole building space but only the building’s zone where they are placed. This design has enabled location estimation functionality to be embedded into smart objects and, consequently, additional hardware or infrastructure is not required. Our localization system is composed of two phases. During the off-line phase, building’s maps containing magnetic field features are generated, and the mechanism to estimate location data is implemented. Then, in the on-line phase, users provide the magnetic field measurements from their phones and these are translated into their associated location positions. We have performed some experiments to validate this localization system in terms of the accuracy achieved in location estimates. From these tests, a mean accuracy value of 2.9 m is achieved in a building’s zone 28 m long. This result is precise enough to be considered for our access control mechanism, taking into account the usual services which are commonly considered in smart buildings. Furthermore, the proposed location-aware authorization engine has been implemented taking into account the constraints of existing smart objects in terms of communication and processing power. The capability token design and ECC optimizations have enabled expensive cryptographic operations to be embedded into resource-constrained devices. These foundations have made possible its development and evaluation over a real platform based on the Jennic/NXP JN5139 chipset. The time required for the evaluation of the capability token has been around 0.5 s, making it totally feasible for a real environment.
Therefore, in our location-aware access control mechanism, no intermediate entities are required, offering the benefits of a decentralized approach for smart environments in terms of end-to-end security, scalability, interoperability, and flexibility.

The current working line is focused on testing the performance of our location-aware access control mechanism in a real smart building, specifically the Technology Transfer Center at the University of Murcia. Furthermore, we are developing a fuzzy approach to address the uncertainty of our solution associated to the accuracy of our localization system. Future work will focus on assessing the behavior of our access control mechanism when every smart object is aware of more than its own building’s zone, proposing to include larger magnetic field maps containing the characterization of several landmarks, and considering different building zones as evaluation scenarios. Moreover, given the sensitivity of location information, we plan to explore the use of additional techniques for enhancing privacy, such as attribute-based signatures (ABS) as an alternative to ECC-based signature schemes.