Abstract When studying traditional access control models, one could conclude that they have been proven inefficient in handling modern security threats, with access decisions influenced by several factors, including situational, environmental and risk factors. Accordingly, several studies have proposed risk-aware access control models to overcome the limitations of the traditional models. In this paper, the authors continue to improve on a previously proposed risk adaptive hybrid access control system, in which risk assessment is performed using a multilevel fuzzy inference system, by introducing an enhanced multi-key model for generating the symmetric encryption key dynamically for each user on demand. Consequently, the proposed model helps in solving the issue of having a single point of failure caused by employing a master encryption key, as in the previous models. The experimental results show that the proposed multi-key model does, indeed, improve the overall security of the system while preserving the previous model architecture and with negligible processing overhead.

References

[1] Ahmed A. and Zhang N., Towards the Realisation of Context-Risk-Aware Access Control in Pervasive Computing, Telecommunication Systems, vol. 45, no. 2-3, pp. 127-137, 2009.

[2] Al-Zewairi M., Alqatawna J., and Al-Kadi O., Privacy and Security for RFID Access Control Systems: RFID Access Control Systems without Back-End Database, in Proceedings of the IEEE Jordan Conference on Applied Electrical Engineering and Computing Technologies, Amman, pp. 272-277, 2011.

[3] Al-Zewairi M., Alqatawna J., and Atoum J., Risk Adaptive Hybrid RFID Access Control System, Security Communication Networks, vol. 8, no. 18, pp. 3826-3835, 2015.

[4] Al-Zewairi M., Suleiman D., and Shaout A., Multilevel Fuzzy Inference System for Risk Adaptive Hybrid RFID Access Control System, in Proceedings of Cyber security and Cyber forensics Conference, Amman, pp. 17, 2016.

[5] An R., Feng H., Liu Q., and Li L., Three Elliptic Curve Cryptography-Based RFID Authentication Protocols for Internet of Things, in Advances on Broad-Band Wireless Computing, Communication and Applications, 2016.

[6] Bijon K., Krishnan R., and Sandhu R., A Framework for Risk-Aware Role Based Access Control, in Proceedings of IEEE Conference on Communications and Network Security, National Harbor, pp. 462-469, 2013.

[7] Cheng P., Rohatgi P., Keser C., Karger P., Wagner G., and Reninger A., Fuzzy Multi- 590 The International Arab Journal of Information Technology, Vol. 15, No. 3A, Special Issue 2018 Level Security: An Experiment on Quantified Risk-Adaptive Access Control, in Proceedings of IEEE Symposium on Security and Privacy, pp. 222-230, 2007.

[8] Chikouche N., Formal Analysis of a Novel RFID Authentication Protocol, in Proceedings of the 8th International Conference on Computing, Communication and Networking Technologies, pp. 1-7, 2017.

[9] Cole P. and Ranasinghe D., Networked RFID Systems and Lightweight Cryptography: Raising Barriers to Product Counterfeiting, Springer, 2008.

[10] Dass P. and Om H., A Secure Authentication Scheme for RFID Systems, Procedia Computer Science, vol. 78, pp. 100-106, 2016.

[11] Dinarvand N. and Barati H., An Efficient and Secure RFID Authentication Protocol Using Elliptic Curve Cryptography, Wireless Networks, pp. 1-14, 2017.

[12] Dosko il R., An Evaluation of Total Project Risk Based on Fuzzy Logic, Business: Theory and Practice, vol. 17, no. 1, pp. 23-31, 2016.

[13] Fall D., Okuda T., Kadobayashi Y., and Yamaguchi S., Risk Adaptive Authorization Mechanism (RAdAM) for Cloud Computing, Journal of Information Processing, vol. 24, no. 2, pp. 371-380, 2016.

[14] Ferdous M., Margheri A., Paci F., Yang M., and Sassone V., Decentralised Runtime Monitoring for Access Control Systems in Cloud Federations, in Proceedings of the IEEE 37th International Conference on Distributed Computing Systems, pp. 2632-2633, 2017.

[15] Huh J., Bobba R., Markham T., Nicol D., Hull J., Chernoguzov A., Khurana H., Staggs K., and Huang J., Next-Generation Access Control for Distributed Control Systems, IEEE Internet Computing, vol. 20, no. 5, pp. 28-37, 2016.

[16] Karda S. and Gen Z., Security Attacks and Enhancements to Chaotic Map-Based RFID Authentication Protocols, Wireless Personal Communications, vol. 98, no. 1, pp. 1135-1154, 2018.

[17] Karp A., Haury H., and Davis M., From ABAC to ZBAC: The Evolution of Access Control Models, Technical Report, 2009.

[18] Lv C., Li H., Ma J., and Zhang Y., Vulnerability Analysis of Elliptic Curve Cryptography-Based RFID Authentication Protocols, Transactions on Emerging Telecommunications Technologies, vol. 23, no. 7, pp. 618-624, 2012.

[19] Majumdar S., Dhuri K., Dongre S., and Badwaik M., RFID Tag Security, Personal Privacy Protocols and Privacy Model, International Journal of Exploring Emerging Trends in Engineering, vol. 3, no. 04, pp. 247-251, 2016.

[20] Malik A., Anwar H., and Shibli M., Self- Adaptive Access Control Delegation in Cloud Computing, in Proceedings of 17th IEEE/ACIS International Conference on Software Engineering, Artificial Intelligence, Networking and Parallel/Distributed Computing, Shanghai, pp. 169-176, 2016.

[21] Mohandes M., Deriche M., Ahmadi H., Kousa M., and Balghonaim A., An Intelligent System for Vehicle Access Control using RFID and ALPR Technologies, Arabian Journal for Science and Engineering, vol. 41, no. 9, pp. 3521-3530, 2016.

[22] Ni Q., Bertino E., and Lobo J., Risk-Based Access Control Systems Built on Fuzzy Inferences, in Proceedings of the 5th ACM Symposium on Information, Computer and Communications Security, New York, pp. 250- 260, 2010.

[23] Nogoorani S. and Jalili R., TIRIAC: A Trust- Driven Risk-Aware Access Control Framework for Grid Environments, Future Generation Computer Systems, vol. 55, pp. 238-254, 2016.

[24] Raj M., Pote S., Mhaske A., and Mahakale R., Bus Security and Attendance Management for School Children Using RFID, Imperial Journal of Interdisciplinary Research, vol. 2, no. 3, 2016.

[25] Sallam H., Cyber Security Risk Assessment Using Multi Fuzzy Inference System, International Journal of Engineering and Innovative Technology, vol. 4, no. 8, pp. 13-19, 2015.

[26] Shaikh R., Adi K., Logrippo L., and Mankovski S., Risk-Based Decision Method for Access Control Systems, in Proceedings of 9th Annual International Conference on Privacy, Security and Trust, pp. 189-192, 2011.

[27] Shu Y., Gu Y. J., and Chen J., Dynamic Authentication with Sensory Information for the Access Control Systems, IEEE Transactions on Parallel and Distributed Systems, vol. 25, no. 2, pp. 427-436, 2014.

[28] Tounsi W., Cuppens-Boulahia N., Cuppens F., and Pujolle G., Access and Privacy Control Enforcement in RFID Middleware Systems: Proposal and Implementation on the Fosstrak Platform, World Wide Web, vol. 19, no. 1, pp. 41-68, 2016.

[29] Yang L., Wu Q., Bai Y., Zheng H., and Lin S., An Improved Hash-Based RFID Two-Way Security Authentication Protocol And Application in Remote Education, Journal of Intelligent and Fuzzy Systems, vol. 31, no. 5, pp. 2713-2720, 2016. A new Model of Multi-Key Generation for RFID Access Control System 591 Mustafa Al-Fayoumi received a BSc degree in Computer Science from Yarmouk University, Irbid, Jordan, in 1988. He earned an MSc degree in Computer Science from the University of Jordan, Amman, Jordan, in 2003, and his PhD in Computer Science from the Faculty of Science and Technology at Anglia University, UK, in 2009. Currently, he is the Dean s Assistant for King Hussein School of computing sciences at Princess Sumaya University for Technology (PSUT), Jordan. His research interests include computer security, cryptography, identification and authentication, wireless and mobile networks security, e-application security, simulation and modelling, algorithm analyses and design, information retrieval, data mining and other related topics. Malek Al-Zewairi is an Information Security Researcher, Consultant, and Trainer. He has over six years of experience in the information security field and holds more than 16 Professional Security Certificates. He also sits on several International Security Boards and Committees. Malek is currently, a PhD candidate at Princess Sumaya University for Technology studying Computer Science with a focus on information security. His research interests lie primarily in the area of intelligence and security informatics, network security and RFID. Salam Hamdan is a PhD candidate in Computer Science at Princess Sumaya University for Technology. She received her bachelor s degree in Computer Engineering from Al- Balqa Applied University, 2012. She received her master s degree in Information System Security and Digital Criminology from Princess Sumaya University for Technology (PSUT), 2015. Her research interests include hardware security, network security and vehicular ad hoc networks.