Privacy Preserving Personalized Access Control ...

Journal of Computational Information Systems 8: 7 (2012) 3051–3058 Available at http://www.Jofcis.com

Privacy Preserving Personalized Access Control Service at Third Service Provider ⋆

Xiuxia TIAN 1,∗, Chaofeng SHA 2, Xiaoling WANG 3, Aoying ZHOU 3

1 School of Computer and Information Engineering, Shanghai University of Electric Power, Shanghai 200090, China
2 School of Computer Science, Fudan University, Shanghai 200433, China
3 Software Engineering Institute, East China Normal University, Shanghai 200062, China

Abstract

With convenient network connectivity, more and more individual information, including sensitive information such as the contact list in a mobile phone or PDA, can be delegated to a professional third service provider to manage and maintain. However, the critical problems in this paradigm are to guarantee both the privacy of the delegated individual information and the privacy of authorized users and, more importantly, to give the owners of communication devices a high level of control and the power to create their own particular access control policies. In this paper, we present an approach to implementing personalized access control at the third service provider in a privacy preserving way. We illustrate and analyze the security properties of our approach by introducing misuse cases.

Keywords: Personalized Access Control; Privacy Preserving; Misuse Cases

1 Introduction

With the popularity and convenience of network connectivity in daily life, more and more companies (the third service providers) and individuals are increasingly dependent on electronic means to provide and enjoy services [10]. However, sensitive information, such as the contact list in a mobile phone or PDA, limits connectivity and sharing across such communication devices. In order to guarantee the privacy of the device owners, the sensitive information stored in their communication devices is kept local and is controlled by and accessible to the device owners only. As a result, once a device is lost or fails, a newly bought replacement device cannot conveniently recover or obtain the information from the old one. In this paper, we present a privacy preserving personalized access control service at the third service provider that implements the following three security requirements.

• Personalized access control. The device owners should have a high level of control and the power to create their own particular access control policies.
• Information confidentiality. In order to protect the privacy of delegated information against internal and external attackers, the third service provider should be unable to read the contents of the delegated information, but should have enough additional information to control authorized access on behalf of the device owners.
• The privacy of authorized users. Authorized users, including the device owners themselves, can access the required delegated information from the third service provider anonymously, anytime and anywhere.

⋆ This work was supported by Innovation Program of Shanghai Municipal Education Commission (No.Z2011087), supported by the NSFC grants (No.61170085, No.60903014, No.61073189).
∗ Corresponding author. Email address: [email protected] (Xiuxia TIAN).

1553–9105 / Copyright April 2012 © 2012 Binary Information Press

2 Related Work

Bertino [10] first presented the use of selective encryption based on the access control policy for XML document dissemination. But it was not until 2007 that Damiani addressed the problem of enforcing access control in DaaS by exploiting selective encryption. From then on, a lot of papers [13], [14], and [5] were proposed based on selective encryption. Those works resolved the access control problems by using selective encryption, but they didn't consider how the data owner enforces his/her access policies on the selectively encrypted data in terms of generating service authorization certifications for different authorized users.

The access policies in our approach also make use of concepts from both Role-Based Access Control (RBAC) and Discretionary Access Control (DAC) [1]. However, an access policy differs from a role in RBAC: it may represent a relationship between two different persons as in [4], such as a data owner and the person he/she is sharing his/her information with.

Another big challenge for deploying practical mobile application services for different authorized users in the DaaS scenario is how to provide sufficient mechanisms to guarantee user privacy [3], [5]. Bonatti et al. [15] first proposed a uniform framework for attribute-based access control specification and enforcement. Here the attributes are always provided through digital certificates (or credentials), which can be authenticated and verified by using the public key of the certificate owner. The following work [11] minimized the cost of key management by using attributes that can be associated with users. However, these approaches require the attributes in the access control policy to be sent in clear form. Therefore, to guarantee user privacy, the scheme proposed by Shang et al. [6] introduced cryptographic commitments to protect the privacy of users' identity attributes in the communication.

However, in most of the proposed papers [16], [6], the service providers can't reach both of the two goals: authenticating the legitimate users and ensuring that the users can access the delegated information from the data owner in a legal way. In this paper, conforming to the future development trend proposed in [7], we resolve this problem by generating service authorization certifications for different authorized users in terms of the personal access policies of the data owner, using the blind signature scheme [2].

3 Preliminaries

In this section we introduce the cryptographic primitives used in our approach.

3.1 Digital signature

Digital signature is implemented by using a public key encryption algorithm [9]. There are two keys associated with a digital signature algorithm, the public key $pk$ and the secret key $sk$. The public key $pk$ can be publicly known and is used to verify a signature produced by the expected information owner, while the secret key $sk$ is known only by the owner himself/herself and is used to compute the owner's signature. For example, the sender's signature $S(m) = RSA_{sk}(m)$ on information $m$ can be verified by the receiver using the sender's public key $pk$.

3.2 Blind signature

Blind signature is a variation of digital signature in which the information is blinded before it is signed [2]. Assume $f$ and $f^{-1}$ are the blinding function and unblinding function respectively. A blind signature scheme can be implemented by using any public key encryption scheme, such as RSA [9]. To generate a blind signature on message $m$, there are mainly three steps:

1) A user who wants to obtain the signature on message $m$ first blinds $m$ by using $f$, then sends the blinded message $f(m)$ to the signer;
2) The signer signs $f(m)$ as the standard signing algorithm does, such as the RSA signature $RSA_{sk}(f(m))$, and then sends the resulting blind signature $RSA_{sk}(f(m))$ back to the user;
3) The user unblinds the signature $RSA_{sk}(f(m))$ by using the unblinding function $f^{-1}$ to obtain the signer's signature $RSA_{sk}(m)$ on the original message $m$, that is, $f^{-1}(RSA_{sk}(f(m))) = RSA_{sk}(m)$.

4 The Proposed Scheme

This section presents our approach by describing and implementing its three functionalities.

4.1 Designing personalized access control policies

We mainly describe our personalized access control from the following two aspects:

DO's particular access and sharing requirements

The sensitive information in a mobile phone or PDA limits connectivity and sharing among such communication devices, because, in order to guarantee the privacy of device owners, the information stored in these devices is kept local and is controlled by and accessible to the owners only. However, once a device is lost or fails, a newly bought replacement device cannot conveniently recover or obtain the information in the old one. Therefore we list the DO's particular access and sharing requirements as follows:

• The device owner is the administrator and is in complete control of access to the information in his/her communication device. The device owner decides which permissions to assign to which type of user.
• In order to manage conveniently and query efficiently, the information in the communication device is classified into different groups according to the different relationship types between the DO and the DRs.
• Each piece of information in the communication device belongs to one relationship type.
• A personalized access control policy consists of different relationship types.
• Permission is granted by assigning a relationship type to a DR. A relationship type is a set of permissions.

Personalized access control model

Definition 1. A personalized access control policy (PACP) is composed of different relationship types. Each relationship type represents a relation between two kinds of users, the DO and the DR respectively. The relationship type also represents the permissions the DO grants the DR through the relationship type assignment.

We illustrate the personalized access control model in Fig. 1, where the relationship between the DO and the DR is established through the relationship type assignment.

[Fig. 1: Personalized access control model. Diagram relating DO, DR, PACP, relationship type, information, actions and permissions through the edges "Designed by", "Assigned to", "Composed of" and "Owned by".]

We define our PACP as follows:

• $U$: A set of users, $u_i, DO, DR_i \in U$.
• $DO$: A device owner or data owner.
• $R$: A set of relationship types, such as family member, senior schoolmate, colleague. For each $R_i \in R$, a unique relationship type identifier $RID_i$ is assigned, $RID_i \in RID$.
• $M$: A set of information entries in the communication devices, $m_i \in M$.
• $A$: A set of actions, such as read, write, read/write, $a_i \in A$. In our approach these are mainly read actions for DRs and read/write actions for the DO.
• $RP$: A set of permissions for the corresponding relationship type $R_i$, $RP = \{(a_i, R_i) \mid a_i \in A, R_i \in R\}$.
• PACP: Composed of relationship types, each relationship type $R_i \in R$. Each DO has his/her own PACP, which may have only one owner relationship type on the condition that the DO doesn't want to share his/her information with any other $DR_i$ except himself/herself.

4.2 Performing selective encryption

Let $E(\cdot)$ denote a symmetric encryption algorithm. $E(m, k)$ is the encrypted value of information $m$ under encryption key $k$ and encryption algorithm $E(\cdot)$. If $D(\cdot)$ denotes the corresponding symmetric decryption algorithm, then the equation $D(E(m, k), k) = m$ holds.

[Fig. 2: PACP registration and SA generation. Diagram of the DO, the DR, the DSP and the Service Authorization Generator, with the flows "PACP Registration", "Keys for PACP", "SA Request", "SA Certification" and "Personalized Access Control Information".]

Based on the properties of symmetric encryption, we encrypt the information selectively according to the relationship types in the PACP designed in Section 4.1. For each relationship type $RID_i \in RID$, an encryption key $k_{RID_i}$ is chosen. That is to say, the information entries $m_{i1}, ..., m_{in} \in M$ belonging to the same relationship type $RID_i$ are encrypted under the same encryption key $k_{RID_i}$. The key $k_{RID_i}$ is distributed directly to the $DR_i$ who is permitted by the DO to access the delegated information of this type.
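The following sketch is an added example, not code from the paper: it encrypts entries under one key per relationship type and shows that a key for one RID opens nothing else. The paper does not name $E(\cdot)$, so the HMAC-SHA256 encrypt-then-MAC construction is a standard-library stand-in; the DSP indexing ciphertexts by RID, the function names, keys and contact entries are all assumptions or constructed sample data.

```python
import hashlib
import hmac
import secrets

def _subkey(k: bytes, label: bytes) -> bytes:
    # Derive independent encryption and MAC keys from k_RID.
    return hmac.new(k, label, hashlib.sha256).digest()

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]

def E(m: bytes, k: bytes) -> bytes:
    """Stand-in for E(m, k): keystream XOR, then a MAC over nonce and ciphertext."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(m, _keystream(_subkey(k, b"enc"), nonce, len(m))))
    tag = hmac.new(_subkey(k, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def D(c: bytes, k: bytes) -> bytes:
    """Stand-in for D(c, k); raises ValueError under a wrong key or after tampering."""
    nonce, ct, tag = c[:16], c[16:-32], c[-32:]
    expected = hmac.new(_subkey(k, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or modified ciphertext")
    return bytes(a ^ b for a, b in zip(ct, _keystream(_subkey(k, b"enc"), nonce, len(ct))))

def delegate(entries, keys):
    """DO: encrypt each (RID, m) under k_RID; the result is all the DSP stores."""
    return [(rid, E(m, keys[rid])) for rid, m in entries]

def dr_read(store, rid, k_rid):
    """DR: fetch and decrypt the entries of one relationship type."""
    return [D(c, k_rid) for r, c in store if r == rid]

def exposed_by_collusion(store, leaked_keys):
    """Entries the DSP could read given the keys of colluding DRs ({RID: key})."""
    out = []
    for rid, c in store:
        for k in leaked_keys.values():
            try:
                out.append((rid, D(c, k)))
            except ValueError:
                pass  # this key does not open this entry
    return out

# Constructed sample data: two relationship types, three contact entries.
KEYS = {"RID1": secrets.token_bytes(32), "RID2": secrets.token_bytes(32)}
ENTRIES = [("RID1", b"Mum: 555-0101"), ("RID2", b"Li (office): 555-0147"),
           ("RID1", b"Brother: 555-0102")]
STORE = delegate(ENTRIES, KEYS)
```
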

4.3 Generating SA certification

The service authorization generator is used to generate the legitimate SA certification for each authorized DR. The generated SA certification is used to guarantee the identity privacy of the DR in the subsequent communication between the DR and the DSP. To achieve this purpose, as shown in Fig. 2, the service authorization generator needs to complete the following three processes.

Key pairs generation process

As shown in Fig. 2, each DO who wants to delegate his/her information to the DSP needs to register his/her PACP at the service authorization generator. For each relationship type $R_i \in PACP$, the service authorization generator generates a key pair $(sk_{RID_i}, pk_{RID_i})$ in terms of the relationship type identifier $RID_i$. $sk_{RID_i}$ is the secret key and $pk_{RID_i}$ is the corresponding public key. $sk_{RID_i}$ is used to sign the blinded certification identifier submitted by the legitimate authorized DR. $pk_{RID_i}$ is used by the DSP to verify the validity of the DR's SA certification.

SA certification generation process

The SA certification generation process needs to complete the following three phases based on the blind signature scheme [2].

• The blinded phase of DR's certification identifier. The DR first chooses two random numbers $rand_1$ and $rand_2$. Then he/she generates a digest $CID_{DR} = H(ID_{DR}, rand_1, sk_{DR})$ as his/her certification identifier by applying the hash function $H(\cdot)$ to his/her private key $sk_{DR}$, the identifier $ID_{DR}$, and $rand_1$. Finally he/she blinds the generated $CID_{DR}$ with the blind factor, which is generated by encrypting $rand_2$ under the public key $pk_{RID_i}$ of the relationship identifier $RID_i$. The blinded information $BCID_{DR} = E(rand_2, pk_{RID}) \cdot CID_{DR}$ hides the association between the certification identifier and the real identity of the DR.
• The phase of blind signature generation. After receiving the information $ID_{DR}$, $BCID_{DR}$, $S_{DR}$, $RID$ from the DR, where $S_{DR} = E(H(ID_{DR}), sk_{DR})$, the service authorization generator first verifies the legitimacy of the DR with the DR's public key $pk_{DR}$. If the verification equation is false, then the service authorization generator refuses to sign $BCID_{DR}$. Otherwise the service authorization generator signs $BCID_{DR}$ with the private key $sk_{RID_i}$ of the relationship identifier $RID_i$ to obtain the signature $BS_{CID} = E(BCID_{DR}, sk_{RID})$.
• The phase of unblinded blind signature. If the DR is authenticated to be legitimate, then he/she will obtain the correct signature $BS_{CID}$. By computing $BS_{CID}/rand_2$, the DR gets the real signature $S_{CID}$ for the certification identifier $CID_{DR}$. $\langle CID_{DR}, S_{CID} \rangle$ is the SA certification for the DR and is used to implement the anonymous authorization and service between the DR and the DSP. From the SA certification the DSP cannot derive any private identity information about the DR.

The additional personal access control information delegation process

Suppose the DSP is trusted in authenticating the DRs and performing the normal database operations correctly. In order for the DSP to efficiently control the authorized access to the delegated information in terms of the PACP of the DO, the DSP needs to know the mapping between the relationship identifier $RID_i$ and its corresponding public key $pk_{RID_i}$. For this purpose, as shown in Table 1, the additional personal control information table consists of only three attributes: RID, $pk_{RID}$, and HashOID. RID is the set of values for the different relationship identifiers in the PACP and $pk_{RID}$ is the set of values for the corresponding public keys.

Table 1: Personal access control information

| RID  | pkRID    | HashOID   |
|------|----------|-----------|
| RID1 | 5gavt4w3 | 418373718 |
| RID2 | 8uhiush5 | 418373718 |
| RID3 | frgbgf5h | 418373718 |
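The three phases of SA certification generation, together with the blind signature steps of Section 3.2, can be traced in the following added example, which is not the authors' code. It assumes that $E(x, pk)$ and $E(x, sk)$ are textbook RSA exponentiations without padding, that $H(\cdot)$ is SHA-256 reduced modulo $n$, and it uses constructed toy keys built from Mersenne primes; all function names are illustrative.

```python
import hashlib
import secrets
from math import gcd

E_PUB = 65537  # public exponent shared by both toy keys (assumption)

def toy_keypair(p, q):
    """Textbook RSA key from two primes: returns (n, d). Illustration only."""
    return p * q, pow(E_PUB, -1, (p - 1) * (q - 1))

# Constructed toy keys: far too small and too structured for real use.
N_RID, D_RID = toy_keypair(2**127 - 1, 2**89 - 1)  # pk_RID / sk_RID (generator)
N_DR, D_DR = toy_keypair(2**107 - 1, 2**61 - 1)    # pk_DR / sk_DR (the DR)

def H(*parts, n):
    """SHA-256 over the joined parts, reduced to an integer modulo n."""
    data = b"|".join(str(p).encode() for p in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def dr_blind(id_dr):
    """DR: build CID_DR, blind it with E(rand2, pk_RID), and sign H(ID_DR)."""
    rand1 = secrets.randbits(128)
    while True:
        rand2 = secrets.randbelow(N_RID - 2) + 2
        if gcd(rand2, N_RID) == 1:  # rand2 must be invertible to unblind later
            break
    cid = H(id_dr, rand1, D_DR, n=N_RID)             # CID_DR
    bcid = (pow(rand2, E_PUB, N_RID) * cid) % N_RID  # BCID_DR
    s_dr = pow(H(id_dr, n=N_DR), D_DR, N_DR)         # S_DR
    return cid, rand2, bcid, s_dr

def generator_sign(id_dr, bcid, s_dr):
    """Generator: check S_DR with pk_DR, then sign BCID_DR with sk_RID."""
    if pow(s_dr, E_PUB, N_DR) != H(id_dr, n=N_DR):
        return None  # DR not authenticated: refuse to sign
    return pow(bcid, D_RID, N_RID)                   # BS_CID = rand2 * CID^d

def dr_unblind(bscid, rand2):
    """DR: S_CID = BS_CID / rand2 (division is a modular inverse)."""
    return (bscid * pow(rand2, -1, N_RID)) % N_RID

def dsp_verify(cid, scid):
    """DSP: accept <CID_DR, S_CID> if it verifies under pk_RID (from Table 1)."""
    return pow(scid, E_PUB, N_RID) == cid

def issue_sa_certificate(id_dr):
    """Run the whole exchange; returns <CID_DR, S_CID> or None on refusal."""
    cid, rand2, bcid, s_dr = dr_blind(id_dr)
    bscid = generator_sign(id_dr, bcid, s_dr)
    return None if bscid is None else (cid, dr_unblind(bscid, rand2))
```

The generator sees only $ID_{DR}$ and $BCID_{DR}$, while the DSP sees only $\langle CID_{DR}, S_{CID} \rangle$; without $rand_2$ the two views cannot be matched, which is the anonymity property the section relies on.
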

5 Security Analysis

Misuse cases have been proposed as an approach to identify threats and required countermeasures [17]. Due to the page limit, in this section we only analyze the security guarantee of our approach from the misuse case for access control in Fig. 3.

Misuse case for access control

[Fig. 3: Misuse case: access control enforcement. Actors: authorized DR, external attacker, internal attacker including DSP. Cases: access delegated information, unauthorized access to delegated information, attack privacy of delegated information, personalized access control, SA certification, selective encryption.]

From Fig. 3, the selective encryption and the SA certification, which both extend the personalized access control policy of the DO, are used to prevent unauthorized access to the delegated information.

• Firstly, selective encryption of the source information in terms of the PACP protects the delegated encrypted information against internal and external attackers, including the DSP, because the DSP knows nothing about the encryption keys, which are distributed to the DRs directly by the corresponding DO through secure means. If the DSP colludes with some DR, only the compromised DR's delegated information is disclosed; any other DR's delegated information is still confidential.
• Secondly, the SA certification for each legitimate DR, generated with regard to the PACP, is used to help the DSP decide what service and delegated information the DR can access. The SA certification is also used to authenticate the legitimacy of the DR by using the public key for it. Different SA certifications represent different access control privileges, and thus make differentiated access control in terms of the PACP possible at the DSP.

From the two cases above, we know that the DSP can't read the delegated information, but he/she has enough additional information to control unauthorized access by both internal and external attackers.

6 Conclusions and Future Work

In this paper, we present a privacy preserving personalized access control service at the third service provider so as to address the connectivity and sharing problem among devices such as mobile phones. The proposed approach not only guarantees the privacy of delegated information by using selective encryption, but also controls the authorized access to the delegated information by using the SA certification and selective encryption for each legitimate DR. Our future work in this research direction is to construct the general mapping scheme and interface between the DR and the third service provider.

References

[1] S. Osborn, R. Sandhu, and Q. Munawer. Configuring role-based access control to enforce mandatory and discretionary access control policies. ACM Trans. Inf. Syst. Secur., 3(2): 85-106, 2000.
[2] D. Chaum. Blind Signatures for Untraceable Payments. Advances in Cryptology Proceedings of Crypto, D. Chaum, R. L. Rivest, A. T. Sherman (Eds.), Plenum, pages 199-203, 1982.
[3] M. Wu and A. Friday. Integrating Privacy Enhancing Services in Ubiquitous Computing Environments. Workshop on Security in Ubiquitous Computing, 4th International UBICOMP, 2002.
[4] L. Rostad. An initial model and a discussion of access control in patient controlled health records. In the International Workshop on Privacy and Assurance, Proceedings of the International Conference on Availability, Reliability and Security, Barcelona, Spain, 2008.
[5] B. C. M. Fung, K. Wang, R. Chen and P. S. Yu. Privacy-preserving data publishing: A survey on recent developments. In ACM Computing Surveys, 42(4): 14: 1-53, 2010.
[6] N. Shang, M. Nabeel, F. Paci, and E. Bertino. A privacy-preserving approach to policy-based content dissemination. In Proc. of 26th ICDE Conf., pages 944-955, 2010.
[7] T. Allard, N. Anciaux, L. Bouganim, Y. L. Guo, L. Folgoc, B. Nguyen, P. Pucheral, I. Ray, I. Ray, and S. Yin. Secure Personal Data Servers: a Vision Paper. In Proc. of 36th VLDB Conf., 2010.
[8] E. Damiani, S. De Capitani di Vimercati, S. Foresti, S. Jajodia, S. Paraboschi, and P. Samarati. Selective Data Encryption in Outsourced Dynamic Environments. Electronic Notes in Theoretical Computer Science, Vol. 168, pages 127-142, 2007.
[9] A. Menezes, S. Vanstone, and P. Van. Handbook of Applied Cryptography. Boca Raton, FL, USA: CRC Press, Inc., 1996.
[10] E. Bertino and E. Ferrari. Secure and selective dissemination of XML documents. ACM Trans. Inf. Syst. Secur., 5(3): 290-331, 2002.
[11] V. Goyal, O. Pandey, A. Sahai, and B. Waters. Attribute-based encryption for fine-grained access control of encrypted data. In Proc. of the 13th ACM conference on Computer and communications security. New York, NY, USA: ACM, pages 89-98, 2006.
[12] F. Emekci, D. Agrawal, A. El Abbadi, and A. Gulbeden. Privacy preserving query processing using third parties. In Proc. of 22th ICDE Conf., April 2006.
[13] S. De Capitani di Vimercati, S. Foresti, S. Jajodia, S. Paraboschi, and P. Samarati. Over-encryption: management of access control evolution on outsourced data. In Proc. of the 33th VLDB Conf., Vienna, Austria, pages 123-134, September 2007.
[14] X. X. Tian, X. L. Wang, and A. Y. Zhou. DSP RE-Encryption: A Flexible Mechanism for Access Control Enforcement Management in DaaS. IEEE International Conference on Cloud Computing, pages 25-32, 2009.
[15] P. Bonatti and P. Samarati. A unified framework for regulating access and information release on the web. Journal of Computer Security, 10(3): 241-272, 2002.
[16] N. Anciaux, M. Benzine, L. Bouganim, P. Pucheral, and D. Shasha. Ghostdb: querying visible and hidden data without leaks. In Proc. of the ACM SIGMOD Conf., pages 677-688, 2007.
[17] G. Sindre, A. L. Opdahl, and G. F. Brevik. Eliciting security requirements with misuse cases. Requirements Engineering, 10(1): 34-44, 2005.