Mask: a system for privacy-preserving policy-based access to published content


We propose to demonstrate Mask, the first system addressing the seemingly-unsolvable problem of how to selectively share contents among a group of users based on access control policies expressed as conditions against the identity attributes of these users while at the same time assuring the privacy of these identity attributes from the content publisher. Mask consists of three entities: a Content Publisher, Users referred to as Subscribers, and Identity Providers that issue certified identity attributes. The content publisher specifies access control policies against identity attributes of subscribers indicating which conditions the identity attributes of a subscriber must verify in order for this subscriber to access a document or a subdocument. The main novelty of Mask is that, even though the publisher is able to match the identity attributes of the subscribers against its own access control policies, the publisher does not learn the values of the identity attributes of the subscribers; the privacy of the authorized subscribers is thus preserved. Based on the specified access control policies, documents are divided into subdocuments and the subdocuments having different access control policies are encrypted with different keys. Subscribers derive the keys corresponding to the subdocuments they are authorized to access. Key distribution in Mask is supported by a novel group key management protocol by which subscribers can reconstruct the decryption keys from the subscription information they receive from the publisher. The publisher however does not learn which decryption keys each subscriber is able to reconstruct. In this demonstration, we show our system using a healthcare scenario.


MASK, identity attributes, privacy, content publisher, access control policies

Date of this Version



SIGMOD '10 Proceedings of the 2010 international conference on Management of data