Privacy-Preserving Enforcement of Spatially Aware RBAC

Abstract

Several models for incorporating spatial constraints into role-based access control (RBAC) have been proposed, and researchers are now focusing on the challenge of ensuring such policies are enforced correctly. However, existing approaches have a major shortcoming, as they assume the server is trustworthy and require complete disclosure of sensitive location information by the user. In this work, we propose a novel framework and a set of protocols to solve this problem. Specifically, in our scheme, a user provides a service provider with role and location tokens along with a request. The service provider consults with a role authority and a location authority to verify the tokens and evaluate the policy. However, none of the servers learn the requesting user's identity, role, or location. In this paper, we define the protocols and the policy enforcement scheme, and present a formal proof of a number of security properties.

Keywords

Access control, Protocols, Encryption, Servers, Privacy, applied cryptography, RBAC, security

Date of this Version

2012

DOI

10.1109/TDSC.2011.62

Comments

IEEE Transactions on Dependable and Secure Computing, Sept.-Oct. 2012 (vol. 9, no. 5), pp. 627-640
