
Latest articles from ACM Transactions on Information and System Security

MPSS: Mobile Proactive Secret Sharing
Pub Date: 2010-12-01 DOI: 10.1145/1880022.1880028
David A. Schultz, B. Liskov, Moses D. Liskov
This article describes MPSS, a new way to do proactive secret sharing. MPSS provides mobility: The group of nodes holding the shares of the secret can change at each resharing, which is essential in a long-lived system. MPSS additionally allows the number of tolerated faulty shareholders to change when the secret is moved so that the system can tolerate more (or fewer) corruptions; this allows reconfiguration on-the-fly to accommodate changes in the environment. MPSS includes an efficient protocol that is intended to be used in practice. The protocol is optimized for the common case of no or few failures, but degradation when there are more failures is modest. MPSS contains a step in which nodes accuse proposals made by other nodes; we show a novel way to handle these accusations when their verity cannot be known. We also present a way to produce accusations that can be verified without releasing keys of other nodes; verifiable accusations improve the performance of MPSS, and are a useful primitive independent of MPSS.
Citations: 55
Authenticated Index Structures for Aggregation Queries
Pub Date: 2010-12-01 DOI: 10.1145/1880022.1880026
Feifei Li, Marios Hadjieleftheriou, G. Kollios, L. Reyzin
Query authentication is an essential component in Outsourced DataBase (ODB) systems. This article introduces efficient index structures for authenticating aggregation queries over large datasets. First, we design an index that features good performance characteristics for static environments. Then, we propose more involved structures for the dynamic case. Our structures feature excellent performance for authenticating queries with multiple aggregate attributes and multiple selection predicates. Furthermore, our techniques cover a large number of aggregate types, including distributive aggregates (such as SUM, COUNT, MIN, and MAX), algebraic aggregates (such as the AVG), and holistic aggregates (such as MEDIAN and QUANTILE). We have also addressed the issue of authenticating aggregation queries efficiently when the database is encrypted to protect data confidentiality. Finally, we implemented a working prototype of the proposed techniques and experimentally validated the effectiveness and efficiency of our methods.
Citations: 88
Pairing-Based Onion Routing with Improved Forward Secrecy
Pub Date: 2010-12-01 DOI: 10.1145/1880022.1880023
Aniket Kate, Gregory M. Zaverucha, I. Goldberg
This article presents new protocols for onion routing anonymity networks. We define a provably secure privacy-preserving key agreement scheme in an identity-based infrastructure setting, and use it to design new onion routing circuit constructions. These constructions, based on a user’s selection, offer immediate or eventual forward secrecy at each node in a circuit and require significantly less computation and communication than the telescoping mechanism used by the Tor project. Further, the use of an identity-based infrastructure also leads to a reduction in the required amount of authenticated directory information. Therefore, our constructions provide practical ways to allow onion routing anonymity networks to scale gracefully.
Citations: 49
Identity Escrow Protocol and Anonymity Analysis in the Applied Pi-Calculus
Pub Date: 2010-12-01 DOI: 10.1145/1880022.1880035
Aybek Mukhamedov, M. Ryan
Anonymity with identity escrow attempts to allow users of an online service to remain anonymous, while providing the possibility that the service owner can break the anonymity in exceptional circumstances, such as to assist in a criminal investigation. In this article, we propose an identity escrow protocol that distributes user identity among several escrow agents. The main feature of our scheme is that it is based on standard encryption algorithms and provides user anonymity even if all but one of the escrow holders are dishonest and acting in a coalition. We also present an analysis of the anonymity property of our protocol in the applied pi-calculus. We review a related scheme by Marshall and Molina-Jiminez [2003] that aimed to achieve goals similar to ours, and show that their scheme suffers from serious weaknesses.
Citations: 6
BLAC: Revoking Repeatedly Misbehaving Anonymous Users without Relying on TTPs
Pub Date: 2010-12-01 DOI: 10.1145/1880022.1880033
Patrick P. Tsang, M. Au, Apu Kapadia, Sean W. Smith
Several credential systems have been proposed in which users can authenticate to service providers anonymously. Since anonymity can give users the license to misbehave, some variants allow the selective deanonymization (or linking) of misbehaving users upon a complaint to a Trusted Third Party (TTP). The ability of the TTP to revoke a user’s privacy at any time, however, is too strong a punishment for misbehavior. To limit the scope of deanonymization, some systems have been proposed in which users can be deanonymized only if they authenticate “too many times,” such as “double spending” with electronic cash. While useful in some applications, such techniques cannot be generalized to more subjective definitions of misbehavior, for example, using such schemes it is not possible to block anonymous users who “deface too many Web pages” on a Web site. We present BLAC, the first anonymous credential system in which service providers can revoke the credentials of misbehaving users without relying on a TTP. Since revoked users remain anonymous, misbehaviors can be judged subjectively without users fearing arbitrary deanonymization by a TTP. Additionally, our construction supports a d-strikes-out revocation policy, whereby users who have been subjectively judged to have repeatedly misbehaved at least d times are revoked from the system. Thus, for the first time, it is indeed possible to block anonymous users who have “defaced too many Web pages” using our scheme.
Citations: 55
Private and Continual Release of Statistics
Pub Date: 2010-07-06 DOI: 10.1145/2043621.2043626
T-H. Hubert Chan, E. Shi, D. Song
We ask the question: how can Web sites and data aggregators continually release updated statistics, and meanwhile preserve each individual user’s privacy? Suppose we are given a stream of 0’s and 1’s. We propose a differentially private continual counter that outputs at every time step the approximate number of 1’s seen thus far. Our counter construction has error that is only poly-log in the number of time steps. We can extend the basic counter construction to allow Web sites to continually give top-k and hot items suggestions while preserving users’ privacy.
Citations: 471
Privacy-aware role-based access control
Pub Date: 2010-07-01 DOI: 10.1145/1805974.1805980
Qun Ni, E. Bertino, Jorge Lobo, C. Brodie, Clare-Marie Karat, J. Karat, Alberto Trombeta
In this article, we introduce a comprehensive framework supporting a privacy-aware access control mechanism, that is, a mechanism tailored to enforce access control to data containing personally identifiable information and, as such, privacy sensitive. The key component of the framework is a family of models (P-RBAC) that extend the well-known RBAC model in order to provide full support for expressing highly complex privacy-related policies, taking into account features like purposes and obligations. We formally define the notion of privacy-aware permissions and the notion of conflicting permission assignments in P-RBAC, together with efficient conflict-checking algorithms. The framework also includes a flexible authoring tool, based on the use of the SPARCLE system, supporting the high-level specification of P-RBAC permissions. SPARCLE supports the use of natural language for authoring policies and is able to automatically generate P-RBAC permissions from these natural language specifications. In the article, we also report performance evaluation results and contrast our approach with other relevant access control and privacy policy frameworks such as P3P, EPAL, and XACML.
Citations: 320
Editorial SACMAT 2007
Pub Date: 2010-07-01 DOI: 10.1145/1805974.1805979
B. Thuraisingham
This special issue consists of enhanced versions of five of the articles presented at the ACM Symposium on Access Control Models and Technologies (SACMAT) held in Sophia Antipolis, France, in June 2007. SACMAT has become the premier forum for presentation of research results and experience reports on leading edge issues of access control including models, systems, applications, and theory. The mission of the symposium is to share novel access control solutions that fulfill the needs of heterogeneous applications and environments as well as to identify new directions for future research and development. The article “Privacy-aware Role-Based Access Control” by Q. Ni, E. Bertino, J. Lobo, C. Brodie, C.-M. Karat, J. Karat, and A. Trombetta extends the popular role-based access control model with complex and realistic privacy policies. The article describes the security model as well as the design and implementation of a system based on this privacy-aware role-based access control, also known as P-RBAC. The authors also compare and contrast their system with those based on other privacy models including P3P, EPAL, and XACML. The article “On the Consistency of Distributed Proofs with Hidden Subtrees” by A. Lee, K. Minami, and M. Winslett describes a mechanism for distributed proofs appropriate for pervasive systems. The authors show that consistency constraints may be enforced in a proof system where the complete proofs are not available to the queriers. They also present their performance results that show that the overhead is modest. The article “A Logical Specification and Analysis for SELinux MLS Policy” by B. Hicks, S. Rueda, L. St. Clair, T. Jaeger, and P. McDaniel states that the SELinux multilevel security policy is difficult to verify due to its richness. They then describe a logic-based specification and implementation of this specification in Prolog. They also develop some analyses to test the properties of a policy. In the article “The Role Mining Problem: A Formal Perspective” by J. Vaidya, V. Atluri, and Q. Guo, the authors define the Role Mining Problem as the problem of discovering an optimal set of roles from existing user permissions. The article analyzes the theoretical bounds of the Role Mining Problem and shows the reducibility of this problem to several problems already identified in the data mining and data analysis literature. Subsequently, the authors borrow the existing implementation solutions that guide their research. The article “A Framework to Enforce Access Control Over Data Streams” by B. Carminati, E. Ferrari, and K. L. Tan describes an access control model for data streams. The authors specify a secure algebra for data stream query processing and describe the design of a system for access control enforcement.
Citations: 2
Combining fragmentation and encryption to protect privacy in data storage
Pub Date: 2010-07-01 DOI: 10.1145/1805974.1805978
V. Ciriani, S. Vimercati, S. Foresti, S. Jajodia, S. Paraboschi, P. Samarati
The impact of privacy requirements in the development of modern applications is increasing very quickly. Many commercial and legal regulations are driving the need to develop reliable solutions for protecting sensitive information whenever it is stored, processed, or communicated to external parties. To this purpose, encryption techniques are currently used in many scenarios where data protection is required since they provide a layer of protection against the disclosure of personal information, which safeguards companies from the costs that may arise from exposing their data to privacy breaches. However, dealing with encrypted data may make query processing more expensive. In this article, we address these issues by proposing a solution to enforce the privacy of data collections that combines data fragmentation with encryption. We model privacy requirements as confidentiality constraints expressing the sensitivity of attributes and their associations. We then use encryption as an underlying (conveniently available) measure for making data unintelligible while exploiting fragmentation as a way to break sensitive associations among attributes. We formalize the problem of minimizing the impact of fragmentation in terms of number of fragments and their affinity and present two heuristic algorithms for solving such problems. We also discuss experimental results, comparing the solutions returned by our heuristics with respect to optimal solutions, which show that the heuristics, while guaranteeing a polynomial-time computation cost are able to retrieve solutions close to optimum.
Cited by: 232
The role mining problem: A formal perspective
Q Engineering Pub Date : 2010-07-01 DOI: 10.1145/1805974.1805983
Jaideep Vaidya, V. Atluri, Qi Guo
Devising a complete and correct set of roles has been recognized as one of the most important and challenging tasks in implementing role-based access control. A key problem related to this is the notion of goodness/interestingness—when is a role good/interesting? In this article, we define the Role Mining Problem (RMP) as the problem of discovering an optimal set of roles from existing user permissions. The main contribution of this article is to formally define RMP and analyze its theoretical bounds. In addition to the above basic RMP, we introduce two different variations of the RMP, called the Δ-Approx RMP and the minimal-noise RMP that have pragmatic implications. We reduce the known “Set Basis Problem” to RMP to show that RMP is an NP-complete problem. An important contribution of this article is also to show the relation of the RMP to several problems already identified in the data mining and data analysis literature. By showing that the RMP is in essence reducible to these known problems, we can directly borrow the existing implementation solutions and guide further research in this direction. We also develop a heuristic solution based on the previously proposed FastMiner algorithm, which is very accurate and efficient.
Cited by: 71
Journal: ACM Transactions on Information and System Security