• DocumentCode
    568990
  • Title
    Towards privacy-preserving access control with hidden policies, hidden credentials and hidden decisions
  • Author
    Harbach, Marian ; Fahl, Sascha ; Brenner, Michael ; Muders, Thomas ; Smith, Matthew
  • Author_Institution
    Distrib. Comput. & Security Group, Leibniz Univ. Hannover, Hannover, Germany
  • fYear
    2012
  • fDate
    16-18 July 2012
  • Firstpage
    17
  • Lastpage
    24
  • Abstract
    The growing adoption of cloud technology in sensitive application domains, such as medicine, gives rise to new problems in maintaining the privacy of the involved parties during authorisation. In such domains, an honest but curious service provider can derive sensitive information purely from the authorisation process. In this paper, we present a detailed discussion of this rising problem including a concrete example and argue the need for the combination of hidden credentials, hidden policies and hidden decisions. We then show that mechanisms explored in previous work only cover individual aspects of this problem, but do not achieve a comprehensive solution without making restrictive assumptions on the resources, policies or subjects to be protected. As a first step towards solving this problem, we introduce an abstract foundation for using homomorphic cryptography to provide the required combination of privacy as a wrapper for other access control (AC) mechanisms. We achieve hidden policies, hidden credentials and even hidden access control decisions, so that the subject of an AC request only learns whether or not access was granted. Meanwhile, the provider of a resource learns nothing at the policy decision point and only access frequencies for individual resources at the policy enforcement point. We postulate that this is the maximum achievable level of protection in the authorisation process, without making restrictive assumptions on the resources, policies or subjects to be protected. Once homomorphic cryptography achieves satisfactory performance, our model can be used to transparently add this protection to other access control models.
  • Keywords
    authorisation; cryptography; data privacy; abstract foundation; authorisation process; cloud technology; hidden credentials; hidden decisions; hidden policies; homomorphic cryptography; AC request; medicine; policy decision point; policy enforcement point; privacy-preserving access control; sensitive application domains; service provider; Authorization; Biomedical imaging; Cryptography; Medical services; Privacy; Access Control; Hidden Credentials; Hidden Decisions; Hidden Policies; Homomorphic Cryptography
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Privacy, Security and Trust (PST), 2012 Tenth Annual International Conference on
  • Conference_Location
    Paris
  • Print_ISBN
    978-1-4673-2323-9
  • Electronic_ISBN
    978-1-4673-2325-3
  • Type
    conf
  • DOI
    10.1109/PST.2012.6297915
  • Filename
    6297915