Privacy-preserving photo sharing framework cross different social network

With rapid developments of digital photography and social networks,users of photo-sharing-supported social networking applications can easily forward photos across different social networks at the cost of their growing privacy concerns.To address this problem,a privacy-preserving photo sharing framework was proposed,which could apply to extended control and privacy invasion tracing.In extended control scheme,the following users on a dissemination chain was restrained by each user’s privacy policy.Then several privacy areas of photos were encrypted and the access control polices were bound to the uploaded photos,so that any privacy areas on the photos could be hidden away from unwanted viewers even across different social networks.On this basis,the behaviors of users were record by tracing scheme of privacy invasion,the integrality of records was protected by using nested signature algorithm.The correctness,security and performance of overhead of the scheme are then thoroughly analyzed and evaluated via detailed simulations.     

基于PBAC模型和IBE的医疗数据访问控制方案

医疗卫生领域形成的医疗大数据中包含了大量的个人隐私信息,面临着外部攻击和内部泄密的潜在安全隐患。传统的访问控制模型没有考虑用户访问目的在侧重数据隐私的访问控制中的重要作用,现有的对称、非对称加密技术又都存在密钥管理、证书管理复杂的问题。针对这些问题,提出了综合应用PBAC模型和IBE加密技术的访问控制方案,支持针对医疗数据密文的灵活访问控制。通过加入条件目的概念对PBAC模型进行扩展,实现了对目的树的全覆盖;以病患ID、条件访问位和预期目的作为IBE身份公钥进行病患数据加密,只有通过认证并且访问目的符合预期的用户才能获得相应的私钥和加密数据,从而实现对病患信息的访问。实验结果证明,该方案达到了细粒度访问控制和隐私保护的目的,并具有较好的性能。     

电子病历存储云系统访问控制研究

随着医疗信息化的快速发展,现行EMR系统在信息共享和安全性方面无法很好地满足医疗和患者的需要。文中基于云计算技术提出一种EMR存储云系统,为患者和医院提供统一的电子病历注册和使用服务,并重点对电子病历的访问控制策略进行了讨论,采用一般角色访问控制和用户个性化逐级授权相结合的策略,有效解决了动态授权和用户个性化需求问题,满足了患者对于信息安全性和隐私保护方面的需求。     

权限分离的属性基加密数据共享方案

属性基加密(ABE, attribute-based encryption)用于提供细粒度访问控制及一对多加密,现已被广泛应用于分布式环境下数据共享方案以提供隐私保护。然而,现有的属性基加密数据共享方案均允许数据拥有者任意修改数据,导致数据真实性无法保证,经常难以满足一些实际应用需求,如个人电子病例、审核系统、考勤系统等。为此,提出一种能保证数据真实可靠且访问控制灵活的数据共享方案。首先,基于RSA代理加密技术实现读写权限分离机制以保证数据真实可靠;其次,使用属性基加密机制提供灵活的访问控制策略;最后,利用关键字检索技术实现支持密钥更新的高效撤销机制。详细的安全性分析表明本方案能提供数据机密性以实现隐私保护,且性能分析和仿真表明本方案具有较高效率,能有效满足实际应用需求。     

The quest for personal control over mobile location privacy

How to protect location privacy of mobile users is an important issue in ubiquitous computing. However, location privacy protection is particularly challenging: on one hand, the administration requires all legitimate users to provide identity information in order to grant them permission to use its wireless service; on the other hand, mobile users would prefer not to expose any information that could enable anyone, including the administration, to get some clue regarding their whereabouts; mobile users would like to have complete personal control of their location privacy. To address this issue, we propose an authorized-anonymous-ID-based scheme; this scheme effectively eliminates the need for a trusted server or administration, which is assumed in the previous work. Our key weapon is a cryptographic technique called blind signature, which is used to generate an authorized anonymous ID that replaces the real ID of an authorized mobile device. With authorized anonymous IDs, we design an architecture capable of achieving complete personal control over location privacy while maintaining the authentication function required by the administration.     

基于属性的物联网感知层访问控制方案

物联网感知层包含大量环境数据与个人信息。因此,对这些数据的访问做出严格界定对于物联网信息安全与隐私保护至关重要。文中在传统访问控制模型的基础上,引入属性概念,提出了一种基于属性的访问控制方案。在这一方案中,通过对用户的主体属性、被访问资源的客体属性、访问请求的权限属性以及该请求发生时的环境属性进行判定,决定是否给与主体访问权限。基于属性的访问控制方案具有灵活性强、控制相对简单、拓展性强等特点,能够满足动态的大规模环境,有利于解决物联网感知层访问控制问题。     

基于属性的安全增强云存储访问控制方案

为了保证云存储中用户数据和隐私的安全,提出了一种基于属性的安全增强云存储访问控制方案。通过共用属性集,将基于属性的加密体制(ABE)与XACML框架有机结合,在XACML框架上实现细粒度的基于属性的访问控制并由ABE保证数据的机密性。考虑到数据量很大时ABE的效率较低,因此,云存储中海量敏感数据的机密性用对称密码体制实现,ABE仅用于保护数据量较小的对称密钥。实验分析表明,该方案不仅能保证用户数据和隐私的机密性,而且性能优于其他同类系统。     

面向医疗大数据的风险自适应的访问控制模型

面对医疗大数据,策略制定者难以预测医生的访问需求,进而制定准确的访问控制策略。针对上述问题,提出一种基于风险的访问控制模型,能够适应性地调整医生的访问能力,保护患者隐私。该模型通过分析医生的访问历史,使用信息熵和EM算法量化医生侵犯隐私造成的风险。利用量化的风险,监测和控制对于医疗记录的过度访问以及特殊情况下的访问请求。实验结果表明,该模型是有效的,并且相比于其他模型能更为准确地进行访问控制。     

Multi-owner accredited keyword search over encrypted data

A sharing multi-owner setting where data was owned by a fixed number of data owners,the existing searchable encryption schemes could not support ciphertext retrieval and fine-grained access control at the same time.For this end,an efficient cryptographic primitive called as multi-owner accredited keyword search over encrypted data scheme was designed,through combining linear secret-sharing technique with searchable encryption schemes,only the data users authorized bymulti-owner by could decrypt the returned results.The formal security analysis shows that the scheme can protect security and privacy under the bilinear Diffie-Hellman assumption.As a further contribution,an empirical study over real-world dataset was conelucted to show the effectiveness and practicability of the scheme.     

P2HBT: Partially Policy Hidden E-Healthcare System with Black-Box Traceability

Electronic health record (EHR), as the core of the e-healthcare system, is an electronic version of patient medical history, which records personal health-related information. EHR embodies the value of disease monitoring through large-scale sharing via the Cloud service provider (CSP). However, the health data-centric feature makes EHR more preferable to the adversaries compared with other outsourcing data. Moreover, there may even be malicious users who deliberately leak their access privileges for benefits. An e-healthcare system with a black-box traceable and robust data security mechanism is presented for the first time. Specifically, we propose an effective P2HBT, which can perform fine-grained access control on encrypted EHRs, prevent the leakage of privacy contained in access policies, and support tracing of traitors. Under the standard model, the scheme is proved fully secure. Performance analysis demonstrates that P2HBT can achieve the design goals and outperform existing schemes in terms of storage and computation overhead.     

基于隐私本体的个性化访问控制模型

在信息收集频繁化、普遍化的今天,由用户制定隐私策略、自主控制个人信息访问的方式,可以最大程度满足用户的隐私保护需求。构建的隐私本体,客观反映了隐私保护领域普遍认可的知识,体现了用户最根本的隐私保护需求。基于隐私本体的个性化访问控制模型采用基于隐私本体的通用策略与个性策略相结合的模式,通过多级链式激活的方式实现用户不同粒度、灵活多变的个性化隐私保护需求。     

基于RBAC的隐私保护模型设计与实现

对于日益增长的互联网应用,隐私保护越来越重要。目前,用于隐私保护的框架主要有P3P（Platform for Privacy Preferences）,EPAL（Enterprise Privacy Authorization Language）,XACML（eXtensible Access Control Mark...     

基于信任的企业信息系统访问控制研究

随着企业规模的不断扩大及信息化水平的不断提高,越来越多的企业采用信息系统提升其竞争力。针对企业信息系统不能对访问用户进行动态授权的问题,文中提出了一种基于信任的企业信息系统访问控制机制,根据用户行为对用户信任度进行评估,参照用户信任度对用户进行动态授权,对访问企业信息系统的用户权限进行动态控制,提高了企业信息系统的安全性。     

采用加密机制在云计算环境中进行访问控制

从数据的隐私角度来讲,公有云的服务提供商对用户来说是不可信的。为保障用户数据私密性,需要采用加密技术在云计算这种开放互联的环境中对托管数据进行访问控制。文中对广播加密机制和CPK组合公钥密码机制在云计算环境中的访问控制应用进行了探讨,并对这两种加密机制的主要理论基础——多项式插值法、多线性映射,以及ECC复合定理进行了介绍。通过加密技术的应用,为实现在云计算等不可信的空间安全存取敏感数据提供了一种研究思路。     

LPPA: Lightweight privacy‐preservation access authentication scheme for massive devices in fifth Generation (5G) cellular networks

Because of the requirements of stringent latency, high‐connection density, and massive devices concurrent connection, the design of the security and efficient access authentication for massive devices is the key point to guarantee the application security under the future fifth Generation (5G) systems. The current access authentication mechanism proposed by 3rd Generation Partnership Project (3GPP) requires each device to execute the full access authentication process, which can not only incur a lot of protocol attacks but also result in signaling congestion on key nodes in 5G core networks when sea of devices concurrently request to access into the networks. In this paper, we design an efficient and secure privacy‐preservation access authentication scheme for massive devices in 5G wireless networks based on aggregation message authentication code (AMAC) technique. Our proposed scheme can accomplish the access authentication between massive devices and the network at the same time negotiate a distinct secret key between each device and the network. In addition, our proposed scheme can withstand a lot of protocol attacks including interior forgery attacks and DoS attacks and achieve identity privacy protection and group member update without sacrificing the efficiency. The Burrows Abadi Needham (BAN) logic and the formal verification tool: Automated Validation of Internet Security Protocols and Applications (AVISPA) and Security Protocol ANimator for AVISPA (SPAN) are employed to demonstrate the security of our proposed scheme.     

Privacy risk adaptive access control model via evolutionary game

Aiming at the problem that in the private sensitive date centralized and opening information systems,a fine-grained and self-adaptive access control model for privacy preserving is desperately needed,thus the balance between privacy preserving and data access utility should be achieved,a rational multi-player risk-adaptive based access control model for privacy preserving was proposed.Firstly,the privacy risk values of access request and requester were formulized by the private information quantity of the requested dataset,and by using Shannon information.Secondly,a risk-adaptive based access control evolutionary game model was constructed by using evolutionary game under the supposing of bounded rational players.Furthermore,dynamic strategies of participants were analyzed by using replicator dynamics equation,and the method of choosing evolutionary stable strategy was proposed.Simulation and comparison results show that,the proposed model is effective to dynamically and adaptively preserve privacy and more risk adaptive,and dynamic evolutionary access strategies of the bounded rational participants are more suitable for practical scenarios.     

基于UCON的访问控制模型在银行中的应用

随着网络技术在银行业务的深入应用,网络的访问控制安全策略对银行数据安全的影响越来越重要,传统访问控制无法有效解决银行网络体系对访问控制的安全性和灵活性需求,对此文中提出了一个种基于UCON(Usage Control Model)使用控制的访问控制模型,该模型提出了比传统访问控制策略更加严格和灵活的访问策略,增强了访问控制环节的安全。     

云计算中数据隐私保护研究进展

由于社会分工和资源共享的必然,公共云平台必将成为和电网、互联网等同等重要的国家基础设施。云计算面临的安全问题制约着云计算的广泛使用。数据安全在云计算中尤为重要,如何保证数据的安全性是云计算安全的核心。从数据的隐私保护计算、数据处理结果的完整性认证、数据访问权限控制以及数据的物理安全4个方面对已有研究工作进行了分类和总结,为后续云计算中数据的安全性研究提供参照。     

PriMa: a comprehensive approach to privacy protection in social network sites

With social networks (SNs) allowing their users to host large amounts of personal data on their platforms, privacy protection mechanisms are becoming increasingly important. The current privacy protection mechanisms offered by SNs mostly enforce access control policies based on users’ privacy settings. The task of setting privacy preferences may be tedious and confusing for the average user, who has hundreds of connections (e.g., acquaintances, colleagues, friends, etc.) and maintains an extensive profile on his main SN. Hence, users often end up with policies that do not sufficiently protect their personal information, thus facilitating potential privacy breaches and information misuse. In this paper, we propose PriMa (Privacy Manager), a privacy protection mechanism that supports semiautomated generation of access rules for users’ profile information, filling the gap between the privacy management needs of SN users and the existing SNs’ privacy protection mechanisms. PriMa access rules are generated using a multicriteria algorithm, so as to account for an extensive set of criteria to be considered when dealing with access control in SN sites. The resulting rules are simple yet powerful specifications, indicating the adequate level of protection for each user, and are dynamically adapted to the ever-changing requirements of the users’ preferences and SN configuration. We have implemented PriMa on a Drupal platform and as a third-party Facebook application. We have evaluated the performance of the PriMa application with respect to access rule generation.