Access Control Policies Research Articles

An access control model based on blockchain master-sidechain collaboration

The centralized storage and centralized authorization approach in medical information systems can lead to data tampering and private information privacy leakage, while the traditional access control model has an overly simple authentication approach, relies excessively on trusted third-party organizations for the enforcement of access control policies, and has low efficiency in processing access requests. To address these problems, this paper proposes an access control model based on the collaboration of blockchain main and side chains, AC-BMS. Firstly, a password-based authentication scheme is designed based on doctors’ identity information; then Polygon side chain is designed to enhance the storage scalability of the blockchain; finally, the access node information on the main Ethereum chain is located on the side chain, and resources are obtained by executing Roll-up contracts deployed on the side chain. It is confirmed by simulation experiments in Hyperledger Fabric that the access efficiency and throughput of the blockchain access model proposed in this paper are improved when the number of accesses is multiplied, the average access time is saved by 2–3 s, the latency time is floating and stable, and the security, scalability, and availability are enhanced.

CVTEE: A Compatible Verified TEE Architecture With Enhanced Security

Sensitive resources in Trusted Execution Environment (TEE) have suffered serious security threats in recent years. Previous protection approaches either lack a strong assurance of TEE security properties or are limited to a single platform. We propose a compatible verified TEE architecture, called <monospace>CVTEE</monospace> , which delegates a security monitor to manage TEE resources securely. This architecture has two key advantages: i) its functional correctness and security are guaranteed by a machine-checkable proof of security objectives of Trusted Application (TA) isolation, runtime confidentiality, and runtime integrity, and ii) it is applicable to different TEE platforms and implementation-independent due to its high level of abstraction and non-determinism of data types. Note that access control policy and information flow control policy are the core for security management of resources. After formally specifying the security attributes of TEE resources, we develop these policies based on Common Criteria (CC) in the security monitor and provide atomic interfaces. <monospace>CVTEE</monospace> is formally verified with 386 lemmas/theorems and <inline-formula><tex-math notation="LaTeX">$\sim$</tex-math></inline-formula> 10,000 LOC of Isabelle/HOL. In addition, we implement a proof of concept for the access control module of Teaclave, and prove that the constructed access control model meets the security requirements through 5 theorems.

Effective Collaboration in the Management of Access Control Policies: A Survey of Tools

Access control (AC) tools implement security policies for controlling access to various assets, including file systems, physical resources, and social media posts. They are also used as pedagogical tools for exploring and understanding intricate details of complex security policies. However, current tools are not developed based on the actual needs of security and policy professionals. They are not equipped to support basic and vital operations like providing a policy overview, policy comparisons, identifying and resolving policy conflicts. In this paper, we explore (a) the specific challenges faced in the collaboration between access control policy makers and implementers, and (b) the limitations that current tools have towards addressing these challenges. We argue that a lack of effective collaboration between policy makers and implementers may lead to a misunderstanding of security policy semantics. The main reason for this problem is that policy makers and implementers use different technical languages for communication. The lack of a common technical language leads to a miscommunication between the two parties. The key aim of our work is to review the currently available research-based access control tools and to identify their pros and cons. To accomplish this, we have reviewed a set of access control tools that have a wide variety of features and applications. We have also identified a set of tasks that these access control tools possess to help the work of policy professionals who are involved in the creation, management and maintenance of security policies. We also compared the functionalities of these tools, the different types of security policies that they support, and their visualizations. Together, these comparisons provide a clear understanding of what current access control systems lack and how they can be improved in order to support effective collaboration between policy makers and policy implementers. We have also found that many of these tools could be more accessible to non-technical policy professionals to understand the semantics of security policies if these tools provide features for visualizing security policies.

Lightweight and Bilateral Controllable Data Sharing for Secure Autonomous Vehicles Platooning Service

Autonomous vehicle platoons are emerging as a promising solution to modern urban governance challenges, such as traffic congestion, air pollution, and fuel waste. As a data-driven paradigm, ensuring secure data sharing is a key challenge for autonomous vehicle platoon applications. However, existing research on secure data sharing of autonomous vehicles platoon suffers from practical weaknesses such as privacy leakage, lack of flexible data source identification, and inefficiency. Motivated by that, this paper first proposes the LFBA scheme, which is the first fine-grained data sharing framework that supports bilateral access control and access policy hiding with lightweight and almost constant computational and storage resources consumption, this can be owed to the sophisticated algorithm structure we designed. We then construct an edge-assisted deployment model over LFBA (EA-LFBA) to further improve efficiency and security against common attacks. We then provide the security proof for LFBA, and security analysis for EA-LFBA. Simulation tests and comparative experiments demonstrate the practicality and superiority of our solution compared to state-of-the-art representative works.

Integration of IoT and Blockchain for user Authentication

The proliferation of Internet of Things (IoT) devices has ushered in a new era of connectivity, necessitating robust solutions for user authentication to address security and trust challenges. This paper explores an innovative approach to user authentication in IoT environments by leveraging the unique capabilities of Non-Fungible Tokens (NFTs) and 9NM (9NFTMANIA) tokens, with a specific focus on utilizing contract addresses. The proposed system involves the tokenization of user identities through the creation of contract addresses on blockchain networks. Each user is assigned a unique digital identity represented by an NFT or 9NM token, providing a tamper-proof association between the user and their cryptographic keys. Blockchain smart contracts are employed to manage authentication processes, dictating access control policies based on the user's contract address. The research underscores the importance of industry-wide collaboration to develop common standards for user authentication in IoT environments. By offering a comprehensive exploration of user authentication in IoT using contract address-based NFTs and 9NM tokens that are developed on Satoshi core based blockchain, this paper contributes to the advancement of secure and user-centric practices in the rapidly evolving landscape of IoT technology. The proposed framework not only enhances the overall security posture of IoT networks but also lays the foundation for a more transparent and interoperable authentication ecosystem. This paper has discussed the mechanism where web 3.0 based programming is made using Javascript, Python, ASP.NET and PHP for user authentication considering presence of smart contracts in user wallet.

Attribute-Based Access Control Policy Generation Approach from Access Logs Based on the CatBoost

Attribute-Based Access Control Policy Generation Approach from Access Logs Based on the CatBoost

Enabling Attribute-based Access Control in NoSQL Databases.

NoSQL databases are being increasingly used for efficient management of high volumes of unstructured data in applications like information retrieval, natural language processing, social computing, etc. However, unlike traditional databases, data protection measures such as access control for these databases are still in their infancy, which could lead to significant vulnerabilities and security/privacy issues as their adoption increases. Attribute-based Access Control (ABAC), which provides a flexible and dynamic solution to access control, can be effective for mediating accesses in typical usage scenarios for NoSQL databases. In this paper, we propose a novel methodology for enabling ABAC in NoSQL databases. Specifically we consider MongoDB, which is one of the most popular NoSQL databases in use today. We present an approach to both specify ABAC access control policies and to enforce them when an actual access request has been made. MongoDB Wire Protocol is used for extracting and processing appropriate information from the requests. We also present a method for supporting dynamic access decisions using environmental attributes and handling of ad-hoc access requests through digitally signed user attributes. Results from an extensive set of experiments on the Enron corpus as well as on synthetically generated data demonstrate the scalability of our approach. Finally, we provide details of our implementation on MongoDB and share a Github repository so that any organization can download and deploy the same for enabling ABAC in their own MongoDB installations.

Janus: Hierarchical Multi-Blockchain-Based Access Control (HMBAC) for Multi-Authority and Multi-Domain Environments

Although there are several access control systems in the literature for flexible policy management in multi-authority and multi-domain environments, achieving interoperability and scalability, without relying on strong trust assumptions, is still an open challenge. We present HMBAC, a distributed fine-grained access control model for shared and dynamic multi-authority and multi-domain environments, along with Janus, a practical system for HMBAC policy enforcement. The proposed HMBAC model supports: (a) dynamic trust management between different authorities; (b) flexible access control policy enforcement, defined at the domain and cross-domain level; (c) a global source of truth for all entities, supported by an immutable, audit-friendly mechanism. Janus implements the HMBAC model and relies on the effective fusion of two core components. First, a Hierarchical Multi-Blockchain architecture that acts as a single access point that cannot be bypassed by users or authorities. Second, a Multi-Authority Attribute-Based Encryption protocol that supports flexible shared multi-owner encryption, where attribute keys from different authorities are combined to decrypt data distributedly stored in different authorities. Our approach was implemented using Hyperledger Fabric as the underlying blockchain, with the system components placed in Kubernetes Docker container pods. We experimentally validated the effectiveness and efficiency of Janus, while fully reproducible artifacts of both our implementation and our measurements are provided.

Traditional Techniques and Emerging Technologies in Observability

Identity and access management is the bedrock of cybersecurity. Identity access to digital resources is governed by its techniques, procedures, and rules, which also define the breadth of identity permission over those resources. Some new cyberattack or data breach pops up in the news every week. Many data breaches occur due to inadequate security measures, software flaws, human mistake, malevolent insiders, or the abuse of access and privileges. An improved access control system is possible with the use of AI methods. In order for organisations to better handle authentication and access control in order to reduce cyber risks and other IAM difficulties, studies into artificial intelligence in IAM are necessary. With an eye towards AI’s potential uses in identity and access management - more especially in the areas of privilege monitoring, administration, and control - this research investigates the nature of the connection between AMIS and AI. To better understand how AI works in minimising recognised IAM issues, this study aimed to present evidence from the relevant literature. This study’s results show how AI reinforces identity and access management, which helps with automating procedures, keeping up with technology advances, and reducing the prevalence of cyber threats. One way to accomplish this is by using a binary classification system for security access control, which takes the PDP problem and turns it into a yes/no question. In order to create a distributed, effective, and accurate policy decision point (PDP), a vector decision classifier is also built using the supervised machine learning technique. Kaggle-Amazon access control policy dataset evaluated performance by comparing the proposed mechanism to previous research standards in terms of performance, duration, and flexibility. Given that the PDP is not in direct contact with the PAP, the proposed approach accomplishes a high level of secrecy in relation to access control requirements. In conclusion, PDP-based ML can manage massive access requests, execute many major policies simultaneously, and have a 95% accuracy rate, all without policy conflicts, with a response time of about 0.15 s. The security of access control can be enhanced by making it more responsive, flexible, dynamic, and dispersed.

A novel system for medical equipment supply chain traceability based on alliance chain and attribute and role access control

With the increasing sales of the medical device market, the medical incidents caused by passive medical devices are increasing, which needs to be solved from the medical device supply chain. In addition, there are complex rights retrieval and assignment problems in the medical device supply chain system, and the traditional Role-based Access Control (RBAC) model is no longer suitable for the actual application environment of the supply chain.This article combines the traditional RBAC model and the Attribute-based Access Control (ABAC) model for access control management in the medical device supply chain to overcome the limitations abovementioned, taking advantage of the ABAC model’s flexibility to achieve granular and dynamic management of permissions, as also the RBAC model to simplify the permissions management of the entire system. Blockchain technology’s traceability, non-tampering, and decentralization features are essential to eliminate passive and inferior medical equipment sales activities, solving the problem of mutual mistrust and ‘Information Silo’ between the two sides of medical device transactions. The access control model is implemented in the blockchain’s smart contract, providing granular and dynamic authority management for the medical equipment supply chain and guaranteeing the security and privacy of medical device information in the supply chain. Three smart contracts on Hyperledger Fabric are designed for device management information, storage of implemented access control models, and implementation of access control policies. Experimental results show that the entire system is stable, ensuring high throughput and high security and promising.

A Smart Contract-Based Access Control Framework For Smart Healthcare Systems

Abstract Security faces huge challenges in Internet of Things (IoT) environments. In particular, conventional access control standards and models tend to be less tailored for IoT due to the constrained nature of smart objects. Usually, a powerful third party is used to handle the access control logic. However, this third party is lacking in transparency and could harm user privacy. Therefore, providing a distributed access control solution, while considering transparency and privacy-preserving awareness in IoT smart systems, is of paramount importance. The described issue can be addressed using the emergent Blockchain technology that provides a promising choice to build a new generation of decentralized and transparent access control solutions. This paper proposes a smart contract-based access control framework for IoT smart healthcare systems, which is based on smart contracts to provide a distributed and trustworthy access control, combined with the GTRBAC model to express fine-grained access control policies while considering temporal authorization constraints. To prove the feasibility and validity of the proposed framework, this paper also provides a detailed technical description and an initial implementation and execution. An experimental evaluation shows that security properties’ analyses on smart contracts achieved the best possible evaluation with no vulnerabilities found, and the cost of access control operations increases linearly as the number of policy constraints increases. Besides, a comparative analysis reveals that the proposed approach can achieve good results with low gas costs and latency.

Efficient dynamic key‐aggregate cryptosystem for secure and flexible data sharing

SummarySecure and efficient enforcement of dynamic access control policies on shared data is a central problem in dynamic and scalable application scenarios, including the Internet of Things and smart cities. Key‐aggregate cryptosystem (KAC) is an efficient mechanism to delegate decryption rights of a subset of a large collection of data items to authorized users. While KAC provides an efficient solution to the problem of secure data sharing, we identify that using it to enforce continuously changing access policies is highly inefficient. In this article, we propose a novel dynamic KAC that, in addition to satisfying all key‐aggregate efficiency requirements, enforces dynamic updates to the aggregate sets with constant computation and constant communication cost. We propose a concrete construction for our dynamic KAC, prove its soundness and formal security, and analyze its theoretical and practical performance. We implement the procedures of a dynamic hierarchical key assignment scheme using the proposed as well as the existing dynamic KACs. We compare the costs of enforcing dynamic updates in large hierarchies. We conclude that the performance enhancement achieved by the proposed dynamic KAC compared to the existing KACs is even more significant in practical access control scenarios.

A Parallel Secure Flow Control Framework for Private Data Sharing in Mobile Edge Cloud

Nowadays, the rapid development of edge computing is accelerating the data sharing between cloud computing platforms and mobile users. These data often contain sensitive information, which faces severe leakage risks not only from the semi-trusted cloud servers but also from the malicious senders in the organizations. Fortunately, access control encryption (ACE) has been utilized to secure the data with access control policies, in which a sanitizer (e.g., the edge node) is employed to check all the communications between the sender and receiver, and drop illegal ciphertexts according to the access control policy. However, previous schemes have some limitations in mobile edge cloud, e.g., the sender's attributes are not strictly authenticated in the attribute-based access control policy, or the sanitization time is the bottleneck of fast data sharing. To this end, we introduce PSFlow, a parallel secure flow control framework for private data sharing in mobile edge cloud. First, we propose an attribute-based outsourced ACE (AOACE) scheme, which achieves secure fine-grained data read and write control, and reduces the computational cost of the sender and receiver with outsourced computations in edge nodes. Then, we propose a concrete construction of PSFlow from AOACE, and accelerate the sanitization process with parallel computing. Specifically, PSFlow parallelizes the sanitization operations with a multi-server model in each edge node, and optimizes the sanitization efficiency in each edge server by constructing a shared pool from the attribute universe. The experimental results show that PSFlow is more efficient and practical than previous schemes in mobile edge cloud.

Blockchain-based multi-hop permission delegation scheme with controllable delegation depth for electronic health record sharing

Permission delegation has become a new way for data sharing by delegating the authorized permission to other users. A flexible authorization model with strict access control policies is promising for electronic health record (EHR) sharing with security. In this paper, a blockchain-based multi-hop permission delegation scheme with controllable delegation depth for EHR sharing has been presented. We use the interplanetary file system (IPFS) for storing the original EHRs. Smart contracts and proxy re-encryption technology are implemented for permission delegation. In order to ensure data security, we use attribute-based encryption to provide fine-grained access control. Additionally, blockchain is used to achieve traceability and immutability. We deploy smart contracts so that the delegation depth can be set by delegators. Security analysis of the proposed protocol shows that our solution meets the designed goals. Finally, we evaluate the proposed algorithm and implement the scheme on the Ethereum test chain. Our scheme outperforms the competition in terms of performance, according to the results of our experiments.

Secure and Efficient General Circuits Attribute-Based Access Control in Cloud Computing

The access structure of a general circuit can represent the access control policy flexibility and has broad applications in the field of dense data access control. All previous proposals are declared to support fined-grain access control for encrypted data and secure sharing in cloud. However, these schemes have their limitations, as the circuit nodes can only output layer by layer, and the circuit depth of the access structure implemented in the system is a fixed value. In addition, recent results show that these schemes have serious security defects, such as unresisting collusion attacks and vulnerability of the ciphertext stored in cloud. This article aims at solving the problems mentioned above and a scheme with improved efficiency and security is proposed. In the presented scheme, the circuit access structure with any depth less than or equal to the maximum depth is realized through equivalent conversion of circuit. By modifying the parameter form of shares, we solved the limitation that the previous scheme could only output layer by layer upward, and realized that each node could output to any node with a depth greater than its own across layers. This scheme greatly reduces the redundant computational overhead and improves the encryption and decryption efficiency.

Effective cyber security system to secure optical data based on deep learning approach for healthcare application

In the recent days, data’s plays a significant role and its enormous quantity are extracted based on various IoT devices. Various IoT devices generates huge data and it is processed to extract the knowledge data through data analytics. To process those data, which are extracted and needs Deep Learning (DL) model as it needs large number of input and its attributes. The deep learning models helps in classifying the data and process those data generated from IoT and those useful optical data will be useful to those consumers. As huge data are circulated and it contains some private information’s related to optics to be secure from the third parties along with effective data processing. The modified deep learning approach based on Cyber Physical Systems (CPS) is propose to effectively process those IoT based data with enhanced data security. Based on deep learning model, the data access algorithm helps to process the raw data generated from IoT time to time and it helps to convert the data to knowledge data. Then the data are secured based on policy access control against various attacks like DoS and DDoS. Based on the performance analysis, the approach helps to provide effective classification of data and reliable data’s to be maintained. Then security on IoT data to be verified against DoS and DDoS attacks on cyber physical system on real time applications.

SAUSA: Securing Access, Usage, and Storage of 3D Point CloudData by a Blockchain-Based Authentication Network

The rapid development of three-dimensional (3D) acquisition technology based on 3D sensors provides a large volume of data, which are often represented in the form of point clouds. Point cloud representation can preserve the original geometric information along with associated attributes in a 3D space. Therefore, it has been widely adopted in many scene-understanding-related applications such as virtual reality (VR) and autonomous driving. However, the massive amount of point cloud data aggregated from distributed 3D sensors also poses challenges for secure data collection, management, storage, and sharing. Thanks to the characteristics of decentralization and security, Blockchain has great potential to improve point cloud services and enhance security and privacy preservation. Inspired by the rationales behind the software-defined network (SDN) technology, this paper envisions SAUSA, a Blockchain-based authentication network that is capable of recording, tracking, and auditing the access, usage, and storage of 3D point cloud datasets in their life-cycle in a decentralized manner. SAUSA adopts an SDN-inspired point cloud service architecture, which allows for efficient data processing and delivery to satisfy diverse quality-of-service (QoS) requirements. A Blockchain-based authentication framework is proposed to ensure security and privacy preservation in point cloud data acquisition, storage, and analytics. Leveraging smart contracts for digitizing access control policies and point cloud data on the Blockchain, data owners have full control of their 3D sensors and point clouds. In addition, anyone can verify the authenticity and integrity of point clouds in use without relying on a third party. Moreover, SAUSA integrates a decentralized storage platform to store encrypted point clouds while recording references of raw data on the distributed ledger. Such a hybrid on-chain and off-chain storage strategy not only improves robustness and availability, but also ensures privacy preservation for sensitive information in point cloud applications. A proof-of-concept prototype is implemented and tested on a physical network. The experimental evaluation validates the feasibility and effectiveness of the proposed SAUSA solution.

Non-interactive Boolean Searchable Asymmetric Encryption With Bilateral Access Control

Abstract Searchable asymmetric encryption (SAE) enables a client to search over a data owner’s encrypted data. Nevertheless, state-of-the-art SAE schemes allow a data owner to specify access control policy for a client, while they have not considered the threat case of a malicious data owner. To address the problem, this work presents a non-interactive SAE scheme with bilateral access control: (i) allowing data owner and client to both specify policies toward the other party; (ii) allowing client to perform arbitrary boolean queries with sub-linear search complexity. Technically, we extend Cash et al.’s highly scalable SSE into an asymmetric setting and introduce the property of data owner authenticity. By refining identity-based matchmaking encryption, we formalize the syntax and security definition of our SAE with identity-based bilateral access control. Moreover, the security of the proposed SAE can be reduced to discrete logistic assumption and decisional bilinear Diffie–Hellman assumption. As an enhanced extension, we present a non-interactive multi-client SAE scheme with fuzzy identity-based bilateral access control. In addition, we implement the proposed schemes in real cloud platform and evaluate their performance on a real-world dataset. The result confirms that our SAE schemes achieve bilateral access control for both data owner and client with highly acceptable efficiency.

AC-ABAC: Attribute-based access control for electronic medical records during acute care

Acute care demands fast response and procedures from the healthcare professionals involved in the emergency. The availability of electronic medical records (EMR) enables acute care teams to access patient data promptly, which is critical for proper treatment. The EMR contains sensitive data, so proper access control is a necessity. However, acute care situations entail the introduction of dynamic authorisation techniques that are able to swiftly grant access to the acute care teams during the treatment and that at the same time can revoke it as soon as the treatment is over. In this work, our contributions are threefold. First, we propose a step-by-step methodology that defines dynamic and fine-grained access control in acute care incidents. Then, we applied this methodology with the Amsterdam University Medical Center acute stroke care teams, resulting in a new model coined ’Acute Care Attribute-Based Access Control (AC-ABAC)’. AC-ABAC implements access control policies that take into account contextual attributes for dynamically sharing patient data with the appropriate healthcare professionals during the life cycle of acute care. Finally, we evaluate the performance and show the feasibility and correctness of AC-ABAC through a prototype implementation of the model and simulation of patient data requests in various scenarios. The results show that the most complex policy evaluation takes on average 194.89 ms, which is considered worthwhile when compared to the added value to the system’s security and the acute care process.

Towards SDN-based smart contract solution for IoT access control

Access control is essential for the IoT environment to ensure that only approved and trusted parties are able to configure devices, access sensor information, and command actuators to execute activities. The IoT ecosystem is subject to various access control complications due to the limited latency between IoT devices and the Internet, low energy requirements of IoT devices, the distributed framework, ad-hoc networks, and an exceptionally large number of heterogeneous IoT devices that need to be managed. The motivation for this proposed work is to resolve the incurring challenges of IoT associated with management and access control security. Each IoT domain implementation has particular features and needs separate access control policies to be considered in order to design a secure solution. This research work aims to resolve the intricacy of policies management, forged policies, dissemination, tracking of access control policies, automation, and central management of IoT nodes and provides a trackable and auditable access control policy management system that prevents forged policy dissemination by applying Software Defined Network (SDN) and blockchain technology in an IoT environment. Integration of SDN and blockchain provides a robust solution for IoT environment security. Recently, smart contracts have become one of blockchain technology’s most promising applications. The integration of smart contracts with blockchain technology provides the capability of designing tamper-proof and independently verifiable policies. In this paper, we propose a novel, scalable solution for implementing immutable, verifiable, adaptive, and automated access control policies for IoT devices together with a successful proof of concept that demonstrates the scalability of the proposed solution. The performance of the proposed solution is evaluated in terms of throughput and resource access delay between the blockchain component and the controller as well as from node to node. The number of nodes in the IoT network and the number of resource access requests were independently and systematically increased during the evaluations. The results illustrate that the resource access delay and throughput were affected neither linearly nor exponentially; hence, the proposed solution shows no significant degradation in performance with an increase in the number of nodes and/or requests.