Owing to the rapid progress of network researching, attribute-based access control (ABAC) has attracted more and more attention due to its appreciable expressiveness, flexibility, and scalability. Unfortunately, collecting user attributes is necessary to complete the standard ABAC decision process, which increases the risk of privacy disclosure. This problem increases public doubts about ABAC and hinders its popularization. In this paper, a privacy-protected and efficient attribute-based access control (EPABAC) scheme is proposed to prevent the privacy leakage of access subject in the decision-making process of ABAC by introducing a novel hash-based binary search tree. The analyses and experimental evaluations show that the EPABAC achieves user privacy protection in the decision-making process with acceptable additional computing overhead.
KEYWORDSattribute-based access control, binary search tree, digital signature, privacy, security
INTRODUCTIONRecently, the rapid development of the latest network computing techniques has enabled billions of users to access online resources and services more conveniently than ever before. On the one hand, the new computing frameworks such as mobile cloud computing, 1 edge computing, 2 transparent computing, 3-5 and underlying 4G/5G networks bring unprecedented convenience and freedom to users. However, on the other hand, those innovations lead to more complicated scenes, which are significantly dynamic, distribute, fine-grained and changeable, and bring new challenges to the access control technology. 6,7 In these cases, like the earlier classical models such as discretionary access control (DAC) 8 and mandatory access control (MAC), 9 most typical access control models, including Role-Based Access Control (RBAC), 10 are gradually becoming unadaptable because of the extensive decision-making mechanism and the lack of flexible, fine-grained, and dynamic authorization.Owing to the development of access control technology, the attribute-based access control (ABAC) model, 11 which diversely considers many security factors such as subject, object, and environment state, has emerged. By introducing the policy-based access control management mechanism, ABAC achieves stronger expressive ability, flexibility, and scalability than classical access control schemes, which lead to better adaptability for dynamic modern network service scenarios. 12-15 As a promising technique, the ABAC method has been applied in many frontier fields, including cloud computing, 16-18 big data, [19][20][21][22][23] and Internet of Things (IoT) 24,25 scenarios and has been developed into a mature business solution. 26,27 However, even the ABAC model suffers the potential risk of privacy leakage. Due to the importance of disclosing attributes value involved in an initiated access request in the classical ABAC decision process, the unprotected attributes, especially static users attributes which may imply Concurrency Computat Pract Exper. 2020;32:e5556. wileyonlinelibrary.com/journal/cpe