Portable and Flexible Document Access Control Mechanisms

Proceedings of the Tenth ACM Symposium on Access Control Models and Technologies

2005

In this work we address the problem of portable and flexible privacy-preserving access rights for large online data repositories. Privacy-preserving access control means that the service provider can neither learn what access rights a customer has nor link a request to access an item to a particular customer, thus maintaining privacy of both customer activity and customer access rights. Flexible access rights allow any customer to choose any subset of items from the repository and correspondingly be charged only for the items selected. And portability of access rights means that the rights themselves can be stored on small devices of limited storage space and computational capabilities, and therefore the rights must be enforced using the limited resources available.Our main results are solutions to the problem that utilize minimal perfect hash functions and order-preserving minimal perfect hash functions. None of them use expensive cryptography, all require very little space, and they are therefore suitable for computationally weak and spacelimited devices such as smartcards, sensors, etc. Performance of the schemes is measured as the probability of false positives (i.e., the probability that access to an unpurchased item will be permitted) for a given storage space bound. Using our techniques, for a data repository of size n and subscription order of m n items, we achieve a probability of false positives of m −c using only O(cm) bits of storage space, where c is an adjustable parameter (a constant or otherwise) that can be set to provide the desired performance. This is the first time that such provable bounds are established for this problem, and we believe the techniques we use are of more general interest through the unusual use we make of perfect hashing.

Section: Related Workmentioning

confidence: 95%

Section: Related Workmentioning

confidence: 98%

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Provable bounds for portable and flexible privacy-preserving access

Blanton

Proceedings of the Tenth ACM Symposium on Access Control Models and Technologies

2005

“…, i k then you get free access to document j". Schemes that do not have this vulnerability are considerably more computationally expensive [1], so the present scheme has a crucial virtue of being simple and inexpensive. The ideal deployment for the scheme of this paper is in dynamic situations where the document repository changes rapidly, the policies need to be re-generated on a periodic basis, or other situations where the card contents are refreshed periodically through interaction (say, once a month or more frequently) with a server.…”

Section: Implementation and Deployment Issuesmentioning

confidence: 99%

“…This is in fact another reason (in addition to the above-mentioned necessity of making the system less vulnerable to information-sharing attacks) why optimization needs to be periodically re-done, i.e., our scheme used with the new data to compute the new optimal solution. We leave the design of a self-evolving system that does not need such periodic check-points for future research (in fact we already have partial solutions to this [1]). …”

Section: Implementation and Deployment Issuesmentioning

confidence: 99%

Succinct specifications of portable document access policies

Bykova

Proceedings of the Ninth ACM Symposium on Access Control Models and Technologies

2004

Self Cite

When customers need to each be given portable access rights to a subset of documents from a large universe of n available documents, it is often the case that the space available for representing each customer's access rights is limited to much less than n, say it is no more than m bits. This is the case when, e.g., limited-capacity inexpensive cards are used to store the access rights to huge multimedia document databases. How does one represent subsets of a huge set of n elements, when only m bits are available and m is much smaller than n? We use an approach reminiscent of Bloom filters, by assigning to each document a subset of the m bits: If that document is in a customer's subset then we set the corresponding bits to 1 on the customer's card. This guarantees that each customer gets the documents he paid for, but it also gives him access to documents he did not pay for ("false positives"). We want to do so in a manner that minimizes the expected total false positives under various deterministic and probabilistic models: In the former model we assume k customers whose respective subsets are known a priori, whereas in the latter we assume (more realistically) that each document has a probability of being included in a customer's subset. We cannot use randomly assigned bits for each document (in the way Bloom filters do), rather we need to consider the a priori knowledge (deterministic or probabilistic) we are given in each model in order to better assign a subset of the m available bits to each of the n documents. We analyze and give efficient schemes for this problem.

Portable and Flexible Document Access Control Mechanisms

Computer Security – ESORICS 2004

Bykova

2004

Self Cite

Abstract. We present and analyze portable access control mechanisms for large data repositories, in that the customized access policies are stored on a portable device (e.g., a smart card). While there are significant privacy-preservation advantages to the use of smart cards anonymously created and bought in public places (stores, libraries, etc), a major difficulty is that, for huge data repositories and limited-capacity portable storage devices, it is not possible to represent any possible access configuration on the card. For a customer whose card is supposed to contain a subset S of documents, access to all of S must be allowed. In some situations a small enough number of "false positives" (which are accesses to non-S documents) is acceptable to the server, and the challenge then is to minimize the number of false positives implicit to any given card. We describe and analyze schemes for both unstructured and structured collections of documents. For these schemes, we give fast algorithms for efficiently using the limited space available on the card. In our model the customer does not know which documents correspond to false positives, the probability of a randomly chosen document being a false positive is small, and information about false positives bound to one card is useless for any other card even if both of them permit access to the same set of documents S.