Issue No. 05 - Sept.-Oct. (2012 vol. 9)
DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/TDSC.2011.62
Michael S. Kirkpatrick , James Madison University, Harrisonburg
Gabriel Ghinita , University of Massachusetts, Boston
Elisa Bertino , Purdue University, West Lafayette
Several models for incorporating spatial constraints into role-based access control (RBAC) have been proposed, and researchers are now focusing on the challenge of ensuring such policies are enforced correctly. However, existing approaches have a major shortcoming, as they assume the server is trustworthy and require complete disclosure of sensitive location information by the user. In this work, we propose a novel framework and a set of protocols to solve this problem. Specifically, in our scheme, a user provides a service provider with role and location tokens along with a request. The service provider consults with a role authority and a location authority to verify the tokens and evaluate the policy. However, none of the servers learn the requesting user's identity, role, or location. In this paper, we define the protocols and the policy enforcement scheme, and present a formal proof of a number of security properties.
Access control, Protocols, Encryption, Servers, Privacy, applied cryptography., RBAC, privacy, security, access control
G. Ghinita, M. S. Kirkpatrick and E. Bertino, "Privacy-Preserving Enforcement of Spatially Aware RBAC," in IEEE Transactions on Dependable and Secure Computing, vol. 9, no. , pp. 627-640, 2011.