Privacy-Preserving Personal Health Record System Using Attribute-Based Encryption

ZHENG, YAO

03 July 2011

"Personal health record (PHR) service is an emerging model for health information exchange. It allows patients to create, manage, control and share their health information with other users as well as healthcare providers. In reality, a PHR service is likely to be hosted by third-party cloud service providers in order to enhance its interoperability. However, there have been serious privacy concerns about outsourcing PHR data to cloud servers, not only because cloud providers are generally not covered entities under HIPAA, but also due to an increasing number of cloud data breach incidents happened in recent years. In this thesis, we propose a privacy-preserving PHR system using attribute-based encryption (ABE). In this system, patients can encrypt their PHRs and store them on semi-trusted cloud servers such that servers do not have access to sensitive PHR contexts. Meanwhile patients maintain full control over access to their PHR files, by assigning fine-grained, attribute-based access privileges to selected data users, while different users can have access to different parts of their PHR. Our system also provides extra features such as populating PHR from professional electronic health record (EHR) using ABE. In order to evaluate our proposal, we create a Linux library that implement primitive of key-policy attribute-based encryption (KP-ABE) algorithms. We also build a PHR application based on Indivo PCHR system that allow doctors to encrypt and submit their prescription and diagnostic note to PHR servers using KP-ABE. We evaluate the performance efficiency of different ABE schemes as well as the data query time of Indivo PCHR system when PHR data are encrypted under ABE scheme."

PHR

ABE

fine-grained access control

security

privacy

Quantifying Performance Costs of Database Fine-Grained Access Control

Kumka, David Harold

01 January 2012

Fine-grained access control is a conceptual approach to addressing database security requirements. In relational database management systems, fine-grained access control refers to access restrictions enforced at the row, column, or cell level. While a number of commercial implementations of database fine-grained access control are available, there are presently no generalized approaches to implementing fine-grained access control for relational database management systems. Fine-grained access control is potentially a good solution for database professionals and system architects charged with designing database applications that implement granular security or privacy protection features. However, in the oral tradition of the database community, fine-grained access control is spoken of as imposing significant performance penalties, and is therefore best avoided. Regardless, there are current and emerging social, legal, and economic forces that mandate the need for efficient fine-grained access control in relational database management systems. In the study undertaken, the author was able to quantify the performance costs associated with four common implementations of fine-grained access control for relational database management systems. Security benchmarking was employed as the methodology to quantify performance costs. Synthetic data from the TPC-W benchmark as well as representative data from a real-world application were utilized in the benchmarking process. A simple graph-base performance model for Fine-grained Access Control Evaluation (FACE) was developed from benchmark data collected during the study. The FACE model is intended for use in predicting throughput and response times for relational database management systems that implement fine-grained access control using one of the common fine-grained access control mechanisms - authorization views, the Hippocratic Database, label-based access control, and transparent query rewrite. The author also addresses the issue of scalability for fine-grained access control mechanisms that were evaluated in the study.

Benchmarking

Fine-Grained Access Control

Information Security

Performance

Privacy Preservation

Relational Databases

Computer Sciences

Μηχανισμός πρόσβασης για υπηρεσίες ιστού (web services) για βιομηχανικές εφαρμογές

Κατσαρού, Κατερίνα

22 January 2009

Η διπλωματική εργασία ασχολείται με την ανάγκη για έναν προηγμένο μηχανισμό ασφάλειας που θα παρέχει προστασία πληροφοριών από τους μη εξουσιοδοτημένους χρήστες. Τα περισσότερα συστήματα σε εταιρικό και βιομηχανικό επίπεδο χρησιμοποιούν την απλή εξουσιοδότηση (simple authorization) ή all-or-nothing όπου έχουμε παραχώρηση πρόσβασης στους πόρους του συστήματος εάν ο χρήστης είναι εξουσιοδοτημένος ή εάν δεν είναι άρνηση πρόβλεψης χωρίς να έχει προβλεφθεί κάποια ενδιάμεση λύση. Στην περίπτωση του ελέγχου πρόσβασης για υπηρεσίες Ιστού (web services) –που είναι εφαρμογές που παρέχονται μέσω Διαδικτύου όπως φαίνεται και από το όνομά τους- δεν είναι ικανοποιητική η παραχώρηση πρόσβασης σε ολόκληρη την υπηρεσία Ιστού δηλαδή η πρόσβαση στο υψηλότερο επίπεδο (coarse-grained access control) αλλά απαιτείται και η πρόσβαση σε κάποια ή κάποιες από τις μεθόδους την υπηρεσίας Ιστού δηλαδή η διαβαθμισμένη πρόσβαση (fine-grained access control). Η πολιτική ελέγχου πρόσβασης που χρησιμοποιήσαμε είναι ο έλεγχος πρόσβασης βασισμένος σε ρόλους (Role-based Access Control) όπου οι χρήστες αποκτούν πρόσβαση στους προστατευόμενους πόρους (μια ολόκληρη υπηρεσία Ιστού ή μέθοδο) συνδεόμενοι με ρόλους με τις κατάλληλες άδειες πρόσβασης δηλαδή μόνο εξουσιοδοτημένοι χρήστες έχουν πρόσβαση στους προστατευόμενους πόρους. Τέλος υποθέσαμε μία βιομηχανική υποδομή που παρέχει σε πελάτες πρόσβαση μέσω ενός OPC XML-DA server όπου το OPC είναι ένα σύνολο από ανοικτά πρότυπα που παρέχουν δια-λειτουργικότητα (interoperability) και συνδεσιμότητα (connectivity) μεταξύ βιομηχανικού αυτοματισμού και επιχειρησιακών συστημάτων. / -

Υπηρεσίες ιστού

005.8

Web services

Fine-grained access control

Role-based access control

Integration of Attribute-Based Encryption and IoT: An IoT Security Architecture

Elbanna, Ziyad

January 2023

Services relying on internet of things (IoTs) are increasing day by day. IoT makes use of internet services like network connectivity and computing capability to transform everyday objects into smart things that can interact with users, and the environment to achieve a purpose they are designed for. IoT nodes are memory, and energy constrained devices that acquire information from the surrounding environment, those nodes cannot handle complex data processing and heavy security tasks alone, thus, in most cases a framework is required for processing, storing, and securing data. The framework can be cloud-based, a publish/subscribe broker, or edge computing based. As services relying on IoT are increasing enormously nowadays, data security and privacy are becoming concerns. Security concerns arise from the fact that most IoT data are stored unencrypted on untrusted third-party clouds, which results in many issues like data theft, data manipulation, and unauthorized disclosure. While some of the solutions provide frameworks that store data in encrypted forms, coarse-grained encryption provides less specific access policies to the users accessing data. A more secure control method applies fine-grained access control, and is known as attribute-based encryption (ABE). This research aims to enhance the privacy and the security of the data stored in an IoT middleware named network smart objects (NOS) and extend its functionality by proposing a new IoT security architecture using an efficient ABE scheme known as key-policy attribute-based encryption (KP-ABE) along with an efficient key revocation mechanism based on proxy re-encryption (PRE). Design science research (DSR) was used to facilitate the solution. To establish the knowledge base, a previous case study was reviewed to explicate the problem and the requirements to the artefact were elicited from research documents. The artefact was designed and then demonstrated in a practical experiment by means of Ubuntu operating system (OS). Finally, the artefact’s requirements were evaluated by applying a computer simulation on the Ubuntu OS. The result of the research is a model artefact of an IoT security architecture which is based on ABE. The model prescribes the components and the architectural structure of the IoT system. The IoT system consists of four entities: data producers, data consumers, NOS, and the TA. The model prescribes the new components needed to implement KP-ABE and PRE modules. First, data is transferred from data producers to NOS through secure hypertext transfer protocol (HTTPS), then the data is periodically processed and analyzed to obtain a uniform representation and add useful metadata regarding security, privacy, and data-quality. After that, the data is encrypted by KP-ABE using users’ attributes. PRE takes place when a decryption key is compromised, then the ciphertext is re-encrypted to prevent it’s disclosure. The evaluation results show that the proposed model improved the data retrieval time of the previous middleware by 32% and the re-encryption time by 87%. Finally, the author discusses the limitations of the proposed model and highlights directions for future research.

Internet of things

Attribute based encryption

Fine-grained access control

Key revocation

Proxy re-encryption

Computer Sciences

Datavetenskap (datalogi)

Security in cloud computing / La sécurité dans le Cloud

Lounis, Ahmed

03 July 2014

Le Cloud Computing, ou informatique en nuages, est un environnement de stockage et d’exécution flexible et dynamique qui offre à ses utilisateurs des ressources informatiques à la demande via internet. Le Cloud Computing se développe de manière exponentielle car il offre de nombreux avantages rendus possibles grâce aux évolutions majeures des Data Centers et de la virtualisation. Cependant, la sécurité est un frein majeur à l’adoption du Cloud car les données et les traitements seront externalisés hors de site de confiance de client. Cette thèse contribue à résoudre les défis et les issues de la sécurité des données dans le Cloud pour les applications critiques. En particulier, nous nous intéressons à l’utilisation de stockage pour les applications médicales telles que les dossiers de santé électroniques et les réseaux de capteurs pour la santé. D’abord, nous étudions les avantages et les défis de l’utilisation du Cloud pour les applications médicales. Ensuite, nous présentons l’état de l’art sur la sécurité dans le Cloud et les travaux existants dans ce domaine. Puis nous proposons une architecture sécurisée basée sur le Cloud pour la supervision des patients. Dans cette solution, nous avons développé un contrôle d’accès à granularité fine pour résoudre les défis de la sécurité des données dans le Cloud. Enfin, nous proposons une solution de gestion des accès en urgence. / Cloud computing has recently emerged as a new paradigm where resources of the computing infrastructures are provided as services over the Internet. However, this paradigm also brings many new challenges for data security and access control when business or organizations data is outsourced in the cloud, they are not within the same trusted domain as their traditional infrastructures. This thesis contributes to overcome the data security challenges and issues due to using the cloud for critical applications. Specially, we consider using cloud storage services for medical applications such as Electronic Health Record (EHR) systems and medical Wireless Sensor Networks. First, we discuss the benefits and challenges of using cloud services for healthcare applications. Then, we study security risks of the cloud, and give an overview on existing works. After that, we propose a secure and scalable cloud-based architecture for medical applications. In our solution, we develop a fine-grained access control in order to tackle the challenge of sensitive data security, complex and dynamic access policies. Finally, we propose a secure architecture for emergency management to meet the challenge of emergency access.

Virtualisation

Applications médicales

Réseaux de capteurs pour la santé

E-santé

Dossiers de santé électroniques

Cloud computing

E-health

Wireless sensor networks

Sensitive data

Security

Fine-grained access control

Attribute based encryption

Confidentiality

Privacy