Authors: Sang M. Park; Soon M. Chung
Addresses: Department of Computer Science and Engineering, Wright State University, Dayton, Ohio 45435, USA ' Department of Computer Science and Engineering, Wright State University, Dayton, Ohio 45435, USA
Abstract: In Attribute-Based Access Control (ABAC), access is granted based on the attributes of the requesting user. ABAC is a highly flexible and scalable access control scheme which can deal with diverse security requirements in a grid computing environment. However, in ABAC the user attributes published by the identity providers for authorisation decision may cause some privacy violation. We developed an attribute release control mechanism to publish an optimal set of user attributes that are essential to access a desired resource (or service), while exposing the least amount of sensitive user information. To facilitate the selection of an optimal set of user attributes, we also developed a Web service, named Security Policy Publication Service (SPPS), which retrieves the access condition from the access control policies in eXtensible Access Control Markup Language (XACML) and converts it into a Disjunctive Normal Form (DNF) of user attributes. For the implementation of our privacy-preserving ABAC, we used the Globus Toolkit and modified the Shibboleth Identity Provider and GridShib. Our performance analysis shows that the overhead of the proposed system is very small.
Keywords: privacy preservation; grid computing; attribute-based access control; privacy protection; Shibboleth; XACML; attribute release control; web services; security.
International Journal of Grid and Utility Computing, 2014 Vol.5 No.4, pp.286 - 296
Received: 16 Nov 2012
Accepted: 19 Aug 2013
Published online: 09 May 2015 *