DOI: 10.1145/1456403.1456417

Preserving confidentiality of security policies in data outsourcing

Published: 27 October 2008

Abstract

Recent approaches for protecting information in data outsourcing scenarios exploit the combined use of access control and cryptography. In this context, the number of keys to be distributed to and managed by users can be kept limited by using a public catalog of tokens that allow key derivation along a hierarchy. However, the public token catalog, by expressing the key derivation relationships, may leak information about the security policies (authorizations) enforced by the system, which the data owner may instead wish to keep confidential.
In this paper, we present an approach to protect the privacy of the tokens published in the public catalog. Consistent with the data outsourcing scenario, our solution exploits the use of cryptography, by adding an encryption layer to the catalog. A complicating issue in this respect is that this new encryption layer should follow a derivation path that is "reversed" with respect to the key derivation. Our approach solves this problem by combining cryptography and transitive closure information. The result is an efficient solution allowing token release and traversal of the key derivation structure only to those users authorized to access the underlying resources. We also present experimental results that illustrate the behavior of our technique in large settings.
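
The leak described in the first paragraph can be seen in a short added example, which is not code from the paper: a public token catalog lets authorized users derive keys along the hierarchy, and the same catalog lets a keyless observer reconstruct who can reach what. The token construction (destination key XOR a keyed hash of the destination label), the vertex labels and all function names are assumptions made for illustration; the paper's protective encryption layer is not reproduced here.

```python
import hashlib
import hmac
import secrets

def h(key: bytes, label: str) -> bytes:
    # Keyed hash of the destination label (assumed construction).
    return hmac.new(key, label.encode(), hashlib.sha256).digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def build_catalog(keys, edges):
    # Public token for edge src -> dst: k_dst XOR h(k_src, label_dst).
    return {(s, d): xor(keys[d], h(keys[s], d)) for s, d in edges}

def derive(start, start_key, target, catalog):
    # Walk the public catalog from a key the user holds to the target key.
    stack, seen = [(start, start_key)], set()
    while stack:
        node, key = stack.pop()
        if node == target:
            return key
        if node in seen:
            continue
        seen.add(node)
        for (s, d), tok in catalog.items():
            if s == node:
                stack.append((d, xor(tok, h(key, d))))
    return None  # no derivation path: the user is not authorized

def observer_view(catalog):
    # What anyone learns from the catalog alone, holding no key at all:
    # for every vertex, the full set of vertices whose keys it can derive.
    succ = {}
    for s, d in catalog:
        succ.setdefault(s, set()).add(d)
    def reach(n):
        out, todo = set(), [n]
        while todo:
            for d in succ.get(todo.pop(), ()):
                if d not in out:
                    out.add(d)
                    todo.append(d)
        return out
    return {s: reach(s) for s in succ}

# Constructed hierarchy: vertex labels name the user group holding that key.
EDGES = [("A", "AB"), ("B", "AB"), ("AB", "ABC"), ("C", "ABC")]
KEYS = {v: secrets.token_bytes(32) for v in ("A", "B", "C", "AB", "ABC")}
CATALOG = build_catalog(KEYS, EDGES)
```

`observer_view(CATALOG)` returns the complete derivation relation without touching any key, which is the policy information the data owner may wish to keep confidential.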

Published In

WPES '08: Proceedings of the 7th ACM workshop on Privacy in the electronic society
October 2008
128 pages
ISBN: 9781605582894
DOI: 10.1145/1456403
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. data outsourcing
  2. encryption policy
  3. privacy
  4. security policy protection

Qualifiers

  • Research-article

Conference

CCS08
Acceptance Rates

Overall Acceptance Rate 106 of 355 submissions, 30%

Cited By

  • (2018) A Comprehensive Analysis of Key Management Models in the Cloud: Design, Challenges, and Future Directions. International Conference on Intelligent Computing and Applications, 10.1007/978-981-13-2182-5_5 (53-61). Online publication date: 9-Sep-2018
  • (2017) Towards a Framework for Privacy-Preserving Data Sharing in Portable Clouds. Cloud Computing and Services Science, 10.1007/978-3-319-62594-2_14 (273-293). Online publication date: 20-Jul-2017
  • (2016) CloudEFS: Efficient and secure file system for cloud storage. 2016 14th Annual Conference on Privacy, Security and Trust (PST), 10.1109/PST.2016.7906969 (239-246). Online publication date: Dec-2016
  • (2016) Access control aware data retrieval for secret sharing based database outsourcing. Distributed and Parallel Databases, 10.1007/s10619-015-7186-x, 34:4 (505-534). Online publication date: 1-Dec-2016
  • (2015) The Research and Prospect of Secure Data Access Control in Cloud Storage Environment. Journal of Communications, 10.12720/jcm.10.10.753-759. Online publication date: 2015
  • (2015) Shuffle Index. ACM Transactions on Storage, 10.1145/2747878, 11:4 (1-55). Online publication date: 16-Oct-2015
  • (2015) Practical Techniques Building on Encryption for Protecting and Managing Data in the Cloud. LNCS Essays on The New Codebreakers - Volume 9100, 10.1007/978-3-662-49301-4_15 (205-239). Online publication date: 1-Nov-2015
  • (2015) DualAcE. Security and Communication Networks, 10.1002/sec.1098, 8:8 (1494-1508). Online publication date: 25-May-2015
  • (2014) Database Security and Privacy. Computing Handbook, Third Edition, 10.1201/b16768-61 (53-1-53-21). Online publication date: May-2014
  • (2014) A Dataflow Perspective for Business Process Integration. ACM Transactions on Management Information Systems, 10.1145/2629450, 5:4 (1-33). Online publication date: 9-Oct-2014
