RiBAC: Strengthening Access Control Systems for Pandemic Risk Reduction while Preserving Privacy

Proceedings of the 18th International Conference on Availability, Reliability and Security Pub Date : 2023-08-29 DOI:10.1145/3600160.3605039

S. Krenn, Jan Orlicky, Daniel Slamanig, T. Trpišovský

{"title":"RiBAC: Strengthening Access Control Systems for Pandemic Risk Reduction while Preserving Privacy","authors":"S. Krenn, Jan Orlicky, Daniel Slamanig, T. Trpišovský","doi":"10.1145/3600160.3605039","DOIUrl":null,"url":null,"abstract":"Traditional (physical) access control systems are well-established mechanisms, allowing organizations to determine who should be able to access which physical space. This can either be a facility such as a critical infrastructure with a well-defined set of individuals, e.g., employees, or public spaces where everyone can be subject to access control. During the Covid-19 pandemic, additional features to reduce the risks of individuals when entering spaces became popular or even mandatory, including automatic scanning for protective wear (e.g., whether an individual wears a mask), body temperature checks, or digital health certificates, certifying that one has been negatively tested for, or vaccinated against, Covid-19. We refer to this as risk-based access control (RiBAC). In the Covid-19 pandemic largely due to the time pressure for implementing these measures, many of such RiBAC extensions to classical AC systems required manual intervention. This, besides posing health risks for the individuals performing these checks, yields a solution which is not scalable. Now that the Covid-19 pandemic no longer constitutes a public health emergency of international concern by the World Health Organization (WHO), it is time to reconsider RiBAC systems. Our main focus in this work is to investigate requirements for such systems and to discuss possible generic architectures for RiBAC systems. In order to be prepared for a future pandemic, the goal should be to implement such systems in a way such that they are scalable and risk-minimizing. We will specifically focus on privacy of the individuals subject to access control in RiBAC, while preserving the functionality of the system. Moreover, our focus is on the European setting where digital health certificates were considered as a central risk-reducing mechanism. In this context, we discuss the use of privacy-preserving cryptography in order to be able to have RiBAC systems that are privacy-preserving already in place for any potential future pandemic.","PeriodicalId":107145,"journal":{"name":"Proceedings of the 18th International Conference on Availability, Reliability and Security","volume":null,"pages":null},"PeriodicalIF":0.0000,"publicationDate":"2023-08-29","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"1","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Proceedings of the 18th International Conference on Availability, Reliability and Security","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/3600160.3605039","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 1

Abstract

Traditional (physical) access control systems are well-established mechanisms, allowing organizations to determine who should be able to access which physical space. This can either be a facility such as a critical infrastructure with a well-defined set of individuals, e.g., employees, or public spaces where everyone can be subject to access control. During the Covid-19 pandemic, additional features to reduce the risks of individuals when entering spaces became popular or even mandatory, including automatic scanning for protective wear (e.g., whether an individual wears a mask), body temperature checks, or digital health certificates, certifying that one has been negatively tested for, or vaccinated against, Covid-19. We refer to this as risk-based access control (RiBAC). In the Covid-19 pandemic largely due to the time pressure for implementing these measures, many of such RiBAC extensions to classical AC systems required manual intervention. This, besides posing health risks for the individuals performing these checks, yields a solution which is not scalable. Now that the Covid-19 pandemic no longer constitutes a public health emergency of international concern by the World Health Organization (WHO), it is time to reconsider RiBAC systems. Our main focus in this work is to investigate requirements for such systems and to discuss possible generic architectures for RiBAC systems. In order to be prepared for a future pandemic, the goal should be to implement such systems in a way such that they are scalable and risk-minimizing. We will specifically focus on privacy of the individuals subject to access control in RiBAC, while preserving the functionality of the system. Moreover, our focus is on the European setting where digital health certificates were considered as a central risk-reducing mechanism. In this context, we discuss the use of privacy-preserving cryptography in order to be able to have RiBAC systems that are privacy-preserving already in place for any potential future pandemic.

查看原文本刊更多论文

RiBAC:在保护隐私的同时加强访问控制系统以减少大流行风险

传统的(物理)访问控制系统是建立良好的机制，允许组织确定谁应该能够访问哪个物理空间。这可以是一个设施，如关键基础设施，有一组定义良好的个人，如员工，或公共空间，每个人都可以受到访问控制。在2019冠状病毒病大流行期间，降低个人进入空间风险的其他功能变得流行起来，甚至是强制性的，包括自动扫描防护服(例如，个人是否戴口罩)、体温检查或数字健康证书，证明某人已接受Covid-19阴性检测或接种疫苗。我们将其称为基于风险的访问控制(RiBAC)。在2019冠状病毒病大流行期间，主要由于实施这些措施的时间压力，许多此类RiBAC扩展到经典交流系统需要人工干预。这除了会给执行这些检查的个人带来健康风险外，还会产生不可扩展的解决方案。既然Covid-19大流行不再构成世界卫生组织(世卫组织)关注的国际突发公共卫生事件，现在是重新考虑RiBAC系统的时候了。我们在这项工作中的主要重点是调查此类系统的需求，并讨论RiBAC系统可能的通用架构。为了为未来的大流行做好准备，目标应该是以可扩展和风险最小化的方式实施这些系统。我们将特别关注在RiBAC中受访问控制的个人的隐私，同时保留系统的功能。此外，我们的重点是欧洲环境，在那里，数字健康证书被视为降低风险的主要机制。在这种情况下，我们讨论了隐私保护加密技术的使用，以便能够拥有已经保护隐私的RiBAC系统，以应对任何潜在的未来大流行。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Proceedings of the 18th International Conference on Availability, Reliability and Security

自引率

0.00%

发文量