{"title":"MPSS: Mobile Proactive Secret Sharing","authors":"David A. Schultz, B. Liskov, Moses D. Liskov","doi":"10.1145/1880022.1880028","DOIUrl":"https://doi.org/10.1145/1880022.1880028","url":null,"abstract":"This article describes MPSS, a new way to do proactive secret sharing. MPSS provides mobility: The group of nodes holding the shares of the secret can change at each resharing, which is essential in a long-lived system. MPSS additionally allows the number of tolerated faulty shareholders to change when the secret is moved so that the system can tolerate more (or fewer) corruptions; this allows reconfiguration on-the-fly to accommodate changes in the environment. MPSS includes an efficient protocol that is intended to be used in practice. The protocol is optimized for the common case of no or few failures, but degradation when there are more failures is modest. MPSS contains a step in which nodes accuse proposals made by other nodes; we show a novel way to handle these accusations when their verity cannot be known. We also present a way to produce accusations that can be verified without releasing keys of other nodes; verifiable accusations improve the performance of MPSS, and are a useful primitive independent of MPSS.","PeriodicalId":50912,"journal":{"name":"ACM Transactions on Information and System Security","volume":"73 5 Suppl 1","pages":"34:1-34:32"},"PeriodicalIF":0.0,"publicationDate":"2010-12-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"88685547","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Authenticated Index Structures for Aggregation Queries","authors":"Feifei Li, Marios Hadjieleftheriou, G. Kollios, L. Reyzin","doi":"10.1145/1880022.1880026","DOIUrl":"https://doi.org/10.1145/1880022.1880026","url":null,"abstract":"Query authentication is an essential component in Outsourced DataBase (ODB) systems. This article introduces efficient index structures for authenticating aggregation queries over large datasets. First, we design an index that features good performance characteristics for static environments. Then, we propose more involved structures for the dynamic case. Our structures feature excellent performance for authenticating queries with multiple aggregate attributes and multiple selection predicates. Furthermore, our techniques cover a large number of aggregate types, including distributive aggregates (such as SUM, COUNT, MIN, and MAX), algebraic aggregates (such as the AVG), and holistic aggregates (such as MEDIAN and QUANTILE). We have also addressed the issue of authenticating aggregation queries efficiently when the database is encrypted to protect data confidentiality. Finally, we implemented a working prototype of the proposed techniques and experimentally validated the effectiveness and efficiency of our methods.","PeriodicalId":50912,"journal":{"name":"ACM Transactions on Information and System Security","volume":"63 1","pages":"32:1-32:35"},"PeriodicalIF":0.0,"publicationDate":"2010-12-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"89272641","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Pairing-Based Onion Routing with Improved Forward Secrecy","authors":"Aniket Kate, Gregory M. Zaverucha, I. Goldberg","doi":"10.1145/1880022.1880023","DOIUrl":"https://doi.org/10.1145/1880022.1880023","url":null,"abstract":"This article presents new protocols for onion routing anonymity networks. We define a provably secure privacy-preserving key agreement scheme in an identity-based infrastructure setting, and use it to design new onion routing circuit constructions. These constructions, based on a user’s selection, offer immediate or eventual forward secrecy at each node in a circuit and require significantly less computation and communication than the telescoping mechanism used by the Tor project. Further, the use of an identity-based infrastructure also leads to a reduction in the required amount of authenticated directory information. Therefore, our constructions provide practical ways to allow onion routing anonymity networks to scale gracefully.","PeriodicalId":50912,"journal":{"name":"ACM Transactions on Information and System Security","volume":"31 1","pages":"29:1-29:32"},"PeriodicalIF":0.0,"publicationDate":"2010-12-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"88968848","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Identity Escrow Protocol and Anonymity Analysis in the Applied Pi-Calculus","authors":"Aybek Mukhamedov, M. Ryan","doi":"10.1145/1880022.1880035","DOIUrl":"https://doi.org/10.1145/1880022.1880035","url":null,"abstract":"Anonymity with identity escrow attempts to allow users of an online service to remain anonymous, while providing the possibility that the service owner can break the anonymity in exceptional circumstances, such as to assist in a criminal investigation. In the article, we propose an identity escrow protocol that distributes user identity among several escrow agents. The main feature of our scheme is it is based on standard encryption algorithms and it provides user anonymity even if all but one escrow holders are dishonest acting in a coalition. We also present analysis of the anonymity property of our protocol in the applied pi-calculus. We review a related scheme by Marshall and Molina-Jiminez [2003] that aimed to achieve goals similar to ours, and show that their scheme suffers from serious weaknesses.","PeriodicalId":50912,"journal":{"name":"ACM Transactions on Information and System Security","volume":"19 1","pages":"41:1-41:29"},"PeriodicalIF":0.0,"publicationDate":"2010-12-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"73689428","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"BLAC: Revoking Repeatedly Misbehaving Anonymous Users without Relying on TTPs","authors":"Patrick P. Tsang, M. Au, Apu Kapadia, Sean W. Smith","doi":"10.1145/1880022.1880033","DOIUrl":"https://doi.org/10.1145/1880022.1880033","url":null,"abstract":"Several credential systems have been proposed in which users can authenticate to service providers anonymously. Since anonymity can give users the license to misbehave, some variants allow the selective deanonymization (or linking) of misbehaving users upon a complaint to a Trusted Third Party (TTP). The ability of the TTP to revoke a user’s privacy at any time, however, is too strong a punishment for misbehavior. To limit the scope of deanonymization, some systems have been proposed in which users can be deanonymized only if they authenticate “too many times,” such as “double spending” with electronic cash. While useful in some applications, such techniques cannot be generalized to more subjective definitions of misbehavior, for example, using such schemes it is not possible to block anonymous users who “deface too many Web pages” on a Web site. We present BLAC, the first anonymous credential system in which service providers can revoke the credentials of misbehaving users without relying on a TTP. Since revoked users remain anonymous, misbehaviors can be judged subjectively without users fearing arbitrary deanonymization by a TTP. Additionally, our construction supports a d-strikes-out revocation policy, whereby users who have been subjectively judged to have repeatedly misbehaved at least d times are revoked from the system. Thus, for the first time, it is indeed possible to block anonymous users who have “defaced too many Web pages” using our scheme.","PeriodicalId":50912,"journal":{"name":"ACM Transactions on Information and System Security","volume":"54 1","pages":"39:1-39:33"},"PeriodicalIF":0.0,"publicationDate":"2010-12-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"87162696","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Private and Continual Release of Statistics","authors":"T-H. Hubert Chan, E. Shi, D. Song","doi":"10.1145/2043621.2043626","DOIUrl":"https://doi.org/10.1145/2043621.2043626","url":null,"abstract":"We ask the question: how can Web sites and data aggregators continually release updated statistics, and meanwhile preserve each individual user’s privacy? Suppose we are given a stream of 0’s and 1’s. We propose a differentially private continual counter that outputs at every time step the approximate number of 1’s seen thus far. Our counter construction has error that is only poly-log in the number of time steps. We can extend the basic counter construction to allow Web sites to continually give top-k and hot items suggestions while preserving users’ privacy.","PeriodicalId":50912,"journal":{"name":"ACM Transactions on Information and System Security","volume":"61 1","pages":"26:1-26:24"},"PeriodicalIF":0.0,"publicationDate":"2010-07-06","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"88731025","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Privacy-aware role-based access control","authors":"Qun Ni, E. Bertino, Jorge Lobo, C. Brodie, Clare-Marie Karat, J. Karat, Alberto Trombeta","doi":"10.1145/1805974.1805980","DOIUrl":"https://doi.org/10.1145/1805974.1805980","url":null,"abstract":"In this article, we introduce a comprehensive framework supporting a privacy-aware access control mechanism, that is, a mechanism tailored to enforce access control to data containing personally identifiable information and, as such, privacy sensitive. The key component of the framework is a family of models (P-RBAC) that extend the well-known RBAC model in order to provide full support for expressing highly complex privacy-related policies, taking into account features like purposes and obligations. We formally define the notion of privacy-aware permissions and the notion of conflicting permission assignments in P-RBAC, together with efficient conflict-checking algorithms. The framework also includes a flexible authoring tool, based on the use of the SPARCLE system, supporting the high-level specification of P-RBAC permissions. SPARCLE supports the use of natural language for authoring policies and is able to automatically generate P-RBAC permissions from these natural language specifications. In the article, we also report performance evaluation results and contrast our approach with other relevant access control and privacy policy frameworks such as P3P, EPAL, and XACML.","PeriodicalId":50912,"journal":{"name":"ACM Transactions on Information and System Security","volume":"78 1","pages":"24"},"PeriodicalIF":0.0,"publicationDate":"2010-07-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"83046728","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Editorial SACMAT 2007","authors":"B. Thuraisingham","doi":"10.1145/1805974.1805979","DOIUrl":"https://doi.org/10.1145/1805974.1805979","url":null,"abstract":"This special issue consists of enhanced versions of five of the articles presented at the ACM Symposium on Access Control Models and Technologies (SACMAT) held in Sophia Antipolis, France, in June 2007. SACMAT has become the premier forum for presentation of research results and experience reports on leading edge issues of access control including models, systems, applications, and theory. The mission of the symposium is to share novel access control solutions that fulfill the needs of heterogeneous applications and environments as well as to identify new directions for future research and development. The article “Privacy-aware Role-Based Access Control” by Q. Ni, E. Bertino, J. Lobo, C. Brodie, C.-M. Karat, J. Karat, and A. Trombetta extends the popular role-based access control model with complex and realistic privacy policies. The article describes the security model as well as the design and implementation of a system based on this privacy-aware role-based access control also known as P-RBAC. The authors also compare and contrast their system with those based on other privacy models including P3P, EPAL, and XACML. The article “On the Consistency of Distributed Proofs with Hidden Subtrees” by A. Lee, K. Minami, and M. Winslett describes a mechanism for distributed proofs appropriate for pervasive systems. The authors show that consistency constraints may be enforced in a proof system where the complete proofs are not available to the queriers. They also present their performance results that show that the overhead is modest. The article “A Logical Specification and Analysis for SELinux MLS Policy” by B. Hicks, S. Rueda, L. St. Clair, T. Jaeger, and P. McDaniel states that the SELinux multilevel security policy is difficult to verify due to its richness. They then describe a logic-based specification and implementation of this specification in Prolog. They also develop some analyses to test the properties of a policy. In the article “The Role Mining Problem: A Formal Perspective” by J. Vaidya, V. Atluri, and Q. Guo, the authors define the Role Mining Problem as the problem of discovering an optimal set of roles from existing user permissions. The article analyzes the theoretical bounds of the Role Mining Problem and shows the reducibility of this problem to several problems already identified in the data mining and data analysis literature. Subsequently, the authors borrow the existing implementation solutions that guide their research. The article “A Framework to Enforce Access Control Over Data Streams” by B. Carminati, E. Ferrari, and K. L. Tan describes an access control model for data streams. The authors specify a secure algebra for data stream query processing and describe the design of a system for access control enforcement.","PeriodicalId":50912,"journal":{"name":"ACM Transactions on Information and System Security","volume":"51 1","pages":"23:1-23:2"},"PeriodicalIF":0.0,"publicationDate":"2010-07-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"87055938","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Combining fragmentation and encryption to protect privacy in data storage","authors":"V. Ciriani, S. Vimercati, S. Foresti, S. Jajodia, S. Paraboschi, P. Samarati","doi":"10.1145/1805974.1805978","DOIUrl":"https://doi.org/10.1145/1805974.1805978","url":null,"abstract":"The impact of privacy requirements in the development of modern applications is increasing very quickly. Many commercial and legal regulations are driving the need to develop reliable solutions for protecting sensitive information whenever it is stored, processed, or communicated to external parties. To this purpose, encryption techniques are currently used in many scenarios where data protection is required since they provide a layer of protection against the disclosure of personal information, which safeguards companies from the costs that may arise from exposing their data to privacy breaches. However, dealing with encrypted data may make query processing more expensive. In this article, we address these issues by proposing a solution to enforce the privacy of data collections that combines data fragmentation with encryption. We model privacy requirements as confidentiality constraints expressing the sensitivity of attributes and their associations. We then use encryption as an underlying (conveniently available) measure for making data unintelligible while exploiting fragmentation as a way to break sensitive associations among attributes. We formalize the problem of minimizing the impact of fragmentation in terms of number of fragments and their affinity and present two heuristic algorithms for solving such problems. We also discuss experimental results, comparing the solutions returned by our heuristics with respect to optimal solutions, which show that the heuristics, while guaranteeing a polynomial-time computation cost are able to retrieve solutions close to optimum.","PeriodicalId":50912,"journal":{"name":"ACM Transactions on Information and System Security","volume":"22 1","pages":"22:1-22:33"},"PeriodicalIF":0.0,"publicationDate":"2010-07-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"74673515","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"The role mining problem: A formal perspective","authors":"Jaideep Vaidya, V. Atluri, Qi Guo","doi":"10.1145/1805974.1805983","DOIUrl":"https://doi.org/10.1145/1805974.1805983","url":null,"abstract":"Devising a complete and correct set of roles has been recognized as one of the most important and challenging tasks in implementing role-based access control. A key problem related to this is the notion of goodness/interestingness—when is a role good/interesting? In this article, we define the Role Mining Problem (RMP) as the problem of discovering an optimal set of roles from existing user permissions. The main contribution of this article is to formally define RMP and analyze its theoretical bounds. In addition to the above basic RMP, we introduce two different variations of the RMP, called the Δ-Approx RMP and the minimal-noise RMP that have pragmatic implications. We reduce the known “Set Basis Problem” to RMP to show that RMP is an NP-complete problem. An important contribution of this article is also to show the relation of the RMP to several problems already identified in the data mining and data analysis literature. By showing that the RMP is in essence reducible to these known problems, we can directly borrow the existing implementation solutions and guide further research in this direction. We also develop a heuristic solution based on the previously proposed FastMiner algorithm, which is very accurate and efficient.","PeriodicalId":50912,"journal":{"name":"ACM Transactions on Information and System Security","volume":"1 1","pages":"27:1-27:31"},"PeriodicalIF":0.0,"publicationDate":"2010-07-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"82934903","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}