1. School of Big Data Science, Jiangxi Science and Technology Normal University, Nanchang, Jiangxi 330038, China
2. School of Digital Industry, Jiangxi Normal University, Nanchang, Jiangxi 330022, China
MA Li, female, born 1974, from Anqing, Anhui; Ph.D.; lecturer at the School of Big Data Science, Jiangxi Science and Technology Normal University. Research interests: access control, privacy protection and formal modeling. E-mail: mali@jxstnu.edu.cn
JIANG Huo-wen (corresponding author), male, born 1974, from Jinxian, Jiangxi; Ph.D.; professor and master's supervisor at the School of Big Data Science, Jiangxi Science and Technology Normal University. Research interests: privacy protection, software evolution and computer education.
PENG Yun, male, born 1972, from Yichun, Jiangxi; Ph.D.; associate professor and master's supervisor at the School of Digital Industry, Jiangxi Normal University. Research interests: natural language processing, artificial intelligence and data mining. E-mail: pengyun@jxnu.edu.cn
Received: 2023-02-17
Revised: 2023-06-01
Published in print: 2023-07-25
MA Li, JIANG Huo-wen, PENG Yun. Formalization and Verification of Privacy Preserving Protocol Based on User Consent [J]. ACTA ELECTRONICA SINICA (Acta Electronica Sinica), 2023, 51(07): 1842-1849. DOI: 10.12263/DZXB.20230144.
The combination of user consent and access control is one of the main approaches to privacy protection today. However, most privacy-preserving access control approaches take only the data controller's perspective, do not consider the individual's participation in access decisions, and therefore cannot meet the need for autonomy and control over personal data. To solve this problem, this paper proposes a privacy-preserving access control protocol based on user consent, which transforms user consent into a kind of consent authority and forms a dual access control mechanism of consent plus authorization. The syntax, semantics and security of the protocol are defined and analyzed, and the properties that the protocol should satisfy are verified with model checking, which finally proves that the design can comply with personal information protection regulations from the perspective of access control.
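As an added illustration (not the paper's code and not its formal model), the following Python sketch shows the dual consent-plus-authorization decision the abstract describes, and then checks it the way a model checker would: by exhaustively exploring every reachable consent state of a small constructed model and testing three properties in each state (consent never bypasses role authorization, withdrawal takes effect immediately, and a request satisfying both sides is honoured). A deliberately faulty variant that caches grants per request shows the exploration catching a broken withdrawal. All users, roles, purposes, the `record` resource and the `dave` data subject are constructed for the example.

```python
"""Added illustration, not the paper's code or its formal model: a consent-plus-authorization
access decision and a bounded exhaustive exploration (a tiny model check) of the
properties such a protocol must satisfy. Every user, role, purpose and consent below is constructed."""
from collections import deque
from dataclasses import dataclass
from typing import Callable, FrozenSet, List, Tuple

# Authorization side, constructed RBAC policy: role -> allowed (action, resource) pairs.
ROLE_PERMS = {
    "doctor": {("read", "record"), ("write", "record")},
    "researcher": {("read", "record")},
    "clerk": set(),
}
USER_ROLE = {"alice": "doctor", "bob": "researcher", "carol": "clerk"}
USER_PURPOSE = {"alice": "treatment", "bob": "research", "carol": "billing"}


@dataclass(frozen=True)
class Consent:
    """Consent side: a data subject's consent, bound to one resource and one purpose."""
    subject: str
    resource: str
    purpose: str


@dataclass(frozen=True)
class Request:
    user: str
    action: str
    resource: str
    subject: str  # data subject whose data is requested
    purpose: str


State = FrozenSet[Consent]  # the consents currently active


def authorized(req: Request) -> bool:
    """Classic RBAC permission check."""
    return (req.action, req.resource) in ROLE_PERMS[USER_ROLE[req.user]]


def consented(req: Request, state: State) -> bool:
    """The data subject must hold an active consent matching resource and purpose."""
    return Consent(req.subject, req.resource, req.purpose) in state


def decide(req: Request, state: State) -> str:
    """Dual mechanism: permit only when authorization and consent both hold."""
    return "permit" if authorized(req) and consented(req, state) else "deny"


class CachedDecider:
    """Faulty variant: remembers permits per request, so a later withdrawal goes unnoticed."""

    def __init__(self) -> None:
        self.granted: set = set()

    def __call__(self, req: Request, state: State) -> str:
        if req in self.granted:
            return "permit"
        d = decide(req, state)
        if d == "permit":
            self.granted.add(req)
        return d


# Finite model: consents subject "dave" may grant or withdraw, and every request that can be issued.
ALL_CONSENTS = [Consent("dave", "record", p) for p in ("treatment", "research", "billing")]
ALL_REQUESTS = [Request(u, a, "record", "dave", USER_PURPOSE[u])
                for u in USER_ROLE for a in ("read", "write")]


def successors(state: State):
    """Transitions: grant one absent consent or withdraw one active consent."""
    for c in ALL_CONSENTS:
        yield state - {c} if c in state else state | {c}


def model_check(decision: Callable[[Request, State], str]) -> Tuple[int, List[str]]:
    """Breadth-first exploration of every reachable consent state, checking:
    no_escalation: permit implies the role allows the action (consent never bypasses RBAC);
    revocable:     permit implies a matching consent is active now (withdrawal takes effect);
    honoured:      a request satisfying both sides is never denied.
    Returns (states explored, violation descriptions)."""
    start: State = frozenset()
    seen = {start}
    queue = deque([start])
    violations: List[str] = []
    while queue:
        state = queue.popleft()
        label = sorted(c.purpose for c in state)
        for req in ALL_REQUESTS:
            d = decision(req, state)
            if d == "permit" and not authorized(req):
                violations.append(f"no_escalation: {req.user} {req.action} with consents {label}")
            if d == "permit" and not consented(req, state):
                violations.append(f"revocable: {req.user} {req.action} with consents {label}")
            if d == "deny" and authorized(req) and consented(req, state):
                violations.append(f"honoured: {req.user} {req.action} with consents {label}")
        for nxt in successors(state):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return len(seen), violations


if __name__ == "__main__":
    print(model_check(decide))           # (8, [])
    print(model_check(CachedDecider()))  # (8, [eight 'revocable' violations])
```

The exploration is finite (three optional consents give eight states), so the check is complete for this model; the correct `decide` passes every property in every state, while `CachedDecider` is caught permitting access in states where the consent it relied on has been withdrawn, the failure mode a consent protocol's revocation property is meant to exclude.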