332-340
ISSN 2001-5569
Abstract
Ever since the evolution of the internet, privacy of information has been the main concern, and access to
this information is the most important issue in privacy preservation. The existing system provides access
based only on roles. To overcome the issue of excess use of data by subjects, Purpose Based Access Control
has been proposed. This system also allows the client to restrict the exposure of personal information to the
different subjects who request the information to process a query. This system can be considered the
next generation of access control. It enables finer-grained access control for the subjects who want to
access the information and grants access based on the purpose for which they need to access the data.
This work provides a foundation for developing appropriate security solutions for securing organizations'
information and contributes to the highest security.
Keywords: IP, AIP, PIP, Access, Policy, Purpose.
1. Introduction
Current information technologies allow users to perform their business tasks virtually anytime and
anywhere, and also allow all kinds of information that clients reveal during their activities to be stored.
The demand for more effective healthcare services is increasing, since E-Healthcare service portals
contain a lot of useful and sensitive information about the user. This private information can be attacked
by a false user, collected and stored, and then used against the user without his consent. E-healthcare
centers provide very good information to the user about medical issues, but this is very risky because they
hold a huge amount of data internationally in order to provide accurate service. The risk increases with it,
especially since patient information is regarded as the most private information. Securing privacy is
therefore a very big concern. In the proposed system, privacy is maintained according to the purpose
defined by the service provider. The policies should be created in such a manner that no single user of the
data can make out any private information from the data.
MD Arif,
IJRIT
332
IJRIT International Journal of Research in Information Technology, Volume 1, Issue 7, July 2014, Pg. 332-340
1.5 Objective
In this paper, the data users (employees) are restricted according to the purpose defined by the Admin of the
service provider in order to process the respective query of the client. The client should also be able to
restrict how much of the client's data these employees can access.
2. Proposed System
The system proposes a Purpose Based Access Control that gives users (the customers) the option to
restrict their personal data according to their own Privacy Policy. The Admin then decides the
access policies for the employees. The Admin also defines the purpose definition, that is, which purpose
needs how much data to be accessed.
A compliance check then happens between these three things: IP (Intended Purpose / purpose definition),
AIP (Allowed Intended Purpose / access policy) and PIP (Prohibited Intended Purpose / privacy policy).
Finally, employees get access only to what remains; in this way the client's privacy is preserved to a
large extent.
2.2 Algorithm
Input: Subject s needs to access right on object o with access purpose (pu)
Output: Accept or deny accesses
Method
1) Verify the compliance between ip and pu. If ip aip and ip pip go to the next step; otherwise the access purpose is not compliant and the ACCESS is denied;
2) endif;
3) Verify pre-Authorization;
4) if preA(ATT(s), r) = false; (the process in pre-Authorization is not successful)
5) ACCESS denied;
6) endif;
7) SOP SP IP (subject object purpose); (subjects with the access purpose can access the private information)
8) ACCESS accepted
Verify ongoing Authorization
9) if onA(ATT(s), ATT(o), ip, r) = false; (the process in Authorization has failed; no further verification is needed)
10) Application denied;
11) endif;
12) if ip > Pu (ap is not compliant to pu any longer)
13) Application denied;
Subjects with access purpose can continue to access the private information.
The above algorithm shows how access to the object can be controlled or restricted based upon the
purpose for which the subject wants to access the data/object.
2.3 Modules
1) Authorization
2) Cryptography
3) Purpose definition
4) Policies
5) Compliance check.
1) Authorization
Whenever a subject needs access to the data, authorization is granted to the subject based upon
the compliance check.
2) Cryptography
Cryptography usually consists of encryption and decryption. AES (Advanced Encryption Standard)
is the technique used here for encryption and decryption.
3) Purpose definition
The admin defines the purpose, which means the access rights required to process the particular data or
query; this is also known as the intended purpose (IP).
4) Policies
Policies are the set of protocols or rules which need to be applied in order to achieve the planned outcome.
Two types of policies are used in this system:
Access policy
Privacy policy
Access policy (AIP) is defined by the Admin and states which employee of the organization can use how
much of the data from its database.
Privacy policy (PIP) is defined by the client himself. This is done to restrict the usage of his personal data
in order to provide the service.
5) Compliance check
Once the IP, AIP and PIP are defined, a compliance check happens before authorization is given to the
employee; it checks whether the employee is authorized or not, based upon the algorithm mentioned
above.
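The compliance check between IP, AIP and PIP described above can be sketched as follows. This is an added example, not code from the paper: modelling each policy as sets of purposes and fields, computing "what remains" as the fields needed for the purpose and granted by the admin minus those the client prohibits, denying when any policy is missing, and all employee, client, purpose and field names are assumptions made for illustration.

```python
from typing import NamedTuple

class Decision(NamedTuple):
    allowed: bool
    fields: frozenset
    reason: str

# Constructed sample policies; every name below is hypothetical.
IP = {   # purpose definition (admin): fields each purpose needs
    "diagnosis": {"name", "age", "medical_history", "lab_results"},
    "billing": {"name", "address", "insurance_id"},
    "marketing": {"name", "address"},
}
AIP = {  # access policy (admin): purposes and fields granted per employee
    "nurse_01": {"purposes": {"diagnosis"},
                 "fields": {"name", "age", "medical_history", "lab_results"}},
    "clerk_07": {"purposes": {"billing", "marketing"},
                 "fields": {"name", "address", "insurance_id"}},
}
PIP = {  # privacy policy (client): purposes and fields the client prohibits
    "client_42": {"purposes": {"marketing"}, "fields": {"medical_history"}},
}

def deny(reason):
    return Decision(False, frozenset(), reason)

def compliance_check(employee, client, purpose):
    """Check the access purpose against IP, AIP and PIP; fail closed."""
    needed, grant, ban = IP.get(purpose), AIP.get(employee), PIP.get(client)
    if needed is None or grant is None or ban is None:
        return deny("no policy on file")
    if purpose not in grant["purposes"]:
        return deny("purpose not allowed by access policy")
    if purpose in ban["purposes"]:
        return deny("purpose prohibited by privacy policy")
    # What remains: needed for the purpose, granted by admin, not banned by client.
    remaining = (needed & grant["fields"]) - ban["fields"]
    if not remaining:
        return deny("no fields remain after compliance check")
    return Decision(True, frozenset(remaining), "compliant")

def release(record, decision):
    """Return only the fields of a client record that the decision permits."""
    return {k: v for k, v in record.items() if k in decision.fields}

if __name__ == "__main__":
    d = compliance_check("nurse_01", "client_42", "diagnosis")
    print(d.reason, sorted(d.fields))
```
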
As shown in Figure 5, the admin can define the access policy for each of his employees: what details they
can access and to what extent they can access them.
Authors Profile
MD Arif is currently pursuing M.Tech in Computer Network Engineering at Center for PG Studies, (VTU), Belgaum.
He received his Bachelor of Engineering in Computer Science from Dr. AIT Bengaluru. His areas of interests include
Cryptography and Mobile Computing.
arifmohammed2012@gmail.com
Mrs. Pushpalatha S is currently working as a Professor in Dept. of Computer Network and Engineering, Center for
PG Studies, VTU Belgaum. She has completed her Masters in Computer Network Engineering from the National
Institute of Engineering, Mysore, Karnataka and her Bachelors of Engineering in Electronics and Communication and
Engineering from Coorg Institution of Technology, Kodagu, Karnataka. She has an overall of 7 years of teaching
experience and handled subjects like Network Security, Computer Networks, Wireless Communication and Digital
Communication. Her recent interests include Network Security and Cryptography.
pushpalatha@vtu.ac.in
Henin Roland Karkada is currently pursuing M.Tech in Computer Science at Center for PG Studies, (VTU),
Belgaum. He received his Bachelor of Engineering in Computer Science from Mangalore Institute of Technology
(MITE) Mangalore. His areas of interests include Content Based image Retrieval, Cloud Computing, Cryptography and
Semantic Web.
henin.roland@gmail.com
Sunil Saumya is currently pursuing M.Tech in Computer Network Engineering at Center for PG Studies, (VTU),
Belgaum. He received his Bachelor of Engineering in Computer Science from Lovely Professional University, Punjab.
His areas of interests include Cryptography and Mobile Computing.
sunil.saumya007@gmail.com
Shilpa V is currently pursuing M.Tech in Computer Network Engineering at Center for PG Studies, (VTU), Belgaum.
She received her Bachelor of Engineering in Electronics and Communications from Dr. SMCE, Byranayakanahalli,
Bengaluru. Her areas of interests include Cryptography and Mobile Computing.
shilpav92@gmail.com