Abstract
In this paper we discuss implementation issues of a distributed privacy enforcement scheme that supports Owner-Retained Access Control for digital data repositories. Our approach is based on the Java Security Framework. To achieve policy enforcement that depends on the accessed data object, we had to implement our own class loader, which supports instance-level policy assignment. Access policies are described in XACML and stored together with the data as sticky policies. Enforcing generic policies over sticky policy objects required extending XACML with XPath-specific functions. Our use-case scenario is the user-controlled distribution of Electronic Health Records.
© 2008 IFIP International Federation for Information Processing
Cite this paper
Scheffler, T., Geiß, S., Schnor, B. (2008). An Implementation of a Privacy Enforcement Scheme based on the Java Security Framework using XACML Policies. In: Jajodia, S., Samarati, P., Cimato, S. (eds) Proceedings of The Ifip Tc 11 23rd International Information Security Conference. SEC 2008. IFIP – The International Federation for Information Processing, vol 278. Springer, Boston, MA. https://doi.org/10.1007/978-0-387-09699-5_11
DOI: https://doi.org/10.1007/978-0-387-09699-5_11
Publisher Name: Springer, Boston, MA
Print ISBN: 978-0-387-09698-8
Online ISBN: 978-0-387-09699-5
eBook Packages: Computer Science (R0)