Privacy-preserving attribute-based access control for grid computing

In Attribute- Based Access Control (ABAC), access is granted based on the attributes of the requesting user. ABAC is a highly flexible and scalable access control scheme which can deal with diverse security requirements in a grid computing environment. However, in ABAC the user attributes published by the identity providers for authorisation decision may cause some privacy violation. We developed an attribute release control mechanism to publish an optimal set of user attributes that are essential to access a desired resource (or service), while exposing the least amount of sensitive user information. To facilitate the selection of an optimal set of user attributes, we also developed a Web service, named Security Policy Publication Service (SPPS), which retrieves the access condition from the access control policies in eXtensible Access Control Markup Language (XACML) and converts it into a Disjunctive Normal Form (DNF) of user attributes. For the implementation of our privacy- preserving ABAC, we used the Globus Toolkit and modified the Shibboleth Identity Provider and GridShib. Our performance analysis shows that the overhead of the proposed system is very small.