Anonymity in Attribute-Based Access Control: Framework and Metric

• Published in: IEEE transactions on dependable and secure computing Vol. 21; no. 1; pp. 1 - 14
• Main Authors: Zhang, Runnan, Liu, Gang, Kang, Hongzhaoning, Wang, Quan, Wan, Bo, Luo, Nan
• Format: Journal Article
• Language: English
• Published: Washington IEEE 01.01.2024; IEEE Computer Society
• Subjects: Access control; Anonymity metric; anonymous access; attribute-based access control; Authorization; Encryption; Measurement; Optimization; Policies; Prediction algorithms; Privacy; re-identification
• ISSN: 1545-5971; 1941-0018
• DOI: 10.1109/TDSC.2023.3261309

Anonymous access is an effective method for preserving privacy in access control. This study assumes that anonymous access control requires both frameworks and policies. Numerous solutions have been proposed for anonymous access at the framework level. In this study, these solutions are analyzed and quantified using a unified attribute-based access control (ABAC) anonymous access reference framework. Anonymous access at the framework level is the first line of defense, and inappropriate policies may undermine subject anonymity. An anonymity metric is proposed at the policy level to prevent authorization authority from re-identification using specific attributes and policies. The anonymity metric evaluates the risk of re-identifying a subject due to inappropriate access requests, as well as subject attribute assignment schemes and policies. This study is the first to focus on anonymity at the policy level in ABAC. Furthermore, a formal definition of anonymity suitable for ABAC is proposed. The feasibility of the proposed anonymity metric is verified through simulations.