Journal on Communications, 2015, Vol. 36, Issue (12): 200-211. doi: 10.11959/j.issn.1000-436x.2015329

• Data Security •

Access control scheme for medical data based on PBAC and IBE

Yi-ting ZHANG1,2, Yu-chuan FU1, Ming YANG1, Jun-zhou LUO1

  1. School of Computer Science and Engineering, Southeast University, Nanjing 210096, China
  2. School of Computer Science & Technology, Nanjing University of Posts and Telecommunications, Nanjing 210023, China
  • Online: 2015-12-25 Published: 2017-07-17
  • Supported by:
    The National Natural Science Foundation of China; The National Natural Science Foundation of China; The National Key Technology R&D Program of China

Key words: privacy protection, access control, purpose-based, identity-based encryption

Abstract:

Because it contains a large amount of personal privacy information, the medical big data formed in the health care industry faces potential threats from both external attacks and internal data leakage. However, traditional access control technology does not take into account the important role that a user's access purpose plays in access control schemes that emphasize data privacy, and existing symmetric and asymmetric encryption technologies both suffer from complex key and certificate management. To address these problems, a novel access control scheme based on the PBAC model and IBE encryption technology is proposed, which provides flexible access control over encrypted medical data. By introducing the concept of conditioned purpose, the PBAC model is extended to achieve full coverage of purpose trees. Furthermore, the scheme uses the patient ID, a conditioned bit and the intended purpose as the IBE public key with which a patient's data are encrypted. Only users who pass authentication and whose access purposes conform to the intended purposes can obtain the corresponding private keys and the encrypted data, and thereby access the patient's information. Experimental results show that the scheme achieves the goals of fine-grained access control and privacy protection with high performance.
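The key-release decision described in the abstract can be sketched as follows. This is an added example, not code from the paper: the purpose tree, the length-prefixed identity encoding, the meaning given to the conditioned bit (an extra `condition_met` requirement) and the HMAC stand-in for the IBE Extract step are all assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed purpose tree (child -> parent); node names are illustrative.
PARENT = {
    "treatment": "general", "research": "general",
    "emergency": "treatment", "routine-care": "treatment",
    "clinical-trial": "research",
}

def complies(access_purpose: str, intended_purpose: str) -> bool:
    """True if the access purpose is the intended purpose or one of its descendants."""
    node = access_purpose
    while node is not None:
        if node == intended_purpose:
            return True
        node = PARENT.get(node)
    return False  # unknown or unrelated purposes are denied by default

def ibe_identity(patient_id: str, conditioned_bit: int, intended_purpose: str) -> bytes:
    """Assumed encoding: length-prefixed fields, so distinct triples never share bytes."""
    if conditioned_bit not in (0, 1):
        raise ValueError("conditioned bit must be 0 or 1")
    out = b""
    for field in (patient_id, str(conditioned_bit), intended_purpose):
        raw = field.encode("utf-8")
        out += len(raw).to_bytes(2, "big") + raw
    return out

class KeyGenerator:
    """Releases a per-identity private key only after the purpose check passes."""
    def __init__(self, master_secret: bytes):
        self._master = master_secret

    def extract(self, authenticated, access_purpose, patient_id,
                conditioned_bit, intended_purpose, condition_met=False):
        if not authenticated:
            raise PermissionError("user not authenticated")
        if not complies(access_purpose, intended_purpose):
            raise PermissionError("access purpose does not conform")
        # Assumption: bit 1 means an extra condition must also hold.
        if conditioned_bit == 1 and not condition_met:
            raise PermissionError("condition not satisfied")
        identity = ibe_identity(patient_id, conditioned_bit, intended_purpose)
        # Stand-in for IBE Extract (a real scheme derives the key with pairings).
        return hmac.new(self._master, identity, hashlib.sha256).digest()
```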
