Journal of the Korea Institute of Information Security & Cryptology (정보보호학회논문지)

Korea Institute of Information Security and Cryptology (한국정보보호학회)
권호 표지
DOI QR코드

DOI QR Code

A Policy-based Privacy Authorization System in the Internet Environment

인터넷 환경용 정책 기반 프라이버시 인가 시스템

  • Published : 2006.12.31
Download PDF
⟨ Previous Next ⟩

Abstract

In the Internet era, enterprises want to use personal information of their own or other enterprises' subscribers, and even provide it to other enterprises for their profit. In this paper, a privacy authorization system for personal information based on privacy policies of users and enterprises is designed and implemented. Privacy policies of users and enterprises are described in XACML. Also, components of policy in XACML 2.0 such as Purpose, Obligation are suitable for expressing privacy policy. A prototype of privacy authorization system is implemented by modifying and extending the SUNXACML 1.2, a Sun's implementation of XACML 1.0 and some features of XACML 2.0, and GUI tools for composing and verifying are also developed.

인터넷에서 기업의 정보시스템은 기업이 보유하고 있는 개인정보와 다른 기업에 저장 유지되는 개인정보를 개인이나 기업의 이익을 위해 사용한다. 본 논문은 개인정보 제공자인 사용자와 개인정보 활용자인 기업의 프라이버시 정책을 기반으로 개인정보에 대한 접근을 통제하는 프라이버시 인가 시스템을 설계하고 구현한다. 제안된 프라이버시 인가 시스템은 OASIS에서 제정한 인가정책 기술언어 표준인 XACML을 이용하여 프라이버시 보호 정책을 기술한다. 프라이버시 인가시스템은 XACML 1.0 스펙과 일부 XACML 2.0 스펙을 구현한 Sun사의 SUNXACML 1.2 패키지를 수정 및 확장하여 프라이버시 인가 시스템은 구현되었으며 프라이버시 보호 정책 설정과 점검을 위한 GUI 개발 도구 및 시험 도구도 함께 개발되었다.

Keywords

References

  1. Christine Varney, Hogan & Hartson, 'Privacy and Security Best Prac tices,' Liberty Alliance Project, November 12, 2003
  2. Abdelmounaam Rezgui, Athman Bouguettaya, Mohamed Y. Eltowe issy, Virginia Tech, 'Privacy on the Web: Facts, Challenges, and Solu tions,' IEEE Security and Privacy (Vol. 1, No. 6), 2003
  3. Samuel D. Warren, Louis D. Brandeis, 'The Right to Privacy,' Harvard Law Review, 1980
  4. Lorrie Faith Cranor, 'Web Privacy with P3P,' AT&T, 2002
  5. Computer Science and Telecommuni cations Board (CSTB), 'Who Goes There?: Authentication Through the Lens of Privacy,' The National Academies, 2003. http://www.nap. ed u/catalog/10656.html
  6. Magnuson, G., Reid, P. 'Privacy and Identity Management Survey,' IAPP Conference, 2004
  7. Hyang-Chang Choi, Seung-Yong Lee, Hyung-Hyo Lee, 'PIMS: An Access-Control based Privacy Model for Identity Management Systems,' GESTS International Transaction on Computer Science and Engineering, Vol.9 and No.1(ISSN 1738-6438), 2005
  8. OASIS, 'eXtensible Access Control Markup Language (XACML) Version 1.0,' OASIS Committee Specification (T. Simon Godik, editor), 2003
  9. OASIS, 'eXtensible Access Control Markup Language (XACML) Version 2.0,' OASIS Committee Specification (T. Moses,editor), 2005
  10. Sun, 'Sun's XACML Implementa tion,' January 7, 2005. http:// sunxac ml.sourceforge.net/
  11. 'OECD: Guidelines on the Prote ction of Privacy and Transborder Flows of Personal Data,' Orga nisation for Economic Co-Operation and Development, 1981
  12. 'RAPID: Roadmap for Advanced Research in Privacy and Identity Management,' RAPID Project, 2001, http://www.ra-pid.org
  13. 'PRIME: Privacy and Identity Management for Europe Date of preparation,' PRIME Project, 2004, http://www.prime-project. eu.org/
  14. Paul Ashley, Satoshi Hada, Gunter Karjoth, Calvin Powers, Matthias Schunter 'Enterprise Privacy Authorization Language (EPAL 1.2),' W3C, 2003, http://www.w3. org /Submission/2003/SUBM-EPAL- 20031110
  15. Lorrie Faith Cranor, 'Web Privacy with P3P,' AT&T, 2002
  16. 'P3P 1.0: The Platform for Privacy Preferences 1.0 Specification,' W3C, 2002, http://www.w3.org/TR/P3P/
  17. G. Karjoth, M. Schunter, E. Van Herreweghen, and M. Waidner, 'Amending P3P for Clearer Privacy Promises,' 14th International Workshop on Database and Expert Sys tems Applications, 2003
  18. P. Ashley, S. Hada, G. Karjoth, M. Schunter, 'E-P3P: Privacy Policies and Privacy Authorization,' WPES, November 2002
  19. Anne Anderson, Sun Microsystems, 'XACML Profile for Role Based Access Control (RBAC),' OASIS, February 2004
  20. M. Mealing, R. Denenberg, Uniform Resource Identifiers(URIs), URLs, and Uniform Resource Names(URN s): Clarifications and Recommen dations, http://www. ietf.org/rfc/rfc33 05.txt, RFC 3305, August 2002
  21. 최향창, 이형효, 노종혁, 진승헌 '정책 기반 프라이버시 보호시스템 설계 및 구현,' 한국정보과학회 정보보호 연구회지, 2005
  22. 최향창, 이용훈, 노봉남, 이형효, 조상래, 진 승헌,' ID관리시스템에서의 프라이버시 보호,' 한국정보보호학회지 1598-3978 제14권6호, pp.82-93, 2004