摘要
将用户同意与访问控制相结合是解决隐私保护的主要方法之一.然而,现有的隐私保护访问控制方法仅从数据控制者的角度,不考虑个人对访问决策的参与,无法满足自主可控的需求.为了解决这个问题,本文提出了一种基于用户同意的隐私保护访问控制协议,将用户同意转化为一种同意权限,形成一种同意加授权的双重访问控制机制.本文给出协议的语法、语义及安全性定义和分析,并采用模型检测的方法对协议应满足的性质进行验证,最终证明本文的设计可以从访问控制的角度满足个人信息保护法规的要求.
The combination of user consents and access control is one of the main approaches to address privacy pro⁃tection today.However,most of privacy protection access control approaches are from the perspective of the data control⁃ler,without considering individual participation in access decisions,and can not meet the need for privacy protection in terms of autonomy and control.In order to solve this problem,this paper proposes a privacy-preserving access control pro⁃tocol based on user consents,which transforms user consents into a kind of consent authority and forms a dual access con⁃trol mechanism of consent plus authorization.The syntax,semantics and security of the protocol are defined and analyzed.The properties that the protocol should satisfy are verified with the model checking method,which finally proves that the de⁃sign of this paper can comply with personal information protection regulations from the perspective of access control.
作者
马丽
姜火文
彭云
MA Li;JIANG Huo-wen;PENG Yun(School of Big Data Science,Jiangxi Science&Technology Normal University,Nanchang,Jiangxi 330038,China;School of Digital Industry,Jiangxi Normal University,Nanchang,Jiangxi 330022,China)
出处
《电子学报》
EI
CAS
CSCD
北大核心
2023年第7期1842-1849,共8页
Acta Electronica Sinica
基金
江西省社会科学基金项目(No.21TQ08D)
江西省高校人文社会科学研究项目(No.JC22115)
江西省自然科学基金项目(No.20224BAB202013)。
