
[IEEE 2014 International Conference on Computer and Information Sciences (ICCOINS) - Kuala Lumpur, Malaysia (2014.6.3-2014.6.5)]

Access control and privacy in MANET emergency environment

Asmidar Abu Bakar, Department of System and Networking, College of Information Technology, Universiti Tenaga Nasional, 603-89212352, [email protected]

Azimah Abdul Ghapar, Department of System and Networking, College of Information Technology, Universiti Tenaga Nasional, 603-89212328, [email protected]

Roslan Ismail, Department of Software Engineering, College of Information Technology, Universiti Tenaga Nasional, 603-89212338, [email protected]

Abstract— Mobile ad hoc networks (MANETs) cultivate a new research trend in today's computing. Unique features such as scalability, fault tolerance and autonomy enable a network to be set up with or without any trusted authority. This makes MANETs suitable for emergency and rescue operations. During an emergency, data needs to be shared with the rescuers. However, some personal data cannot be shared with all rescuers. Thus, the privacy and security of data become a main concern. This paper addresses these issues with a combination of an access control mechanism and a privacy policy to ensure that the privacy and security of personal data are protected accordingly.

Keywords—Access Control, Privacy, MANET, Emergency

I. INTRODUCTION

Mobile ad-hoc networks (MANETs) have been used as a network structure for supporting communication and information sharing during emergency situations [1]. Organizations involved in rescue operations, such as fire departments, police departments and medical organizations, acknowledge that the flow of information throughout the disaster cycle is extremely crucial for effective humanitarian operations [2]. Therefore, the individuals involved in the operations within these organizations require collaboration among themselves to allow information to be shared effectively during the rescue operation. Scalavino et al. [3] quote the example of a massive car accident in the Mont Blanc Tunnel in 1999, which caused the death of 39 people. In the rescue operation many agencies gathered and formed rescue teams to handle the situation. In such an emergency incident, the information that rescuers need to exchange, and that must be protected among the various agencies, includes personal and medical information of the victims, information on the tunnels and sewer plants, information on affected housing areas, information on the state of the accident and details of the rescue operation itself. The information received from the center of operations, or gathered and collected during a rescue mission, must be secured and kept private among the rescuers; it cannot simply be broadcast to the public. This is crucial in order to avoid panic and the spreading of rumors, which lead to information inconsistency.

According to Yao [4], during emergency situations, whether natural or technological disasters, traditional central command or control models are either unavailable or too rigid for urgent information sharing, and hence fail to support adequate data access across organizations. Furthermore, conventional authorization systems are designed to support the need for intra-domain information access. In a crisis situation, the need for inter-organizational information sharing is high, since many organizations need to use information from others to do the rescue work. Furthermore, information is required to make decisions. Requests for sensitive information may come from outside the organization and from unknown nodes. Restricting access to information during a disaster is therefore very appealing: in a chaotic environment like a disaster, proper restrictions on what can be accessed, who can access it and how to access the information securely are really required. For example, a doctor requires access to a victim's records to know the victim's health history, so that proper treatment can be given. The doctor may be from Hospital A and not have access to the victim's record that is kept by another Hospital B. In order to allow the doctor from Hospital A to access the information required, a proper access control model with privacy features is required, so that the victim's record is not exposed to malicious nodes. Why privacy? Privacy is related to one's sensitive data, also known as Personal Identifiable Information (PII) or Personal Health Information (PHI), such as blood type, medical reports, etc. It relates to an individual's right to determine how, when and to what extent information about the person can be released to another person or organization [5]. Table 1 shows the security services for emergency response communication based on MANET [1]; nevertheless, based on this literature, none of the current works provide security services such as privacy, data integrity, authentication and access control.

978-1-4799-0059-6/13/$31.00 ©2014 IEEE.

TABLE 1: SECURITY SERVICES FOR EMERGENCY RESPONSE COMMUNICATIONS [1]

Proposed Scheme                     | Available service | Required security services
Ambient Intelligent Framework       | None              | Privacy, Data Integrity, Authentication, Access Control
Government Controlled Safety System | None              | Privacy, Data Integrity, Authentication, Access Control
DUMBONET                            | None              | Privacy, Data Integrity, Authentication, Access Control
SAFIRE                              | None              | Privacy, Data Integrity, Authentication, Access Control
Public Safety System                | None              | Privacy, Data Integrity, Authentication
Post-Disaster Communication System  | None              | Authentication

Based on these findings, we acknowledge the importance of incorporating privacy as part of the security services, together with the other security services. Consequently, this research integrates a privacy policy with an access control model so that it can ensure the security of the information and preserve the privacy of users' data in emergency situations. The rest of the paper is organized as follows. Section 2 covers access control, while Section 3 presents information on privacy. Our proposed work is presented in Section 4. A summary of our work is presented in Section 5.

II. ACCESS CONTROL

Access control has been successful in blocking out unwanted viewers; hence the security of data can be achieved using a suitable access control model. Nevertheless, access control alone is lacking in protecting the privacy of users at large [23]; hence, a comprehensive solution for restricting access to information during an emergency requires a privacy policy to be embedded with the access control policies. This will ensure that access to sensitive information is secure and preserves one's privacy. Access control can be defined as "a process to determine who does what to what based on a policy" [6]. It can also be defined as restricting access to the system or system resources based on something other than the identity of the user [6]. Hansen et al. [7] define access control as restricting the availability of data and resources accessible by users in a system; it is enforced to prevent unauthorized access that may breach an organization's security objectives. The aim of access control is to ensure the confidentiality and integrity of the information. This means that access cannot simply be given to anybody and the content cannot simply be modified illegally [8]. Access to information is vital regardless of location, time and computing environment [9]. In a wired environment with fixed infrastructure, controlling access to information can be done easily, since nodes are static and, most of the time, known in advance. In a wireless environment, however, nodes are mobile and dynamic, which makes the controlling process harder. Why is it important to control access to information? Information is crucial for decision-making. Access to correct and verified information means that not just anyone can have access to the information storage. This prevents tampered and incorrect information from being deposited into the information storage, which would cause incorrect decisions due to the use of wrong information.

A. Access Control Techniques

To access an object in an access control model, an access control technique is required. Among the techniques are Access Control Matrix (ACM), Access Control List (ACL), Access Control Capability (ACC), Role-Based Access Control (RBAC), Policy/Rule Based Access Control (PBAC), Restricted Interface (RI) and Content-Dependent Access Control (CDAC). Apart from these, there are also techniques derived from the military, which are Discretionary Access Control (DAC), Mandatory Access Control (MAC), Context Based Access Control (CBAC), View Based Access Control (VBAC) and Identity/User Based Access Control (IBAC) [6]. Recently, a technique for accessing objects based on trust, known as Trust Based Access Control (TBAC), has been introduced by many researchers [10][11][12][4][8]. TBAC is proposed for distributed systems, pervasive computing and mobile environments, where using identity alone as node identification to gain access to resources or information is no longer valid due to users' anonymity and mobility.

III. PRIVACY

The vast amount of personal information available in today's global infrastructure has led to growing concerns about the privacy of the user. Privacy is defined as the "right to be alone" by Brandeis and Warren [14]. Alan [13] defines privacy as the ability of people to determine "when, how and to what extent information about themselves is communicated to others". Brandeis and Warren focused on the implications of the information being used, while Alan focused on information access. Zhang defines privacy as the assurance that certain information is hidden from certain participants [15]. The concept of privacy can be classified into three aspects [16]:

• Territorial privacy, which protects the close physical area surrounding a person, such as a workspace.
• Privacy of the person, which protects a person against undue interference, such as physical searches or drug testing.
• Information privacy, which controls whether and how personal data can be gathered, stored, processed or selectively disseminated.

A. Privacy requirements that should be incorporated in an access control model [26]

• Openness – policies and privacy practices should be transparent and fully understandable for all parties.
• Individual control – users should be able to specify who can see what information about them and when.
• Collection limitation – parties collecting personal data for the purposes of a transaction must gather no more data than what is strictly needed for carrying out the transaction itself.
• Purpose specification – those who collect and disseminate personal data must specify the purposes for which they need these data. Collected data must therefore be used only for the specified purposes.
• Consent – users should be able to give their explicit and informed consent on how their personal data are used.
• Data quality – those who collect and disseminate personal data must maintain accurate information. Users should therefore be able to verify their personal information and modify it when needed.
• Data security – adequate security mechanisms for data protection have to be applied, according to the sensitivity of the collected personal data.

B. Related work on access control and privacy

Many authors integrate purpose in strengthening their access control model in order to express privacy [17][18][19][20][21][22]. Sun et al. [17] use the notion of purpose as a major element of their proposed access control model, and an appropriate metadata model was developed to support privacy. Byun et al. [18][19] preserve privacy using the notion of purpose. In this model, the purpose information attached to a given data element specifies the intended use of that data element; the key feature of the model is that it allows multiple purposes to be associated with each data element in order to achieve privacy. Emilin et al. [20] emphasize that traditional access control cannot provide privacy and propose a solution based on intended purposes in object relational database systems. Yang et al. [21][22] focus on preserving privacy in a data sharing computing environment. They propose a notion of purpose divided into two categories, intended purpose and access purpose, and claim that the privacy policy should ensure that data can only be used for its intended purpose and that the access purpose should be compliant with the data's intended purpose. However, neither work shows how the privacy policy is successfully proven. Ardagna et al. [26] propose a privacy-aware access control system that integrates access control policies with privacy policies called data handling policies. Such a policy regulates how PII will be handled by the receiving parties. Their work restricts access by ensuring the desired level of privacy of information exchanged between different parties and by controlling access to services or resources according to this situation. They also address all secondary uses of information disclosed for the purpose of access control enforcement. Askarova et al. [27], on the other hand, use purpose to investigate how access control policies can be defined and enforced during requirements modeling.

IV. PROPOSED WORK

In our work, a MANET is defined as a temporary network structure set up by groups of existing rescue personnel, such as policemen, firemen, army or paramedics, during emergency services (ERM). Nodes in the groups are initially configured before the actual network is established. This network has gateways to fixed infrastructure, as illustrated in Figure 1 below.

Fig 1: Gateway MANET

We enhance our access control model, known as Group Based Access Control (GBAC) [24][25], by incorporating privacy policies together with the access policy. The goal is to achieve privacy with regard to accessing sensitive data such as PII or PHI. In this work, we focus on Group Medical, since this group handles the sensitive data. We define privacy as below:

Definition 1: Privacy is the ability of sensitive data, either PII or PHI, to be accessed by a validly authenticated and authorized requester within the timeframe of the emergency.

We use time as the main context to determine the accessibility of PII or PHI data. Time is a crucial factor in an emergency; hence we add this requirement to the existing requirements stated in [26]. Time to access data and data accessed in a timely manner are two important features with regard to emergencies [28]. The first feature indicates that, during an emergency, data must be accessible only within the timeframe of the emergency; the second feature states that data must be retrievable as fast as possible during the emergency. Below, a brief explanation of GBAC is presented.

A. The Group Based Access Control (GBAC) Model

The GBAC model extends the idea of role in RBAC by introducing the group-role and user-role concepts. In RBAC, users are grouped into roles and each such group is associated with a number of privileges/permissions. In GBAC, the group-role (G_R) refers to the role that each group is assigned prior to the temporary network setup at the ERM. These groups already exist prior to the ERM, such as groups of army, policemen, firemen and paramedics. For example, the role of Group Medical is to give early treatment to the victims at the disaster area, while the role of Group Policemen is to ensure the disaster area is well protected from unwanted intrusion. Hence, in GBAC, the rescue groups are differentiated, or grouped, based on their tasks during the ERM.

The user-roles (U_R) determine the roles that each user in the group performs based on their core task in the group. In this model, there are two types of users: the leader, known as the Master Group (MG), and the members (M) of each group. These users are differentiated based on the user-role relationship. For example, the role of the MG in each group is to coordinate and monitor the members that belong to the group. The MG is also responsible for storing all information related to the group role. Besides that, the MG is responsible for attending to requests for information from its own group and from other groups in the network. The information refers to that collected by its own members or by members of other groups during the ERM, and to existing information received or obtained prior to the network setup at the ERM. The MG also acts as a central authority (CA) or root authority (RA) for each group, similar to the wired network.

In order for GBAC to work smoothly in emergency, the following are required:

• All nodes in existing groups need to be registered with their CAs/R-CA prior to network setup. The registration is done off-line.

• In each group, MG is selected prior to ERM at the rescue area.

• The public key for each MG is known to all groups/members at ERM.

• Prior to network setup at ERM, MG for each group is selected by the R-CA

• MGs in ERM trust each other

• All MGs are accessible during ERM

At the ERM, members of the group are required to re-register with the selected MG. For example, in the policeman group (GP), members of GP re-register with MG_P. Registration is required to control and monitor the members involved during the rescue operation at the emergency area. This process also ensures that trust is obtained hierarchically from top to bottom, as in the HPKI approach. This re-registration also allows members to request information held by each MG or by other MGs in the ERM. The registration process is conducted offline prior to the ERM.

B. Access Control Policy in the GBAC Model

The access control policy (ACP) in the GBAC model is derived from the group-role and user-role relationships. G_R determines which information is accessible between groups. The U_R relationship determines the action on information received between MG and M. Examples of actions (A) are "Read" (R), "Write" (W) and "Delete" (D). Members are assumed to be homogeneous, meaning that there is no differentiation of user-role between members in the group. M can only "Read" the information; only the MG is authorized for the other actions. The policies are stated in the definitions below.

Definition 2: For all members in Group P or Group F, they can READ objects related to security and general info.

• ∀ M ∈ GP ∪ GF: A = R, O = Os ∪ Og

Definition 3: For all Master Groups in Group P or Group F, they can READ and WRITE objects related to security and general info.

• ∀ MG ∈ GP ∪ GF: A = R, W, O = Os ∪ Og

Definition 4: For all members in Group M, they can READ only objects related to medical and general info.

• ∀ M ∈ GM: A = R, O = Os ∪ Og

Definition 5: For all Master Groups in Group M, they can READ and WRITE objects related to medical and general info.

• ∀ MG ∈ GM: A = R, W, O = Os ∪ Og

These policies are kept by each MG in a group. The MG assigns READ access to members, meaning that a copy of the information is given to the member for doing the rescue work. Any new information on territorial, security, medical or general matters collected during the ERM is updated by the MG of the group using WRITE actions. Any change made to the object erases the old contents, and only the MG has this authorization. These policies ensure that information integrity is preserved in the ERM.

C. Privacy Policy

As stated earlier, the MG collects all information related to its group prior to the network setup at the ERM. To allow dynamic access to PHI and, at the same time, preserve the privacy of PHI governed by the local hospital where the ERM takes place (we assume that the local hospital keeps the victims' records at the disaster area), a new policy needs to be added. The request for PHI data comes from the MG of the medical group to the hospital where the victims are registered. The admin at the hospital needs to check the time at which the emergency occurred. If the request from the MG to the admin is made within the emergency timeframe, and the MG is proven authenticated, access to PHI/PII is allowed. The new policy is stated below.


Definition 1: For an MG in Group Medical (GM) at the ERM, access (R)/(W) to the medical data of the victims is allowed if the MG is a valid, authenticated MG and the access request for PHI/PII is within the timeframe of the emergency.

• ∀ MG ∈ GM: t = Emergency

For members in GM, the policy is amended by adding the timeframe of the emergency to the existing access control policy. This is stated in Definition 2 below.

Definition 2: For all members in Group M, they can READ only objects related to medical and general info within the timeframe of the emergency.

• ∀ M ∈ GM: A = R, O = Os ∪ Og, t = Emergency

D. Access Scenario for Group Medical

The scenario below illustrates access to PHI during the ERM.

"Doctor A (Doc A), belonging to GM at the ERM, requests Patient A's record from Hospital X (Hos X). Hos X needs to verify that Doc A is a valid doctor, and Hos X also needs to verify that access to the requested information is within the timeframe of the emergency."

In our case, we assume Doc A is registered with the local hospital where the ERM takes place and that Doc A is the MG of Group Medical (GM). The interaction between the Admin (Hos X) and Doc A (MG) is illustrated in Figure 2 below.

Fig 2: Message sequence between MG and Admin

The MG submits the tag that belongs to the claimed hospital, and the Admin of the hospital cross-checks the tag. If the tag is valid, the admin then needs to ensure that the request for medical data is made within the emergency timeframe. For example, if the emergency event occurs from 7 am to 7 pm, access to PHI must be made within this timeframe. If the request is sent beyond the timeframe of the event, the access will not be considered. This is applicable in both situations: MG to admin, and member (M) to MG. As shown in Figure 3, a member is authenticated by its master group, and the request is served and access given upon authentication and within the emergency timeline. The interaction (sending and receiving of information) is encrypted to ensure that data confidentiality and integrity are well preserved. This ensures the proposed model meets the security properties.

Fig 3: Message sequence between MG_M and M
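The access control policy of Definitions 2-5 and the time-bounded privacy policy of Section C, evaluated together for the Doc A / Hospital X scenario above, as an added Python example that is not part of the paper. Group, role and object-class names follow the paper; the HMAC-based tag, the registration key and all requester names are assumptions made for illustration.

```python
"""Constructed example of the GBAC access policy (Definitions 2-5) combined
with the time-bounded privacy policy of Section IV.C.  Not the paper's code;
the tag format, key handling and all names are assumptions for illustration."""
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime

# Object classes named in the definitions: security (Os), general (Og), medical (Om).
OS, OG, OM = "Os", "Og", "Om"
# Rescue groups (police, fire, medical) and the two user-roles of the model.
GP, GF, GM = "GP", "GF", "GM"
MEMBER, MASTER = "M", "MG"

# Access control policy (ACP): (group-role, user-role) -> (actions, object classes).
# Members may only READ; only the Master Group (MG) may also WRITE.
ACP = {
    (GP, MEMBER): ({"R"}, {OS, OG}),        # Definition 2
    (GF, MEMBER): ({"R"}, {OS, OG}),        # Definition 2
    (GP, MASTER): ({"R", "W"}, {OS, OG}),   # Definition 3
    (GF, MASTER): ({"R", "W"}, {OS, OG}),   # Definition 3
    (GM, MEMBER): ({"R"}, {OM, OG}),        # Definition 4 (medical and general)
    (GM, MASTER): ({"R", "W"}, {OM, OG}),   # Definition 5 (medical and general)
}


@dataclass(frozen=True)
class Emergency:
    """Timeframe of the emergency, e.g. 7 am to 7 pm in the paper's example."""
    start: datetime
    end: datetime

    def covers(self, t: datetime) -> bool:
        return self.start <= t <= self.end


@dataclass(frozen=True)
class Requester:
    ident: str
    group: str
    role: str
    tag: bytes   # issued at (re-)registration, cross-checked by Admin or MG


def issue_tag(key: bytes, ident: str, group: str, role: str) -> bytes:
    """Registration-time tag.  Assumption: an HMAC over the identity binding
    under a key held by the registering authority (R-CA for an MG, MG for an M)."""
    return hmac.new(key, f"{ident}|{group}|{role}".encode(), hashlib.sha256).digest()


def verify_tag(key: bytes, r: Requester) -> bool:
    expected = issue_tag(key, r.ident, r.group, r.role)
    return hmac.compare_digest(expected, r.tag)


def decide(key: bytes, r: Requester, action: str, obj_class: str,
           sensitive: bool, t: datetime, emergency: Emergency) -> tuple[bool, str]:
    """Evaluate one request.  `sensitive` marks PHI/PII objects, which the
    privacy policy additionally binds to the emergency timeframe."""
    # 1. Authentication: the tag must verify before any policy is consulted.
    if not verify_tag(key, r):
        return False, "tag invalid"
    # 2. Access control policy: group-role decides the object classes,
    #    user-role decides the permitted actions.
    rule = ACP.get((r.group, r.role))
    if rule is None:
        return False, "no policy for this group/role"
    actions, objects = rule
    if obj_class not in objects:
        return False, f"{r.group} may not access {obj_class}"
    if action not in actions:
        return False, f"{r.role} in {r.group} may not {action}"
    # 3. Privacy policy: PHI/PII only within the timeframe of the emergency
    #    (Definitions 1 and 2 of Section IV.C); general info is not time-bound.
    if sensitive and not emergency.covers(t):
        return False, "request outside the emergency timeframe"
    return True, "granted"


def run_scenario() -> dict[str, tuple[bool, str]]:
    """The Doc A / Hospital X scenario of Section IV.D with constructed values."""
    key = b"constructed registration key"          # held by the verifying authority
    emergency = Emergency(datetime(2014, 6, 3, 7, 0), datetime(2014, 6, 3, 19, 0))
    doc_a = Requester("DocA", GM, MASTER, issue_tag(key, "DocA", GM, MASTER))
    nurse = Requester("NurseB", GM, MEMBER, issue_tag(key, "NurseB", GM, MEMBER))
    officer = Requester("OfficerC", GP, MASTER, issue_tag(key, "OfficerC", GP, MASTER))
    # A tag issued under a different key stands in for an unregistered node.
    forged = Requester("DocA", GM, MASTER, issue_tag(b"other key", "DocA", GM, MASTER))
    during, after = datetime(2014, 6, 3, 10, 0), datetime(2014, 6, 3, 21, 0)
    return {
        "mg_reads_phi_in_time": decide(key, doc_a, "R", OM, True, during, emergency),
        "mg_reads_phi_late": decide(key, doc_a, "R", OM, True, after, emergency),
        "member_reads_phi_in_time": decide(key, nurse, "R", OM, True, during, emergency),
        "member_writes_phi": decide(key, nurse, "W", OM, True, during, emergency),
        "police_mg_reads_phi": decide(key, officer, "R", OM, True, during, emergency),
        "forged_tag": decide(key, forged, "R", OM, True, during, emergency),
        "general_info_late": decide(key, nurse, "R", OG, False, after, emergency),
    }


if __name__ == "__main__":
    for name, (ok, why) in run_scenario().items():
        print(f"{name:26s} {'ALLOW' if ok else 'DENY ':5s} {why}")
```

The tag check runs first so that a policy decision is never reached for an unregistered node, and general (non-PHI) information stays readable after the timeframe, which is the distinction Definitions 1 and 2 of Section C draw.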

E. Result of the Access

In our work, privacy and security are achieved based on four main factors, listed below.

i. Firstly, users (MG and M) are trusted. MGs are selected by the R-CA prior to the network setup at the ERM. Members of the groups are required to register with the MG prior to the ERM.

ii. Secondly, MG and M need to be authenticated before being granted access to the requested information/data. The MG was registered with the R-CA prior to the ERM, while M was registered with the MG. Both hold a tag which can be verified upon a request for information.

iii. Thirdly, based on the privacy definition, access to information is made within the emergency timeframe. This has been catered for in the privacy policies.

iv. The processes of acquiring and retrieving information are encrypted; hence the security properties, such as confidentiality and integrity, are well determined.

Data security, which is one of the privacy requirements stated in [26], is achieved via factors (i) and (ii), while data quality is achieved by factor (iv). Based on the additional factor, time is crucial during an emergency and is achieved by factor (iii). In our work, we did not consider other factors such as purpose, which has been proposed by many researchers, since the purpose of PHI/PII during an emergency is very clear: to save the injured victims. Therefore purpose in the emergency context is not relevant. We also did not consider location as an additional factor, since the network is set up at the emergency place and hence the location is known in advance. Other factors such as openness are known to all parties involved during the ERM via the policies. Consent and collection limitation are the two factors on which we need to do further research in our current solution. In our work we also do not consider different levels of access for M or MG (either physician or nurse), since during an emergency saving life is more important than 'who' can access the data. However, the restriction on which group accesses what data is still applicable, to ensure security and privacy are deliverable in this model.


V. SUMMARY

We extend our GBAC model to incorporate a privacy policy with the access policy, so that access to PHI/PII data is secured and preserves one's privacy. Time becomes an important factor in determining access to PHI/sensitive data. We presented our case using Group Medical, since it handles PHI/sensitive data.

REFERENCES

[1] Channa, M. I., & Ahmed, M. K. Emergency Response Communications and Associated Security Challenges. http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.174.8441, accessed on 5/10/2013.
[2] Plagemann, T., Munthe-Kaas, E., Skjelsvik, K. S., Puzar, M., Goebel, V., Johansen, U., et al. A Data Sharing Facility for Mobile Ad-Hoc Emergency and Rescue Applications. 27th International Conference on Distributed Computing Systems Workshops (ICDCSW'07) (2007).
[3] Scalavino, E., Russello, G., Ball, R., Gowadia, V., & Lupu, E. C. An Opportunistic Authority Evaluation Scheme for Data Security in Crisis Management Scenarios. ASIACCS'10, Beijing, China (2010).
[4] Yao, D. D. An Ad Hoc Trust Inference Model for Flexible and Controlled Information Sharing. Proceedings of the 2008 International Conference on Security Management (SAM 2008), Las Vegas, Nevada, USA (2008).
[5] Hung, P. C. K. Towards a Privacy Access Control Model for e-Healthcare Services. Proceedings of the Annual Conference on Privacy, Security and Trust (2004).
[6] Kizza, J. M. Access Control and Authorization. Computer Network Security, III, pp. 209-232 (2005).
[7] Hansen, F., & Oleshchuk, V. Spatial Role-Based Access Control Model for Wireless Networks. Vehicular Technology Conference (2003).
[8] Lang, B., Wang, Z., & Wang, Q. Trust Representation and Reasoning for Access Control in Large Scale Distributed Systems. 2nd International Conference on Pervasive Computing and Applications (2007).
[9] Back, T. P2P Information Sharing in Mobile Ad-hoc Networks. HUT T-110.551 Seminar on Internetworking (2005).
[10] Almenarez, F., Marin, A., Campo, C., & R, C. G. PTM: A Pervasive Trust Management Model for Dynamic Open Environments. First Workshop on Pervasive Security, Privacy and Trust (PSPT'04), in conjunction with Mobiquitous (2004).
[11] Adams, W. J., & Davis, N. J. Toward a Decentralized Trust-Based Access Control System for Dynamic Collaboration. Proceedings of the 2005 IEEE Workshop on Information Assurance and Security, United States Military Academy, West Point, NY (2005).
[12] Giang, P. D., Hung, L. X., Lee, S., Lee, Y.-K., & Lee, H. A Flexible Trust-Based Access Control Mechanism for Security and Privacy Enhancement in Ubiquitous Systems. 2007 International Conference on Multimedia and Ubiquitous Engineering (MUE'07) (2007).
[13] Westin, A. F. Privacy and Freedom. The Bodley Head Ltd (1970).
[14] Warren, S. D., & Brandeis, L. D. The Right to Privacy. Harvard Law Review, 4(5):193-220 (1890).
[15] Zhang, S. Privacy, Integrity and Incentive-compatibility in Computation with Untrusted Parties. PhD Thesis (2004).
[16] Yang, N. Formalism of Privacy Preserving Access Control. PhD Thesis (2010).
[17] Sun, L., & Wang, H. A Purpose Based Usage Access Control Model. International Journal of Computer and Information Engineering, 4:1 (2010).
[18] Byun, J. W., Bertino, E., & Li, N. Purpose Based Access Control of Complex Data for Privacy Protection. SACMAT'05, June 1-3, Stockholm, Sweden (2005).
[19] Byun, J. W., & Li, N. Purpose Based Access Control for Privacy Protection in Relational Database Systems. The VLDB Journal (2008).
[20] Emilin, C., Shyni, C., & Swamynathan, S. Purpose Based AC for Privacy Protection in Object Relational Database Systems. International Conference on Data Storage and Data Engineering (2010).
[21] Yang, N., Barringer, H., & Zhang, N. A Purpose-Based Access Control Model. Journal of Information Assurance and Security, 1 (2008).
[22] Yang, N., Barringer, H., & Zhang, N. A Purpose-Based Access Control Model. 3rd International Symposium on Information Assurance and Security (2007).
[23] Kagal, L., & Abelson, H. Access Control is an Inadequate Framework for Privacy Protection. W3C Privacy Workshop, 12 July (2010).
[24] Bakar, A. A., Ismail, R., Ahmad, A. R., & Manan, J.-l. A. Group Based Access Control Scheme (GBAC): Keeping Information Sharing Secure in Mobile Ad-Hoc Environment. Fourth International Conference on Digital Information Management (ICDIM 2009), Ann Arbor, Michigan, USA (2009).
[25] Bakar, A. A., Ismail, R., Ahmad, A. R., & Manan, J.-l. A. Group Based Access Control Scheme: Proof of Method for Secure Access Control Architecture in Mobile Ad-Hoc Network. Fourth International Workshop on Broadband and Wireless Computing, Communication and Applications (BWCCA 2009), in conjunction with iiWAS 2009 and MoMM 2009, Kuala Lumpur, Malaysia (2009).
[26] Ardagna, C. A., Cremonini, M., De Capitani di Vimercati, S., & Samarati, P. A Privacy-Aware Access Control System. Journal of Computer Security - 20th Annual IFIP WG 11.3 Working Conference on Data and Applications Security (DBSec'06), Vol. 16, Issue 4, pp. 369-397, IOS Press, Amsterdam, The Netherlands (2008).
[27] Askarova, S., Mukhatov, D., Sharipbayev, & Satybaldina, D. A Framework for the Privacy Access Control Model. Eleventh International Conference on Business Process Management, Beijing, China (2013).
[28] Better Faster Emergency Care: Improving Emergency Care and Access in Victoria's Public Hospitals. http://www.health.vic.gov.au-victoria, accessed on 1/4/2014.