A System to Access Online Services with Minimal Personal Information Disclosure

The General Data Protection Regulation highlights the principle of data minimization, which means that only data required to successfully accomplish a given task should be processed. In this paper, we propose a Blockchain-based scheme that allows users to have control over the personal data revealed when accessing a service. The proposed solution does not rely on sophisticated cryptographic primitives, provides mechanisms for revoking the authorization to access a service and for guessing the identity of a user only in cases of need, and is compliant with the recent eIDAS Regulation. We prove that the proposed scheme is secure and reaches the expected goal, and we present an Ethereum-based implementation to show the effectiveness of the proposed solution.

[1]  Thomas Zefferer,et al.  Privacy-preserving attribute aggregation in eID federations , 2019, Future Gener. Comput. Syst..

[2]  Jongwoo Kim,et al.  Breaking the Privacy Kill Chain: Protecting Individual and Group Privacy Online , 2018, Information Systems Frontiers.

[3]  Ioannis Karamitsos,et al.  Design of the Blockchain Smart Contract: A Use Case for Real Estate , 2018 .

[4]  Dong-Hee Shin,et al.  The effects of trust, security and privacy in social networking: A security-based approach to understand the pattern of adoption , 2010, Interact. Comput..

[5]  André Ricardo Abed Grégio,et al.  ControlChain: Blockchain as a Central Enabler for Access Control Authorizations in the IoT , 2017, GLOBECOM 2017 - 2017 IEEE Global Communications Conference.

[6]  Rui Guo,et al.  Secure Attribute-Based Signature Scheme With Multiple Authorities for Blockchain in Electronic Health Records Systems , 2018, IEEE Access.

[7]  Hideki Imai,et al.  Dual-Policy Attribute Based Encryption , 2009, ACNS.

[8]  Xiaohui Liang,et al.  Attribute based proxy re-encryption with delegating capabilities , 2009, ASIACCS '09.

[9]  Dong-Hee Shin,et al.  The effects of security and traceability of blockchain on digital affordance , 2020, Online Inf. Rev..

[10]  Daniel Slamanig,et al.  PRISMACLOUD Tools: A Cryptographic Toolbox for Increasing Security in Cloud Services , 2016, 2016 11th International Conference on Availability, Reliability and Security (ARES).

[11]  Laura Ricci,et al.  Blockchain Based Access Control , 2017, DAIS.

[12]  Jie Wu,et al.  Hierarchical attribute-based encryption for fine-grained access control in cloud storage services , 2010, CCS '10.

[13]  Yaling Zhang,et al.  A Blockchain-Based Framework for Data Sharing With Fine-Grained Access Control in Decentralized Storage Systems , 2018, IEEE Access.

[14]  Jae Kyu Lee,et al.  Reconciliation of Privacy with Preventive Cybersecurity: The Bright Internet Approach , 2020, Inf. Syst. Frontiers.

[15]  Don D.H. Shin,et al.  Blockchain: The emerging technology of digital trust , 2019, Telematics Informatics.

[16]  David F. Ferraiolo,et al.  Guide to Attribute Based Access Control (ABAC) Definition and Considerations , 2014 .

[17]  Anas Abou El Kalam,et al.  FairAccess: a new Blockchain-based access control framework for the Internet of Things , 2016, Secur. Commun. Networks.

[18]  Brent Waters,et al.  Attribute-based encryption for fine-grained access control of encrypted data , 2006, CCS '06.

[19]  Mohammed Ibahrine,et al.  The socio-technical assemblages of blockchain system: how blockchains are framed and how the framing reflects societal contexts , 2020 .

[20]  B. V. Alsenoy General Data Protection Regulation , 2019, Data Protection Law in the EU: Roles, Responsibilities and Liability.

[21]  Brent Waters,et al.  Fuzzy Identity-Based Encryption , 2005, EUROCRYPT.

[22]  Melanie Swan,et al.  Blockchain: Blueprint for a New Economy , 2015 .

[23]  Donghee Shin,et al.  Prospectus and limitations of algorithmic governance: an ecological evaluation of algorithmic trends , 2019, Digital Policy, Regulation and Governance.

[24]  Antonio F. Gómez-Skarmeta,et al.  Protecting personal data in IoT platform scenarios through encryption-based selective disclosure , 2018, Comput. Commun..

[25]  Brent Waters,et al.  Ciphertext-Policy Attribute-Based Encryption , 2007, 2007 IEEE Symposium on Security and Privacy (SP '07).

[26]  Dong Kun Noh,et al.  Attribute-Based Access Control with Efficient Revocation in Data Outsourcing Systems , 2011, IEEE Transactions on Parallel and Distributed Systems.

[27]  Hector Marco-Gisbert,et al.  Assessing Blockchain Consensus and Security Mechanisms against the 51% Attack , 2019, Applied Sciences.