Architectures for anonymous authorizations and audit data
Audit data are necessary to detect misuse. Privacy-friendly processing can be achieved by anonymization or pseudonymization. Based on models, desirable properties of anonymization are explained. Well-known approaches for the subsequent anonymization of audit data are presented briefly.
A visit to the zoo
Security measures in the digital world are usually modeled on security measures that already exist in the real world. This may be because trust is ultimately always grounded in the real world, and security measures are needed precisely where the parties involved lack such trust. How trust is handled in the real world can be illustrated by the example of a student who wants to visit the zoo. The zoo appears here as a service (provider) and offers free admission to students. Non-students could try to obtain a financial advantage by passing themselves off as students at the zoo box office. The student ID card acts as a certified property statement: it assigns the property "student" to the name of the statement's subject. The zoo box office accepts this certified property statement if the university named on it is accepted as an issuer, the photo matches the person presenting it, the student ID has not yet expired, and it looks "real".
When the zoo box office accepts the student ID, it authorizes the presenter to pass the zoo entrance. The zoo box office issues this authorization in the form of an admission ticket. The authorization contains a ticket number assigned to the customer; it notes that the authorization entitles the holder to zoo entry and which box office issued it; and it carries validation information such as a period of validity and hard-to-forge authenticity features. Since the ticket contains no information for authenticating the person entitled to admission, it is in principle transferable.
After entering the zoo, the visitor will notice a sign indicating which behavior is prohibited in the zoo. First and foremost: do not annoy the monkeys, probably because they could take revenge with banana peels. At critical points (at the monkey enclosure), the zoo can post a guard who responds appropriately to detected rule violations.
In authorization architectures, individuals, computers and other actors in a distributed IT system are referred to as entities. A principal is a bit string that is uniquely assigned to exactly one entity as its surrogate in its application domain. An entity can have properties that security policies formulate as decision conditions. The term authentication in the model refers to the process and the result by which a responsible agent, acting as attester, certifies a statement about properties that relate to the entity and not to the service. The student ID card in section 1 served as an example of certifying the property "student". The term authorization in the model designates the process and the result by which a responsible agent, acting as authorizer, certifies a statement about service-specific permissions. The admission ticket issued in section 1 served as an example of an authorization entitling its holder to zoo entry.
In the basic model (see Fig. 1), when a receiver evaluates a certified property statement, it first determines the responsible agent from the component of the same name. The receiver then decides whether to trust this agent to have checked the properties described in the attribute component and to have correctly associated them with the principal of the right entity. Next, the validity component determines whether the property statement is still valid. The receiver then uses the authentication component to check whether the presenting entity corresponds to the subject component. Finally, the receiver interprets the attributes according to its own policy. The actors shown in Fig. 1 are the client, an attester, an authorizer and a service; in Kerberos, for example, they correspond to the client, the authentication server, the ticket-granting server and the service server.
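As an added illustration of the basic model (example code, not taken from the paper), the following Python sketch evaluates a certified property statement component by component; the `PropertyStatement` data class, the constructed trusted-issuer list and the zoo actors written as functions are assumptions. The box office acts as authorizer on the attester's student ID, and the entrance acts as service on the transferable ticket.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, Optional

# Assumed model of a certified property statement with the basic model's components:
# responsible agent, subject (principal), attributes, validity and authentication.
@dataclass(frozen=True)
class PropertyStatement:
    agent: str                     # responsible agent (attester or authorizer)
    subject: str                   # principal of the entity the statement refers to
    attributes: Dict[str, object]  # e.g. {"student": True} or {"permission": "zoo-entry"}
    valid_until: str               # validity component, ISO date
    authenticator: Optional[str]   # e.g. the photo on the ID card; None = transferable

def evaluate(stmt, presenter, today, trusted):
    """Receiver-side evaluation following the basic model. `trusted` maps an agent to the
    attribute names the receiver trusts it to certify. Returns the accepted attributes or
    raises ValueError naming the step that failed."""
    # Step 1: determine the responsible agent and decide whether to trust it for these attributes
    allowed = trusted.get(stmt.agent)
    if allowed is None or not set(stmt.attributes) <= allowed:
        raise ValueError("agent not trusted for these attributes")
    # Step 2: validity component
    if date.fromisoformat(today) > date.fromisoformat(stmt.valid_until):
        raise ValueError("statement expired")
    # Step 3: authentication component: the presenting entity must match the subject
    if stmt.authenticator is not None and stmt.authenticator != presenter:
        raise ValueError("presenter does not match subject")
    # Step 4: interpreting the attributes is left to the receiver's own policy
    return dict(stmt.attributes)

TRUSTED_ATTESTERS = {"Example University": {"student"}}   # constructed issuer list

def zoo_box_office(student_id, presenter, today):
    """Authorizer: accepts the attester's statement and issues a transferable admission ticket."""
    attrs = evaluate(student_id, presenter, today, TRUSTED_ATTESTERS)
    if attrs.get("student") is not True:
        raise ValueError("policy: free admission only for students")
    return PropertyStatement(agent="zoo box office", subject="ticket-0001",
                             attributes={"permission": "zoo-entry"},
                             valid_until=today, authenticator=None)

def zoo_entrance(ticket, today):
    """Service: checks the ticket; there is no authenticator, so any holder may pass."""
    attrs = evaluate(ticket, None, today, {"zoo box office": {"permission"}})
    return attrs.get("permission") == "zoo-entry"
```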
Audit data are collected, stored and analyzed with the aim of detecting abuse and attributing it to its originator for the purpose of legal prosecution (monitoring or intrusion detection). Owing to the complex legal situation and the data protection restrictions on the collection, storage and processing of personal data, the legally compliant use of audit-data-based protection measures such as intrusion detection is difficult for many service providers.
There is a tension between the interest of individual users in data protection and anonymity on the one hand and accountability on the other, which is needed to protect the interests of the other parties involved in the event of abuse. As the discussion in [5, 6, 7] makes clear, a satisfactory solution for the parties involved cannot be to abandon one of the two requirements entirely in favor of the other. Rather, a fair balance of the interests of all parties involved, taking the respective application situation into account, seems desirable (multilateral security).
The central concept of personal reference is relative in this context, since whether a piece of information relates to a person depends on the additional knowledge available at the given time. Accordingly, the data protection laws apply only to those data users who can establish the link between the data and the data subject by means of additional knowledge. The conflict of objectives between accountability and anonymity described above can therefore be resolved fairly by using the service under pseudonyms and by controlling the additional knowledge so as to distinguish between the normal case (no accountability) and the exceptional case (accountability possible).
By means of pseudonyms, personal data are altered such that, without knowledge of the associated assignment rule, they can be attributed to a specific or identifiable natural person only with a disproportionate expenditure of time, cost and labor, while in the exceptional case the assignment rule permits identification of the person. Pseudonyms therefore represent a key concept for the multilaterally secure handling of audit data; indeed, in many environments they are what makes the lawful collection and storage of audit data possible at all. Pseudonymization refers to the process of replacing principals with pseudonyms according to an assignment rule.
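The split between normal case and exceptional case, as an added example (not the paper's code): constructed audit records are pseudonymized under a table-based assignment rule, an abuse check runs on the pseudonymous records only, and a pseudonym is resolved only by a party holding the rule. The `Pseudonymizer` class, the sample records and the denial-count check are assumptions.

```python
import secrets

# Constructed sample audit records (not from the paper); "principal" names the acting entity.
AUDIT_LOG = [
    {"ts": "2024-05-01T09:12:03", "principal": "alice", "action": "login", "result": "ok"},
    {"ts": "2024-05-01T09:13:41", "principal": "bob", "action": "read", "object": "/payroll", "result": "denied"},
    {"ts": "2024-05-01T09:13:44", "principal": "bob", "action": "read", "object": "/payroll", "result": "denied"},
    {"ts": "2024-05-01T09:15:10", "principal": "alice", "action": "read", "object": "/docs", "result": "ok"},
]

class Pseudonymizer:
    """Replaces principals by random pseudonyms. The assignment rule (pseudonym -> principal)
    is the additional knowledge that re-establishes the personal reference; it is withheld
    from the audit analyst and used only in the exceptional case."""
    def __init__(self):
        self._forward = {}          # principal -> pseudonym, so one entity keeps one pseudonym
        self.assignment_rule = {}   # pseudonym -> principal, to be kept under separate control

    def pseudonym(self, principal):
        p = self._forward.get(principal)
        if p is None:
            p = "P-" + secrets.token_hex(8)
            self._forward[principal] = p
            self.assignment_rule[p] = principal
        return p

    def pseudonymize(self, records):
        # Returns new records; the original (personal) records are left untouched.
        return [dict(r, principal=self.pseudonym(r["principal"])) for r in records]

def repeated_denials(records, threshold=2):
    """Normal case: the analyst works on pseudonymous data only. Because pseudonyms are
    consistent per entity, repeated abuse by one entity is still detectable."""
    counts = {}
    for r in records:
        if r.get("result") == "denied":
            counts[r["principal"]] = counts.get(r["principal"], 0) + 1
    return [p for p, n in counts.items() if n >= threshold]

def reidentify(pseudonym, assignment_rule):
    """Exceptional case: only a party holding the assignment rule resolves the pseudonym."""
    return assignment_rule[pseudonym]
```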