
4.2 Limitations of Privacy Enhancing Services

Typically, privacy protection is added as a separate layer or module that implements, e.g., access control mechanisms. This approach has benefits when existing systems need to be extended with privacy-preserving features. The downside is that circumventing this module gives raw access to the unprotected data (e.g., the database files on the server). Consequently, the effectiveness of privacy preservation depends not only on the given mechanism but also on the security of the overall server infrastructure.

4.3 Logically Distributed EMS Based on CP-ABE and Virtualization

Our approach to creating an EMS architecture with privacy by design combines CP-ABE with the isolation offered by hardware virtualization. The architecture above can simply be extended after the combiner, see Fig. 3.

Fig. 3. Privacy by Design EMS Architecture

In order to allow processes acting for a specific user to find accessible data elements, CP-ABE encrypted index structures are created for every user. A pointer as well as a random AES key are created and appended to this index document. A policy embedded in the ciphertext ensures that only a specific BU, e.g., Dave, and (EM Dave), the EM of the company Dave belongs to, will be able to decrypt the data element. In the example, Dave and (EM Dave) would each get their own index document containing the same key and pointer. After the combiner has assigned a data element to a BU, the encrypter component encrypts the data using AES and the AES key. The encrypted data element is then stored in a database using the pointers as (unencrypted) index fields. By sharing the AES key, each data point needs to be stored only once, even if multiple users are allowed to retrieve it. Other incoming data elements are processed

While a process with a valid private key is able to find encrypted data blocks, reverse queries are not possible: one cannot learn who may decrypt a specific data block. This is an important property, because otherwise it would be possible to link the presence of persons to specific points in time (e.g., Dave and Bob were present in the same room).

Here the strategy of data hiding is applied: both the energy data itself and the access policy are protected from unauthorized access.

Hardware virtualization is used to isolate the processes that handle the processing of incoming data described above from the processes that analyze data. For every user of this system an individual VM is provided. The user's private CP-ABE key resides within this VM, which allows the analysis processes to decrypt the data elements accessible to this user. Note that data analysis might also be performed on a different physical machine. This allows the desired separation of critical data.
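The index-document and retrieval path described above (per-user CP-ABE encrypted index documents, one shared AES key per element, unencrypted pointer fields, no reverse queries), as an added example that is not the paper's own code. Since no CP-ABE implementation ships with the Go standard library, CP-ABE is a labelled stand-in here: each principal holds its own AES-256 key, and an OR policy such as Dave or (EM Dave) is realised by wrapping the index document once per named principal, whereas a real CP-ABE scheme produces a single policy-bound ciphertext. The principal names, the record layout (pointer || key) and the sample reading in the test are assumptions.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
)

var (
	keys  = map[string][]byte{}   // stand-in CP-ABE private keys, one per BU/EM (assumed)
	index = map[string][][]byte{} // per-principal index documents (opaque blobs)
	db    = map[string][]byte{}   // pointer -> AES-GCM encrypted data element
)
func rnd(n int) []byte { b := make([]byte, n); rand.Read(b); return b }
func seal(key, pt []byte) []byte { // nonce || AES-256-GCM ciphertext || tag
	blk, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(blk)
	n := rnd(g.NonceSize())
	return g.Seal(n, n, pt, nil)
}
func unseal(key, ct []byte) ([]byte, error) {
	blk, err := aes.NewCipher(key)
	if err != nil || len(ct) < 12 {
		return nil, errors.New("bad key or ciphertext")
	}
	g, _ := cipher.NewGCM(blk)
	return g.Open(nil, ct[:12], ct[12:], nil)
}
// Store: combiner -> encrypter. Element stored once; one index document (pointer || key) per principal.
func Store(policy []string, element []byte) string {
	ptr, key := hex.EncodeToString(rnd(16)), rnd(32)
	db[ptr] = seal(key, element)
	for _, p := range policy {
		if keys[p] == nil { // stand-in for CP-ABE key issuance
			keys[p] = rnd(32)
		}
		index[p] = append(index[p], seal(keys[p], append([]byte(ptr), key...)))
	}
	return ptr
}
// Retrieve runs in the user's VM: open own index documents, match the pointer, unwrap.
func Retrieve(user, ptr string) ([]byte, error) {
	for _, blob := range index[user] {
		if doc, err := unseal(keys[user], blob); err == nil && string(doc[:32]) == ptr {
			return unseal(doc[32:], db[ptr])
		}
	}
	return nil, errors.New("no accessible index document for " + ptr)
}
```

Neither a database row nor an index blob names who may decrypt it, and a user whose VM holds a different key cannot open another user's index document, which is the no-reverse-query property the text relies on.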

Aggregation of data elements, e.g., to provide the data needed by the EA, is also performed within a separate VM. After assigning an incoming data element to a BU, the combiner sends the unencrypted data element to the responsible aggregation process. This process recognizes that the element belongs to a BC it is responsible for and adds the new value to the sum of energy spent by all BUs that belong to that BC. The element itself is then discarded. After the applicable aggregation period is over, the aggregation process encrypts the aggregated value for the EA and stores the result in the database. This step realizes the aggregation of data to remove undesirably fine-grained information, and it also contributes, to a small degree, to minimizing the amount of persisted data.
