Department of Computer Science and Technology

Technical reports

Cassandra: flexible trust management and its application to electronic health records

Moritz Y. Becker

October 2005, 214 pages

This technical report is based on a dissertation submitted September 2005 by the author for the degree of Doctor of Philosophy to the University of Cambridge, Trinity College.

DOI: 10.48456/tr-648


The emergence of distributed applications operating on large-scale, heterogeneous and decentralised networks poses new and challenging problems of concern to society as a whole, in particular for data security, privacy and confidentiality. Trust management and authorisation policy languages have been proposed to address access control and authorisation in this context. Still, many key problems have remained unsolved. Existing systems are often not expressive enough, or are so expressive that access control becomes undecidable; their semantics is not formally specified; and they have not been shown to meet the requirements set by actual real-world applications.

This dissertation addresses these problems. We present Cassandra, a role-based language and system for expressing authorisation policy, and the results of a substantial case study, a policy for a national electronic health record (EHR) system, based on the requirements of the UK National Health Service’s National Programme for Information Technology (NPfIT).

Cassandra policies are expressed in a language derived from Datalog with constraints. Cassandra supports credential-based authorisation (eg between administrative domains), and rules can refer to remote policies (for credential retrieval and trust negotiation). The expressiveness of the language (and its computational complexity) can be tuned by choosing an appropriate constraint domain. The language is small and has a formal semantics for both query evaluation and the access control engine.

There has been a lack of real-world examples of complex security policies: our NPfIT case study fills this gap. The resulting Cassandra policy (with 375 rules) demonstrates that the policy language is expressive enough for a real-world application. We thus demonstrate that a general-purpose trust management system can be designed to be highly flexible, expressive, formally founded and meet the complex requirements of real-world applications.

Full text

PDF (1.4 MB)

BibTeX record

  author =	 {Becker, Moritz Y.},
  title = 	 {{Cassandra: flexible trust management and its application
         	   to electronic health records}},
  year = 	 2005,
  month = 	 oct,
  url = 	 {},
  institution =  {University of Cambridge, Computer Laboratory},
  doi = 	 {10.48456/tr-648},
  number = 	 {UCAM-CL-TR-648}