Difference between revisions of "Journal:Registered data-centered lab management system based on data ownership security architecture"

Full article title	Registered data-centered lab management system based on data ownership security architecture
Journal	Electronics
Author(s)	Zheng, Xuying; Miao, Fang; Udomwong, Piyachat; Chakpitak, Nopasit
Author affiliation(s)	Chiangmai University, Chengdu University
Primary contact	Email: nopasit at cmuic dot net
Year published	2023
Volume and issue	12(8)
Article #	1817
DOI	10.3390/electronics12081817
ISSN	2079-9292
Distribution license	Creative Commons Attribution 4.0 International
Website	https://www.mdpi.com/2079-9292/12/8/1817
Download	https://www.mdpi.com/2079-9292/12/8/1817/pdf?version=1681215589 (PDF)

This article should be considered a work in progress and incomplete. Consider this article incomplete until this notice is removed.

Abstract

University and college laboratories are important places to train professional and technical personnel. Various regulatory departments in colleges and universities still rely on traditional laboratory management in research projects, which are prone to problems such as untimely information and data transmission. The present study aimed to propose a new method to solve the problem of data islands, explicit ownership, conditional sharing, data security, and efficiency during laboratory data management. Hence, this study aimed to develop a data-centered lab management system that enhances the security of laboratory data management and allows the data owners of the labs to control data sharing with other users. The architecture ensures data privacy by binding data ownership with a person using a key management method. To achieve secure data flow, data ownership conversion through the process of authorization and confirmation was introduced. The designed lab management system enables laboratory regulatory departments to receive data in a secure form by using this platform, which could solve data sharing barriers. Finally, the proposed system was applied and run in different server environments by implementing data security registration, authorization, confirmation, and conditional sharing using SM2, SM4, RSA, and AES algorithms. The system was evaluated in terms of the execution time for several lab data with different sizes. The findings of this study indicate that the proposed strategy is secure and efficient for lab data sharing across domains.

Keywords: university laboratory management, data sharing, data ownership safety architecture, conditional sharing, security and efficiency

Introduction

The importance of knowledge for organizations is now widely recognized, being one of the resources whose management influences the success of organizations through the exchange and sharing of information, knowledge, and experience among its members. Numerous challenges are associated with the management of laboratory data, as labs generate a lot of experimental and management data on a daily basis. Frequent experimental accidents and the leakage of hazardous chemicals is worthy of attention. Supervision departments, such as the Education Bureau, Emergency Bureau, and Public Security Department, need various types of laboratory management data to report while supervising laboratory safety.

At present, existing laboratory management systems used by each university, regulatory department, and even various laboratories are different, which leads to obvious problems when lab data collection or emergency response is needed. For example, which laboratory management data are classified confidential, and which data can be handed over to relevant departments? Who must claim the ownership of laboratory-related data? Which departments can view or use the data? Could lab data be transferred to other departments? These questions raised laboratory data ownership issues. Secondly, some data that relate to laboratory management need to be kept confidential. Where and how can we best secure this data? Is it safe for different departments to transmit data? How can we guarantee that there will be no data transfer to others? These can be summarized as data security storage and transmission questions. In recent years, frequent university laboratory accidents have occurred; in such cases, emergency responding units and other regulatory departments need to collect real-time lab-related data. If it is still a regular report retrieval process, it cannot meet the requirements of time efficiency. So, we need to find efficient and trustworthy methods to solve this problem of obtaining data in a timely manner.

The main reason for the above problems is that laboratory management data ownership is unclear, and the existing laboratory information management systems (LIMS) of each branch are independent. It is impossible to collect real-time, tamper-free, statistically accurate data when it is needed. To deal with these problems, we intend to adopt data ownership security architecture (DOSA) to securely circulate laboratory management data and cultivate an ecological and sustainable forest from the “flowerpot” of each independent system. [1]

Laboratories are currently using LIMS frequently. [2] A university may also have multiple management systems, including an equipment management system, a chemical management system, a safety examination system, etc. Related systems comprise relevant departments of the laboratory, such as the experiment management department of the Education Bureau, the accident handling department of the Emergency Bureau, and the hazardous chemicals supervision department of Public Security. Such complicated systems make it difficult to obtain information accurately and quickly when the same report requires the cooperation of different departments or laboratories. Compared to traditional manual records, the LIMS used by a specific business unit or company can be easily outdated and has high maintenance costs. Once the database needs major updates related to its data source, the existing system cannot meet the demand, and a new system must be designed so that all data can be transferred, resulting in increased costs. The linkage between different systems is weak, the efficiency is relatively low, and the security is not uniform and difficult to guarantee when it is necessary to submit data.

Blockchain poses one potential solution. The medical industry uses the blockchain system to manage medical imaging data, and the banking system uses blockchain as a new type of financial technology. [3] Blockchain has high energy consumption, expensive development costs, but relatively high security. At present, some scholars have produced a framework diagram of the blockchain management in university education, but there is no corresponding technical means. [4]

Considering the problems mentioned above, the lab industry would require a technology that allows data to flow securely and efficiently. This article’s contributes discussion about potential technology to solve such problems. In our work, experiment-related data management is based on the data ownership security architecture. This security technology is built such that data ownership binds with a person and it can be safely registered on this platform; meanwhile, ownership of data can be determined, and data users and owners can conditionally share or trade using ownership conversion across domains and across borders efficiently and securely. Our proposed laboratory data management architecture is shown in Figure 1.

Figure 1. Proposed data ownership security architecture (DOSA) to manage the laboratory.

The current study has been organized as follows. The next section explains related theories and key management. After that, we present the core strategies used, including laboratory data encrypted registration and an authorized transfer method for conditional sharing. We then detail the whole lab management framework and the incident searching case study based on DOSA using the above ownership conversion method. We then discuss and verify the effectiveness of the data flow process using key management based on proposed core strategies. Finally, we provide our conclusions.

Related work

Data ownership security architecture

As data has a tendency to not be securely circulated and shared, Miao et al. proposed a data ownership security architecture (DOSA) that contains one body with two wings. [5] The body represents data binding ownership, while one wing is the key and the other wing signifies value.

To solve the problem of data transfer barriers, DOSA proposes a global, cross-border, comprehensive, collaborative, secure, and efficient data architecture system. The whole field is no longer the cross-domain data of the head industry or a single system as previous, but all industry-related data are registered. Integration and collaboration mean that data are retrieved and used by different industry sources. This architecture has efficient security technologies for data security from source, registration, circulation, and use to supervision.

DOSA is composed of a data registration center (DRC), a data authorization center (DAC), a data exception center (DEC), data application units (DAUs), a key system, and other components. Safety and efficiency are the core of DOSA. Similar DOSA-like framework applications have been implemented in tourism, lab education, and data product trading processes. [9,10]

DRC

The DRC stores the data in an encrypted form, which is invisible even to the administrator. It not only confirms the ownership of the data but also keeps it safe and confidential. After the data are registered, the directory is automatically generated, which is convenient for data users to view and find relevant data sources. It can register the data of relevant units or laboratories to DRC or link to DRC through an application programming interface (API). [6]

DAC

To ensure the relationship between people and data ownership, DAC is responsible for the process of data ownership confirmation and authorization. [7] By guaranteeing the interests of data owners, they are confident to put their data on the platform. The owner of the data divides data-related personnel into data owners, data producers, and data users. In the current study, a design was proposed to save all the related public keys to the DAC, and the private key is kept by their client, without placing it on any platform or cloud, to ensure security.

DEC

To protect the interests of data owners, DEC needs to supervise during the data flow process. From the point of data register and data conditional sharing, even after the trading process, we took blockchain-related technical means, such as watermarks and timestamps, and added them to the data authorization process to ensure data users cannot transmit data again without the owner’s permission. [8]

Laboratory management technology

Existing laboratory management usually uses a LIMS that collects related data through various laboratories. Some benefits of using a LIMS are the ability to track individual data items or samples from reported results. [11] Some limitations of a LIMS for this specific application exist, as they may not be specialized for specific equipment, or applicable to certain chemistries. [12] Some LIMS chemistry systems are only available to connect with the Public Safety department. It is rare to find a LIMS system for chemistry widely used in related departments. There is also a high price for many commercial LIMS systems. Various systems’ costs are expensive for labs, and customization is limited to what the system offers. [13] Additionally, experimental data are private to external parties, yet it still needs to be shared among the research team.

Recently, researchers have designed some LIMS for education labs or other specific applications. Focusing on education, there is Chaoqun and Lanlan's interactive LIMS, which incoporates experimental teaching management, experimental equipment management, laboratory open management, communication, and interactive management modules. [14] For specific disciplines, there are LIMS and other laboratory informatics solutions specifically designed for high-level biosafety labs or biobanks. [15,16] However, these systems only flow data inside the lab, in which data cannot flow quickly to supervision departments or related companies. Some researchers realized that the LIMS needs to be both secure and enhance efficiency in order to enable laboratory staff to conduct their research as freely as possible; therefore, the information on research, laboratory personnel, experimental materials, and experimental equipment is generally collected and utilized by only one system. [17] However, the current research mainly focuses on such a system's design, and there is no specific experimental technical means to verify it. Thus, we employed DOSA to rapidly and securely move data inside or outside the laboratory. In Table 1, we compare our proposed architecture to existing lab management systems.

Table 1. Comparison of the proposed architecture and existing lab management. Topic Proposed DOSA lab management system Existing lab management systems Data ownership Clear Undefined Data security The public key in DAC Key pair in systems Data source Global Specific service [18] Data register Encrypted, fully automatic Admin visible, semi-automatic entry Data search Authorization visible Collect systems to summarize Application For a variety of business For a single item [19]

However, DOSA-related studies have designed models for some domains such as tourism, which only have frameworks without practical implementation. [9] We propose to use technical methods to solve data ownership by binding persons that used a key management system to protect data privacy.

Key system methods

To ensure data registration and sharing security, this work adopted RSA and AES algorithms, as well as Chinese domestic commercial keys SM2 and SM4, to compare the aspects of addressing efficiency and security of data. Table 2 summarizes the pros and cons of these key algorithms.

Table 2. Comparison of the four key algorithms examined in this research. Algorithm Description Advantage Disadvantage RSA Asymmetric encryption that encrypts with public key; decrypts with private key [20] In the process of encryption and decryption, there is no need to transmit confidential keys through the network. The key management is better than the AES algorithm. The speed of encryption and decryption is relatively slow; usually it is not suitable for the encryption of a large number of data files. AES Symmetric encryption algorithm; encryption and decryption processes use the same set of keys The operation does not require a computer with very high processing power and significant memory. The operation resists attacks easily. It always maintains good performance in different operating environments; the encryption speed is relatively fast. It is required to secretly distribute the key before communication. The decrypted private key must be transmitted to the receiver of the encrypted data through the network. SM2 Asymmetric encryption algorithm which is an elliptic curve public key cryptography algorithm based on elliptic-curve cryptography (ECC) [21] Compared with RSA, the performance of SM2 is better and more secure. The password complexity is high, the processing speed is fast, and the computer performance consumption is comparatively small. Encryption and decryption take a relatively long time and are suitable for encrypting small amounts of data. SM4 Symmetric encryption algorithm; the key length and block length are both 128 bits SM4 is efficient and secure, while remaining easy to implement across software and hardware. It usually has a fast computing speed. The management and distribution of keys are relatively difficult and not secure enough.

SM2 and SM4 are cryptographic standards authorized to be used in China. Relevant studies have shown that the SM2 and SM4 algorithms are more secure than ECDSA and AES. [22] During a controlled experiment, AES outperformed SM4 by a significant margin. [23] Symmetric encryption is usually used when the message sender needs to encrypt a large amount of data. It has the characteristics of an open algorithm, a small amount of calculation, and fast encryption speed. The advantage of the symmetric encryption algorithm lies in the high speed of encryption and decryption, and the difficulty of cracking when using a long key. The disadvantages of symmetric encryption are that key management and distribution are difficult and insecure. Before the data are transmitted, the sender and the receiver must agree on a secret key, and both parties must keep the key. If the key of one party is leaked, the encrypted information is insecure, and its security cannot be guaranteed. [24]

The advantage of asymmetric encryption is its higher security. The public key is made available, and the private key is kept by itself so there is no need to give the private key to others. The disadvantage of asymmetric encryption is that its speed is relatively slow, so it is only suitable for encrypting a small amount of data.

Methodology

Laboratory-related data and persons

Managed laboratory information and data can be divided into unconditional and conditional sharing categories. For example, the opening hours of the laboratory represent unconditional sharing data. The transmission of the laboratory's inventory and usage of hazardous chemicals needs conditional sharing by the administrative department (data owners). Laboratory safety data, accident statistics, and related training data are transnational conditional sharing data. Lab-related data are also classified into a security level ranging from zero to five. [25] Class zero data is data that can be public, such as laboratory introductions and research group members’ profiles which do not need any security protection. Class five data is critical national scientific research experiment data which must be kept strictly confidential. Classes one through four refer to data that the laboratory needs to share or that are trade-protected.

Lab data producers can be one or several persons, such as laboratory administrators, experimental instructors, or relevant teachers. A data owner is usually a person or a unit, such as a person in charge of the laboratory team or the emergency department. Data producers can input data, but they do not have the authority to share or trade data. After the data user has found targeted data by querying the DRC category, they need to contact the data owner. If the data owner considers that the data user can apply to view or use these data sources, the owner finds the user’s public key from the DAC then encrypts these data with the user’s public key to complete the authorization. The data user opens encrypted lab data with their private key to finish the conditional sharing of data (Figure 2a,b).

Figure 2. Illustrates the relationship of data-related persons or branches (a) and the relationship between data user, producer, and owner (b).

Data encryption registration and application process

The laboratory data are uploaded to the DRC by the owner, and the owner’s public key is added to verify the ownership of the data. It can guarantee the privacy and security of the data at the source. The data are stored in the DRC, which the administrator cannot view without permission. The encrypted lab data are transmitted to the DRC, and the directory is automatically generated by keywords. The relevant users can apply for permission to obtain the data after searching in the data directory. Figure 3 shows the data owner encrypting the registration data, which automatically generates an index directory, then data users apply for the required data by viewing the catalog.

Figure 3. Data encryption registration process.

Confirmation and authorization of the data transmission process

Mutual trust - Single-layer encryption

After the data user searches the DRC catalog and queries the data they need, the data user communicates with the data owner. If the user obtains permission, the data owner encrypts the data with the user’s public key. Then, the data user can use their private key to decrypt data. Meanwhile, to ensure the interests of the data owner, the entire process has traceability technology in the DOSA lab management system. For example, time stamps and digital signatures are adopted, which can ensure that data users do not transmit data outside the authorized context. [26] If the mutual parties trust each other, the process of conditional sharing occurs, as shown in Figure 4.

Figure 4. Single-layer encryption.

Algorithm 1 shows how the lab data user retrieves data in the DRC during the process of data ownership conversion. Table 3 shows the definition of symbols used in the algorithm.

Algorithm 1. Encryption_Once ( ) Input: Lab data owner On with their lab data record Rn. Lab data user with their private key Uprkn. Output: Boolean(True or False) 1. #Function used to encrypt the lab data record. 2. For owner O query the user’s public key Upubkn from the DAC Dacvn 3. #Check the DAC’s data 4. if(role == “Owner”) then 5.   Encryption with the user’s public key Upubkn 6.   lab data record Rn→encrypted data 7.   encrypted data→Drcn 8.   return True 9.  else 10.   return False 11. end if 12.  end for 13. For user U query the data register center catalogue view Drcvn 14.  if(role == “User”) then 15.   Decryption using the user’s private key Uprkn 16.  Drcn→encrypted data 17.   encrypted data→lab data record Rn 18.   return True 19. else 20.  return False 21. end if 22. end for 23. end function

Table 3. The definition of symbols used in the algorith. Symbols Definition Un nth Lab Data User On nth Lab Data Owner Rn nth Lab Data Record Upubkn nth User Public Key Uprkn nth User Private Key Opubn nth Owner Public Key Oprkn nth Owner Private Key Drcn nth Data Register Center Drcvn nth Data Register Center Catalogue View Dacvn nth Data Authority Center View

Data users do not trust the data source — Double encryption

After checking the catalog in the DRC and communicating with the data owner about the data product’s price, the data user may doubt the authenticity of the data source and ownership. In this situation, the data owner will add this data product to the owner’s private key, then encrypt it by using the user’s public key, which is found in the DAC. As the next step, data owners input this encrypted data to the DRC and then inform the users.

Firstly, the data user finds the data owner’s public key from the DAC, and they use it to open the double-encrypted data product. As the next step, the data user utilizes their private key to decrypt the data. Figure 5 shows the transaction process of experimental data products when the data user questions the data authenticity or the data source’s ownership.

Figure 5. Double encryption.

Using a person-binding data owner method to finish conditional data sharing can break data barriers. We also resolve issues of the laboratory data class and ownership conversion process.

DOSA framework components - Managed laboratory data linked to rich soils

Overall framework

References

Notes

This presentation is faithful to the original, with only a few minor changes to presentation. In some cases important information was missing from the references, and that information was added.