Computer Science and Engineering 2017, 7(1): 1-11
DOI: 10.5923/j.computer.20170701.01

Access Control of Medical Images using Elliptic Curve Cryptography through Effective Multi-Key Management in a Mobile Multicasting Environment

Tmkk Jinasena 1,*, Rgn Meegama 1, Rb Marasinghe 2

1 Department of Computer Science, University of Sri Jayewardenepura, Sri Lanka
2 Department of Medical Education and Health Sciences, University of Sri Jayewardenepura, Sri Lanka

Abstract Access control is vital in eHealth because compromised sensitive medical data often leads to severe consequences for both patients and health workers, resulting in financial losses or even patient death. In this paper, we propose a technique to implement a dynamic and flexible access control mechanism to ensure present access rights of sensitive medical data in a collaborative medical discussion in a mobile environment. Initially, symmetric and public key encryption using elliptic curve cryptography is used to encrypt a user session. At this stage, the elliptic curve is defined over a prime finite field of characteristic p, where p is a prime and p > 3. Curve parameters a and b are carefully chosen to avoid vulnerable curves. Subsequently, unique public and private key pairs are generated for all the users in the session. Results show the importance of having optimal elliptic curve implementations for mobile usage.

Keywords Access Control, Elliptic Curves, Cryptography, Privacy, eHealth

1. Introduction

Digital content access control is one of the key concerns in computer security today, and it is more important than ever before. A huge amount of digital data is constantly flowing through the internet, mobile networks, and cable and satellite televisions, and electronic medical data exchanged among large groups through public networks, especially in mobile environments, is particularly vulnerable.
In most cases, it is necessary to protect data from unauthorized and inappropriate access and changes by defining what information users can view and modify. Access criteria are generally associated with roles, groups, locations, or times. There are three main types of access control methods: Discretionary Access Control (DAC), Mandatory Access Control (MAC), and Non-Discretionary (Role-Based) Access Control (RBAC) [1]. Furthermore, access control methods are classified as military or commercial based on their usage. MAC is based on Bell-LaPadula's 1973 multilevel security model, which is more concerned with confidentiality than integrity. In MAC, security policies are defined regardless of user operations. Thus, it is more suitable for military applications. On the other hand, DAC is the most used access control method. It is used in many operating systems, including UNIX, Windows 2000, and FreeBSD. The main disadvantage of DAC is the fact that its three-dimensional access control matrix has O(n^2) growth. Finally, RBAC, proposed by Ferraiolo and Kuhn in 1992 [1], blends MAC and DAC. It can be customized for individual applications regardless of policies [2-6].

* Corresponding author: kasun@dscs.sjp.ac.lk (Tmkk Jinasena)
Published online at http://journal.sapub.org/computer
Copyright © 2017 Scientific & Academic Publishing. All Rights Reserved

In our case, we need to facilitate collaborative medical discussion over mobile devices where sensitive medical data, possibly large content, is shared through public networks while guaranteeing its C-I-A (Confidentiality, Integrity, and Availability) properties [3]. Moreover, we need to have a dynamic and flexible access control method to ensure the right access by the right user at the right time. However, there are no fixed access levels or roles for users. The one who initiates the communication becomes the coordinator of that session. Thus, s/he defines the access levels of the subordinates of the session.
In another session, s/he can be a subordinate with low access privileges. Therefore, access control needs to be provided through the content. Moreover, we need to multicast the same content for multiple users with different access levels.

2. Background

Symmetric key cryptography is faster than asymmetric key cryptography mainly due to its small key sizes. However, it can only guarantee the confidentiality of the data. In a distributed environment, there are many security