![Page 1: Secure Access to Outsourced Data - ustc.edu.cnstaff.ustc.edu.cn/~chizhang/ds2013/document/Lecture_2_access_control.pdf · DAC-MACS: Effective Data Access Control for Multi-Authority](https://reader030.vdocuments.mx/reader030/viewer/2022041123/5d2ba1c388c993c82f8b612b/html5/thumbnails/1.jpg)
Secure Access to Outsourced Data
Dr. Kui Ren
University at Buffalo, The State University of New York
Disclaimer!
The lecture slides are partially collected from the Internet for the educational purpose only. The lecturer does not claim any credit for them and the copyrights belong to the original authors.
Special thanks to Prof. Robert Deng at Singapore Management University for the slides used in Lecture 2.
Outline
• Access Control in Cloud Storage Systems
• Attribute-based Access Control
• Basic Construction
• Improving Granularity – Attribute Revocation
• Improving Efficiency – Decryption Outsource
• Improving Privacy – Policy Hidden
• Summary
Lecture 2: Access Control in Cloud Storage Systems
Cloud Storage Systems
Traditional Access Control Model
[Figure: a Reference Monitor with Access Policies performs Authentication and Access Control in front of the Files. The server is trusted to mediate access control and trusted to keep data confidential.]
Pros: Flexible and scalable; MAC, DAC, RBAC
Cons: Data vulnerable to compromise
Biggest Examples of Data Breaches
http://www.identityhawk.com/biggest-examples-data-breaches
• Bank of New York Mellon, Feb 2008: lost data storage tapes containing information of 12.5 million people, led to an undisclosed amount of stolen funds…
• Heartland Payment Systems, early 2009: hackers infiltrated its database and gained access to the more than 100 million credit card transactions it processes each month. The company paid more than $41.1 million to settle claims.
• ……
It’s often unrealistic to assume that servers are trusted
• Cloud computing for outsourced data storage: hardware not under direct control of data owners
• Portable devices storing electronic medical records for emergency access: devices might be lost or stolen
• Software is not guaranteed to be bug-free
• Insider attacks
• ……
Untrusted Servers
[Figure: the Reference Monitor (Access Policies, Authentication, Access Control) between User and Files, now on an untrusted server]
• General solution: Store data in encrypted form
• Good practice even for “trusted” servers → The principle of defense in depth
Access Control by Encryption
Idea: Need secret key to access data
• Ciphertexts stored on server
• Each user can decrypt its own data
[Figure: user holding a secret key SK]
Sharing Encrypted Data with Others
• Public key solution
- Large overhead in public key certificate management
• Symmetric key solution
- Online key distribution
A Wishlist for Storing Encrypted Data on Untrusted Servers
• Key management is scalable and offline
• No need for an online trusted party to mediate access control
• Expressive and scalable access control policies
Attribute-Based Encryption (ABE) does this!
Attribute-based Access Control
Evolution of Attribute Based Encryption
[Figure labels: Identity-Based Encryption; Fuzzy Identity-Based Encryption; Attribute-Based Encryption; Key-Policy Attribute-Based Encryption; Ciphertext-Policy Attribute-Based Encryption; Functional Encryption]
Attribute-Based Encryption (ABE) [Sahai, Waters CCS’05]
• Encrypt data to users with certain attributes
• One-to-many public key encryption
• Built-in access control mechanism
This is a Key-Policy Attribute-Based Encryption!
[Figure: data encrypted for “All professors, CS PhD”; attribute labels Professor, CS PhD, EE PhD; users Alice, Bob, Charlie; two ✓ marks]
Key-Policy Attribute-Based Encryption (KP-ABE) [Sahai, Waters CCS’05]
• Ciphertext has a set of attributes
• Keys reflect a tree access structure
• Decrypt iff attributes from ciphertext satisfy key’s policy
[Figure labels: OR, AND, CS PhD, “Bob”, “All professors, CS PhD”]
Access Control via KP-ABE
[Figure labels: PK, MSK; SK_Bob: “CS Dept.” “Professor”; SK_Kevin: “CS Dept.” “Master”; policy trees Professor AND CS Dept. and Master AND CS Dept.; attributes “CS Dept.” “Professor”; ✓ and ✗ marks for which combinations decrypt]
Access Control via KP-ABE
Scenarios: Database (e.g., e-Health System)
Pro: Data associated with some attributes
Con: Users hold multiple secret keys for different access policies
• Securing Personal Health Records in Cloud Computing: Patient-Centric and Fine-Grained Data Access Control in Multi-owner Settings. [Li, Yu, Ren, Lou SecureComm’10]
• Achieving Secure, Scalable, and Fine-grained Data Access Control in Cloud Computing. [Yu, Wang, Ren, Lou INFOCOM’10]
But… in real cloud storage systems, users may be associated with some attributes. How about defining the access policy on users’ attributes?
CP-ABE (Ciphertext-Policy Attribute-Based Encryption)!!!
Ciphertext-Policy Attribute-Based Encryption (CP-ABE) [Bethencourt, Sahai, Waters S&P’07]
• Ciphertext is associated with an access policy
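• Secret key is associated with attributes
- Attributes are mathematically incorporated into the key
[Figure: ciphertext with policy (CS AND PhD) OR Prof, drawn as a tree with an OR root over Prof and an AND of CS and PhD; secret keys SK for Alice: {EE, Prof} and Bob: {CS, PhD}]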
Ciphertext-Policy Attribute-Based Encryption (CP-ABE) [Bethencourt, Sahai, Waters S&P’07]
• No 3rd party explicitly evaluates the policy and makes the access decision. Policy checking is done inside the crypto
• Decrypt iff attributes in the key satisfy the policy of the ciphertext
[Figure: Alice’s key {EE, Prof} satisfies (CS AND PhD) OR Prof and yields the Message]
Access Control via CP-ABE
[Figure labels: PK, MSK; SK_Bob: “CS Dept.” “Professor”; SK_Kevin: “CS Dept.” “Master”; policy tree Professor OR (CS Dept. AND PhD); ✓ and ✗ marks for which keys decrypt]
Advantages of Attribute-Based Access Control
Access policy is defined by owners
Access policy is enforced by the cryptography
• nobody explicitly evaluates the policies and makes an access decision
Only one copy of ciphertext is generated for each file
Access Control in Cloud Storage Systems
CP-ABE is more suitable than KP-ABE for access control in cloud storage systems, because:
• Owners can define access policy for each file based on user’s attributes
• Users only hold one secret key
• Owners can change the access policies without changing public keys and secret keys
Basic Construction
Elliptic Curve Techniques
• $G$: multiplicative group of prime order $p$ (analogy: $\mathbb{Z}_q^*$)
• Bilinear map $e: G \times G \to G_T$
Def: An admissible bilinear map $e: G \times G \to G_T$ is:
– Non-degenerate: $g$ generates $G$ ⇒ $e(g,g)$ generates $G_T$
– Bilinear: $e(g^a, g^b) = e(g,g)^{ab}$ $\forall a, b \in \mathbb{Z}_p,\ g \in G$
– Efficiently computable
• Intuitive hardness (discrete log): given $g, g^a$, it is hard to get $a$
CP-ABE Algorithms
Setup(λ) -> MSK, PK
Encrypt(PK, M, Access policy) -> CT
KeyGen(MSK, Attrs.) -> SK
Decrypt(SK, CT) -> M
[Figure: example key SK for the attributes “CS Dept.”, “PhD”; example access policy Professor OR (CS Dept. AND PhD)]
System Setup [Bethencourt, Sahai, Waters S&P’07]
Authority: $a, b \in_R \mathbb{Z}_p$
Public Key: $PK = (g,\ g^{b},\ e(g,g)^{a},\ H: \{0,1\}^* \to G)$
$MSK = a$
Key Generation [Bethencourt, Sahai, Waters S&P’07]
Authority issues secret keys for users who have attributes
[Figure: the Authority and the users Kevin, Bob and James; attribute sets shown: “CS Dept.” “Professor”; “CS Dept.” “Master”; “EE Dept.” “PhD”]
Central Issue: Prevent User Collusions
Users must not be able to collude by combining their attributes
[Figure: James (“EE Dept.”, “PhD”) and Kevin (“CS Dept.”, “Master”) facing the policy (CS Dept. AND PhD) OR Prof]
Key Generation [Bethencourt, Sahai, Waters S&P’07]
Authority: $MSK = a$
Bob has attributes: {“PhD”, “CS Dept.”, “TA”}
$SK = (g^{a+bt},\ g^{t},\ H(\text{“PhD”})^{t},\ H(\text{“CS Dept.”})^{t},\ H(\text{“TA”})^{t})$
‘t’: random number in $\mathbb{Z}_p$
‘t’ ties components together
Personalization! Collusion Resistance
Key Personalization (Intuition)
Kevin: “CS Dept.” …, random $t$: $SK = (g^{a+bt},\ g^{t},\ H(\text{“CS Dept.”})^{t},\ \ldots)$
James: “PhD” …, random $t'$: $SK = (g^{a+bt'},\ g^{t'},\ H(\text{“PhD”})^{t'})$
Components are incompatible (Formal security proofs in papers)
Encryption [Bethencourt, Sahai, Waters S&P’07]
Given a file M and an access policy, the data owner will perform the following
$PK = (g,\ g^{b},\ e(g,g)^{a},\ H: \{0,1\}^* \to G)$
[Figure: the Data Owner with file M and the access policy (CS Dept. AND PhD) OR Prof]
Encryption [Bethencourt, Sahai, Waters S&P’07]
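Data Owner generates random $s$, then computes
Ciphertext: $CT = (\,M \cdot e(g,g)^{as},\ g^{s},$
$C_1 = (g^{bs_1}H(\text{“Prof”})^{r_1},\ g^{r_1}),$
$C_2 = (g^{bs_2}H(\text{“PhD”})^{r_2},\ g^{r_2}),$
$C_3 = (g^{bs_3}H(\text{“CS Dept.”})^{r_3},\ g^{r_3})\,)$
[Figure: shares of $s$ on the policy tree Professor OR (CS Dept. AND PhD): the OR root and the AND node are both labelled $s$; the leaves are labelled $s_1 = s$, $s_2 = s - r$, $s_3 = r$]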
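Decryption [Bethencourt, Sahai, Waters S&P’07]
Ciphertext CT: $CT = (\,M \cdot e(g,g)^{as},\ g^{s},\ C_1 = (g^{bs_1}H(\text{“Prof”})^{r_1},\ g^{r_1}),\ C_2 = (g^{bs_2}H(\text{“PhD”})^{r_2},\ g^{r_2}),\ C_3 = (g^{bs_3}H(\text{“CS Dept.”})^{r_3},\ g^{r_3})\,)$
Secret Key SK: $SK = (g^{a+bt},\ g^{t},\ H(\text{“Prof”})^{t},\ H(\text{“PhD”})^{t},\ H(\text{“CS Dept.”})^{t})$
“Prof”:
$$e(g,g)^{bts} = \frac{e(g^{bs_1}H(\text{“Prof”})^{r_1},\ g^{t})}{e(g^{r_1},\ H(\text{“Prof”})^{t})}$$
OR “PhD” AND “CS Dept.”:
$$\frac{e(g^{bs_2}H(\text{“PhD”})^{r_2},\ g^{t})}{e(g^{r_2},\ H(\text{“PhD”})^{t})} \cdot \frac{e(g^{bs_3}H(\text{“CS Dept.”})^{r_3},\ g^{t})}{e(g^{r_3},\ H(\text{“CS Dept.”})^{t})} = e(g,g)^{bts_2}\, e(g,g)^{bts_3} = e(g,g)^{bts}$$
$$e(g^{a+bt},\ g^{s}) = e(g,g)^{as}\, e(g,g)^{bts}$$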
Security [Bethencourt, Sahai, Waters S&P’07]
Theorem: System is (semantically) secure under chosen key attack
Number Theoretic Assumption: Bilinear Diffie-Hellman Exponent [BBG05]
Given $g^{a}, g^{b}, g^{c}$, distinguish $e(g,g)^{abc}$ from random
Improving Granularity – Attribute Revocation
Efficient Revocation
User Revocation
When one attribute is revoked, the user loses all the decryption privileges for all the ciphertexts (e.g., a user is leaving a company)
Attribute Revocation
When one attribute is revoked, the user can still use its other attributes to decrypt ciphertexts (e.g., a user is degraded from PM to Developer)
Requirements of Efficient Revocation
• Protecting Previous Encrypted Data
- Once an attribute is revoked from the user, it cannot use this revoked attribute to decrypt the previous encrypted data
Dynamic Credentials and Ciphertext Delegation for Attribute-Based Encryption [Sahai, Seyalioglu, Waters CRYPTO’12]
- Assume the user may access the files necessary for his work and not download all files he has access to (e.g., enforced by access logs).
- Ciphertexts Update
- Key Update
Requirements of Efficient Revocation
• Protecting Previous Encrypted Data
- Once an attribute is revoked from the user, it cannot use this revoked attribute to decrypt the previous encrypted data
Attribute based data sharing with attribute revocation [Yu, Wang, Ren, Lou AsiaCCS’10]
- Re-generate Secret Keys
- Re-encrypt Ciphertexts (Proxy Re-encryption)
Requirements of Efficient Revocation
• Protecting Newly Encrypted Data
- Once an attribute is revoked from the user, it cannot use this revoked attribute to decrypt the newly encrypted data
- Key Update
• Guaranteeing Newly Joined Users
- The newly joined users should still be able to decrypt previous encrypted data, if they have sufficient attributes
- Ciphertexts Update
Attribute-based Access Control with Efficient Revocation
Attribute-based fine-grained access control with efficient revocation in cloud storage systems [Yang, Jia, Ren AsiaCCS’13]
- Each attribute is assigned a version number
- To revoke an attribute, the authority updates the version number and generates an update key
- Secret key update only by non-revoked users (Protecting newly encrypted data)
- Ciphertext update by cloud servers (Guaranteeing newly joined users)
Revocation for Multiple Authorities Systems
[Figure: access policy CS dept. AND (manager OR marketing), with two authorities: Authority in UB and Authority in Google]
Revocation for Multiple Authorities Systems
DAC-MACS: Effective Data Access Control for Multi-Authority Cloud Storage Systems [Yang, Jia, Ren, Zhang, INFOCOM 2013]
- Idea similar to [Yang, Jia, Ren AsiaCCS’13]
- But deals with the multi-authority scenario
Main Challenge: Revocation of attributes from one authority should not affect attributes from other authorities
Improving Efficiency – Decryption Outsource
Naïve Approach
We have to trust the cloud!
[Figure labels: Data, Cloud, SK]
Access Policies in ABE
• May use arbitrary numbers of AND, OR, and t-out-of-n threshold gates
• May support integer comparison operators <, >, = by converting them into a Boolean circuit composed of OR and AND gates
• Comparing an attribute to a fixed n-bit integer adds about n components to the policy
• Key_Expiry_Date > X (Unix time) increases policy size by about 32 components
• Decryption with 100 policy leaves on iPhone 3G (412 MHz ARM) takes 30 s
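The integer-comparison bullets above, worked as an added example (not from the slides or the cited papers): it builds a `Key_Expiry_Date > X` policy from one attribute per bit, so an n-bit comparison costs at most n leaves. The attribute naming (`name:bitI=V`) and all function names are assumptions made for the illustration.

```python
def bit_attributes(name, value, nbits):
    """Attributes issued to a key holder for an nbits-wide integer: one per bit."""
    return {f"{name}:bit{i}={(value >> i) & 1}" for i in range(nbits)}


def greater_than(name, x, nbits):
    """Policy tree for `name > x`, built from the least significant bit upwards.

    P_i decides "low i+1 bits of the value > low i+1 bits of x":
        x_i == 0:  bit_i=1 OR  P_(i-1)
        x_i == 1:  bit_i=1 AND P_(i-1)
    None stands for an unsatisfiable subtree and is simplified away, so the
    result has at most nbits leaves. Leaves are strings, gates are tuples.
    """
    policy = None
    for i in range(nbits):
        leaf = f"{name}:bit{i}=1"
        if (x >> i) & 1 == 0:
            policy = leaf if policy is None else ("OR", leaf, policy)
        else:
            policy = None if policy is None else ("AND", leaf, policy)
    return policy


def count_leaves(policy):
    """Number of attribute leaves, i.e. ciphertext components the policy adds."""
    if policy is None:
        return 0
    if isinstance(policy, str):
        return 1
    return count_leaves(policy[1]) + count_leaves(policy[2])


def satisfies(policy, attrs):
    """Plain Boolean evaluation of the tree against a set of attributes."""
    if policy is None:
        return False
    if isinstance(policy, str):
        return policy in attrs
    op, left, right = policy
    results = (satisfies(left, attrs), satisfies(right, attrs))
    return any(results) if op == "OR" else all(results)


def expiry_policy_size(x):
    """Leaves needed for Key_Expiry_Date > x with a 32-bit Unix time."""
    return count_leaves(greater_than("Key_Expiry_Date", x, 32))


if __name__ == "__main__":
    x = 1700000000  # constructed sample timestamp
    print("leaves for Key_Expiry_Date >", x, "=", expiry_policy_size(x))
    key = bit_attributes("Key_Expiry_Date", x + 1, 32)
    print("key expiring one second later satisfies the policy:",
          satisfies(greater_than("Key_Expiry_Date", x, 32), key))
```

Each leaf becomes one ciphertext component and one pairing pair at decryption time, which is why date comparisons dominate the cost on small devices.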
Outsourcing ABE Decryption [Green, Hohenberger, Waters, USENIX Security’11]
Authority issues a Transform Key (TK) and a Secret Key (SK) to Alice
[Figure: Authority issuing (SK, TK)]
Outsourcing ABE Decryption (2) [Green, Hohenberger, Waters, USENIX Security’11]
[Figure labels: SK, (TK, CT), CT, Storage, Proxy, Cloud]
CT′ ← Transform(TK, CT) (most computation done here)
Dec(SK, CT′) → Data (little computation done here)
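How It Works?
Access policy: (CS Dept. AND PhD) OR Prof
Ciphertext CT: $CT = (\,M \cdot e(g,g)^{as},\ g^{s},\ C_1 = (g^{bs_1}H(\text{“Prof”})^{r_1},\ g^{r_1}),\ C_2 = (g^{bs_2}H(\text{“PhD”})^{r_2},\ g^{r_2}),\ C_3 = (g^{bs_3}H(\text{“CS Dept.”})^{r_3},\ g^{r_3})\,)$
Alice: $SK = (g^{a+bt},\ g^{t},\ H(\text{“PhD”})^{t},\ H(\text{“CS Dept.”})^{t})$
Alice: $TK = (g^{(a+bt)/z},\ g^{t/z},\ H(\text{“PhD”})^{t/z},\ H(\text{“CS Dept.”})^{t/z})$
$SK = z$
Proxy: $\text{Transform}(TK, CT) = CT' = (M \cdot e(g,g)^{as},\ e(g,g)^{as/z})$
Alice computes: $M \cdot e(g,g)^{as} / (e(g,g)^{as/z})^{z} = M$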
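The algebra of the Basic Construction slides (Setup, KeyGen, Encrypt, Decrypt, key personalization) and of the transform-key slide above, as an added toy model that is not code from the slides or the cited papers. It stores each group element as its discrete log, so it checks correctness and the collusion argument only and provides no security; the function names, the prime and the key layout are assumptions.

```python
"""Toy model: g^x is stored as the integer x, multiplying elements adds
exponents, and the pairing e(g^x, g^y) is x*y mod P. Algebra check only."""
import hashlib
import secrets

P = 2**127 - 1   # prime group order, constructed for this example

def rand():
    return secrets.randbelow(P - 1) + 1

def H(attr):     # H: {0,1}* -> G
    return int.from_bytes(hashlib.sha256(attr.encode()).digest(), "big") % P

def setup():
    a, b = rand(), rand()
    return {"g_b": b, "egg_a": a}, a            # PK = (g^b, e(g,g)^a), MSK = a

def keygen(pk, msk, attrs):
    t = rand()                                  # fresh t personalises each key
    return {"K": (msk + pk["g_b"] * t) % P,     # g^(a+bt)
            "L": t,                             # g^t
            "Kx": {x: H(x) * t % P for x in attrs}}   # H(x)^t

def share(b, node, s):
    """Attach shares of s to the policy tree; leaves become ciphertext parts."""
    if isinstance(node, str):                   # (g^(b s_i) H(x)^r_i, g^r_i)
        r = rand()
        return ("LEAF", node, (b * s + H(node) * r) % P, r)
    op, left, right = node
    if op == "OR":                              # both children carry the same share
        return (op, share(b, left, s), share(b, right, s))
    r = rand()                                  # AND: children carry s - r and r
    return (op, share(b, left, (s - r) % P), share(b, right, r))

def encrypt(pk, m, policy):
    s = rand()
    return {"C0": (m + pk["egg_a"] * s) % P,    # M * e(g,g)^(as)
            "C": s,                             # g^s
            "tree": share(pk["g_b"], policy, s)}

def recover(node, L, Kx):
    """Exponent of e(g,g)^(b*t*share) for a subtree, or None if unsatisfied."""
    if node[0] == "LEAF":                       # e(C_i, g^t) / e(g^r_i, H(x)^t)
        _, x, c, d = node
        return (c * L - d * Kx[x]) % P if x in Kx else None
    op, left, right = node
    lo, ro = recover(left, L, Kx), recover(right, L, Kx)
    if op == "OR":
        return lo if lo is not None else ro
    return None if lo is None or ro is None else (lo + ro) % P

def blinding(ct, key):
    """e(K, g^s) / e(g,g)^(bts); equals e(g,g)^(as) for a consistent key."""
    bts = recover(ct["tree"], key["L"], key["Kx"])
    return None if bts is None else (ct["C"] * key["K"] - bts) % P

def decrypt(ct, sk):
    eas = blinding(ct, sk)
    return None if eas is None else (ct["C0"] - eas) % P

def keygen_out(pk, msk, attrs):
    """Outsourcing variant: TK is every key component raised to 1/z, SK = z."""
    sk, z = keygen(pk, msk, attrs), rand()
    zinv = pow(z, -1, P)
    tk = {"K": sk["K"] * zinv % P, "L": sk["L"] * zinv % P,
          "Kx": {x: k * zinv % P for x, k in sk["Kx"].items()}}
    return tk, z

def transform(ct, tk):                          # run by the proxy
    part = blinding(ct, tk)                     # e(g,g)^(as/z)
    return None if part is None else (ct["C0"], part)

def final_decrypt(ct2, z):                      # run by the user
    return (ct2[0] - ct2[1] * z) % P            # M e(g,g)^(as) / (e(g,g)^(as/z))^z

POLICY = ("OR", "Prof", ("AND", "PhD", "CS Dept."))

def demo():
    pk, msk = setup()
    m = rand()                                  # message as an element of G_T
    ct = encrypt(pk, m, POLICY)
    bob = keygen(pk, msk, ["PhD", "CS Dept.", "TA"])
    kevin = keygen(pk, msk, ["CS Dept.", "Master"])
    james = keygen(pk, msk, ["EE Dept.", "PhD"])
    # Collusion: Kevin's key with James's "PhD" component pasted in (other t).
    pooled = dict(kevin, Kx={**kevin["Kx"], "PhD": james["Kx"]["PhD"]})
    tk, z = keygen_out(pk, msk, ["PhD", "CS Dept."])
    return {"bob": decrypt(ct, bob) == m,
            "kevin": decrypt(ct, kevin),
            "pooled": decrypt(ct, pooled) == m,
            "outsourced": final_decrypt(transform(ct, tk), z) == m,
            # The proxy's output is e(g,g)^(as/z), not the mask e(g,g)^(as).
            "proxy_has_mask": transform(ct, tk)[1] == pk["egg_a"] * ct["C"] % P}
```

In `demo()`, the pooled key fails because the “PhD” leaf is unblinded with t′ while the rest of the key uses t, leaving a term that does not cancel.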
No Verifiability in Green et al.’s Scheme
[Figure labels: SK, (TK, CT), Proxy]
CT′ ← Transform(TK, CT)
Dec(SK, CT′) → Data. Is the decryption correct?
Verifiable Outsourced ABE Decryption [Lai, Deng, Guan, Weng, to appear in IEEE TIFS]
Ability for user to verify the decryption is correct, i.e., Data is indeed the decryption of CT
Necessary condition: Dec(SK, CT, CT′) → Data
Experiment Results
• 224-bit MNT ECC
• 2.53 GHz Intel Core Duo, 4 GB RAM, Linux
• 800 MHz ARM-based, 278 MB RAM, Android
[Figure: three plots of time in seconds against number of policy attributes (0 to 100), with panel titles ABE Decryption, Transformation and Final Decryption]
Decryption Outsourcing for Multi-Authority Cloud Storage Systems
[Figure: access policy CS dept. AND (manager OR marketing), with two authorities: Authority in UB and Authority in Google]
DAC-MACS: Effective Data Access Control for Multi-Authority Cloud Storage Systems [Yang, Jia, Ren, Zhang, INFOCOM 2013]
Token-based Decryption Outsourcing Mechanism for Cloud Storage Systems with Multiple Authorities
Improving Privacy – Policy Hidden
E-health System
[Figure: a Data Owner stores encrypted patient data at a Cloud Storage Provider under the access policy 123-45-6789 OR (University Hospital AND Cardiologist); users Kevin and Bob; attribute sets shown: “100-20-3456, University Hospital, Cardiologist” and “123-45-6789, Google, Programmer”]
Access policies may leak lots of sensitive information!!
CP-ABE with Fully Hidden Access Policy
• One can obtain CP-ABE with fully hidden access policy from inner-product predicate encryption (IPE)
• Supporting access policies written in CNF or DNF form, which can result in a super-polynomial blowup in size for arbitrary formulas.
Predicate Encryption Supporting Disjunctions, Polynomial Equations, and Inner Products [Katz, Sahai, Waters, J. Cryptology 2013]
CP-ABE with Partially Hidden Access Policy [Lai, Deng, Li AsiaCCS’12]
• Each attribute includes two parts: attribute name and attribute value
Access Policy
Hidden (“123-45-6789”, “University Hospital”, “Cardiologist”): SS#: 123-45-6789 OR (Affiliation: University Hospital AND Occupation: Cardiologist)
Public: SS#: * OR (Affiliation: * AND Occupation: *)
CP-ABE Encryption
Public Params: $e: G \times G \to G_T$; $g,\ g^{b},\ e(g,g)^{a},\ H: \{0,1\}^* \to G$
How about simply not releasing the attribute values in the access policy in standard CP-ABE?
Access Policy: SS#: 123-45-6789 OR (Affiliation: University Hospital AND Occupation: Cardiologist)
Message M:
$CT = (\,M \cdot e(g,g)^{as},\ g^{s},\ C_1 = (g^{bs_1}H(\text{“123-”})^{r_1},\ g^{r_1}),\ C_2 = (g^{bs_2}H(\text{“UH”})^{r_2},\ g^{r_2}),\ C_3 = (g^{bs_3}H(\text{“Cardio”})^{r_3},\ g^{r_3})\,)$
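Dictionary Attack on Attribute Values
Public access policy: (SS#: *) OR (Affiliation: * AND Occupation: *)
PP: $g,\ g^b,\ e(g,g)^a,\ F: \{0,1\}^* \to G$
Ciphertext: $CT = (\, M \cdot e(g,g)^{as},\ g^s,\ C_1 = (g^{bs_1} H(\text{“123-”})^{r_1},\ g^{r_1}),\ C_2 = (g^{bs_2} H(\text{“UH”})^{r_2},\ g^{r_2}),\ C_3 = (g^{bs_3} H(\text{“Cardio”})^{r_3},\ g^{r_3}) \,)$
$$\frac{e(g^{bs_2} H(\text{“UH”})^{r_2},\ g)}{e(g^{r_2},\ H(\text{“UH”}))} \cdot \frac{e(g^{bs_3} H(\text{“Cardio”})^{r_3},\ g)}{e(g^{r_3},\ H(\text{“Cardio”}))} = e(g^{bs_2}, g) \times e(g^{bs_3}, g) = e(g^s, g^b)$$
The guessed values UH & Cardio can be verified as above.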
Main Idea in [Lai, Deng, Li AsiaCCS’12]
Using composite order bilinear group to hide attribute values in ciphertext
$G$, $G_T$ are cyclic groups of order $N = p_1 p_2 p_3 p_4$
$e: G \times G \to G_T$
• Bilinear: $\forall a, b \in Z_N,\ \forall g \in G,\ e(g^a, g^b) = e(g, g)^{ab}$
• Non-degenerate: $\exists g \in G$ such that $e(g, g)$ has order $N$ in $G_T$
Orthogonality: $e(h_i, h_j) = 1$ for $h_i \in G_{p_i}$ and $h_j \in G_{p_j}$, $i \neq j$
Construction in [Lai, Deng, Li 2012]
Based on $e: G \times G \to G_T$ of composite order $p_1 p_2 p_3 p_4$, with $G_{p_1}$ as the main working group
Secret Key: $g^{a+bt}R,\ g^{t}R',\ (H(\text{Value1})^{t}R_1,\ \ldots\ldots,$
Ciphertext: $M \cdot e(g,g)^{as},\ g^s,\ (g^{bs_1}(H(\text{“123..”})Zh)^{r_1} \cdot Z_1,\ g^{r_1} \cdot Z_1'),\ \ldots$
where $g, h, u \in G_{p_1}$, $R, R' \in G_{p_3}$, $Z, Z_1, Z_1' \in G_{p_4}$
$Z_i \in G_{p_4}$ are used to hide attribute values in the ciphertext to prevent dictionary attacks
The orthogonality property cancels the effects of $Z_i$ in decryption
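The guess check from the "Dictionary Attack on Attribute Values" slide and the $G_{p_4}$ blinding from the construction slide, as an added example (not code from the lecture or from the Lai-Deng-Li paper): a toy exponent-arithmetic model in which the check confirms the hidden values on standard ciphertext leaves and confirms nothing once the leaves are blinded. Assumptions: the pairing is simulated by multiplying exponents mod N, the AND gate splits s as s2 + s3 = s, and the names `HZ`, `H_masked`, `encrypt_and_gate` and `dictionary_attack` are hypothetical; this is a simplified model of the idea, not the published construction.

```python
import hashlib, itertools, random

# Toy model (assumption, NOT a real pairing): g^x is stored as its exponent x
# mod N, so multiplying elements adds exponents and e(g^x, g^y) multiplies them.
P1, P2, P3, P4 = 2**61 - 1, 2**31 - 1, 2**19 - 1, 2**89 - 1
N = P1 * P2 * P3 * P4
G1, G4 = N // P1, N // P4           # generators of the subgroups G_p1 and G_p4
rng = random.Random(2013)           # fixed seed: constructed, repeatable data

def e(x, y):                        # "pairing": identity of G_T is exponent 0
    return x * y % N

def H(value):                       # public hash of an attribute value into G_p1
    d = int.from_bytes(hashlib.sha256(value.encode()).digest(), "big")
    return G1 * (d % (P1 - 1) + 1) % N

# Hypothetical public parameter h*Z: h in G_p1 and Z in G_p4 stay secret.
HZ = (G1 * rng.randrange(1, P1) + G4 * rng.randrange(1, P4)) % N

def H_masked(value):                # base H(value)*Z*h used when blinding
    return (H(value) + HZ) % N

def encrypt_and_gate(values, b, s, blind):
    """Leaves (C_i1, C_i2) of one AND gate whose shares s_i sum to s."""
    shares = [rng.randrange(1, P1) for _ in values[:-1]]
    shares.append((s - sum(shares)) % P1)
    base = H_masked if blind else H
    leaves = []
    for v, s_i in zip(values, shares):
        r = rng.randrange(1, P1)
        z1, z2 = (G4 * rng.randrange(1, P4) if blind else 0 for _ in range(2))
        leaves.append(((b * s_i * G1 + r * base(v) + z1) % N, (r * G1 + z2) % N))
    return leaves

def dictionary_attack(leaves, g_s, g_b, base, candidates):
    """Guess tuples where prod e(C_i1, g) / e(C_i2, base(guess)) = e(g^s, g^b)."""
    def residue(guess):
        return sum(e(c1, G1) - e(c2, base(v)) for (c1, c2), v in zip(leaves, guess)) % N
    return [g for g in itertools.product(*candidates) if residue(g) == e(g_s, g_b)]

def demo():
    b, s = rng.randrange(1, P1), rng.randrange(1, P1)
    policy = ["University Hospital", "Cardiologist"]
    words = [["City Clinic", "University Hospital"], ["Nurse", "Cardiologist"]]
    plain = encrypt_and_gate(policy, b, s, blind=False)
    masked = encrypt_and_gate(policy, b, s, blind=True)
    return (dictionary_attack(plain, s * G1, b * G1, H, words),
            dictionary_attack(masked, s * G1, b * G1, H_masked, words))
```

In the blinded case the check leaves a residual $e(Z_i', Z)$ term that a party without the factorization of N cannot remove, while a key holder's $G_{p_1}$/$G_{p_3}$ elements pair to the identity with every $G_{p_4}$ mask.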
Summary
• Traditional access control to data relies on trusted servers
• Attribute-based access control of encrypted data on untrusted server
  - Expressive policy and scalable (one-to-many encryption)
  - Fine-grained (attribute revocation)
  - Efficient (decryption outsource)
  - Privacy-preserving (policy hidden)
References
[Boneh, Franklin Crypto’01] Dan Boneh, Matthew K. Franklin: Identity-Based Encryption from the Weil Pairing. CRYPTO 2001: 213-229
[Sahai, Waters Eurocrypto’05] Amit Sahai, Brent Waters: Fuzzy Identity-Based Encryption. EUROCRYPT 2005: 457-473
[Goyal, Pandey, Sahai, Waters CCS’06] Vipul Goyal, Omkant Pandey, Amit Sahai, Brent Waters: Attribute-based encryption for fine-grained access control of encrypted data. ACM Conference on Computer and Communications Security 2006: 89-98
[Li, Yu, Ren, Lou SecureComm'10] Ming Li, Shucheng Yu, Kui Ren, Wenjing Lou: Securing Personal Health Records in Cloud Computing: Patient-Centric and Fine-Grained Data Access Control in Multi-owner Settings. SecureComm 2010: 89-106
[Yu, Wang, Ren, Lou INFOCOM’10] Shucheng Yu, Cong Wang, Kui Ren, Wenjing Lou: Achieving Secure, Scalable, and Fine-grained Data Access Control in Cloud Computing. INFOCOM 2010: 534-542
[Bethencourt, Sahai, Waters S&P’07] John Bethencourt, Amit Sahai, Brent Waters: Ciphertext-Policy Attribute-Based Encryption. IEEE Symposium on Security and Privacy 2007: 321-334
[Lewko, Okamoto, Sahai, Takashima, Waters Eurocrypto’10] Allison B. Lewko, Tatsuaki Okamoto, Amit Sahai, Katsuyuki Takashima, Brent Waters: Fully Secure Functional Encryption: Attribute-Based Encryption and (Hierarchical) Inner Product Encryption. EUROCRYPT 2010: 62-91
[Sahai, Seyalioglu, Waters Crypto’12] Amit Sahai, Hakan Seyalioglu, Brent Waters: Dynamic Credentials and Ciphertext Delegation for Attribute-Based Encryption. CRYPTO 2012: 199-217
[Yu, Wang, Ren, Lou AsiaCCS’10] Shucheng Yu, Cong Wang, Kui Ren, Wenjing Lou: Attribute based data sharing with attribute revocation. ASIACCS 2010: 261-270
[Yang, Jia, Ren AsiaCCS’13] Kan Yang, Xiaohua Jia, Kui Ren: Attribute-based fine-grained access control with efficient revocation in cloud storage systems. ASIACCS 2013: 523-528
[Yang, Jia, Ren, Zhang INFOCOM’13] Kan Yang, Xiaohua Jia, Kui Ren, Bo Zhang: DAC-MACS: Effective Data Access Control for Multi-Authority Cloud Storage Systems. INFOCOM 2013
[Green, Hohenberger, Waters USENIX Security’11] Matthew Green, Susan Hohenberger, Brent Waters: Outsourcing the Decryption of ABE Ciphertexts. USENIX Security Symposium 2011
[Lai, Deng, Guan, Weng] Verifiable Outsourced ABE Decryption, to appear in IEEE TIFS
[Katz, Sahai, Waters J.Cryptology’13] Jonathan Katz, Amit Sahai, Brent Waters: Predicate Encryption Supporting Disjunctions, Polynomial Equations, and Inner Products. J. Cryptology 26(2): 191-224 (2013)
[Lai, Deng, Li AsiaCCS’12] Junzuo Lai, Robert H. Deng, Yingjiu Li: Expressive CP-ABE with partially hidden access structures. ASIACCS 2012: 18-19
Acknowledgement of Contributors
Kan Yang, City University of Hong Kong
Prof. Robert H. Deng, Singapore Management University
Thank You!