
Attribute-Based Encryption

Attribute-Based Encryption. Brent Waters SRI International. Server Mediated Access Control. File 1. Server stores data in clear Expressive access controls. Access list: John, Beth, Sue, Bob Attributes: “Computer Science” , “Admissions”. Distributed Storage. Scalability Reliability.

denniscombs

Presentation Transcript


  1. Attribute-Based Encryption Brent Waters SRI International

  2. Server Mediated Access Control File 1 • Server stores data in clear • Expressive access controls Access list: John, Beth, Sue, Bob Attributes: “Computer Science” , “Admissions”

  3. Distributed Storage • Scalability • Reliability Downside: Increased vulnerability

  4. Traditional Encrypted Filesystem • File 1 Owner: John; File 2 Owner: Tim • Encrypted Files stored on Untrusted Server • Every user can decrypt its own files • Files to be shared across different users? Credentials? • Lost expressivity of trusted server approach!

  5. A New Approach to Encrypting Data • Goal: Encryption with Expressive Access Control • Label files with attributes • File 1: “Creator: John”, “Computer Science”, “Admissions”, “Date: 04-11-06” • File 2: “Creator: Tim”, “History”, “Admissions”, “Date: 03-20-05”

  6. A New Approach to Encrypting Files • File 1: “Creator: John”, “Computer Science”, “Admissions”, “Date: 04-11-06” • File 2: “Creator: Tim”, “History”, “Admissions”, “Date: 03-20-05” • Univ. Key Authority • Policy tree: “Bob” OR (“Computer Science” AND “Admissions”)

  7. Attribute-Based Encryption [Sahai-Waters 05] • Start with monotonic access formulas [GPSW06] • Techniques from IBE [S84,BF01] • Challenge: Collusion Resistance • Further developments of ABE • Bringing into Practice

  8. Attribute-Based Encryption • Ciphertext has set of attributes • Keys reflect a tree access structure • Decrypt iff attributes from CT satisfy key’s policy • Example CT attributes: “Creator: John”, “Computer Science”, “Admissions”, “Date: 04-11-06” • Example key policy: “Bob” OR (“Computer Science” AND “Admissions”)

  9. Central goal: Prevent Collusions • If neither user can decrypt a CT, then they can’t together • Key policies: (“Computer Science” AND “Admissions”), (“Hiring” AND “History”) • Ciphertext = M, {“Computer Science”, “Hiring”}

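  10. A Misguided Approach • Public Parameters: $K_{\text{History}}, K_{\text{CS}}, K_{\text{Hiring}}, K_{\text{Admissions}}, \ldots$ • Private keys: $\{SK_{\text{CS}}, SK_{\text{Admissions}}\}$ and $\{SK_{\text{History}}, SK_{\text{Hiring}}\}$ • $CT = E_{K_{\text{CS}}}(R),\ E_{K_{\text{Hiring}}}(M-R)$ • Neither can decrypt alone, but …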

  11. Our Approach Two key ideas • Prevent collusion attacks • Bilinear maps “tie” key components together • Support access formulas • General Secret Sharing Schemes

  12. Bilinear Maps • $G$, $G_T$: multiplicative groups of prime order $p$. • Def: An admissible bilinear map $e: G \times G \to G_T$ is: • Non-degenerate: $g$ generates $G$ $\Rightarrow$ $e(g,g)$ generates $G_T$. • Bilinear: $e(g^a, g^b) = e(g,g)^{ab}$ $\forall a,b \in \mathbb{Z}$, $g \in G$. • Efficiently computable. • Exist based on Elliptic-Curve Cryptography

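  13. Secret Sharing [Ben86] • Secret Sharing for tree-structure of AND + OR • Replicate secret for OR’s. • Split secrets for AND’s. • Example with secret $y$ at the root of “Bob” OR (“Computer Science” AND “Admissions”): the OR passes $y$ to both children, the AND splits $y$ into $r$ and $(y-r)$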

  14. The Fixed Attributes System: System Setup • List of all possible attributes: “Bob”, “John”, …, “Admissions” • Public Parameters: $g^{t_1}, g^{t_2}, \ldots, g^{t_n}, e(g,g)^{y}$

  15. Encryption • File 1: “Creator: John” (attribute 2), “Computer Science” (attribute 3), “Admissions” (attribute n) • Public Parameters: $g^{t_1}, g^{t_2}, g^{t_3}, \ldots, g^{t_n}, e(g,g)^{y}$ • Select set of attributes, raise them to random $s$ • Ciphertext: $g^{st_2}, g^{st_3}, g^{st_n}, e(g,g)^{sy}M$

  16. Key Generation • Policy: “Bob” OR (“Computer Science” AND “Admissions”), root secret $y$, shares $y_1 = y$, $y_3 = r$, $y_n = (y-r)$ • Fresh randomness used for each key generated! • Public Parameters: $g^{t_1}, g^{t_2}, \ldots, g^{t_n}, e(g,g)^{y}$ • Ciphertext: $g^{st_2}, g^{st_3}, g^{st_n}, e(g,g)^{sy}M$ • Private Key: $g^{y_1/t_1}, g^{y_3/t_3}, g^{y_n/t_n}$

  17. Decryption • Ciphertext: $g^{st_2}, g^{st_3}, g^{st_n}, Me(g,g)^{sy}$ • Private Key: $g^{y_1/t_1}, g^{y_3/t_3}, g^{y_n/t_n}$ • $e(g,g)^{sy_3}$ • $e(g,g)^{sy_3}e(g,g)^{sy_n} = e(g,g)^{s(y-r+r)} = e(g,g)^{sy}$ (Linear operation in exponent to reconstruct $e(g,g)^{sy}$)

  18. Security • Reduction: Bilinear Decisional Diffie-Hellman • Given $g^a, g^b, g^c$ distinguish $e(g,g)^{abc}$ from random • Collusion resistance • Can’t combine private key components

  19. The Large Universe Construction: Key Idea • Any string can be a valid attribute • Public Parameters: Public Function $T(\cdot)$, $e(g,g)^{y}$ • Ciphertext: $g^{s}$, $e(g,g)^{sy}M$; for each attribute $i$: $T(i)^{s}$ • Private Key: for each attribute $i$: $g^{y_i}T(i)^{r_i}$, $g^{r_i}$ • (Diagram label: $e(g,g)^{sy_i}$)

  20. Delegation • Derive a key for a more restrictive policy • (Diagram labels: OR, AND, “Bob”, “Computer Science”, “admissions”, Bob’s Assistant, Year=2006)

  21. Making ABE more expressive • Any access formulas • Challenge: Decryptor ignores an attribute • Attributes describe CT, policy in key • Flip things around

  22. Supporting “NOTs” [OSW07] • Example: Peer Review of Other Depts. • Bob is in C.S. dept => Avoid Conflict of Interest • Policy: “Dept. Review” AND “Year:2007” AND NOT “Computer Science” • Challenge: Can’t attacker just ignore CT components?

  23. A Simple Solution • Use explicit “not” attributes • Attribute “Not:Admissions”, “Not:Biology” • Problems: • Encryptor does not know all attributes to negate • Huge number of attributes per CT • Example CT: “Creator: John”, “History”, “Admissions”, “Date: 04-11-06”, “Not:Anthropology”, “Not:Aeronautics”, …, “Not:Zoology”

  24. Technique 1: Simplify Formulas • Use DeMorgan’s law to propagate NOTs to just the attributes • (Diagram labels: AND, OR, NOT, “Dept. Review”, “Public Policy”, “Computer Science”)

  25. Applying Revocation Techniques • Broadcast a ciphertext to all but a certain set of users • Used in digital content protection • E.g. Revoke compromised players P1 P2 P3

  26. Applying Revocation Techniques • Focus on a particular Not Attribute • Policy: “Dept. Review” AND “Year:2007” AND NOT “Computer Science”

  27. Applying Revocation Techniques • Focus on a particular ‘Not’ Attribute • Attribute in ‘Not’ as node’s “identity” • Attributes in CT as Revoked Users • Node ID not in “revoked” list => satisfied • N.B. – Just one node in larger policy • Example: CT attributes “Creator: John”, “Computer Science”, “Admissions”, “Date: 04-11-06”; node NOT “Computer Science”

  28. The Naor-Pinkas Scheme • Pick a degree $n$ polynomial $q(\cdot)$, $q(0)=a$ • $n+1$ points to interpolate • User $t$ gets $q(t)$ • Encryption: $g^{s}$, $Mg^{sa}$ • Revoked $x_1, \ldots, x_n$: $g^{sq(x_1)}, \ldots, g^{sq(x_n)}$ • User’s own point: $g^{sq(t)}$ • Can interpolate to $g^{sq(0)} = g^{sa}$ iff $t$ not in $\{x_1, \ldots, x_n\}$

  29. Applying Revocation to ABE • Use same S.S. techniques for key generation • Same techniques for pos. attributes • “Local” N-P Revocation at each Not-Attribute • Upshot: N-P Revocation requires using each CT attribute

  30. Ciphertext Policy ABE [BSW07] • Encrypted data reflects decryption policies • Users’ Private Keys are descriptive attributes • “Thinking” Encryptor • Univ. Key Authority • Example key attributes: “Professor”, “Discipline Committee”, “Age=33”, “History” • (Policy diagram labels: OR, AND, “Counselor”, “Discipline Committee”, “Professor”)

  31. Challenges in Practice [PTMW06] • Applications • Health Care • Netflow Logs (currently building) • How are CTs annotated? • Can we automate? • Convention for using Attributes? • “Prof.” or “Professor” • Does “T.A.” + “CS236” mean TAing CS236?

  32. Challenges in Practice • What group do Public Parameters represent? • (Diagram labels: Univ. Key Authority, Individual’s Key)

  33. Advanced Crypto Software Collection • Goal: Make advanced Crypto available to systems researchers • http://acsc.csl.sri.com (8 projects) • Projects at UIUC and MIT using ABE • Example session:

      $ cpabe-setup
      $ cpabe-keygen -o sara_priv_key pub_key master_key \
          sysadmin it_department 'office = 1431' 'hire_date = '`date +%s`
      $ cpabe-enc pub_key security_report.pdf
      (sysadmin and (hire_date < 946702800 or security_team)) or
      (business_staff and 2 of (executive_level >= 5, audit_group, strategy_team))

  34. Conclusions and Open Directions • Attribute-Based Encryption for Expressive Access Control on Encrypted Data • Extending Capabilities • Delegation • Non-Monotonic Formulas • Ciphertext-Policy • Currently implemented

  35. Conclusions and Open Directions • Open: Can we express access control for any circuit over attributes? • What are limits of capability-based crypto? • Capability that evaluates any function F(s) • (Diagram labels: Univ. Key Authority, F( ), s)

  36. Thank You

  37. Related Work • Identity-Based Encryption [Shamir84,BF01,C01] • Access Control [Smart03], Hidden Credentials [Holt et al. 03-04] • Not Collusion Resistant • Secret Sharing Schemes [Shamir79, Benaloh86…] • Allow Collusion

  38. System Sketch • Choose degree $n$ polynomial $q()$, $q(0)=b$ • Public Parameters: $g^{q(0)}, g^{q(1)}, \ldots, g^{q(n)}$ • Can compute $g^{q(x)}$ • Ciphertext: $g^{s}, g^{sq(x_1)}, \ldots, g^{sq(x_n)}$; Attributes: $x_1, x_2, \ldots$ • Private Key for node NOT “Computer Science” ($=t$): $g^{rq(t)}, g^{r}$ • $e(g,g)^{srq(t)}$, $e(g,g)^{srq(x_1)}$, …, $e(g,g)^{srq(x_n)}$ • If points different can compute $e(g,g)^{srb}$

  39. Applications: Targeted Broadcast Encryption • Encrypted stream • Ciphertext = S, {“Sport”, “Soccer”, “Germany”, “France”, “11-01-2006”} • (Policy diagram labels: AND, AND, “Soccer”, “Germany”, “Sport”, “11-01-2006”)

  40. Extensions • Building from any linear secret sharing scheme • In particular, tree of threshold gates… • Delegation of Private Keys

  41. Threshold Attribute-Based Enc. [SW05] • Sahai-Waters introduced ABE, but only for “threshold policies”: • Ciphertext has set of attributes • User has set of attributes • If more than k attributes match, then User can decrypt. • Main Application: Biometrics

  42. Central goal: Prevent Collusions • Users shouldn’t be able to collude • Key policies: (“Hiring” AND “History”), (“Computer Science” AND “Admissions”) • Ciphertext = M, {“Computer Science”, “Hiring”}
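Added example (not from the original slides): the Naor-Pinkas revocation of slide 28, run over a small real group so the interpolation happens in the exponent as on the slide. The toy parameters `P`, `Q`, `G`, the function names and the identities used by a caller are assumptions; each ciphertext must revoke exactly $n$ distinct nonzero identities.

```python
import secrets

# Constructed toy group: P = 2Q + 1, G generates the subgroup of prime order Q.
P, Q, G = 2039, 1019, 4

def make_poly(n, a):                   # degree-n polynomial q() with q(0) = a
    return [a] + [secrets.randbelow(Q) for _ in range(n)]

def q_eval(coeffs, x):                 # q(x) mod Q; user t is handed q_eval(coeffs, t)
    return sum(c * pow(x, k, Q) for k, c in enumerate(coeffs)) % Q

def encrypt(coeffs, revoked, m):
    """Return g^s, one g^{s q(x_i)} per revoked identity, and M * g^{s a}."""
    s = secrets.randbelow(Q - 1) + 1
    shares = {x: pow(G, s * q_eval(coeffs, x) % Q, P) for x in revoked}
    return pow(G, s, P), shares, m * pow(G, s * coeffs[0] % Q, P) % P

def lagrange_at_zero(xs):              # lambda_j with sum_j lambda_j * q(x_j) = q(0)
    lam = {}
    for j in xs:
        num = den = 1
        for k in xs:
            if k != j:
                num, den = num * -k % Q, den * (j - k) % Q
        lam[j] = num * pow(den, -1, Q) % Q
    return lam

def decrypt(t, q_t, ct, n):
    gs, shares, body = ct
    points = dict(shares)
    points[t] = pow(gs, q_t, P)        # user's own point g^{s q(t)}
    if len(points) < n + 1:            # t is revoked: only n distinct points
        return None
    blind = 1                          # interpolate g^{s q(0)} in the exponent
    for x, lam in lagrange_at_zero(list(points)).items():
        blind = blind * pow(points[x], lam, P) % P
    return body * pow(blind, -1, P) % P
```

A revoked user's own point coincides with one already in the ciphertext, leaving $n$ points for a degree-$n$ polynomial, which is why `decrypt` returns `None` for them.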
