CiphertextPolicy AttributeBased Encryption - PowerPoint PPT Presentation

1 / 34

About This Presentation

Title:

CiphertextPolicy AttributeBased Encryption

Description:

none – PowerPoint PPT presentation

Number of Views:532

Avg rating:5.0/5.0

Slides: 35

Provided by: hpcus1191

Category:

more less

Transcript and Presenter's Notes

Title: CiphertextPolicy AttributeBased Encryption

1
Ciphertext-Policy Attribute-Based Encryption

John Bethencourt
Carnegie Mellon University
Amit Sahai
University of California, LA
Brent Waters
SRI International
The 28th IEEE Symposium on Security and Privacy
(Oakland) , May 2007
Presented by Sonia Jahid
Qualifying Exam Feb 18, 2008

2
Server Mediated Access Control
Alice

Server compromise results in data compromise
Harder with replication
Encrypt data

Alice, Bob
Alice, read file1
Bob, read file 1
Storage Server
Alice has enough credentials
Bob does not have enough credentials
What are the problems with this approach?
3
Data Storage with Encryption

Should the same key be used to encrypt all the
files?
Coarse access control
Should a different key be used to encrypt each
file?
Key management problem
What about users having common properties?

Alice, Bob
Bob
Storage Server
Owner encrypts each file before storing
Attribute Based Encryption
4
Attribute Based Messaging

Use encryption to provide confidentiality
Using each recipients public key
Unknown users
Using policy over the attributes

ABM
To Professor OR (RA AND Security)
b_at_uiuc.edu
a_at_uiuc.edu
Attribute Based Encryption
5
Contribution

Ciphertext Policy Attribute Based Encryption
(CP-ABE)
Encrypt the data under a policy over some
attributes
Key having enough attributes can decrypt the data
The data is self-protective

6
Outline

Overview of the Mechanism
Design
Discussion
Other Attribute Based Encryption Systems

7
Overview of CP-ABE
PK
MSK
Key Authority

Message1 can be viewed by
Professor OR (RA AND Security)
Professor OR (RA AND Security)

PK
SKSarah Attribute Professor, Architecture
Professor OR (RA AND Security)
SKSam Attribute RA, Networking
Professor OR (RA AND Security)
Professor OR (RA AND Security)
8
Policy Representation

Policy represented as tree
Leaves are attributes
Other nodes are k of n threshold gates
Easy to understand
Negation not supported
Use not attribute as another attribute
Should be able to decrypt using SKStudent, Music

Professor OR (Student AND Not CS)
?
Student, Music
Student, Not CS
Student, Not Math
9
Secret Key

KeyGen(MK, S) ? SK

The Key
SK
SKr,r1
SKr,r2
SKr,r3
SKr,r4
SKr,r5
Key Components
Attributes
S1
S2
S3
S4
S5
10
Encryption

Encrypt (PK, M,T) ? CT
M x secret ? CT

11
Decryption

Decrypt (CT, SK) ? M
M x secret ? CT
SK RA, Security

SK
q(x)
SKr,r1
SKr,r1
SKr,r2
SKr,r1
SKr,r2
SKr,r2
x
12
Collusion Resistance
OR
SK
AND
Professor
Security
RA
SKr,r1
SKr,r2
SKr,r3
SKr,r4
SKr,r5
SKSam RA, Networking
SKLars TA, Security
13
Key Revocation

Problem
Implicit key distribution
No explicit certification
Solution
Encrypt the message under an additional date
attribute, Y, e.g., Dec 26, 2007
Add Expiry date to the key as an attribute X,
e.g., Mar 26, 2008

Problem still exists
14
Key Revocation A Scenario

Professor AB leaves on Feb 26, 2008
Attribute is updated but key can not be revoked
A vulnerability window of 29 days in the previous
example Key expires on Mar 26, 2008
So, key validity period should be based on
the sensitivity of the message, and
VW it is willing to tolerate
Example
Only valid Professors get data but the data is
not so sensitive and can be tolerated to be read
by the left Professor till Oct 26, 2008
Otherwise, give new key to everyone
Becomes a scalability issue for Key Authority

15
Central Key Authority

Works in a single domain
Example
Issue a key for the attribute
Student at UIUC, Driving License at 2008
Not Possible
Attributes are from different domains
UIUC KA can issue key for Student at UIUC
DMV KA can issue key for Driving license at
Illinois
There should be connection between these two
components, which is not possible with two KAs

16
Other Attribute Based Systems

Sahai and Waters 2005 Fuzzy Identity Based
Encryption
ABE originates from this idea
Uses biometric identities as users attributes
Goyal, Pandey, Sahai, Waters 2006 Attribute
Based Encryption for Fine-Grained Access Control
of Encrypted Data
Policy is in key
Idea is, user Xs key can access data a,b,c,d
CP-ABE resembles ACL (who has access)
KP-ABE is capability (what can be accessed)

Thank You!

Backup Slides

19
Basics

Pairing Based Cryptography
Construct a mapping between two useful
cryptographic group reducing one problem in one
group to a different easier problem in other
group
Group
If a,b e G then ab e G
(ab)c a(bc)
Ia aI a
Every aeG has an inverse, aa-1 a-1a I
Example
Z51,2,3,4 is multiplicative cyclic group, I
1, g2
mG, am I

20
Non Monotonic Access Structure

Proposed for Key Policy Attribute Based
Encryption (KP-ABE)
Adopted for CP-ABE
Check for absence of Networking in Bobs
attributes

OR
AND
Professor
RA
NOT
Networking
Ostrovsky, Sahai, Waters
21
Notation Details

G0, G1
Multiplicative Cyclic Groups of prime order p
G0 ltggt
g is a generator of G0
e G0 x G0 ? G1
Bilinear mapping
e(ua,vb) e(u,v)ab u,v e G0,a,b e Zp
Zp0,1,2, , p-1
e(g,g) generates G1
H0,1 ? G0
Map string attribute to random G0 element

22
Setup Details

Setup ? PK, MK

23
Secret Key Details
SK
SKr,r1
SKr,r2
SKr,r3
SKr,r4
SKr,r5
S1
S2
S3
S4
S5
a, ß e Zp
24
Encryption Details
a, ß e Zp
25
Decryption Details Simplified
Polynomial of degree kx-1, where kx is
threshold D is the secret
q(x) 2x 5 q(x) ax D
AND
Security
RA
q1(0) q(1) 7 q1(x) 7
q2(0) q(2) 9 q2(x) 9
Having key for RA means to know q(1) 7 a
D Having key for Security means to know q(2) 9
2a D Solve and get D 5
26
Decryption Details
CT
SK
For each leaf node x