Realizing Fine-Grained and Flexible Access Control to Outsourced Data with Attribute-Based Cryptosystems

Realizing Fine-Grained andFlexible Access Control to

Outsourced Data withAttribute-Based Cryptosystems

Fangming Zhao, Takashi Nishide, and Kouichi Sakurai

International Conference on Information Security Practice and ExperienceGhuangzhou, China, May 2011

SWIM SeminarMarch 9, 2016Mateus Cruz

Introduction ABE/ABS Proposal Performance Analysis Conclusion

OUTLINE

1 Introduction

2 ABE/ABS

3 Proposal

4 Performance Analysis

5 Conclusion


OUTLINE

1 Introduction

2 ABE/ABS

3 Proposal


5 Conclusion


BACKGROUND

Outsourcing of data storageI Cloud storage

Privacy concernsI Untrusted server

Encrypt data before uploadingI Access controlled by keys

1 / 21


CONTRIBUTIONS

Flexible and fine-grained access controlI read-only and read-write differentiation

Data confidentialityLower cost of key distributionIntegrity verification

2 / 21


SECURITY ASSUMPTIONS

Semi-trusted storage serversI Tries to obtain informationI Does not tamper with the data

Trusted attribute authority (TA)I Manage attributes and related keys

UsersI Readers (read-only )I Writers (read-write)I Can collude to obtain more information

3 / 21


SYSTEM OVERVIEW

4 / 21


OUTLINE

1 Introduction

2 ABE/ABS

3 Proposal


5 Conclusion


ATTRIBUTE-BASED ENCRYPTION

Private key associated with attributesAccess tree Tdecrypt

I Defines access policies over attributesI Encrypt using access structureI Decrypt if structure is satisfied

Example

“Directors or managers ora specifically appointedperson (trustee) canaccess the data”

5 / 21


ATTRIBUTE-BASED SIGNATUREUsers can sign resources

I Signatures are based on users’ attributes

Users verify signatures

Example

“Only director-managerusers or a specificallyappointed person (trustee)can access the data”

6 / 21


OUTLINE

1 Introduction

2 ABE/ABS

3 Proposal


5 Conclusion


DATA ACCESS PROCEDURES

Create fileI Encrypt phaseI Sign phaseI Upload phase

Read fileI Verify phaseI Decrypt phase

Update file

7 / 21


CREATE FILE

Encrypt phaseSign phaseUpload phase

8 / 21


ENCRYPT PHASEThe owner encrypts a file for sharing

I Based on ABEI Decryption policy based on the tree Tdecrypt

CT = Enc(PKE ,M,Tdecrypt)

Notation Description

CT : ciphertextEnc: encryption algorithmPKE : public key for encryptionM: message

Tdecrypt : access tree

9 / 21


SIGN PHASEThe owner signs the ciphertext using ABSUsed to differentiate readers and writers

SG = Sign(PKS,SKS,h(CT )||t ,Tsign)


SG: signatureSign: sign algorithmPKS: public key for signing

h: hash functionCT : ciphertextt : timestamp

Tsign: access tree

10 / 21


UPLOAD PHASEThe owner uploads CT , SG, tThe server checks signature

I Accept or reject upload

R0 = Verify(PKS,h(CT )||t ,Tsign,SG)


R0: boolean verification valueVerify : verification algorithmPKS: public key for signing


Tsign: access treeSG: signature

11 / 21


READ FILE

Verify phaseDecrypt phase

12 / 21


VERIFY PHASEA user obtains CT , SG, t , TsignObtain public key PKS from trusted authorityVerifies if the signature is valid

R1 = Verify(PKS,h(CT )||t ,Tsign,SG)


R1: boolean verification valueVerify : verification algorithmPKS: public key for signing


Tsign: access treeSG: signature

13 / 21


DECRYPT PHASE

Decrypts ciphertext using SKU

M = Decrypt(CT ,SKU)


M: messageDecrypt : decryption algorithm

CT : ciphertextSKU : key corresponding to attributes U

14 / 21


UPDATE FILE

A user...I Updates M to M1I Encrypts message:

CT1 = Enc(PKE ,M1,Tdecrypt1)I Signs ciphertext:

SG1 = Sign(PKS,SKS,h(CT1)||t1,Tsign)I Uploads CT1, SG1, t1, Tsign

The server...I Verifies the new signature

– Check writer’s attributesI Accepts or rejects the update

15 / 21


WRITER-READER DIFFERENTIATION

Users differentiated by ABSI Writers can produce a valid signature

Differentiation done at attribute levelI Scales better than at user level

16 / 21


INTEGRITY

ABS offers integrityI Hash ciphertext before signing

The integrity can be verified by...I ServerI Valid users

17 / 21


OUTLINE

1 Introduction

2 ABE/ABS

3 Proposal


5 Conclusion


COMPUTATIONAL OVERHEAD

Create and UpdateI One encryption operationI One sign operationI Cost grows with access structure matrix

ReadI One decryption operationI One verify operationI Cost grows with attributes satisfiedI Cost mainly generated by pairing computations

18 / 21


OUTLINE

1 Introduction

2 ABE/ABS

3 Proposal


5 Conclusion


SUMMARY

Secure data sharing schemeFine-grained accessMany-read-many-writeIntegrity verification

19 / 21


FUTURE WORK

Use search on encrypted dataI Many-read-many-write-many-search

Implementation to verify usability

20 / 21

Detailed Analysis

EXTRA SLIDES

Detailed Analysis

COMPLEXITY ANALYSIS

Create fileI O(E1 × log p) + O(l × E0 × log p)

Read fileI O(l×L)+O(|U|×E1× log p)+O(l×E0× log p)

Update fileI O(E1 × log p) + O(l × E0 × log p)


E0 Cost of exponentiation operations in G0E1 Cost of exponentiation operations in G1L Cost of bilinear pairingp Prime order of G0 and G1U The attribute set in the access treel , t The matrix l × t of the monotone span program which is con-

verted from its corresponding access structure

Internet

Realizing Fine-Grained and Flexible Access Control to Outsourced Data with Attribute-Based Cryptosystems