SLIDE 1
Dynamic Credentials and
Amit Sahai, Hakan Seyalioglu, Brent Waters
2
Attribute-Based Encryption
[S-Waters 2005, GPSW’06, BSW’07] Different users will have credentials (attributes). Top Secret, Forensics
Dynamic Credentials and Ciphertext Delegation for ABE Amit Sahai, - - PowerPoint PPT Presentation
Dynamic Credentials and Ciphertext Delegation for ABE Amit Sahai, - - PowerPoint PPT Presentation
Dynamic Credentials and Ciphertext Delegation for ABE Amit Sahai, Hakan Seyalioglu, Brent Waters Attribute-Based Encryption [S-Waters 2005, GPSW06, BSW07] Different users will have credentials (attributes). Top Secret, Forensics 2
SLIDE 2
SLIDE 3
3
Attribute-Based Encryption
[S-Waters 2005, GPSW’06, BSW’07] Different users will have credentials (attributes). Top Secret, Forensics Attribute set = Top Secret, Forensics
SLIDE 4
4
has a message, wants to send it to everyone authorized to receive it. Encryption takes as input a policy.
POTUS
AND OR
Attribute-Based Encryption
Top Secret Forensics
SLIDE 5
5
has a message, wants to send it to everyone authorized to receive it. Encryption takes as input a policy.
POTUS
AND OR
Attribute-Based Encryption
Top Secret Forensics
Top Secret, Forensics
SLIDE 6
6
has a message, wants to send it to everyone authorized to receive it. Encryption takes as input a policy.
POTUS
AND OR can decrypt
Attribute-Based Encryption
Top Secret Forensics
Top Secret, Forensics
ü ü
SLIDE 7
7
has a message, wants to send it to everyone authorized to receive it. Encryption takes as input a policy.
POTUS
AND OR can decrypt
Attribute-Based Encryption
Top Secret Forensics
Top Secret, Forensics
ü ü
SLIDE 8
8
has a message, wants to send it to everyone authorized to receive it. Encryption takes as input a policy.
POTUS
AND OR can decrypt
Attribute-Based Encryption
Top Secret Forensics
Top Secret, Forensics
ü ü
û
ü
SLIDE 9
9
has a message, wants to send it to everyone authorized to receive it. Encryption takes as input a policy.
POTUS
AND OR can decrypt
Attribute-Based Encryption
Top Secret Forensics
Top Secret, Forensics
ü ü
û
ü
SLIDE 10
10
has a message, wants to send it to everyone authorized to receive it. Encryption takes as input a policy.
POTUS
AND OR can decrypt
Attribute-Based Encryption
Top Secret Forensics
Top Secret, Forensics
ü ü
û
ü ü
SLIDE 11
11
has a message, wants to send it to everyone authorized to receive it. Encryption takes as input a policy.
POTUS
AND OR can decrypt
Attribute-Based Encryption
Top Secret Forensics
Top Secret, Forensics
ü ü
û
ü ü
SLIDE 12
12
has a message, wants to send it to everyone authorized to receive it. Encryption takes as input a policy.
POTUS
AND OR can decrypt
Attribute-Based Encryption
Top Secret Forensics
Top Secret, Forensics
ü ü
û
ü ü
SLIDE 13
13
has a message, wants to send it to everyone authorized to receive it. Encryption takes as input a policy.
POTUS
AND OR can decrypt
Attribute-Based Encryption
Top Secret Forensics
Top Secret, Forensics
ü ü
û
ü ü
SLIDE 14
14
This work: Dynamic Credentials
Users’ credentials change over time
If a user’s credentials change, his old key is revoked and he is issued a new key
SLIDE 15
15
This work: Dynamic Credentials
Users’ credentials change over time
If a user’s credentials change, his old key is revoked and he is issued a new key
(Usual) Framework to make this possible:
SLIDE 16
16
This work: Dynamic Credentials
Users’ credentials change over time
If a user’s credentials change, his old key is revoked and he is issued a new key
(Usual) Framework to make this possible:
- Periodic broadcasts by key authority
SLIDE 17
17
This work: Dynamic Credentials
Users’ credentials change over time
If a user’s credentials change, his old key is revoked and he is issued a new key
(Usual) Framework to make this possible:
- Periodic broadcasts by key authority
- Unrevoked keys can be updated and can
decrypt data encrypted at new time
SLIDE 18
18
This work: Dynamic Credentials
Users’ credentials change over time
If a user’s credentials change, his old key is revoked and he is issued a new key
(Usual) Framework to make this possible:
- Periodic broadcasts by key authority
- Unrevoked keys can be updated and can
decrypt data encrypted at new time
SLIDE 19
19
This work: Dynamic Credentials
Users’ credentials change over time
If a user’s credentials change, his old key is revoked and he is issued a new key
(Usual) Framework to make this possible:
- Periodic broadcasts by key authority
- Unrevoked keys can be updated and can
decrypt data encrypted at new time
SLIDE 20
20
This work: Dynamic Credentials
Users’ credentials change over time
If a user’s credentials change, his old key is revoked and he is issued a new key
(Usual) Framework to make this possible:
- Periodic broadcasts by key authority
- Unrevoked keys can be updated and can
decrypt data encrypted at new time Are the security concerns the same as standard revocation? No: standard revocation is for broadcast: you
- nly care about protecting the future
We illustrate with a motivating example: Inspired by a wonderful conversation with Thomas King and Daniel Manchala (Xerox LA) Our thanks to them for inspiring this work!
SLIDE 21
21
Normally, employee only accesses files he needs (enforced by access logs).
Motivation
Setting: Company with ABE based access control
SLIDE 22
22
Employee Termination: Employee’s key is revoked. Standard guarantee: he can’t access files added in the future.
Motivation
SLIDE 23
23
Employee Termination: Employee’s key is revoked. Standard guarantee: he can’t access files added in the future. Problem: He hacks into server and uses old key to decrypt old files that he didn’t download earlier.
Motivation
SLIDE 24
24
Employee Termination: Employee’s key is revoked. Standard guarantee: he can’t access files added in the future.
Motivation
SLIDE 25
25
Employee Termination: Employee’s key is revoked. Standard guarantee: he can’t access files added in the future. Problem: He hacks into server and uses old key to decrypt old files that he didn’t download earlier.
Motivation
SLIDE 26
26
Employee Termination: Employee’s key is revoked. Standard guarantee: he can’t access files added in the future. Problem: He hacks into server and uses old key to decrypt old files that he didn’t download earlier.
Motivation
Serious problem: balance between strict security and ease of use: Necessitates broader access policies, with countermeasures against misuse of privilege. Preventing access to old files, even if they match
- ld access policy, is important security concern.
SLIDE 27
27
Motivation
What security property do we need?
SLIDE 28
28
Motivation
What security property do we need?
After termination, employee should not be able to access anything he doesn’t already have.
SLIDE 29
29
Motivation
What security property do we need?
After termination, employee should not be able to access anything he doesn’t already have. This breaks down into two guarantees.
SLIDE 30
30
Two Security Guarantees
- 1. Files encrypted in the past.
SLIDE 31
31
Two Security Guarantees
- 1. Files encrypted in the past.
Looked at only to a limited extent in the past for How can we protect old files that the employee could access with his old key in the past?
SLIDE 32
32
Two Security Guarantees
- 1. Files encrypted in the past.
Looked at only to a limited extent in the past for How can we protect old files that the employee could access with his old key in the past? First time considered to the best of our knowledge
SLIDE 33
33
Two Security Guarantees
- 1. Files encrypted in the past.
Looked at only to a limited extent in the past for How can we protect old files that the employee could access with his old key in the past? First time considered to the best of our knowledge
- 2. Files added to system in future
SLIDE 34
34
Two Security Guarantees
- 1. Files encrypted in the past.
Looked at only to a limited extent in the past for How can we protect old files that the employee could access with his old key in the past? First time considered to the best of our knowledge
- 2. Files added to system in future
SLIDE 35
35
Two Security Guarantees
- 1. Files encrypted in the past.
Looked at only to a limited extent in the past for How can we protect old files that the employee could access with his old key in the past? First time considered to the best of our knowledge
- 2. Files added to system in future
IBE/ABE [Boldyreva-Goyal-Kumar’08] Only weak notions of security achieved.
SLIDE 36
36
Two Security Guarantees
- 1. Files encrypted in the past.
Looked at only to a limited extent in the past for How can we protect old files that the employee could access with his old key in the past? First time considered to the best of our knowledge
- 2. Files added to system in future
IBE/ABE [Boldyreva-Goyal-Kumar’08] Only weak notions of security achieved. Main Result: First ABE scheme to address both of these problems simultaneously.
SLIDE 37
37
- Assume we have security for new files:
can only be decrypted by users with secret key for time ≥t.
- How can we get security for old files?
Two Security Guarantees
(e.g., user with credential for time t+2 can decrypt)
SLIDE 38
38
Decrypting and Re-encrypting: Every night, re-encrypt all files on server
Solution ideas
SLIDE 39
39
Decrypting and Re-encrypting: Every night, re-encrypt all files on server
Solution ideas
SLIDE 40
40
Decrypting and Re-encrypting: Every night, re-encrypt all files on server
Solution ideas
Decrypt and re-encrypt for time t+1
SLIDE 41
41
Decrypting and Re-encrypting: Every night, re-encrypt all files on server
Solution ideas
Decrypt and re-encrypt for time t+1 Problem: Maintenance requires master secret key. We do not want to trust the server with this.
SLIDE 42
42
Decrypting and Re-encrypting: Every night, re-encrypt all files on server
Solution ideas
Decrypt and re-encrypt for time t+1 Problem: Maintenance requires master secret key. We do not want to trust the server with this.
SLIDE 43
43
Overwrite Encryption: Every night, re-encrypt all ciphertexts on server
Solution ideas
SLIDE 44
44
Overwrite Encryption: Every night, re-encrypt all ciphertexts on server
Solution ideas
Encrypt the ciphertext at time t+1
SLIDE 45
45
Overwrite Encryption: Every night, re-encrypt all ciphertexts on server
Solution ideas
Encrypt the ciphertext at time t+1 Problem: Overhead grows every night
SLIDE 46
46
Overwrite Encryption: Every night, re-encrypt all ciphertexts on server
Solution ideas
Encrypt the ciphertext at time t+1 Problem: Overhead grows every night
SLIDE 47
47
Overwrite Encryption: Every night, re-encrypt all ciphertexts on server
Solution ideas
Encrypt the ciphertext at time t+1 Problem: Overhead grows every night
SLIDE 48
48
Overwrite Encryption: Every night, re-encrypt all ciphertexts on server
Solution ideas
Encrypt the ciphertext at time t+1 Problem: Overhead grows every night We ask: Can we allow server to “refresh” the encryption without needing any secret keys, and without growing the ciphertext?
SLIDE 49
49
Our Approach
Directly Refreshing Ciphertext: Increment the time component using public data
SLIDE 50
50
Our Approach
We say such a scheme has Revocable Storage Directly Refreshing Ciphertext: Increment the time component using public data
SLIDE 51
51
Our Approach
We say such a scheme has Revocable Storage Directly Refreshing Ciphertext: Increment the time component using public data
SLIDE 52
52
Our Approach
We say such a scheme has Revocable Storage Ciphertext update Directly Refreshing Ciphertext: Increment the time component using public data
SLIDE 53
53
Our Approach
We say such a scheme has Revocable Storage Ciphertext update Directly Refreshing Ciphertext: Increment the time component using public data Note: new ciphertext is more restrictive than old ciphertext, so security is maintained.
SLIDE 54
54
Our Approach
We say such a scheme has Revocable Storage Ciphertext update Directly Refreshing Ciphertext: Increment the time component using public data Note: new ciphertext is more restrictive than old ciphertext, so security is maintained.
SLIDE 55
More generally, for standard ABE:
Our Approach
55
SLIDE 56
More generally, for standard ABE: We call this problem Ciphertext Delegation. where P’ is a more restrictive policy than P.
Our Approach
56
SLIDE 57
More generally, for standard ABE: We call this problem Ciphertext Delegation. where P’ is a more restrictive policy than P.
Our Approach
57
SLIDE 58
An example of ciphertext delegation in ABE [BSW07]:
Delegation
58
Key Generation.
SLIDE 59
An example of ciphertext delegation in ABE [BSW07]:
Delegation
59
Key Generation.
SLIDE 60
An example of ciphertext delegation in ABE [BSW07]:
Delegation
60
Key Generation.
SLIDE 61
An example of ciphertext delegation in ABE [BSW07]:
Delegation
61
Key Generation. (Only used in decryption)
SLIDE 62
Encryption.
Delegation
62
Take the ciphertext policy: “Has `top secret (ts.)’ and `accounting (ac.)’ attributes”
SLIDE 63
Delegation
63
Can we delegate this to the policy: “Has attributes `top secret (ts.)’ and `accounting (ac.)’ and `director (dir.)’ ” We are given the ciphertext: where: and the public key:
SLIDE 64
Delegation
64
Generate: Why is this a good ciphertext? Plus: Use re-randomization to prevent subtle attacks.
SLIDE 65
Types of Delegation
65
We show most current ABE schemes support a variety of efficient ciphertext delegation ops:
- Increasing node thresholds
- Increasing node thresholds and adding
nodes
- Deleting subtrees
We also conduct survey of delegation
- perations on LSSS matrix based schemes
[GPSW06, Waters11, LOSTW10].
SLIDE 66
66
Conclusion
- 1. We define ciphertext delegation and give a number
- f efficient methods for ciphertext delegation.
- 2. We use ciphertext delegation to solve the problem
- f revocable storage.
- 3. We also construct fully secure ABE schemes that
achieve revocation security vs. future encryptions.
- 4. We show how to combine these elements to
achieve the first fully secure ABE schemes for dynamic credentials.