Access Control in Distributed Systems: Merging Theory with Practice
Ivan Stojmenovic, University of Ottawa
http://www.site.uottawa.ca/~ivan
Content
• Access control
• Attribute Based Encryption (ABE)
  – Centralized: Identity-Based Encryption (IBE), Sahai & Waters 2005
  – Centralized: Key Policy ABE, Goyal, Pandey, Sahai, Waters 2006
  – Distributed: Key Policy ABE, Chase & Chow 2009
  – Distributed: Ciphertext Policy ABE, Lewko & Waters 2011
• Applications: Ruj, Nayak, Stojmenovic 2011
Presentation issues
• Math content: mathematical symbolism is by its nature INTIMIDATING, even to mathematicians.
• Use English descriptions and text in preference to mathematical symbolism wherever possible
• Violate with good reason
• Avoid 'it is easy to see that...'
• Follow algorithmic style: from input to output
• I. Stojmenovic, How to write research articles in computing and related engineering disciplines, www.site.uottawa.ca/~ivan
Example: Pay-per-view TV
[Figure: channels Discovery Ch, CNN, MTV, History, HBO, BBC, ESPN; one subscriber holds keys for BBC, ESPN and History, another for Discovery Ch]
• Subscribers cannot access a channel they have not paid for
• How to provide selective access rights?
Pay-per-view TV: no collusion
[Figure: the same channels; subscribers holding BBC, ESPN, History and Discovery Ch, History respectively]
• Users should not be able to collude = combine their keys and gain access to channel(s) that none of them individually has access to
What is access control?
• Giving access to authorized users
• Preventing unauthorized users from accessing
• Making the access control mechanism collusion secure = two or more users cannot collude and access records which each cannot access individually
• Different applications have specific requirements
How to achieve access control
• To each data item, attach a list of authorized users
  – Difficult in networks with a large number of users, like clouds!
• Give each user a public/secret key pair and encrypt each message with the public key of the authorized user, s.t. only that specific user is able to decrypt it
  – The same data has to be encrypted multiple times
• Some applications do not know which specific users to grant access, e.g. any physician in a particular hospital
ATTRIBUTE BASED ENCRYPTION (ABE)
• Select a set of attributes
• Assign some attributes to each user by delivering the corresponding keys
• Decide the structure of the access mechanism
• Give access to users whose assigned attributes satisfy the access mechanism
• No need to address individual users, unless a particular user needs to be revoked by changing some attribute keys
Attributes
[Figure: a patient's encrypted medical data is shared with hospital staff, an insurance company, a researcher, an orthopedist and a neurologist; attribute labels such as "Researcher, Neurologist" select who can decrypt]
Attribute Based Encryption
• Fuzzy Identity-Based Encryption. Sahai and Waters, Eurocrypt 2005
• Users have multiple attributes
• Public/secret key is constructed using these attributes
• Message is encrypted with the public key
• A user needs at least d attributes to decrypt the message, using its secret key
• Applied to error-tolerant biometrics
Bilinear Pairings
• Used in all ABE algorithms
• G, GT are multiplicative groups of order N
• N is a prime (Sahai-Waters, Goyal et al.) or a product of 3 primes (Lewko-Waters, later in the talk)
• e : G x G -> GT is a bilinear map if:
  – Non-degenerate: g generates G => e(g,g) generates GT
  – Bilinear: e(g^a, g^b) = e(g,g)^{ab}, a, b ∈ Z, g ∈ G
• e can be computed efficiently by existing software
• Selection of the map e depends on the application
Software Implementation of BP
• Choosing pairing-friendly curves
• Weil and Tate pairings on elliptic curves
• Computed using Miller's algorithm
• Intricate maths
• Pairing Based Cryptography (PBC): C library built on the GMP (GNU Multiple Precision) library
• Built-in algorithms for pairings
• Choose the group size (e.g. elliptic curve, 159-bit group order)
• Type of curve (Type d)
• A pairing takes 14 ms on an Intel Pentium D, 3.0 GHz CPU
IBE (Sahai-Waters) details
• Total w attributes (fixed): 1=Researcher, 2=Neurologist, 3=Orthopedist, …, w-1=Hospital A, w=Hospital B; W = {1,2,…,w}
• Authority selects secret keys: t1, t2, …, tw, y chosen at random from {0,1,…,N-1}, the same for all users, and a polynomial q of degree d-1 chosen at random s.t. q(0) = y, separate for each user
• Public parameters (keys): T1 = g^{t1}, T2 = g^{t2}, T3 = g^{t3}, …, Tw = g^{tw}, Y = e(g,g)^y
• Private key to a user, for its selected attributes i in W' (W' is a subset of W): Di = g^{q(i)/ti}
• The polynomial q itself is not given (only the values Di after calculation)
IBE Encryption
• Choose a random number s in {0,1,…,N-1}
• Send ciphertext: Ei = g^{s ti} for each i in W', E' = e(g,g)^{ys} M, together with W'
• The 'identity' W' = the set of attributes the ciphertext is labelled with; it is included in the message
• Access policy: the receiver needs keys for d of the attributes in W'
IBE decryption
• Choose a set S of d attributes from W' for which the receiver holds keys Di
• Lagrange coefficients Δ_{i,S}(x) = Π_{j∈S, j≠i} (x - j)/(i - j), evaluated at x = 0:
  E' / Π_{i∈S} e(Di, Ei)^{Δ_{i,S}(0)}
  = e(g,g)^{ys} M / Π_{i∈S} e(g^{q(i)/ti}, g^{s ti})^{Δ_{i,S}(0)}
  = e(g,g)^{ys} M / e(g,g)^{s Σ_{i∈S} q(i) Δ_{i,S}(0)}
  = e(g,g)^{ys} M / e(g,g)^{s q(0)} = e(g,g)^{ys} M / e(g,g)^{ys} = M
• The first line above calculates M because enough Di's are available to apply the bilinear map and eventually make use of Σ_{i∈S} q(i) Δ_{i,S}(0) = q(0) = y
• The decoder node does not know the coefficients of q; however the above equality holds by the choice of y and the Lagrange interpolation property
• If a node has fewer than d attributes then its private key does not have enough ingredients to arrive at the Σ giving q(0) = y (the missing secret keys indirectly carry the missing q(i))
• Collusion attacks are prevented because different users are given private keys based on different polynomials q
ABE: Modifications to IBE
• Goyal, Pandey, Sahai, Waters, ACM CCS'06: monotonic access tree instead of a threshold structure. The access tree generalizes the 'd out of w' access policy
[Figure: example access tree over attributes 1–10 with AND, OR and 2-out-of-3 gates]
Key policy ABE (Goyal): setup
• Total w attributes: W = {1,2,…,w} = Researcher, Neurologist, Orthopedist, …, Hospital A, Hospital B
• Secret keys of the authority: t1, t2, …, tw, y chosen at random from {0,1,…,N-1}, the same for all users
• To each user separately: an access tree with a polynomial on each tree node, for receiving; and secret keys for a subset W' of W, for sending
• Public parameters (keys): g^{t1}, g^{t2}, …, g^{tw-1}, g^{tw}, Y = e(g,g)^y
• Private key to a user, for receiving: Di = g^{pi(0)/ti} for each leaf node i of the associated access tree; W' = set of leaves of the access tree = set of assigned attributes
Attributes, access trees: private keys
[Figure: medical data readable by "Researcher, or Neurologist in Hospital A", i.e. access tree OR(Researcher, AND(Neurologist, Hospital A))]
• Secret keys and the access tree are delivered by the authority = KDC (key distribution center) to senders (data providers) and receivers (consumers), respectively
• Attributes at the leaves do not repeat
Goyal et al, ACM CCS'06
• Key-policy ABE
• Sender: ciphertexts are simply labelled with a set of descriptive attributes
• Receiver can decrypt if it has a matching set of attributes in the assigned access tree
[Figure: sender labels a ciphertext with attributes 5, 1, 6, 2, 7; the receiver's access tree over attributes 1–10 (AND, OR and 2-out-of-3 gates) decides whether it decrypts]
ABE Encryption
• Choose a random number s in {0,1,…,N-1}
• Send ciphertext: Ei = g^{s ti} for each i in W', E' = e(g,g)^{ys} M, together with W'
• The 'identity' W' is included in the message
• Same encryption as in IBE
Private Key construction
• Each access tree node has a unique arbitrary index in {0,1,…,N-1}
• One polynomial pn(x) for each node n in the tree
• If n is a c-out-of-d threshold gate then pn(x) has degree c-1
• For the root r, pr(0) = y
• For node n (with index i), pn(0) = p_parent(n)(i)
• For leaf n with index i and attribute j, calculate v = p_parent(n)(i)
• Private key = { g^{v/tj} } with one component per leaf attribute j (e.g. g^{9/t1} in the example that follows)
Access tree construction: example
• Assume node index n = i for simplicity (BFS traversal); N = 11, y = 3
• Tree: root node 0 = AND of node 1 (OR over leaves 3, 4 = attributes 1, 2) and node 2 (3-out-of-4 over leaves 5, 6, 7, 8 = attributes 3, 4, 5, 6); the figure labels the six attributes A–F
• Generate polynomials:
  p0(x) = 6x + 3 (degree of the root = 1, p0(0) = 3 = y)
  p1(x) = 9 (degree 0, p1(0) = p0(1) = 9)
  p2(x) = x^2 + 3x + 4 (degree 2, p2(0) = p0(2) = 15 = 4 (mod 11))
• Evaluate p1(x) at 3 and 4: 9, 9
• Evaluate p2(x) at 5, 6, 7, 8: 0, 3, 8, 4
• KDC sends the private key g^{9/t1}, g^{9/t2}, g^0, g^{3/t4}, g^{8/t5}, g^{4/t6} to the user
ABE: encryption and decryption
[Figure: the same tree with private keys g^{9/t1}, g^{9/t2}, g^0, g^{3/t4}, g^{8/t5}, g^{4/t6} at the leaves]
• Ciphertext = « g^{s t1}, g^{s t2}, g^{s t4}, g^{s t5}, g^{s t6}, e(g,g)^{3s} M » (attributes 1, 2, 4, 5, 6; attribute 3 is not included)
• Leaf values e(Di, Ei) = e(g,g)^{s p_parent(i)}: e(g,g)^{9s}, e(g,g)^{9s} under node 1; e(g,g)^{3s}, e(g,g)^{8s}, e(g,g)^{4s} under node 2
• e(g,g)^{s pn(0)} at each node is calculated by Lagrange interpolation, bottom to top: node 1: e(g,g)^{9s}; node 2: e(g,g)^{4s}; root: e(g,g)^{3s} = e(g,g)^{sy}
• M = e(g,g)^{3s} M / e(g,g)^{3s}
Polynomial interpolation
• Very similar to the basic scenario of d-out-of-w attributes (d = 1 for OR, AND is d-out-of-d)
• The same algorithm is applied at each node; it needs a sufficient number of items to apply Lagrange
• Fz = DecryptNode(E, D, z) for all children z of x, where x is a node in the access tree (x = n)
• Fx = Π_{z∈S} Fz^{Δ_{z,S}(0)} = e(g,g)^{s px(0)}, where S is the set of indices of a selected sufficient number d of children z for which Fz was obtained
ABE: encryption and decryption
[Figure: the same tree and private keys g^{9/t1}, g^{9/t2}, g^0, g^{3/t4}, g^{8/t5}, g^{4/t6}]
• New ciphertext = « g^{s t1}, g^{s t2}, g^{s t5}, g^{s t6}, e(g,g)^{3s} M » (attribute 4 is no longer included)
• Leaf values: e(g,g)^{9s}, e(g,g)^{9s} under node 1; only e(g,g)^{8s}, e(g,g)^{4s} under node 2
• Node 1: e(g,g)^{9s}
• Node 2: e(g,g)^{4s} cannot be calculated. Not enough attributes (2 of the required 3)
• Root: e(g,g)^{3s} cannot be calculated
• Decryption fails
Collusion secure
• The polynomials are different for different users
• Two users cannot combine attributes and calculate e(g,g)^{s px(0)} at a node x, and at the root e(g,g)^{sy}
Centralized to decentralized ABE
• A centralized key distribution center (KDC) is a single point of failure
• Multi-authority ABE: Chase, TCC 2007 - several authorities coordinated by a trusted central authority
• Multi-authority ABE with no central authority: Chase and Chow, ACM CCS 2009
  – Limited to an AND policy over a pre-determined set of authorities (global coordination needed)
  – Requires at least one attribute from each KDC
• Both are KP-ABE (key policy - access tree at the receiver)
Wireless Sensor Networks
• Ruj, Nayak, Stojmenovic, IEEE IPDPS 2011
• Several key distribution centers (DC1, DC2, DC3, …)
• Based on Chase-Chow with AND as the access structure
• Sensors sense information, valid users can decrypt
• Each KDC assigns attributes to sensors and the corresponding public and secret keys

Access control in WSN
• Each user is given an access structure in the form of a tree with AND at the root, and one subtree per KDC
• Users (receivers) have higher computing power than sensors
• Each KDC may assign a simple access policy on its attributes, e.g. DC1: AND of fire and vibration; DC2: OR of road and sand; DC3: 4-out-of-6 from ten regions
Ciphertext Policy ABE
• Bethencourt et al., IEEE Security and Privacy, 2007
• The access structure moves from the receiver to the sender: the sender chooses the access tree and embeds it in the ciphertext
• A receiver with a valid attribute set can decrypt
• Decentralized ABE: Lewko, Waters, Eurocrypt 2011: no global coordination other than the creation of an initial set of reference parameters
[Figure: sender's access tree over attributes 1–10 with AND, OR and 2-out-of-3 gates; a receiver holding attributes 5, 1, 6, 2, 7 can decrypt]
Lewko, Waters 2011 follows CP-ABE
• A party can simply act as an ABE authority by creating a public key and issuing private keys to different users that reflect their attributes
• A global identifier GID is needed to link private keys together (issued to the same user by different authorities)
• A hash function H maps the GID to a (bilinear) group element
• The largest technical hurdle is to make it collusion resistant
[Figure: the same access tree; a receiver holding only attributes 5, 1, 6, 2 (without 7) cannot decrypt]
Main idea
• Divide the secret s into secret shares λx
• Divide 0 into secret shares wx
• Structure the decryption algorithm at each node x in the access tree s.t. a user will recover a target group element of the form
• Shares λx are 'blinded' by shares wx
• Reconstruct the main secret and unblind in parallel
• e(g, H(GID)) terms will cancel out
• Intuitively, two users with different GIDs cannot collude because their wx shares will have different bases
Global setup
• Based on the desired security level, choose global parameters GP:
  – bilinear group G of order N (N = p1 p2 p3, 3 primes)
  – generator g1 of the subgroup Gp1 (p1 divides N)
  – hash function H that maps GIDs (as binary strings) to G
Authority setup and key generation
• Each authority takes GP as input and produces its own secret and public key pair, SK and PK
• For each attribute i belonging to the authority, αi and yi are random from {0,1,2,…,N-1}
• Key assigned to user GID for attribute i is
Encrypt
• Input: public keys, global parameters, message M
• The access tree is converted to an access matrix A, with a mapping ρ from rows of A to attributes
• Output: ciphertext CT (including the access matrix)
• Choose random s and a random vector v = (s, v2, …, vl); λx = Ax·v, where Ax is the x-th row of A
• Choose a random vector w = (0, w2, …, wl); wx = Ax·w
• Choose random rx for each row x of A
• CT = … plus A and ρ
Conversion of access tree to matrix
• The root has vector (1)
• If node x is AND, then the left child gets (v[x] | 1) and the right child gets (0 0 … 0 | -1) (length increased by 1)
• If node x is OR, then left child = right child = v[x]
[Figure: example tree with two AND and three OR gates over attributes 5, 4, 2, 7, 6, 3. Root AND: (1), children (1,1) and (0,-1); the two leaves under the (1,1) OR get (1,1); under the (0,-1) subtree the OR leaves get (0,-1) and the AND children get (0,-1,1) and (0,0,-1)]
Conversion of access tree to matrix
• Pad with 0s at the end (on the right), such that all vectors are of equal length
[Figure: the same tree with padded vectors: root (1,0,0); children (1,1,0) and (0,-1,0); leaves (1,1,0), (1,1,0), (0,-1,0), (0,-1,0), (0,-1,1), (0,0,-1)]
Access matrix A
• Rows are the obtained vectors at the leaf nodes = attributes:
  A = [  1  1  0 ]
      [  1  1  0 ]
      [  0 -1  0 ]
      [  0 -1  0 ]
      [  0 -1  1 ]
      [  0  0 -1 ]
[Figure: the same padded tree]
Decrypt
• Input: GP, CT, assigned keys. Output: M
• Compute own H(GID)
• Find the rows of A corresponding to the assigned keys
• Is (1,0,…,0) a linear combination of these rows?
  – No: decryption impossible
  – Yes: c1A1 + c2A2 + … + cmAm = (1,0,…,0); hints:
    Σ cx λx = Σ cx Ax·v = (Σ cx Ax)·v = (1,0,…,0)·v = s
    Σ cx wx = Σ cx Ax·w = (Σ cx Ax)·w = (1,0,…,0)·w = 0
• Reconstruct the secret s and unblind w in parallel

Decryption algorithm
• Compute on the left what is shown on the right
• rx self-cancels during a special 'division'
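The tree-to-matrix conversion slides and the decryption-side span check above, as an added example written for this page rather than the speaker's code. It rebuilds the slide's access matrix row for row and then runs the share/reconstruction arithmetic (λx = Ax·v, wx = Ax·w, Σ cx λx = s, Σ cx wx = 0) for several attribute sets. Assumptions: the leaf labelling AND(OR(5,4), OR(OR(2,7), AND(6,3))), which is the only reading of the slide's vectors, and a small prime field GF(101) in place of the scheme's composite-order Z_N (the linear algebra is the same; only the modulus differs).

```python
"""Lewko-Waters CP-ABE: access tree -> LSSS matrix and the decryption-side span check, run
on the slide's example tree (two ANDs, three ORs over attributes 5, 4, 2, 7, 6, 3).
Added example, not the speaker's code.  The leaf labelling below and the prime modulus P
are assumptions; the real scheme works modulo N = p1 p2 p3 with the same share algebra.
"""
import random

P = 101  # toy field modulus (assumption)

DECK_TREE = ("AND", ("OR", 5, 4), ("OR", ("OR", 2, 7), ("AND", 6, 3)))


def tree_to_matrix(tree):
    """Return (A, rho): access-matrix rows in leaf order and the attribute of each row."""
    rows, rho = [], []

    def walk(node, vec):
        if not isinstance(node, tuple):               # leaf: its vector becomes a row of A
            rows.append(list(vec)); rho.append(node); return
        gate, left, right = node
        if gate == "AND":                              # (v|1) and (0..0|-1): length grows by 1
            walk(left, vec + (1,)); walk(right, (0,) * len(vec) + (-1,))
        else:                                          # OR: both children inherit v
            walk(left, vec); walk(right, vec)

    walk(tree, (1,))                                   # root vector is (1)
    width = max(len(r) for r in rows)
    return [r + [0] * (width - len(r)) for r in rows], rho   # pad with zeros on the right


def combination(rows, target):
    """Coefficients c with sum_x c_x rows[x] == target over GF(P), or None if not in the span.
    Gauss-Jordan on rows^T c = target (one equation per coordinate, one unknown per row)."""
    m, l = len(rows), len(target)
    aug = [[rows[x][j] % P for x in range(m)] + [target[j] % P] for j in range(l)]
    pivots, r = [], 0
    for col in range(m):
        piv = next((i for i in range(r, l) if aug[i][col]), None)
        if piv is None:
            continue
        aug[r], aug[piv] = aug[piv], aug[r]
        inv = pow(aug[r][col], -1, P)
        aug[r] = [v * inv % P for v in aug[r]]
        for i in range(l):
            if i != r and aug[i][col]:
                f = aug[i][col]
                aug[i] = [(a - f * b) % P for a, b in zip(aug[i], aug[r])]
        pivots.append(col); r += 1
    if any(row[-1] for row in aug[r:]):               # a row reading 0 = nonzero: inconsistent
        return None
    c = [0] * m                                        # free variables set to 0
    for i, col in enumerate(pivots):
        c[col] = aug[i][-1]
    return c


def share(A, s):
    """Encryptor side: lambda_x = A_x . v with v = (s, v2..vl); w_x = A_x . w with w = (0, w2..wl)."""
    l = len(A[0])
    v = [s] + [random.randrange(P) for _ in range(l - 1)]
    w = [0] + [random.randrange(P) for _ in range(l - 1)]
    dot = lambda a, b: sum(x * y for x, y in zip(a, b)) % P
    return [dot(row, v) for row in A], [dot(row, w) for row in A]


def reconstruct(A, rho, lam, w, user_attrs):
    """Decryptor side: take the rows for the user's attributes, test whether (1,0,..,0) is in
    their span, and if so return (sum c_x lambda_x, sum c_x w_x) = (s, 0); None otherwise."""
    mine = [x for x, a in enumerate(rho) if a in user_attrs]
    c = combination([A[x] for x in mine], [1] + [0] * (len(A[0]) - 1))
    if c is None:
        return None
    return (sum(cx * lam[x] for cx, x in zip(c, mine)) % P,
            sum(cx * w[x] for cx, x in zip(c, mine)) % P)


if __name__ == "__main__":
    A, rho = tree_to_matrix(DECK_TREE)
    lam, w = share(A, s=42)
    for attrs in ({5, 2}, {5, 6, 3}, {5, 6}, {2, 7, 6, 3}):
        print(sorted(attrs), reconstruct(A, rho, lam, w, attrs))
```

`reconstruct` returns `(42, 0)` for {5, 2} (row 1 plus row 3 sums to (1,0,0)) and for {5, 6, 3}, and `None` for {5, 6} and for {2, 7, 6, 3}, where no combination of the held rows has a leading 1. In the real scheme the same coefficients cx are applied in the exponent to the λx and wx terms carried by the ciphertext, which is why the w-shares (which sum to 0 only for a single GID's rows) are what defeats collusion.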
Applications
• Medical databases in clouds
• Vehicular networks
• Smart power grids
• Wireless sensor networks
• Online transactions
• Online social networks
Requirements in applications
• Different applications require different computing and storage resources and levels of security
• Sender and receiver within the same application can have different computing powers
• Administration could be centralized or distributed
Access control in clouds
• Ruj, Nayak, Stojmenovic, IEEE TrustCom 2011
• Based on the Lewko-Waters scheme
• Revocation of a user is based on replacing and transmitting some keys to the affected users and replacing the stored information
• Medical records: sensitive data; the cloud stores the encrypted form and should not be able to decrypt the data
Storage of medical records
[Figure: the patient's medical data is encrypted and stored in the cloud; consumers are hospital staff, an insurance company, a researcher and a doctor]
Assign secret key directly?
[Figure: the patient hands secret keys SK directly to the consumers (orthopedist, nurses, arthritis researcher, hospital staff, insurance company); the encrypted medical data sits in the cloud]
Storage of medical records: no KDC
[Figure: patient 1 and patient 2 each encrypt their own records (encrypted medical data 1 and 2) and hand out their own keys SK1 and SK2 to the same consumers (orthopedist, nurses, researcher, hospital staff, insurance company)]
• Each patient could give a key for the same field access
• Many patients => many keys. Unmanageable
Storage of medical records with KDCs (independent from the cloud)
[Figure: two KDCs issue attribute keys SK_{1,1}, SK_{1,2}, SK_{1,3} and SK_{2,1}, SK_{2,2}, SK_{2,3} to the consumers (1. Orthopedist, 2. Researcher, 3. Hospital staff / insurance company; nurses, arthritis); the patient's encrypted medical data is stored in the cloud]
Vehicular ad hoc networks (VANET)
• Selective access of information: a car might send information only to selected cars (e.g. the same taxi company, pick up a customer at a certain location)
• Static and dynamic attributes
  – STATIC: loaded at registration. Type: emergency vehicle, petrol car, truck, taxi, private vehicle. Location: city, province. Group: emergency vehicle (fire/ambulance), cab company
  – DYNAMIC: loaded by the nearest RSU. Road: highway number, street number. Road segment: segment of highway/street. Lane number. Approximate geographic location. Nearest intersection
Access control in VANET
• ASPE: Huang-Verma, 2009, Ad Hoc Networks
• Assumption: vehicles belonging to different RSUs do not need to communicate
• Basic Sahai-Waters ABE is used
• Drawbacks: congestion in one highway segment (monitored by an RSU) affects traffic at another segment (monitored by a different RSU); if there is no taxi at the current RSU then a taxi from nearby RSUs should be called; coordination among RSUs is often needed
Decentralized access control in VANET
• Ruj-Nayak-Stojmenovic: AdHocNow, 2011
• RSUs can act as KDCs, in addition to the CA (central authority)
• The RSU distributes attributes and keys
• Some keys (of static attributes) are preloaded
• Senders (vehicles or RSUs) decide the access trees
• RSUs coordinate
• Uses Lewko-Waters decentralized ABE
Smart grid access control
• SCADA: Supervisory Control and Data Acquisition
• Centralized security access control; user = system engineer, maintenance officer, auditor, policy maker, researcher
• Ruj, Nayak, Stojmenovic: … access control in smart grids. Submitted
[Figure: senders transmit encrypted data with an attribute access structure to data collectors, which aggregate the encrypted data into a central repository; users (receivers) with valid attributes decrypt]

Security architecture
• RTU = Remote Terminal Unit; KDCs for type of users, appliances, power sources, …
• Privacy-preserving data aggregation: Paillier additive homomorphic encryption
• Access control: Lewko-Waters
Future research
• Integrating pay-per-view TV with the smart grid
• Integrating electric vehicles in smart grids

Conclusion: Future work
• Privacy issues
  – How to hide the identity of the sender?
  – How to hide the access policies of the sender from the receiver?
• Authentication along with access control
  – E.g. apply attribute-based signature schemes