Research Area: Data Security using
Identity-Based Encryption Schemes and Key Management in Cloud
Environment
Identity and Attribute-based encryption schemes are viable alternative to PKI based cryptosystemsas they help in devising ACP using personal identifiers(PID), hierarchy and validity-period. The multi-tenant cloud environment have broad array of threat vectors compared to on-premise software. The present schemes can be complex (if not limiting) to share and control the data due to complexity involved in certificate management and cost. Our research work involved study of ID-PKC, ABE schemes and related key management techniques. As part of research we devised access control mechanism suitable for cloud environment. Techniques like searchable encryption help to leverage third-party services without compromising on privacy of data. We have improvised methods for data transmission, efficiency of key management schemes and evaluated them using network telemetry datasets.
---------
Let G be
a cyclic group of prime order p
generated by g
∈
G. Let e
: G ×
G →
Gt
be a function mapping pairs of
elements of G to elements of some group Gt
also of order p.
We use a multiplicative notation for the group operations in G and
Gt.
In practice G will be a subgroup of the group of points on a curve
defined over some finite field, while Gt
will be a multiplicative subgroup in
some extension of the field. Note that it will not be feasible to
compute a homomorphism from Gt
to G without violating complexity
assumptions. Suppose that e satisfies
the bilinearity condition that ∀u,
v ∈
G,
∀a,
b ∈
Z,
e(ua,
vb)
= e(u,
v)ab,
and the non-degeneracy condition that (g,
g) generate Gt.
Suppose also that the group operations in G and Gt,
as well as the pairing e,
can all be computed efficiently (which requires that the elements of
G and t have
compact representations). In this case, it is said that G is a
bilinear group,
and that the map e is
a symmetric bilinear map
or pairing in the group G. The symmetry refers to the invariance of
the bilinear map upon interchange of its arguments.
A.2 Asymmetric Bilinear
Groups
Let G
and Ĝ be a pair of cyclic groups of prime order p
respectively generated by g
∈
G and ḡ
∈
Ĝ. Let e
: G×Ĝ
→ Gt
be a function mapping pairs of
elements in (G, Ĝ)
to elements of some group Gt
also of order p.
Group operations are written multiplicatively in G, Ĝ, and Gt.
Suppose that e satisfies
the bilinearity condition that ∀u
∈
G,
∀v
∈
Ĝ,
∀a,
b ∈
Z,
e(ua,
vb)
= e(u,
v)ab,
and the non-degeneracy condition that e(g,
ḡ) generate Gt.
Suppose also that the group operations in G, Ĝ, and Gt,
as well as the pairing e,
are all efficiently computable. In this case, it is said that (G,
Ĝ) form a bilinear
group pair, and that the map e
is an asymmetric
bilinear map, or pairing, in (G,
Ĝ). The asymmetry refers to the non
interchangeability of the bilinear map’s arguments. Finally, let φ
: Ĝ →
G be the group homomorphism such
that φ(ḡ)
= g;
this homomorphism always exists but is not always efficiently
computable. When the homomorphism φ
is efficiently computable, the
bilinear group pair (G, Ĝ)
is of type 2, otherwise it is of type 3.
A.3 Types of Security
Attacks on ID-PKC schemes
There
are six general categories of attacks that the use of encryption can
protect against. In each of these cases, an attacker attempts to
either determine a key needed to decrypt a message or the plaintext
message that was encrypted.
-
Ciphertext-only
attack. A ciphertext-only attack is
carried out by an adversary who has access to only ciphertext. This
is the most difficult attack to carry out, and any system needs to
be resistant to such an attack to provide any level of security at
all.
-
Known-plaintext
attack. A known-plaintext attack is
carried out by an adversary who has access to both plaintext and
corresponding ciphertext. The matching plaintext and ciphertext need
not comprise all of an encrypted message. This type of attack is
very easy for an adversary to carry out, and protection against
known-plaintext attacks is essential for any useful cryptographic
system. Almost any type of information that is transmitted
electronically has enough structure to guarantee some level of
matching plaintext and ciphertext. Bytes representing ASCII text
have some fixed bits while others can be guessed with a high
probability, for example.
-
Chosen-plaintext
attack. A chosen-plaintext attack
is carried out by an adversary who can select the plaintext and then
be given the corresponding ciphertext. For example, to create a list
of all possible plaintext-ciphertext pairs and then decrypt any
other encrypted messages that he observes by looking up the correct
plaintext in this table. One way to counter such a capability is to
include random information with the plaintext that gets encrypted,
so that a single plaintext message will get encrypted to a different
ciphertext each time it is encrypted.
-
Adaptive
chosen-plaintext attack. In an
adaptive chosen-plaintext attack, an adversary selects an initial
plaintext message to encrypt and then selects the next plaintext
messages that he encrypts based on the ciphertext that he receives
from the previous encryption. He can repeat this process as often as
needed to gather more information about the key being used.
Otherwise, this attack has the same properties as a chosen-plaintext
attack.
-
Chosen-ciphertext
attack. In a chosen-ciphertext
attack, an adversary selects a ciphertext and is able to obtain the
corresponding plaintext. If an algorithm encrypts a particular
plaintext to the same ciphertext every time it is encrypted then it
is vulnerable to a chosen-ciphertext attack, so many encryption
algorithms add a random input to the plaintext to make such an
attack infeasible. Portable devices like smartcards may be
susceptible to chosen-ciphertext attacks, because they can often be
obtained by an adversary. Being secure against chosen ciphertext
attacks is the standard level of security that is currently expected
of public-key systems.
-
Adaptive
chosen-ciphertext attack. In this,
an adversary selects an initial ciphertext message to decrypt and
then selects the next ciphertext messages that he decrypts based on
the plaintext that he receives from the previous decryption.
A.4 Criteria for Ideal
Identity-Based Encryption scheme
-
Data
confidentiality: Before uploading
data to the cloud, the data was encrypted by the data owner.
Therefore, unauthorized parties including the cloud cannot know the
information about the encrypted data.
-
Fine-grained
access control: In the same group,
the system granted the different access right to individual user.
Users are on the same group, but each user can be granted the
different access right to access data. Even for users in the same
group, their access rights are not the same.
-
Scalability:
When the authorized users increase, the system can work efficiently.
So the number of authorized users cannot affect the performance of
the system.
-
User
accountability: If the authorized
user is dishonest, he would share his attribute private key with the
other user. Due to that illegal key may be created among
unauthorized users.
-
User
revocation: If the user quits the
system, the scheme can revoke his access right from the system
directly. The revocable user cannot access any stored data.
-
Collusion
resistant: Users cannot combine
their attributes to decipher the encrypted data. Since each
attribute is related to the polynomial or the random number,
different users cannot collude each other.
A.5 Identity-Based
Encryption and Security Analysis
An IBE system consists of four
algorithms Setup, KeyGen, Encrypt and Decrypt.
Setup generates Private
Key Generators parameters params and a master key master-key. Key-Gen
uses master-key and user identity parameters to generate private key
for that identity. Encrypt takes message, identity and params
as input and outputs a ciphertext while Decrypt uses
ciphertext for the identity using a identity private key.
Boneh and Franklin define
chosen ciphertext security using chosen identity attack using
following game.
Setup: The challenger
runs the Setup, and sends the params to the adversary
Phase 1: The adversary
issues queries q1, q2, q3, ..qm where qi is one of following
Key generation query:
the challenger runs KeyGen on IDi and forwards the resulting private
key to the adversary
Decryption query: the
challenger runs the KeyGen on IDi decrypts ci using private key and
sends the result to the adversary
Challenge: The
adversary submits two plaintexts M0, M1 Є M and an identity ID. Only
condition is that ID should not have been used in Phase1 key
generation query. The challenger selects a random bit b Є {0, 1},
sets C = Encrypt(params, ID, Mb), and sends C to the adversary as its
challenge ciphertext.
Phase 2: Same as Phase
1 except that adversary may not request a private key for ID or the
decryption of (ID, C)
Guess: The adversary
submits a guess b` Є {0, 1} and adversary wins if b = b`
The adversary A in above same
is called IND-ID-CCA adversary.
The advantage of adversary A
is defined as probability
Adv (A)= |Pr[b= b']- 1/2 |
…(A.1)
Definition A.3: An
ID-PKC system is (t, qID, qC, Є) IND-ID-CCA
secure if all t-time IND-ID-CCA adversaries making at most qID
private key queries and at most qC chosen ciphertext
queries have advantage at most Є in winning the game.
IND-ID-CPA security is defined
similarly but with restriction that adversary cannot make decryption
queries.
Definition A.4: An
ID-PKC system is (t, qID, Є) IND-ID-CPA secure if it is
(t, qID, 0, Є) IND-ID-CCA secure.
A.6 Ciphertext-Policy
Attribute-Based Encryption
Ciphertext Attribute based
encryption scheme constitutes of four algorithms:
Setup: the algorithm is
run by PKG authority which generates master public key PK and
master key MK
KeyGeneration: Key
generation is performed by PKG authority considering the attribute
set S provided by user and generates a secret key SK
Encrypt: Encryption is
performed by sender or data owner which encrypt the plaintext message
M
Decrypt: Decryption is
performed by receiver which decrypts ciphertext CT using user
secret key
The access policy constitutes
expressions with boolean variables and threshold gates. AND and OR
gates describe relationship between the variables. Access policy rule
validates the access structure based on state of the attribute set S
and returns 1 or 0 depending on whether attribute set S satisfies R
or not.
A.7 CP-ABE Scheme Security
Analysis
Definition: CPA
security of CP-ABE scheme. If there is no probabilistic polynomial
time algorithm within which adversaries can get advantage. The CP-ABE
scheme is said to be secure against chosen plaintext attacks.
Security of CP-ABE scheme is
explained using a game between challenger and adversary model.
Initial: The
adversary chooses an access structure resembling the original access
policy and submits to the challenger
Setup: The
Challenger runs the Setup algorithm in CP-ABE
Phase1 - The
adversary makes secret key query to the KeyGeneration algorithm using
attribute set S, with a restriction that S not equal to the access
structure.
Challenge: The
adversary submits two plaintexts M0 and M1
of equal length to the challenger. The task for challenger is to
choose μ Є {0,1} randomly and encrypt Mμ under the access
structure to obtain ciphertext CT. Finally CT is passed
to adversary
Phase2, same as
Phase1
Guess, the adversary
guesses the value of μ as μ'
In the above CPA security
game, the advantage of adversary A is defined as
AdvCP-ABECPA
(A)= |Pr[μ= μ']- 1/2 | …(A.2)