Data Security using Identity-Based Encryption Schemes and Key Management

Research Area: Data Security using Identity-Based Encryption Schemes and Key Management in Cloud Environment

Identity and Attribute-based encryption schemes are viable alternative to PKI based cryptosystemsas they help in devising ACP using personal identifiers(PID), hierarchy and validity-period. The multi-tenant cloud environment have broad array of threat vectors compared to on-premise software. The present schemes can be complex (if not limiting) to share and control the data due to complexity involved in certificate management and cost. Our research work involved study of ID-PKC, ABE schemes and related key management techniques. As part of research we devised access control mechanism  suitable for cloud environment. Techniques like searchable encryption help to leverage third-party services without compromising on privacy of data. We have improvised methods for data transmission, efficiency of key management schemes and evaluated them using network telemetry datasets.

---------

Let G be a cyclic group of prime order p generated by g ∈ G. Let e : G × G → G_t be a function mapping pairs of elements of G to elements of some group G_t also of order p. We use a multiplicative notation for the group operations in G and G_t. In practice G will be a subgroup of the group of points on a curve defined over some finite field, while G_t will be a multiplicative subgroup in some extension of the field. Note that it will not be feasible to compute a homomorphism from G_t to G without violating complexity assumptions. Suppose that e satisfies the bilinearity condition that ∀u, v ∈ G, ∀a, b ∈ Z, e(u^a, v^b) = e(u, v)^ab, and the non-degeneracy condition that (g, g) generate G_t. Suppose also that the group operations in G and G_t, as well as the pairing e, can all be computed efficiently (which requires that the elements of G and t have compact representations). In this case, it is said that G is a bilinear group, and that the map e is a symmetric bilinear map or pairing in the group G. The symmetry refers to the invariance of the bilinear map upon interchange of its arguments.

A.2 Asymmetric Bilinear Groups

Let G and Ĝ be a pair of cyclic groups of prime order p respectively generated by g ∈ G and ḡ ∈ Ĝ. Let e : G×Ĝ → G_t be a function mapping pairs of elements in (G, Ĝ) to elements of some group G_t also of order p. Group operations are written multiplicatively in G, Ĝ, and G_t. Suppose that e satisfies the bilinearity condition that ∀u ∈ G, ∀v ∈ Ĝ, ∀a, b ∈ Z, e(u^a, v^b) = e(u, v)^ab, and the non-degeneracy condition that e(g, ḡ) generate Gt. Suppose also that the group operations in G, Ĝ, and G_t, as well as the pairing e, are all efficiently computable. In this case, it is said that (G, Ĝ) form a bilinear group pair, and that the map e is an asymmetric bilinear map, or pairing, in (G, Ĝ). The asymmetry refers to the non interchangeability of the bilinear map’s arguments. Finally, let φ : Ĝ → G be the group homomorphism such that φ(ḡ) = g; this homomorphism always exists but is not always efficiently computable. When the homomorphism φ is efficiently computable, the bilinear group pair (G, Ĝ) is of type 2, otherwise it is of type 3.

A.3 Types of Security Attacks on ID-PKC schemes

There are six general categories of attacks that the use of encryption can protect against. In each of these cases, an attacker attempts to either determine a key needed to decrypt a message or the plaintext message that was encrypted.

1. Ciphertext-only attack. A ciphertext-only attack is carried out by an adversary who has access to only ciphertext. This is the most difficult attack to carry out, and any system needs to be resistant to such an attack to provide any level of security at all.
2. Known-plaintext attack. A known-plaintext attack is carried out by an adversary who has access to both plaintext and corresponding ciphertext. The matching plaintext and ciphertext need not comprise all of an encrypted message. This type of attack is very easy for an adversary to carry out, and protection against known-plaintext attacks is essential for any useful cryptographic system. Almost any type of information that is transmitted electronically has enough structure to guarantee some level of matching plaintext and ciphertext. Bytes representing ASCII text have some fixed bits while others can be guessed with a high probability, for example.
3. Chosen-plaintext attack. A chosen-plaintext attack is carried out by an adversary who can select the plaintext and then be given the corresponding ciphertext. For example, to create a list of all possible plaintext-ciphertext pairs and then decrypt any other encrypted messages that he observes by looking up the correct plaintext in this table. One way to counter such a capability is to include random information with the plaintext that gets encrypted, so that a single plaintext message will get encrypted to a different ciphertext each time it is encrypted.
4. Adaptive chosen-plaintext attack. In an adaptive chosen-plaintext attack, an adversary selects an initial plaintext message to encrypt and then selects the next plaintext messages that he encrypts based on the ciphertext that he receives from the previous encryption. He can repeat this process as often as needed to gather more information about the key being used. Otherwise, this attack has the same properties as a chosen-plaintext attack.
5. Chosen-ciphertext attack. In a chosen-ciphertext attack, an adversary selects a ciphertext and is able to obtain the corresponding plaintext. If an algorithm encrypts a particular plaintext to the same ciphertext every time it is encrypted then it is vulnerable to a chosen-ciphertext attack, so many encryption algorithms add a random input to the plaintext to make such an attack infeasible. Portable devices like smartcards may be susceptible to chosen-ciphertext attacks, because they can often be obtained by an adversary. Being secure against chosen ciphertext attacks is the standard level of security that is currently expected of public-key systems.
6. Adaptive chosen-ciphertext attack. In this, an adversary selects an initial ciphertext message to decrypt and then selects the next ciphertext messages that he decrypts based on the plaintext that he receives from the previous decryption.

A.4 Criteria for Ideal Identity-Based Encryption scheme

1. Data confidentiality: Before uploading data to the cloud, the data was encrypted by the data owner. Therefore, unauthorized parties including the cloud cannot know the information about the encrypted data.
2. Fine-grained access control: In the same group, the system granted the different access right to individual user. Users are on the same group, but each user can be granted the different access right to access data. Even for users in the same group, their access rights are not the same.
3. Scalability: When the authorized users increase, the system can work efficiently. So the number of authorized users cannot affect the performance of the system.
4. User accountability: If the authorized user is dishonest, he would share his attribute private key with the other user. Due to that illegal key may be created among unauthorized users.
5. User revocation: If the user quits the system, the scheme can revoke his access right from the system directly. The revocable user cannot access any stored data.
6. Collusion resistant: Users cannot combine their attributes to decipher the encrypted data. Since each attribute is related to the polynomial or the random number, different users cannot collude each other.

A.5 Identity-Based Encryption and Security Analysis

An IBE system consists of four algorithms Setup, KeyGen, Encrypt and Decrypt.

Setup generates Private Key Generators parameters params and a master key master-key. Key-Gen uses master-key and user identity parameters to generate private key for that identity. Encrypt takes message, identity and params as input and outputs a ciphertext while Decrypt uses ciphertext for the identity using a identity private key.

Boneh and Franklin define chosen ciphertext security using chosen identity attack using following game.

Setup: The challenger runs the Setup, and sends the params to the adversary

Phase 1: The adversary issues queries q1, q2, q3, ..qm where qi is one of following

Key generation query: the challenger runs KeyGen on IDi and forwards the resulting private key to the adversary

Decryption query: the challenger runs the KeyGen on IDi decrypts ci using private key and sends the result to the adversary

Challenge: The adversary submits two plaintexts M0, M1 Є M and an identity ID. Only condition is that ID should not have been used in Phase1 key generation query. The challenger selects a random bit b Є {0, 1}, sets C = Encrypt(params, ID, Mb), and sends C to the adversary as its challenge ciphertext.

Phase 2: Same as Phase 1 except that adversary may not request a private key for ID or the decryption of (ID, C)

Guess: The adversary submits a guess b` Є {0, 1} and adversary wins if b = b`

The adversary A in above same is called IND-ID-CCA adversary.

The advantage of adversary A is defined as probability

Adv (A)= |Pr[b= b']- 1/2 | …(A.1)

Definition A.3: An ID-PKC system is (t, q_ID, q_C, Є) IND-ID-CCA secure if all t-time IND-ID-CCA adversaries making at most q_ID private key queries and at most q_C chosen ciphertext queries have advantage at most Є in winning the game.

IND-ID-CPA security is defined similarly but with restriction that adversary cannot make decryption queries.

Definition A.4: An ID-PKC system is (t, q_ID, Є) IND-ID-CPA secure if it is (t, q_ID, 0, Є) IND-ID-CCA secure.

A.6 Ciphertext-Policy Attribute-Based Encryption

Ciphertext Attribute based encryption scheme constitutes of four algorithms:

Setup: the algorithm is run by PKG authority which generates master public key PK and master key MK

KeyGeneration: Key generation is performed by PKG authority considering the attribute set S provided by user and generates a secret key SK

Encrypt: Encryption is performed by sender or data owner which encrypt the plaintext message M

Decrypt: Decryption is performed by receiver which decrypts ciphertext CT using user secret key

The access policy constitutes expressions with boolean variables and threshold gates. AND and OR gates describe relationship between the variables. Access policy rule validates the access structure based on state of the attribute set S and returns 1 or 0 depending on whether attribute set S satisfies R or not.

A.7 CP-ABE Scheme Security Analysis

Definition: CPA security of CP-ABE scheme. If there is no probabilistic polynomial time algorithm within which adversaries can get advantage. The CP-ABE scheme is said to be secure against chosen plaintext attacks.

Security of CP-ABE scheme is explained using a game between challenger and adversary model.

Initial: The adversary chooses an access structure resembling the original access policy and submits to the challenger

Setup: The Challenger runs the Setup algorithm in CP-ABE

Phase1 - The adversary makes secret key query to the KeyGeneration algorithm using attribute set S, with a restriction that S not equal to the access structure.

Challenge: The adversary submits two plaintexts M₀ and M₁ of equal length to the challenger. The task for challenger is to choose μ Є {0,1} randomly and encrypt Mμ under the access structure to obtain ciphertext CT. Finally CT is passed to adversary

Phase2, same as Phase1

Guess, the adversary guesses the value of μ as μ'

In the above CPA security game, the advantage of adversary A is defined as

Adv_CP-ABE^CPA (A)= |Pr[μ= μ']- 1/2 | …(A.2)