Attribute-Based Access Control with Efficient Revocation in Data Outsourcing Systems
ABSTRACT Some of the most challenging issues in data outsourcing scenario are the enforcement of authorization policies and the support of policy updates. Ciphertext-policy attribute-based encryption is a promising cryptographic solution to these issues for enforcing access control policies defined by a data owner on outsourced data. However, the problem of applying the attribute-based encryption in an outsourced architecture introduces several challenges with regard to the attribute and user revocation. In this paper, we propose an access control mechanism using ciphertext-policy attribute-based encryption to enforce access control policies with efficient attribute and user revocation capability. The fine-grained access control can be achieved by dual encryption mechanism which takes advantage of the attribute-based encryption and selective group key distribution in each attribute group. We demonstrate how to apply the proposed mechanism to securely manage the outsourced data. The analysis results indicate that the proposed scheme is efficient and secure in the data outsourcing systems.
- [show abstract] [hide abstract]
ABSTRACT: Revocation is a vital open problem in almost every cryp- tosystem dealing with malicious behaviors. In ciphertext policy attribute based encryption, unlike traditional public key cryptosystem, different users may hold the same func- tional secret keys related with the same attribute set leading to additional difficulties in designing revocation mechanism. In this paper, we propose the ciphertext policy attribute based encryption scheme with efficient revocation which can be proved secure in the standard model. Our construction uses linear secret sharing and binary tree techniques as the underlying tools. In addition to assigned attribute set, each user is also assigned with a unique identifier. Therefore, a user can be easily revoked by using his/her unique identifier; on the other hand, the encryption and decryption algorithms of ABE (Attribute Based Encryption) can be done without any involvement of these unique identifiers. Then, we prove the chosen plaintext security of our construction based on Decisional Bilinear Diffie-Hellman (DBDH) assumption in the standard model. Finally, we provide some discussion on the efficiency of our scheme and the extensions including delegation capability and chosen ciphertext security.
Conference Proceeding: A content-driven access control system.[show abstract] [hide abstract]
ABSTRACT: Protecting identity in the Internet age requires the ability to go beyond the identification of explicitly identifying infor- mation like social security numbers, to also find the broadly- held attributes that, when taken together, are identifying. We present a system that can work in conjunction with nat- ural language processing algorithms or user-generated tags, to protect identifying attributes in text. The system uses a new attribute-based encryption protocol to control access to such identifying attributes and thus protects identity. The system supports the definition of user access rights based on role or identity. We extend the existing model of attribute- based encryption to support threshold access rights and pro- vide a heuristic instantiation of revocation.IDtrust 2008, Proceedings of the 7th Symposium on Identity and Trust on the Internet, March 4-6, 2008, Gaithersburg, Maryland, USA; 01/2008
Conference Proceeding: Ciphertext-Policy Attribute-Based Encryption[show abstract] [hide abstract]
ABSTRACT: In several distributed systems a user should only be able to access data if a user posses a certain set of credentials or attributes. Currently, the only method for enforcing such policies is to employ a trusted server to store the data and mediate access control. However, if any server storing the data is compromised, then the confidentiality of the data will be compromised. In this paper we present a system for realizing complex access control on encrypted data that we call Ciphertext-Policy Attribute-Based Encryption. By using our techniques encrypted data can be kept confidential even if the storage server is untrusted; moreover, our methods are secure against collusion attacks. Previous Attribute- Based Encryption systems used attributes to describe the encrypted data and built policies into user's keys; while in our system attributes are used to describe a user's credentials, and a party encrypting data determines a policy for who can decrypt. Thus, our methods are conceptually closer to traditional access control methods such as Role-Based Access Control (RBAC). In addition, we provide an implementation of our system and give performance measurements.Security and Privacy, 2007. SP '07. IEEE Symposium on; 06/2007