ABE Applications
Transcript of ABE Applications
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
ABE Applications
Presented by Xiaokui Shu, 09/20/2011
- Secret-Sharing Scheme
- Privacy Preserving EHR System Using Attribute-based Infrastructure
- Persona: An Online Social Network with User-Defined Privacy
Secret-Sharing Scheme
Privacy Preserving EHR System Using Attribute-based Infrastructure
Content
- Overview
- Security Goal
- Assumptions
- System Features
- Operations
- Implementation
- Electronic Health Records
- Cloud Computing
- Attribute-based Encryption
Security Goal
- Confidentiality
  - Adversaries cannot read patients’ files
  - Cloud provider cannot read patients’ files
- Privacy
  - Cloud provider should not be able to infer information about the file’s content
Assumptions
- Trusted authority (TA)
  - Generates keys
  - Publishes public parameters
- User
  - ID and attributes
  - Private key given by TA after verifying attributes
- Cloud server
  - Trusted for performing requested operations
  - Should not read patients’ data
System Features
- Broadcast ciphertext-policy attribute-based encryption
  - ABE
  - Policy attached to the ciphertext
  - Revocation function
- Search-index for encrypted keywords
- The only unencrypted object
  - The access policy
Operations::Store File
Operations::Set Access
Operations::Revocation
Other Operations
- Delegate
- Keyword Search
  - The search is performed by the cloud provider on the encrypted data such that the cloud provider learns nothing about w (keyword)
Implementation::ABE
Implementation::Keyword Search over Encrypted Data
- Secure Channel Free Public-Key Encryption with Keyword Search (PEKS)
Secret-Sharing Scheme
Persona: An Online Social Network with User-Defined Privacy
Content
- Overview
- Related Approaches
- Persona Basis
- Operations
- Applications
- Implementation
- Evaluation
Persona
- Combine Public Key Cryptography (PKC) and ABE
- Group-based access policies
- Creative system design
  - Browser extension
  - Can be integrated into existing OSNs
Public Key Cryptography (PKC)
- Define a group
  - Group key: symmetric encryption
- Distribute a message
  - Encrypt n-1 times with different public keys
- Key re-use
  - Use the same group key for a session
Attribute-based Encryption
- What if we do not know exactly who is in the group?
Persona Basis
- Use symmetric key to encrypt data
- Use ABE to manage access control
- Use PKC to aid ABE (e.g. authentication)
Operations
- DefineRelationship
- DefineTransitiveRelationship
- AssignRightsToIdentity
- AssignRightsToGroup
- GroupMembershipRevocation
Operation::DefineRelationship
- Alice confers the attribute “friend” upon Bob
- Diagram labels: Alice; Bob; K_ABE, “friend”; Bob.TPK
- C = E_{Bob.TPK}(K_ABE, “friend”)
Operation::DefineTransitiveRelationship
- Alice defines “bob-friend” on Bob’s “friends” group
- Diagram labels: Alice; Bob; David; K_ABE, “bob-friend”; Bob.APK
- C = E_{Bob.APK}(K_ABE, “bob-friend”)
Operation::AssignRightsToIdentity
- Alice grants Bob the right to put data on her storage service
- Diagram labels: Alice; Bob; n; Bob.TPK
- C = E_{Bob.TSK}(n, try)
Operation::AssignRightsToGroup
- Alice provides resource access to a group
- Diagram labels: Alice; attr
- C = E_{group.attr}(TPK, TSK)
Operation::GroupMembershipRevocation
- Re-key
  - All remaining group members must be given a new key
  - Nominal overhead is linear
- Time Attribute
  - Year < 2011
  - Year == 2011
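The re-key step above, together with the PKC slide's "group key wrapped once per member" model, as an added example that is not from the slides or from Persona's own code. It assumes a toy hashed-ElGamal wrap (hypothetical helpers keygen, wrap, unwrap and a Group class) standing in for real public-key encryption, with constructed member names; the group owner is implicit.

```python
import hashlib
import secrets

# Toy hashed-ElGamal key wrap standing in for "encrypt with a member's public
# key". P is a 127-bit Mersenne prime: fine for a demo, far too small for real use.
P, G = 2**127 - 1, 3

def keygen():
    sk = secrets.randbelow(P - 2) + 1
    return sk, pow(G, sk, P)

def _mask(shared):
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()

def wrap(pk, key):
    """Encrypt a 32-byte group key to one member's public key."""
    e = secrets.randbelow(P - 2) + 1
    return pow(G, e, P), bytes(a ^ b for a, b in zip(key, _mask(pow(pk, e, P))))

def unwrap(sk, wrapped):
    c1, c2 = wrapped
    return bytes(a ^ b for a, b in zip(c2, _mask(pow(c1, sk, P))))

class Group:
    """Owner-side view of one group: members' public keys and the wrapped group key."""
    def __init__(self, members):
        self.members = dict(members)   # name -> public key
        self.wraps = 0                 # public-key operations performed so far
        self.rekey()

    def rekey(self):
        # Fresh symmetric group key, wrapped once per current member (linear cost).
        self.key = secrets.token_bytes(32)
        self.wrapped = {n: wrap(pk, self.key) for n, pk in self.members.items()}
        self.wraps += len(self.members)

    def revoke(self, name):
        # Dropping the member is not enough: they still hold the old key,
        # so everyone who remains must be given a new one.
        del self.members[name]
        self.rekey()

def demo():
    keys = {n: keygen() for n in ("bob", "carol", "david", "erin")}  # constructed members
    g = Group({n: pk for n, (sk, pk) in keys.items()})
    bobs_old_copy = unwrap(keys["bob"][0], g.wrapped["bob"])
    g.revoke("bob")
    remaining_ok = all(unwrap(keys[n][0], w) == g.key for n, w in g.wrapped.items())
    return remaining_ok, bobs_old_copy != g.key, g.wraps   # wraps = 4 + 3
```

Data encrypted under the old group key stays readable to the revoked member; re-keying only protects what is published afterwards.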
Publishing and Retrieving Data
- Every user has a storage service (SS)
- Retrieving data
  - Satisfy ABE access control with attributes
  - Discover group key
  - Encrypt the group key with its TPK in its SS for future use
- Publishing data
  - Search its SS for previous group key
  - Create a new group key
  - Retrieve a pre-existing key on others’ SS
Applications::Storage Service
- Trust a storage service to reliably store data, provide it upon request, and protect it from overwrite or deletion by unauthorized users
- Do not trust a storage service to keep data confidential, relying instead on encryption to guard private information
- Two operations to SS
  - put
  - get
Applications::Collaborative Data
- A collaborative multi-reader/writer application
  - The Wall in Facebook
- Doc: a multi-reader multi-writer application in Persona
  - Users create a Page
  - Metadata: References to encrypted data
  - The application: display, updates reference
- Reading the Page
  - DefineRelationship(Alice; attrs; Bob)
- Writing to the Page
  - AssignRightsToIdentity(Alice; write; Bob.TPK; D; Doc)
Applications::Wall & Chat
- Persona Wall is distributed
  - Inherit Doc
  - It allows users to choose where the Wall metadata is stored
  - Posts and comments are stored on storage servers owned by the poster/commenter
- Chat application
  - Inherit Doc
  - On-the-fly UI
- Profile, Photos, Groups and Events
  - Inherit Doc
Applications::Selective Revelation
- Given ASK to applications
  - Where I've Been in Facebook
- Allow a specific group of people to retrieve part of the data
Applications::Social Graph
- Graph of social connections
  - People You May Know in Facebook
  - Private in Persona
- 2 approaches
  - Directly grant access
  - Inherently private application
Implementation
*(@#$@#
This is …
- Data reference resolution
- Replacement of special tags
- Caching
Evaluation
Secret-Sharing Scheme
Thank you!