STRONG DATA PRIVACY AND SECURITY FOR THE IOT

Transcription

1 STRONG DATA PRIVACY AND SECURITY FOR THE IOT François Ambrosini, ETSI TC CYBER STF 529, IBIT Ambrosini UG Extending access control in onem2m systems with Attribute Based Encryption

2 Outline Introduction and objectives Limitations of traditional public key encryption for access control Getting to know Attribute Based Encryption (ABE) Operational models Integrating ABE in the access control stack Example usage in onem2m Outlook and conclusion 2 ETSI All rights reserved

3 Introduction ETSI Specialist Task Force 529 under supervision of TC CYBER is currently developing an access control toolkit leveraging Attribute Based Encryption (ABE) Objective: access control using encryption Bind access control to encrypted data Protect data during the complete lifecycle Goes beyond real time access control A toolbox Addressing Cloud, Mobile, and IoT That other Standard Defining Organisations can pick up Focusing on interoperability (ontologies and existing access control systems) Applicable to onem2m, would complement real time access control 3

4 Why ABE? Limitations of Traditional Public Key Encryption for access control (simplified example) shares or 2 2 requests K pub K priv 1 setup encrypts decrypts cleartext 3 ciphertext 4 cleartext Data Owner Recipients How can the data owner share with many recipients and enforce access control? Obtain K pub from each recipient and encrypt for each recipient Does not scale, puts constraints on the data owner Does not allow recipients to share data among themselves, under data owner control 4

5 Getting to know ABE (1) 1 setup MSK MPK Many to many encryption scheme Based on a secret sharing scheme (a secret is split into shares) mapped to attributes and policies The data owner remains in control the setup phase allows to declare attributes; a Master Secret Key and a Master Public Key are generated The Master Secret Key allows to generate private keys Because he owns the Master Secret Key, only the data owner can issue private keys Scales better for the data owner 2 provisioning evaluates request and generates requests a private key Could also be devices or services K priv Data Owner returns Recipient Other recipients 5

6 Getting to know ABE (2) Example using Ciphertext Policy ABE (CP ABE) a variant of ABE where the policy is in the encrypted data 3 encrypts Policy expense report encrypted expense report ( (service == finance) AND (role == auditor) ) OR (role == CFO) 4 decrypts encrypted expense report role == CFO expense report ( (service == finance) AND (role == auditor) ) OR (role == CFO) Recipient If a branch of the policy is satisfied, the recipient has enough shares to recover the secret and perform decryption Similar to permit override combining algorithm in XACML & onem2m 6

7 Getting to know ABE (3) Recipients can become contributing third parties Access control still applies 5 can encrypt as well Attributes or Policy Recipient acting as Contributor cleartext ciphertext Data Owner Other recipients e.g. results from data analytics can access new ciphertext using their K priv, or if MSK owner grants an appropriate K priv 7

8 Our operational models Long Term Storage Characteristics data at rest when the on board storage area offers low security or is remote and untrusted while keeping access control in force Basis for IoT and B2B data sharing use cases Offline Access Control Platform Provider Characteristics environment offers too little or no network connectivity limits user / device authentication and authorisation services relies on pre provisioning of keys as well as out of band methods Basis for some industrial IoT use cases with strong isolation constraints Can be extended to offline authentication / authorisation Characteristics users delegate access control over their data, to a trusted Platform Provider Platform Provider offers user friendly access control management third party service providers connect to the Platform Provider and request permission to obtain data Basis for Cloud and Mobile use cases 8

9 Intermediate Access Control Languages And relation to ontologies High-level access control frameworks Complex attributes and related operators: Locations (zones, circles, etc.) Timestamps Device types Free strings (Roles etc.) onem2m XACML Layer 2 Translator non-abe services Allow a mapping to ontologies at the level of the cryptosystem Layer 1 Translator Basic attributes and operators: Integers Booleans ABE schemes S1 S2 ABE library tools 9

10 Some possible uses of ABE in onem2m Time based access control in the Long Term Storage model Data are saved with attributes allowing comparison against accesscontroltimewindow which is expressed as a policy in K priv AE/CSE resource access control in the Offline Access Control model AE/CSE runs an ABE challenge response protocol with the Originator The protocol is successful only if the Originator possesses a K priv that satisfies the access control policy set by the AE/CSE Direct/Indirect Dynamic Authorisation, RBAC, and Privacy Policy Manager in the Platform Provider model K priv can be used to emulate tokens These are being discussed within ETSI TC CYBER and its STF 529 and not yet proposed to onem2m 10

11 Other aspects & outlook A Public Key Infrastructure is still needed in support of ABE Secure distribution of keys, proof of data origin, proof of assertions Performance and security FAME scheme from Agrawal & Chase recently selected, very promising with good security proof a normative specification will be included in the toolkit Crypto agility: the toolkit will permit use of other ABE schemes Optimisations & upgrade of cryptographic algorithms Under research: post quantum ABE schemes Current hard problems will not be so hard under quantum computing Schemes exist but are not yet practical, state of the art remains theoretical Bonus: more expressiveness could be achieved with post quantum schemes Under research: homomorphic encryption in conjunction with ABE Would allow to process information without accessing the raw data cryptographically not trivial to achieve at all 11

12 Final note ETSI TC CYBER Advises other groups in ETSI for cybersecurity matters (e.g. Lawful Interception, NFV Security) Spearheads and coordinates ETSI s technical response to EU legislation related to cybersecurity (GDPR, NIS, upcoming Cybersecurity Act ) ETSI TC CYBER WG QSC (CYBER QSC) Focus is on quantum safe cryptography Have identified ABE on their roadmap Plans to make draft TS (DTS CYBER 0025) available for public review in the near future Publication planned Feb/March

13 Thank you!? 13

14 Annex Contacts ETSI TC CYBER STF

15 Annex Examples for onem2m (KP ABE) Time based access control in the Long Term Storage model <acr> Access control rule as in onem2m TS-0003 An acr can mention allowed access time in a crontab-compatible format convert MPK 1 Configured ABE attributes: - SEC min - SEC max - MIN min - MIN max - etc. measurement data from an AE are subject to accesscontroltimewindow parameter in an access rule applying to Originator O A a datum is accessible at a specific time window; if we back it up, we can attach this information to the datum when the data is saved with ABE, the ciphertext is annotated with attributes expressing the timeframe at which the data were accessible (compatible with the crontab syntax); this is possible at the price of losing resolution and by setting rules on the calculation of attributes at AE/CSE thus this requires good granularity of the ciphertext generation frequency when O A needs access to data in the past, it requests K priv with a policy matching accesscontroltimewindow K priv MPK 4 decrypts 3 e.g You may access all data captured between Monday and Friday on any week of any year Encrypts using the attributes in order to express the timeframe of data capture in a crontab-compatible format K priv MPK 2 MPK AE/CSE ciphertext 15

16 Annex Examples for onem2m (KP ABE) AE/CSE resource access control in the Offline Access Control model <acr> An acr can mention allowed operations (CRUD and others) convert MPK Configured ABE attributes: - device_id - resource_id - operation_id Access control rule as in onem2m TS resources from an AE/CSE are subject to an access rule applying to Originator O A ABE attributes are defined to identify operations and resources of the AE/CSE AE/CSE is provisioned with the MPK When O A requests a given operation on a given resource, the AE/CSE runs a challenge response protocol by encrypting a secret using the MPK and the ABE attributes matching the request O A can solve the challenge only if they have a Kpriv with a matching policy Extensible to other access control parameters e.g. accesscontroltimewindow O A 3 2 K priv MPK Encrypt( 4 e.g You may UPDATE resource #1 on device ABC requests resource #1 update, resource_id = 1, device_id = ABC operation_id = UPDATE, secret) response with secret MPK AE/CSE update protocol continues 16 (simplified example)