Protecting Security and Privacy of Outsourced Data in the Cloud

Size: px

Start display at page:

Download "Protecting Security and Privacy of Outsourced Data in the Cloud"

Dana Haynes
6 years ago
Views:

1 Protecting Security and Privacy of Outsourced Data in the Cloud Robert H. Deng School of Information Systems Singapore Management University HK 2-4 December

2 Outline Introduction Using ABE for Access Control of Encrypted Data in the Cloud Improving Efficiency Supporting User Revocation Improving Privacy Protection Recent Related Developments Q&A 2

3 Introduction 3

4 The Era of Big Data Big data is everywhere, from sensors that monitor traffic conditions, noise levels to the flood of tweets and Facebook likes Sensor Networks Mobile devices Individuals and organizations face the challenge of storing data conveniently, reliably, and at low cost OSNs 4

5 Cloud Storage Services Dropbox: Startup 2007, product launched 2008; 300M users, over 200 countries today Microsoft SkyDrive: Launched 2007, renamed OneDrive recently; 250M users by mid 2014 Google Drive: Launched 2012; 190M users by June 2014 icloud: Launched 2011; 320M users by July 2013 Total cloud storage market is expected to grow from $13.57B in 2014 to $56.57B in 2019, with a CAGR of 33.1% (MarketsandMarkets) 5

6 Risks Follow Value For business Data information knowledge revenue The big four+ For individuals Your where about, shopping patterns, circle of friends, what you read, what you watch, bank information, your privacy your life The 2014 celebrity nude photo hacking is just the beginning 6

7 Existing Security Model Users Cloud Trusted to do the right thing Trusted for user Authentication & Access Control Trusted to keep data confidential 7

8 User Human is the weakest link Does not know what s going on Data automatically uploaded to the cloud User Authentication Huge problems in password authentication Weak password or PIN, e.g., birthday Password reuse Password reset; hackers accessed Apple s password reset information 8

9 Can We Trust Service Providers? Tim Cook When an online service is free, you re not the customer. You re the product Bruce Schneier on Security (Wired, 26/11/12) These vendors (Google, Apple, Microsoft etc) are becoming our feudal lords, Yet our lords can make mistakes with security. They mine our data in order to sell more advertising and make more money. These companies own us, so they can sell us off like serfs - - to rival lords or turn us into the authorities Ron Rivest Cloud computing sounds so sweet and wonderful and safe we should just be aware of the terminology; if we [are] calling it swamp computing, I think you might have the right mind-set. 9

10 What Can We Do to Protect Data in the Cloud? Strengthening user authentication e.g., Use 2FA if available Checking devices and apps linked to your account Remove unrecognized devices and apps Remove old devices which may be used by someone else Remove old apps which may have been compromised 10

11 What Can We Do to Protect Data in the Cloud? Use encryption Cloud only sees ciphertext; plaintext never leaves user s computer Good practice even for trusted servers The principle of defense in depth 11

12 Using ABE for Access Control of Encrypted Data in the Cloud 12

13 Attribute-Based Encryption (ABE) First introduced by Sahai and Waters as an application of their fuzzy identity-based encryption (IBE) [Eurocrypt 05] Goyal, Pandey, Sahai, and Waters formulated two complimentary forms of ABE [CCS 06] Ciphertext Policy ABE (CP-ABE) Key Policy ABE (KP-ABE) One-to-many public key encryption Built-in access control mechanism 13

14 Evolution of Attribute Based Encryption Fuzzy Identity- Based Encryption Key-Policy Attribute- Based Encryption Identity-Based Encryption Attribute-Based Encryption Functional Encryption Ciphertext-Policy Attribute- Based Encryption 14

15 Ciphertext-Policy ABE (CP-ABE) Users decryption keys associated with attributes Ciphertext associated with access policy Policy {A, B, C} {C} Data Owner Server {B, C} Key Authority 15

16 No User Collusions Users must not be able to collude by combining their attributes {A, B} AND {C, D} M A AND B C

17 Key-Policy ABE (KP-ABE) Users decryption keys associated with access policies Ciphertext associated with a set of attributes {A, B} A C B C Data Owner Server A B Key Authority 17

18 Bilinear Maps G, G T : finite cyclic groups of prime order p Definition: An admissible bilinear map e: G G G T is: Bilinear: e(g a, h b ) = e(g, h) ab a, b Z P, g, h G Non-degenerate: g and h generates G e(g, h) generates G T Efficiently computable 18

19 CP-ABE based Access Control of Encrypted Data in the Cloud: Basic Solution Data Owner Encrypted file Access policy Cloud User Charlie KC Co. Ltd. Programmer OR AND General Hospital Cardiologist User Alice General Hospital Cardiologist 19

20 System Setup [BSW07] Key Generation Authority Setup (λ) Public Params (PP) g, g b, e(g, g) a, H: {0,1} * G MSK a where a, b R Z P 20

21 Key Generation Authority issues secret key for user Alice who has a set of attributes S = { , General Hospital (GH), Cardiologist (Cardio)} KeyGen(PP, MSK, S) SK g a+bt, g t, t is a random number H( 100- ) t, H( GH ) t, H( Cardio ) t 21

22 Encryption by Data Owner Given a message M and the following access policy M A OR General Hospital AND Cardiologist Data owner encrypts data: Enc(PP, M, A) CT 22

23 Encryption by Data Owner PP: g, g b, e(g, g) a, H: {0,1} * G Computes the ciphertext CT: Data owner generates random s M M e(g,g) as, g s C 1 = (g bs 1 H( 123- ) r1, g r 1), C 2 = (g bs 2 H( GH ) r2, g r 2), C 3 = (g bs 3 H( Cardio ) r3, g r 3) s 1 =s s 2 =s-r OR General Hospital (GH) s AND s s 3 =r Cardiologist 23

24 Bilinear map e(g a, h b ) = e(g, h) ab a, b Z P, g, h G We have e(g a m c, h b ) = e(g, h) ab e(m, h) cb a, b, c Z P, g, h, m G 24

25 Decryption by Alice Dec(PP, SK, CT) M CT = M e(g,g) as, g s (g bs 1 H( 123- ) r1, g r1 ), (g bs 2 H( GH ) r2, g r2 ), (g bs 3 H( Cardio ) r3, g r3 ) OR General Hospital (GH) AND Cardiologist Alice s SK (which meets access policy) g a+bt, g t, H( GH ) t, H( Cardio ) t, H( 100 ) t e(g,g) as e(g,g) bts e(g,g) bts 2 e(g,g) bts 3 e(g,g) bts 2 e(g,g) bts 3 = e(g,g) bt(s-r+r) = e(g,g) bts (Linear operation in exponent to reconstruct e(g,g) bts ) 25

26 Improving Efficiency - ABE with Outsourced Decryption [Green, Hohenberger, Waters, USENIX Security 11] [Lai, Deng, Guan, Weng, TISF2013] [Qing, Deng, Liu in Submission] 26

27 Access Policies in ABE OR General Hospital (GH) AND Cardiologist May support integer comparison operators <, > = by converting them into a Boolean circuit composed of OR and AND gates Comparing an attribute to a fixed n-bit integer adds about n components to the policy Key_Expiry_Date > X (Unix time) increases policy size by about 32 policy leaves Ciphertext size increases linearly with the # of attributes Number of paring operations in decryption increases linearly with # of policy leaves Decryption with 100 policy leaves on iphone 3G (412Mhz ARM) takes 30s 27

28 ABE with Outsourced Decryption (ABE-OD) [Green, Hohenberger, Waters, USENIX Security 11] Each user has a transform key (TK) and a decryption key (DK) Public, associated with user s attributes Secret TK DK 28

29 ABE-OD CT Cloud Server TK Data Owner Data User CT ElGamal like ciphertext TK DK 29

30 How ABE-OD Works? CT M e(g,g) as, g s (g bs1 H( 123- ) r1, g r1 ), (g bs2 H( GH ) r2, g r2 ), (g bs3 H( Cardio ) r3, g r3 ) Alice: SK g g (a+bt)/z a+bt, g, t, g t/z H( GH ), H( GH ) t, t/z H( Cardio ), H( Cardio ) t t/z Alice:TK :DK =z OR General Hospital (GH) AND Cardiologist Cloud: Transform(TK, CT) = CT = (M e(g,g) as, e(g,g) as/z ) Alice computes: M e(g,g) as /(e(g,g) as/z ) z = M 30

31 Security of ABE-OD Semantic security of the encrypted message even if the cloud knows the challenge transformation key, and other users transformation keys and decryption keys But ABE-OD lacks verifiability DK (TK, CT) CT Transform(TK, CT) Cloud Is the transformation (final decryption) correct? 31

32 ABE with Verifiable Outsourced Decryption (ABE-VOD) [Lai, Deng, Guan, Weng, TIFS 13] Provable verifiability in the standard model Informally, user can verify that the final decryption is correct, i.e., message is indeed decryption of CT Approach Double ABE encryptions: CT = (ABE(M, A), ABE(R, A), Tag) Tag = Commit(M, R) is a (hiding and biding) commitment of message M User obtains M and R after decyption, and verifies that Tag=Commit(M, R ) Double ciphertext size, encryption and decryption costs 32

33 Time in seconds Time in seconds Experiment Results 224-bit MNT ECC 2.53GHz Intel Core Duo, 4GB RAM, Linux 800Mhz ARM-based, 278MB RAM, Android Standard ABE Decryption Final Decryption by User in ABE-VOD Number of policy attributes Number of policy attributes 33

34 ABE with Efficient Verifiable Outsourced Decryption [Qing, Deng, Liu, in submission] General approach Converting any ABE-OD scheme to support verifiability Efficient (almost optimal) Ciphertext size overhead: 1 hash value Encryption/Decryption overhead: only non-dominant operations, e.g., hash computations Security In the standard model 34

ABE with Efficient Verifiable Outsourced Decryption [Qing, Deng, Liu, in submission] Encryption Get random K, compute h(k), K =Ext(K) CT = C 1 C 2 Tag ABE(K, A) SKE(K, M) H(C 2, h(k)) Decryption (1.

35 ABE with Efficient Verifiable Outsourced Decryption [Qing, Deng, Liu, in submission] Encryption Get random K, compute h(k), K =Ext(K) CT = C 1 C 2 Tag ABE(K, A) SKE(K, M) H(C 2, h(k)) Decryption (1. &. 2. are standard ABE-OD operations) 1. Using TK, cloud transforms C 1 into simpler C 1 2. Using DK, user decrypts C 1 to get K 3. Compute H(C 2, h(k)). If Tag= H(C 2, h(k)), recover M from C 2 using K =Ext(K) Note: If Tag is correct, so are C 2 and h(k); if h(k) is correct so is K; If K and C 2 are correct, so is M. 35

36 ABE with Efficient Verifiable Outsourced Decryption [Qing, Deng, Liu, in submission] Security: if ABE-OD and SKE are secure Verifiability: if h and H are collision-resistant hash functions Efficiency: CT = ABE(K, A) SKE(K, M) H(C 2, h(k)) Ciphertext overhead compared with ABE-OD Cloud transformation cost: same as ABE-OD User s decryption cost: ABE-OD + H(C 2,h(K))=Tag, K =Ext(K), M=SKE -1 (K,C 2 ) 36

37 Size in Kbytes Time in seconds Time in seconds Experiment Results 224-bit MNT ECC, 80 bit security PBC library Platform: Intel Core i5, 8G RAM, Win7 [ABE-OD USENIX Security 11] [ABE-VOD TIFS13] [New scheme] Number of policy attributes Number of policy attributes Number of policy attributes Ciphertext overhead Transformation time User decryption time 37

38 Supporting User Revocation 38

39 User/Key Revocation in ABE Whenever users credentials changes, their secret keys need to be revoked Conventional approach Periodically broadcasts by key authority so that unrevoked keys can be updated to decrypt data encrypted at new time t: Enc(PP, M, A, t) Only protecting future data; revoked keys can still be used to access data encrypted in the past Need to update existing ciphertexts in the cloud to prevent access by revoked users Decrypting and re-encrypting by cloud is not acceptable since we don t want cloud to know our data 39

40 Combining KP-ABE and PRE to Achieve User Revocation [Yu, Wang, Ren and Lou INFOCOM10] The 1 st to recognize the need for updating existing ciphertexts and proposed an efficient solution A user has a set of updateable attributes and a fixed dummy attribute Secret key components associated with updateable attributes held by proxy Secret key component associated with dummy attribute AND held by the user Dummy Attribute When a user is revoked, proxy Updates affected attributes, say Prof (j), to a new version, Prof (j+1), and updates secret key components associated with affected attributes for all unrevoked users Updates ciphertext components corresponding to affected attributes in existing ciphertexts in the cloud Postdoc (i) OR Pro (j) 40

41 Dynamic Credentials and Ciphertext Delegation for ABE [Sahai, Seyalioglu and Waters Crypto 12] Ciphertext update, called revocable storage Storage server increments time component using public data to disqualify revoked users from decrypting these ciphertexts Enc(PP, M, A, t-1) Enc(PP, M, A, t) More generally, ciphertext delegation Given CT = Enc(PP, M, A) and a more restrictive policy A, we want Delegate(PP, CT, A ) = Enc(PP, M, A ) 41

42 ABE User Revocation Based on Splitting Decryption Capability [Yang, Ding, Lu, Wan, Zhou ISC13] Each user s decryption capability is represented by a user side key UsK and a server side key SsK Server side decryption generates an intermediate ciphertext; user side decryption gets the plaintext message To revoke a user, simply delete his server side key No key renewal or ciphertext update is required Cloud server is assumed to be semi-trusted Does not collude with users 45

43 ABE User Revocation Based on Splitting Decryption Capability [Yang, Ding, Lu, Wan, Zhou ISC13] CT Cloud Server User Name Server side Key Alice SsK A Bob SsK B Carol SsK C David SsK D Data Owner Data User CT 46 UsK A

44 Improving Privacy Protection 47

45 Basic Solution Data Owner Encrypted file Cloud Storage Provider User Bob KC Co. Ltd. Programmer Access policy User Alice OR AND General Hospital Cardiologist General Hospital Cardiologist Access policies may leak lots of sensitive Information!! 48

46 CP-ABE with Fully Hidden Access Policy One can obtain CP-ABE with fully hidden access policy from inner-product predicate encryption (IPE) Supporting access policies written in CNF or DNF form, but can result in a superpolynomial blowup in size for arbitrary formulas. 49

47 CP-ABE with Partially Hidden Access Policy [Lai, Deng, Li AsiaCCS2012] Each attribute includes two parts: attribute name and attribute value Access Policy OR Public : SS#: * OR AND SS#: AND Affiliation: * Occupation: * Affiliation: General Hospital Occupation: Cardiologist Hidden : , General Hospital, Cardiologist 50

48 How about we simply don t release the CP-ABE Encryption attribute values in the access policy in standard CP-ABE? Public Params e: G G G T g, g b, e(g,g) a, F: {0,1} * G Access Policy OR M SS#: Affiliation: General Hospital AND Occupation: Cardiologist M e(g,g) as, g s (g bs1 H( 123 ) r1, g r1 ), (g bs2 H( GH ) r2, g r2 ), (g bs3 H( Cardio ) r3, g r3 ) 51

49 Dictionary Attack on Attribute Values PP: g, g b, e(g,g) a, F: {0,1} * G SS#:* Ciphertext: M e(g, g) as, g s Affiliation: * Occupation: * (g bs1 H( ) r1, g r1 ), (g bs2 H( GH ) r2, g r2 ), (g bs3 H( Cardio ) r3, g r3 ) OR AND e(g bs2 H( GH ) r2, g) e(g r2, H( GH )) e(g bs3 H( Cardio ) r3, g) e(g r3, H( Cardio )) e(g bs2, g) x e(g bs3, g) = e(g s, g b ) The guessed values GH & Cardio can be verified as above. 52

50 Our Construction: Main Idea Using composite order bilinear group to hide attribute values in ciphertext G, G T are cyclic groups of order N = p 1 p 2 p 3 p 4 e: G G G T Bilinear: a, b Z N, g G, e(g a, g b ) =e(g, g) ab Non-degenerate: g G such that e(g, g) has order N in G T Orthogonality: e(h i, h j ) = 1, h i G pi and h j G pj for i j 53

51 Our Construction Based on e: G G G T, composite order p 1 p 2 p 3 p 4 with G p1 as the main working group Secret Key g a+bt R, g t R, (H(Value1) t R 1,, Ciphertext M e(g,g) as, g s, (g bs1 H( )Zh) r1 Z 1, g r1 Z 1 ), where g, h, u G p1, R, R G p3, Z, Z 1, Z 1 G p4, Zs G p4 are used to hide attribute values in ciphertext to prevent dictionary attack Orthogonality property cancels effects of Zs in decryption 54

52 Privacy-Preserved Access Control Data Owner Encrypted file User Charlie Partial hidden Access policy Public: SS#: * Hidden & embedded in CT: OR AND Affiliation: * Occupation: * General Hospital Cardiologist Cloud Storage Provider SS#: Affiliation: KC Co. Ltd. Occupation: Programmer User Alice SS#: Affiliation: General Hospital Occupation: Cardiologist 55

53 Comparison with Existing Schemes Super-poly Super-poly 1. Schemes in [13] and [14] have ciphetext size linear to the predicate vector length; but an access structure needs to be converted to vectors which causes a super-polynomial blowup in ciphertext size. 2. One can convert any monotonic boolean formula represented by an access tree into an LSSS representation 56

54 Other Developments in ABE 57

Authorized Searchable Public Key Encryption (AS-PKE) [Shi, Lai, Li, Deng, Weng ESORICS 14] Encrypted file Access

Affiliation: General Hospital Occupation: Cardiologist Alice issues a query, such as {Male AND Cardiomyopathy},

55 Authorized Searchable Public Key Encryption (AS-PKE) [Shi, Lai, Li, Deng, Weng ESORICS 14] Encrypted file Access policy SS#: OR Keywords Name: John Smith Sex: Male Illness: Cardiomyopathy AND Cloud Charlie SS#: Affiliation: KC Co. Ltd. Occupation: Programmer Alice Affiliation: General Hospital Occupation: Cardiologist SS#: Affiliation: General Hospital Occupation: Cardiologist Alice issues a query, such as {Male AND Cardiomyopathy}, an authority generates a token which allows cloud to locate all ciphertexts such that 1) keywords in ciphertexts satisfy user s query, and 2) user s attributes meet access policies of the ciphertexts 58

56 AS-PKE [Shi, Lai, Li, Deng, Weng ESORICS 14] Related Work PEKS supporting equality queries (Boneh et al 04), conjunctive keyword search (Park et al 04), and disjunctive keyword search (Katz et al 08) AS-PKE A variation of dual-policy ABE [Attrapadung and Imai 09]; following the idea of CA-ABE with partially hidden access structures [Lai, Deng, Li 12] Both keywords and access structures are partially hidden Fully secure in the standard model 59

57 ABE with Fast Decryption [Hohenberger and Waters PKC 13] Flexible tradeoff between decryption/encryption costs/key size Ciphertexts can be decrypted with a minimum of 2 pairings KP-ABE: increased secret key size CP-ABE: increased ciphertext size Selective security Large universe construction relies on random oracles 60

58 Summary Cloud storage offers real and significant benefits; it also brings significant risks Access control of encrypted data on untrusted server using ABE ABE is many-to-many public key encryption supporting expressive policies Outsouring ABE decryption to the cloud for improved efficiency User revocation in ABE ABE with partially hidden access policy to protect privacy of access policies as well as data 62

59 Future Work Construction of ABE schemes with partial hiding access policies/attributes based on standard assumptions/on prime order group ABE schemes with adaptable policies With ciphertext delegation as a special case and with minimal trust placed on the cloud Automatic policy generation & verification There are many piecemeal solutions Access control, search over encrypted data, proof of data retrievability, pervasive data deletion, etc) We need a simple and efficient solution to system as a whole 63

60 For more information, please contact me at 64

Attribute-based encryption with encryption and decryption outsourcing

Edith Cowan University Research Online Australian Information Security Management Conference Conferences, Symposia and Campus Events 2014 Attribute-based encryption with encryption and decryption outsourcing