Insecurity of an Dynamic User Revocation and Key Refreshing for Attribute-Based Encryption Scheme


2014 Tenth International Conference on Computational Intelligence and Security
978-1-4799-7434-4/14 $31.00 © 2014 IEEE, DOI 10.1109/CIS.2014.100

Changji Wang, Haitao Lin, Xilei Xu, Kangjia Zheng, Xiaonan Xia
National Pilot School of Software, Yunnan University, Kunming, China
E-mail: wchangji@gmail.com
School of Information Science and Technology, Sun Yat-sen University, Guangzhou, China

Abstract: Cloud computing has generated a major impact on the global IT ecosystem, promising economic advantages, speed, agility, flexibility, virtually infinite elasticity and innovation. However, data security and privacy remain the biggest barriers to widespread adoption of cloud services. To address the problem of fine-grained access control over encrypted data that is faced by cloud services, ciphertext-policy attribute-based encryption (CP-ABE) technology was proposed in recent years and has attracted great attention from researchers. Although CP-ABE schemes provide the ability for data owner-centric protection in cloud services, they are not very practical with respect to the efficiency and scalability of access right revocation and key refreshing. Recently Xu and Martin proposed a dynamic user revocation and key refreshing model for CP-ABE schemes, and presented a concrete construction based on Bethencourt et al.'s CP-ABE scheme. They claimed that their construction is efficient and provably secure. However, after revisiting the construction, we demonstrate that the cloud service provider cannot perform the data retrieval task in their construction, and that their construction cannot achieve one-to-many encryption.

Keywords: Ciphertext-Policy Attribute-Based Encryption; Dynamic User Revocation; Key Refreshing; Cloud Computing

I. INTRODUCTION

There is no doubt that cloud computing is one of the biggest buzzwords in the IT industry today. Cloud computing offers numerous advantages both to end users and to businesses of all sizes, the most important of which include cost efficiency, ubiquitous access, high reliability and scalability [1]. However, there can be potential risks to data security and privacy when relying on a third party to provide infrastructure, platforms, or software as a service [2].

Encryption seems like an obvious solution to data security and privacy. If the cloud service provider is responsible for data encryption, data owners are still faced with risks such as insider fraud, hacking and disclosure demands from law enforcement. Thus, data owners should take responsibility for protecting their own data from a data security perspective. This data owner-centric protection approach typically requires the following characteristics [3]:

- Fine-grained access control over encrypted data: Data access policy can be defined at data item level and should be enforced at each access attempt with or without the data owner's involvement.
- Dynamic access rights management: The granting or revoking of access rights to a particular data item is straightforward and can be performed almost instantaneously.
- Efficient key management: Critical key management operations such as key establishment, key refreshing and key revocation are conducted in an efficient manner that scales well and is appropriate for the highly dynamic and heterogeneous nature of a cloud storage environment.

Traditional public key encryption and identity-based encryption (IBE) methods are cumbersome to apply to access control in cloud computing. Assume that Alice needs to encrypt a document for access by multiple recipients, who are not necessarily known at encryption time. To solve the problem of fine-grained access control over encrypted data, the concept of attribute-based encryption (ABE) was introduced by Sahai and Waters [4]. Compared with IBE [5], ABE has a significant advantage as it achieves flexible one-to-many encryption instead of one-to-one; it is envisioned as a promising tool for addressing the problem of secure and fine-grained data sharing and decentralized access control.

There are two types of ABE, depending on whether access policies are associated with private keys or with ciphertexts. In a key-policy attribute-based encryption (KP-ABE) system [6], ciphertexts are labeled by the sender with a set of descriptive attributes, while each user's private key, issued by the trusted attribute authority, captures a policy (also called the access structure) that specifies which type of ciphertexts the key can decrypt. Typical applications of KP-ABE include secure forensic analysis and target broadcast [6]. In a ciphertext-policy attribute-based encryption (CP-ABE) system [7], when a sender encrypts a message, they specify an access policy in terms of an access structure over attributes in the ciphertext, stating what kind of receivers will be able to decrypt the ciphertext. Users possess sets of attributes and obtain corresponding secret attribute keys from the attribute authority. Such a user can decrypt a ciphertext if his/her attributes satisfy the access policy associated with the ciphertext. Thus, the CP-ABE mechanism is conceptually closer to the traditional role-based access control method. ABE has drawn extensive attention from both academia and industry; many ABE schemes have been proposed and several cloud-based secure systems using ABE schemes have been developed, such as [6]-[10].

A revocation mechanism is necessary for any public key encryption scheme that involves many users, since some private keys might get compromised or the affiliation of the owner may have changed at some point. For traditional public key encryption and IBE systems, many revocation methods have been proposed in the literature [11], [12]. Similar to IBE, ABE also suffers from the key revocation and inherent key escrow problems [5]. In practical applications, attribute revocation is not only a difficult research problem but also one that must be solved for ABE schemes.

Currently, there are some revocable ABE schemes available in the literature, such as [7], [13]-[15]. Bethencourt et al. [7] proposed a trivial attribute revocation method for CP-ABE schemes by appending an expiration time to each attribute. Obviously, this type of solution requires interaction between users and the trusted attribute authority, and is not able to efficiently revoke user attributes on the fly. Attrapadung and Imai [13] classified the revocation mechanisms in ABE as direct and indirect methods. Direct revocation is enforced directly by the sender, who specifies the revocation list while encrypting. Indirect revocation is enforced by the key authority, who releases key update material periodically in such a way that only non-revoked users can update their keys. An advantage of the indirect method over the direct one is that it does not require senders to know the revocation list. In contrast, an advantage of the direct method over the other is that it does not involve a key update phase in which all non-revoked users interact with the key authority. Yu et al. [14] proposed a CP-ABE scheme in which revocation is based on proxy re-encryption technology, changing the system public key and users' private keys, but the cost of revocation is still high. Hur and Noh [15] exploited a fully fine-grained CP-ABE revocation scheme using a binary tree. However, the approach brings potential management overheads and scalability issues. In addition, the proposed scheme does not provide a strict security model, a security proof, or resistance to collusion attacks.

Recently, Xu and Martin [3] proposed a deployment model called dynamic user revocation and key refreshing (DURKR) for ABE in cloud computing, which enables management of access rights as well as efficient key refreshing and revocation. They claimed that the proposed model can be generically adapted to suit CP-ABE schemes, and gave a concrete construction based on Bethencourt et al.'s CP-ABE scheme [7] to achieve user revocation and key refreshing. However, after carefully revisiting the construction, we demonstrate that their construction is wrong: the cloud service provider cannot perform the data retrieval task. Moreover, their construction cannot achieve one-to-many encryption, nor provide backward and forward secrecy.

The rest of this paper is organized as follows. Some preliminaries about bilinear pairings, access structures and access trees are described in Section II. Xu and Martin's dynamic user revocation and key refreshing model for ABE in cloud computing is introduced in Section III. Security analysis of Xu and Martin's dynamic user revocation and key refreshing construction for Bethencourt et al.'s CP-ABE scheme [7] is given in Section IV. Finally, we conclude the paper in Section V.

II. PRELIMINARIES

Table I summarizes the notations that will be used in this paper.

Table I. NOTATIONS

Symbol                                        Description
$\lambda$                                     Security parameter
$k$                                           A session key, $k \in \{0,1\}^{\lambda}$
$x \in_R S$                                   Pick an element $x$ uniformly at random from the set $S$
$\Pi$                                         A semantically secure symmetric encryption scheme
$E_k(m)$                                      Encrypt a message $m$ under $\Pi$ with a session key $k$
$D_k(c)$                                      Decrypt a ciphertext $c$ under $\Pi$ with a session key $k$
$H_1$                                         Hash function $H_1 : \{0,1\}^{*} \to \mathbb{G}_1$
$H_2$                                         Hash function $H_2 : \mathbb{G}_2 \to \mathbb{Z}_p$
$H_3$                                         Hash function $H_3 : \mathbb{G}_2 \to \{0,1\}^{\lambda}$

A. Bilinear Group Generator

The bilinear group generator $\mathcal{G}$ is an algorithm that takes as input a security parameter $\lambda$ and outputs a bilinear group $(p, \mathbb{G}_1, \mathbb{G}_2, \hat{e}, g)$, where $p$ is a prime of size $2^{\lambda}$, $\mathbb{G}_1$ and $\mathbb{G}_2$ are cyclic groups of order $p$, $g$ is a generator of $\mathbb{G}_1$, and $\hat{e} : \mathbb{G}_1 \times \mathbb{G}_1 \to \mathbb{G}_2$ is a bilinear map with the following properties.

- Bilinearity: For $a, b \in \mathbb{Z}_p$, we have $\hat{e}(g^a, g^b) = \hat{e}(g, g)^{ab}$.
- Non-degeneracy: $\hat{e}(g, g)$ is a generator of $\mathbb{G}_2$.
- Computability: For $g_1, g_2 \in \mathbb{G}_1$, there is an efficient algorithm to compute $\hat{e}(g_1, g_2)$.

B. Access Structure and Access Tree

Let $P = \{P_1, P_2, \ldots, P_n\}$ be a set of parties and let $2^P$ denote its power set. A collection $\mathbb{A} \subseteq 2^P$ is monotone if for every $B$ and $C$, if $B \in \mathbb{A}$ and $B \subseteq C$ then $C \in \mathbb{A}$. An access structure (respectively, monotone access structure) is a collection (respectively, monotone collection) $\mathbb{A}$ of nonempty subsets of $P$, i.e. $\mathbb{A} \subseteq 2^P \setminus \{\emptyset\}$. The sets in $\mathbb{A}$ are called the authorized sets, and the sets not in $\mathbb{A}$ are called the unauthorized sets.

In our context, the role of the parties is taken by the attributes. Thus, the access structure $\mathbb{A}$ will contain the authorized sets of attributes.

Let $\mathcal{T}$ be an access tree with its root representing an access structure. Each non-leaf node of the tree represents a threshold gate, described by its children and a threshold value. Let $num_x$ and $k_x$ be the number of children and the threshold value of a node $x$, respectively. It is obvious that we have $0 < k_x \le num_x$. When $k_x = 1$, the threshold gate is an OR gate, and when $k_x = num_x$, it is an AND gate. Each leaf node $x$ of the tree is described by an attribute and a threshold value $k_x = 1$.

We denote the parent of the node $x$ in the tree by $parent(x)$. The function $attr(x)$ is defined only if $x$ is a leaf node and denotes the attribute associated with the leaf node $x$ in the tree. The access tree $\mathcal{T}$ also defines an ordering between the children of every node, that is, the children of a node $x$ are numbered from 1 to $num_x$. The function $index(x)$ returns such a number associated with the node $x$.

Let $\mathcal{T}$ be an access tree with root $root$. Denote by $\mathcal{T}_x$ the subtree of $\mathcal{T}$ rooted at the node $x$. If a set of attributes $\omega$ satisfies the access tree $\mathcal{T}_x$, we denote it as $\mathcal{T}_x(\omega) = 1$. We compute $\mathcal{T}_x(\omega)$ recursively as follows. If $x$ is a non-leaf node, evaluate $\mathcal{T}_z(\omega)$ for all children $z$ of node $x$; $\mathcal{T}_x(\omega)$ returns 1 if and only if at least $k_x$ children of $x$ return 1. If $x$ is a leaf node, then $\mathcal{T}_x(\omega) = 1$ if and only if $attr(x) \in \omega$.

III. REVIEW OF XU ET AL.'S DURKR MODEL AND CONSTRUCTION

Xu et al.'s dynamic user revocation and key refreshing model for ABE involves four participants, which are described as follows.

- Attribute Authority (AA): This is the central trusted component that is responsible for generating attribute key shares, publishing system public parameters and maintaining the master secret.
- Cloud Services Provider (CSP): This is a semi-trusted entity that provides data storage and retrieval service. CSP includes a proxy server, which is responsible for re-encrypting data owners' ciphertexts before they are sent to users.
- Data Owner (DO): This is the cloud storage subscriber who is responsible for protecting their data by defining access policies, managing user revocation lists, and encrypting data before it is sent to the cloud storage provider.
- Data User (DU): This is another cloud storage subscriber whose attributes need to comply with the access policy before the data is able to be decrypted.

All the communication channels need to be encrypted for data transmission. The system architecture is illustrated in Figure 1.

[Figure 1. DURKR model for ABE in Cloud]

In order to revoke an individual user within a group, they utilize another layer of encryption on top of CP-ABE to achieve fine-grained user-level access control. They introduce an additional system attribute called the delegation attribute, which is designated to CSP. Alongside the key shares for system attributes, AA generates a delegation key share for the delegation attribute. The delegation key share is sent to CSP and is used for ciphertext re-encryption. Since CSP only has the delegation key share, it cannot decrypt the data encrypted under the CP-ABE scheme. In addition, the delegation key share is also used to achieve system key refreshing or revocation.

The master secret is split into two portions. One portion is used by the CP-ABE scheme to generate attribute key shares. The other portion is used by the CSP (i.e., proxy) to issue an additional secret share to the users every time they retrieve the data. So only non-revoked users can successfully construct the decryption key. When the system key needs to be refreshed, AA only re-generates the delegation key share for CSP. All the system keys and key shares are tracked by a version number, $V_{no}$, that is initially set to 1. When an attribute revocation event occurs, it increases by 1.

Xu and Martin illustrated how to apply DURKR to Bethencourt et al.'s CP-ABE scheme as follows.

Setup($1^{\lambda}$): AA runs the bilinear group generator $\mathcal{G}(1^{\lambda})$ to get a prime order bilinear group $(p, \mathbb{G}_1, \mathbb{G}_2, \hat{e}, g)$, and chooses $\alpha_1, \alpha_2 \in_R \mathbb{Z}_p$ satisfying $\alpha = \alpha_1 + \alpha_2 \bmod p$. AA then sets the key version $V_{no} = 1$ and sets the master secret key as $MK = (\beta, g^{\alpha}, \alpha_1, \alpha_2, V_{no})$. Finally, AA publishes the system public parameters as $PK = (p, \mathbb{G}_1, \mathbb{G}_2, \hat{e}, g, h = g^{\beta}, \hat{e}(g, g)^{\alpha}, V_{no})$.

KeyGen($PK, MK, S, V_{no}$): The key share generation algorithm is similar to that of Bethencourt et al.'s CP-ABE scheme, except that we use the first part of the master secret, $\alpha_1$, instead of $\alpha$. For the given attribute set $S$, AA chooses $r \in_R \mathbb{Z}_p$ and $r_j \in_R \mathbb{Z}_p$ for $j \in S$, and computes $D = g^{(\alpha_1 + r)/\beta}$, and $D_j = g^{r} H(j)^{r_j}$, $D'_j = g^{r_j}$ for $j \in S$. AA then sets the key shares as $SK = (D, \{D_j, D'_j\}_{j \in S}, V_{no})$.

CloudServiceKeyGen($PK, MK$): AA uses the other part of the master secret, $\alpha_2$, to generate the delegation key share for CSP as $SK_c = (D_c = g^{\alpha_2/\beta}, V_{no})$.

Encrypt($PK, \mathcal{T}, M, V_{no}$): The encryption algorithm is similar to that of Bethencourt et al.'s CP-ABE scheme, except that the key version is attached to the ciphertext. Let $Y$ be the set of leaf nodes in the access tree $\mathcal{T}$. The sender chooses $s \in_R \mathbb{Z}_p$, computes $\tilde{C} = M\hat{e}(g, g)^{\alpha s}$, $C = h^{s}$, $C'_y = H(attr(y))^{q_y(0)}$ for all $y \in Y$. Finally, the ciphertext $CT$ is set as $(\mathcal{T}, \tilde{C}, C, \{C_y, C'_y\}_{y \in Y}, V_{no})$.

DataRetrieval($PK, uid$): Suppose that the revocation list is $ID_{revoked} = \{uid_1, uid_2, \ldots, uid_m\}$, where $uid_i$ is the user identifier. CSP re-encrypts the ciphertext as follows.

- If $uid \in ID_{revoked}$, then CSP randomly selects $k, k' \in_R \mathbb{Z}_p$, and computes $\tilde{C}' = M\hat{e}(g, g)^{\alpha s k'}$, $C' = h^{s}$, $C'' = h^{sk}$, $D'_c = D_c^{k}$, $C_y = g^{q_y(0)k}$, $C'_y = H(attr(y))^{q_y(0)k}$ for any $y \in Y$, then sets the ciphertext $CT = (\mathcal{T}, \tilde{C}', C', C'', D'_c, \{C_y, C'_y\}_{y \in Y}, V_{no})$.
- If $uid \notin ID_{revoked}$, then CSP randomly selects $k \in_R \mathbb{Z}_p$, and computes $\tilde{C}' = M\hat{e}(g, g)^{\alpha s k}$, $C' = h^{s}$, $C'' = h^{sk}$, $D'_c = D_c^{k}$, $C_y = g^{q_y(0)k}$, $C'_y = H(attr(y))^{q_y(0)k}$ for any $y \in Y$, then sets the ciphertext $CT = (\mathcal{T}, \tilde{C}', C', C'', D'_c, \{C_y, C'_y\}_{y \in Y}, V_{no})$.

The re-encrypted ciphertext $CT$ is then sent to the user.

Decrypt($PK, CT, SK, V_{no}$): The first part of decryption proceeds the same as that of Bethencourt et al.'s CP-ABE scheme. Using the same attribute key version $V_{no}$, if the user has attributes that comply with the access tree, then he can compute $A = \mathrm{DecryptNode}(CT, SK, root) = \hat{e}(g, g)^{rks}$. If the user is not in the revoked list, the message $M$ can be revealed by

$$\mathrm{Decrypt}(PK, CT, SK, V_{no}) = \frac{A \cdot \tilde{C}'}{\hat{e}(C'', D)\,\hat{e}(C', D'_c)}.$$

KeyReGen($PK, MK$): Suppose that the current public system parameters are $PK_{V_{no}} = (\mathbb{G}_1, \mathbb{G}_T, g, \hat{e}, h = g^{\beta}, \hat{e}(g, g)^{\alpha}, V_{no})$, and the master key $MK_{V_{no}}$ is $(\beta, g^{\alpha}, \alpha_1, \alpha_2, V_{no})$. The key refreshing algorithm selects $\alpha' \in_R \mathbb{Z}_p$ and computes $\alpha'_2 = \alpha' - \alpha_1 \bmod p$. Increasing the key version $V_{no}$ by 1, the new public system parameters are set as $PK' = (\mathbb{G}_1, \mathbb{G}_T, g, \hat{e}, h = g^{\beta}, \hat{e}(g, g)^{\alpha'}, V_{no})$, and the master secret key $MK$ becomes $MK' = (\beta, g^{\alpha'}, \alpha_1, \alpha'_2, V_{no})$. The algorithm then calls the CloudServiceKeyGen algorithm to re-generate the delegation key share and distribute it to CSP.

IV. CRYPTANALYSIS OF XU ET AL.'S DURKR CONSTRUCTION

Theorem 1: The CSP cannot perform the DataRetrieval algorithm in Xu et al.'s DURKR construction.

Proof: Here we give a proof by contradiction. Assume that CSP can compute $\tilde{C}' = M\hat{e}(g, g)^{\alpha s k}$ (or $\tilde{C}' = M\hat{e}(g, g)^{\alpha s k'}$) from $\tilde{C} = M\hat{e}(g, g)^{\alpha s}$, where $k \in \mathbb{Z}_p$ (or $k' \in \mathbb{Z}_p$) is chosen by CSP in the DataRetrieval algorithm. Then CSP can calculate

$$\tilde{C}' / \tilde{C} = M\hat{e}(g, g)^{\alpha s k} / M\hat{e}(g, g)^{\alpha s} = \hat{e}(g, g)^{\alpha s (k-1)}.$$

Thus, CSP can recover the message $M$ by setting $k = 2$. This contradicts the assumption that CSP is semi-trusted: CSP can only re-encrypt data owners' ciphertexts in response to data retrieval requests from cloud users, without learning any information about the corresponding plaintext. This ends the proof.

Theorem 2: Xu et al.'s DURKR construction is irrational and cannot achieve one-to-many encryption, backward and forward secrecy.

Proof: In Xu et al.'s DURKR construction, CSP maintains a revocation list, which is a set of revoked user identifiers. During the DataRetrieval phase, CSP first determines whether the requesting user is revoked or not. If the requesting user is revoked, CSP will select two random numbers $k, k' \in \mathbb{Z}_p$, re-encrypt the ciphertext and send the ill-formed ciphertext to the requesting user. If the requesting user is not revoked, CSP will select a random number $k \in \mathbb{Z}_p$, re-encrypt the ciphertext and send the well-formed ciphertext to the requesting user. The problem here is that if CSP can determine whether the user has been revoked or not, why not just refuse the data retrieval request to save bandwidth and computing resources?
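The algebra of Theorem 1, and the fact used in the rest of this proof that Decrypt never looks at a user identifier, can be checked numerically. The following Python 3.8+ sketch is an added example, not code from the paper or from Xu and Martin. It assumes a toy "pairing" in which $\mathbb{G}_1$ elements are stored as discrete logs mod P, constructed toy parameters P, Q, GT, a single-leaf access policy, and hypothetical function names throughout.

```python
"""Toy model of the DURKR algebra (constructed toy parameters, not secure).

G1 elements are stored as discrete logs mod P, so e(g^a, g^b) = GT^(a*b);
G2 is the order-P subgroup of Z_Q^* generated by GT = e(g, g).
"""
import hashlib
import random

P, Q, GT = 1019, 2039, 4            # Q = 2P + 1, both prime; GT has order P
rnd = random.Random(2014)           # fixed seed so runs are repeatable

def zp():
    return rnd.randrange(1, P)      # nonzero element of Z_p

def e(a, b):
    return pow(GT, a * b % P, Q)    # pairing evaluated on G1 exponents

def inv(x, m):
    return pow(x, -1, m)            # modular inverse

def H(attr):
    digest = hashlib.sha256(attr.encode()).digest()
    return int.from_bytes(digest, "big") % P       # hash to G1 (as an exponent)

def setup():
    beta, a1, a2 = zp(), zp(), zp()
    pk = {"h": beta, "Y": pow(GT, (a1 + a2) % P, Q)}   # h = g^beta, Y = e(g,g)^alpha
    return pk, {"beta": beta, "a1": a1, "a2": a2}

def keygen(mk, attrs):
    r = zp()
    parts = {}
    for j in attrs:
        rj = zp()
        parts[j] = ((r + H(j) * rj) % P, rj)       # D_j = g^r H(j)^rj, D'_j = g^rj
    return {"D": (mk["a1"] + r) * inv(mk["beta"], P) % P, "parts": parts}

def csp_keygen(mk):
    return mk["a2"] * inv(mk["beta"], P) % P       # D_c = g^(alpha_2 / beta)

def encrypt(pk, M, attr):
    """Single-leaf policy `attr`, so q_y(0) = s. Returns (CT, s); s stays with the DO."""
    s = zp()
    ct = {"attr": attr, "Ct": M * pow(pk["Y"], s, Q) % Q, "C": pk["h"] * s % P,
          "Cy": s, "Cy1": H(attr) * s % P}
    return ct, s

def reencrypt_derivable(ct, Dc, k):
    """Parts of the re-encrypted CT the CSP can compute from CT and D_c by raising to k."""
    return {"attr": ct["attr"], "C1": ct["C"], "C2": ct["C"] * k % P,
            "Dc1": Dc * k % P, "Cy": ct["Cy"] * k % P, "Cy1": ct["Cy1"] * k % P}

def ctilde_as_specified(pk, M, s, k):
    """C~' = M e(g,g)^(alpha s k): needs M and s, which the CSP does not hold."""
    return M * pow(pk["Y"], s * k % P, Q) % Q

def decrypt(ct2, Ct2, sk):
    """Decrypt takes no user identifier: only the attribute key share matters."""
    Dj, Dj1 = sk["parts"][ct2["attr"]]
    A = e(Dj, ct2["Cy"]) * inv(e(Dj1, ct2["Cy1"]), Q) % Q        # e(g,g)^(r k s)
    denom = e(ct2["C2"], sk["D"]) * e(ct2["C1"], ct2["Dc1"]) % Q
    return A * Ct2 * inv(denom, Q) % Q

def recover_from_k2(Ct, Ct_k2):
    """Theorem 1 with k = 2: C~'/C~ = e(g,g)^(alpha s), hence M = C~^2 / C~'."""
    return Ct * Ct * inv(Ct_k2, Q) % Q

def demo():
    pk, mk = setup()
    Dc = csp_keygen(mk)
    M = pow(GT, 123, Q)                              # constructed message in G2
    ct, s = encrypt(pk, M, "staff")
    k = rnd.randrange(2, P)
    ct2 = reencrypt_derivable(ct, Dc, k)
    Ct2 = ctilde_as_specified(pk, M, s, k)
    revoked_key = keygen(mk, ["staff"])              # holder is on the revocation list
    return {
        "M": M,
        "decrypts": decrypt(ct2, Ct2, keygen(mk, ["staff"])),
        "revoked_decrypts": decrypt(ct2, Ct2, revoked_key),
        "csp_power": pow(ct["Ct"], k, Q),            # C~^k = M^k e(g,g)^(alpha s k)
        "specified": Ct2,
        "theorem1": recover_from_k2(ct["Ct"], ctilde_as_specified(pk, M, s, 2)),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Every component except $\tilde{C}'$ is obtained by raising a public value to $k$, whereas raising $\tilde{C}$ to $k$ yields $M^{k}\hat{e}(g,g)^{\alpha s k}$, which differs from the specified $\tilde{C}'$ whenever $k \ne 1$.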

Moreover, the well-formed ciphertext can be decrypted if and only if the attributes owned by the user satisfy the access structure associated with the ciphertext, no matter whether the user is revoked or not. That is to say, a revoked user can also decrypt the well-formed ciphertext as long as he is able to get it. Therefore, CSP must build a secure channel to send the re-encrypted well-formed ciphertext to the unrevoked user. In other words, the data owner can only achieve one-to-one encryption instead of one-to-many encryption.

More seriously, Xu et al.'s DURKR construction did not consider backward and forward secrecy. Whether the user is revoked or not, users do not need to update their private keys. This ends the proof.

V. CONCLUSION

Attribute-based encryption is a great invention by security researchers and allows group-based encryption to be performed efficiently. While it provides many benefits, revocation of users has been a key issue in utilizing attribute-based encryption. Recently Xu and Martin proposed a dynamic user revocation and key refreshing model for ciphertext-policy attribute-based encryption schemes. They presented a concrete construction and claimed that the proposed construction is efficient and proved to be secure. However, after carefully revisiting the construction, we show that their construction is wrong: the cloud service provider cannot perform the data retrieval task. Moreover, their construction cannot achieve one-to-many encryption, nor provide backward and forward secrecy. User revocation, especially attribute revocation for attribute-based encryption schemes, is still subject to extensive research.

ACKNOWLEDGMENT

This research is jointly funded by the National Natural Science Foundation of China (Grant No. 61173189) and the Guangdong Province Information Security Key Laboratory Project.

REFERENCES

[1] P. Mell and T. Grance, The NIST Definition of Cloud, NIST Special Publication 800-145, 2011.
[2] J. Xue and J. J. Zhang, A brief survey on the security model of cloud computing, In the 9th International Symposium on Distributed Computing and Applications to Business, Engineering and Science, 2010, pp. 475-478.
[3] Z. Q. Xu and K. M. Martin, Dynamic User Revocation and Key Refreshing for Attribute-Based Encryption in Cloud Storage, In 11th International Conference on Trust, Security and Privacy in Computing and Communications, 2012, pp. 844-849.
[4] A. Sahai and B. Waters, Fuzzy Identity Based Encryption, In EUROCRYPT 2005, LNCS 3494, Springer-Verlag, 2005, pp. 457-473.
[5] D. Boneh and M. K. Franklin, Identity-based encryption from the Weil pairing, In CRYPTO 2001, LNCS 2139, Springer-Verlag, 2001, pp. 213-229.
[6] V. Goyal, O. Pandey, A. Sahai and B. Waters, Attribute Based Encryption for Fine-Grained Access Control of Encrypted Data, In ACM Conference on Computer and Communications Security, 2006, pp. 89-98.
[7] J. Bethencourt, A. Sahai and B. Waters, Ciphertext-policy attribute-based encryption, In IEEE Symposium on Security & Privacy, 2007, pp. 321-334.
[8] B. Waters, Ciphertext-Policy Attribute-Based Encryption: An Expressive, Efficient, and Provably Secure Realization, In PKC 2011, LNCS 6571, Springer-Verlag, 2011, pp. 53-70.
[9] A. B. Lewko and B. Waters, New Proof Methods for Attribute-Based Encryption: Achieving Full Security through Selective Techniques, In CRYPTO 2012, LNCS 7417, Springer-Verlag, 2012, pp. 180-198.
[10] M. Li, S. C. Yu, Y. Zheng, K. Ren and W. J. Lou, Scalable and Secure Sharing of Personal Health Records in Cloud Computing using Attribute-based Encryption, IEEE Transactions on Parallel and Distributed Systems, Vol. 24, No. 1, 2013, pp. 131-143.
[11] C. Gentry, Certificate-based encryption and the certificate revocation problem, In EUROCRYPT 2003, LNCS 2656, Springer-Verlag, 2003, pp. 272-293.
[12] A. Boldyreva, V. Goyal and V. Kumar, Identity-based encryption with efficient revocation, In the 15th ACM Conference on Computer and Communications Security, 2008, pp. 417-426.
[13] N. Attrapadung and H. Imai, Attribute-Based Encryption Supporting Direct/Indirect Revocation Modes, In Cryptography and Coding 2009, LNCS 5921, Springer-Verlag, 2009, pp. 278-300.
[14] S. Yu, C. Wang, K. Ren and W. J. Lou, Attribute based data sharing with attribute revocation, In ACM Symposium on Information, Computer and Communications Security, 2010, pp. 261-270.
[15] J. Hur and D. K. Noh, Attribute-Based Access Control with Efficient Revocation in Data Outsourcing Systems, IEEE Transactions on Parallel and Distributed Systems, Vol. 22, No. 7, 2011, pp. 1214-1221.