Towards an auditable cryptographic access control to high-value sensitive data
Abstract
We discuss the challenge of achieving auditable key management for cryptographic access control to high-value sensitive data. In such settings it is important to be able to audit the key management process, and in particular to provide verifiable proofs of key generation. Auditable key management has several possible use cases in both the civilian and the military world.
In particular, new regulations for the protection of sensitive personal data, such as the GDPR, introduce strict requirements for the handling of personal data and apply a very restrictive definition of what is considered personal data. Cryptographic access control for personal data has the potential to become extremely important for preserving industry's ability to innovate while protecting data subjects' privacy, especially in the context of the widely deployed modern monitoring, tracking and profiling capabilities used by both governmental institutions and high-tech companies. However, encrypted data is in general still considered personal data under the GDPR and therefore cannot, for example, be stored or processed in a public cloud or on a distributed ledger. In our work we propose an identity-based cryptographic framework that ensures the confidentiality, availability and integrity of data while potentially remaining compliant with the GDPR framework.
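The abstract's requirement of verifiable proofs of key generation can be made concrete with Feldman's non-interactive verifiable secret sharing, which the reference list cites (Feldman, 1987) and which is the usual building block of the distributed private-key generators also cited there. The following Python is an added illustration written for this page, not the authors' framework or code: a dealer splits a master secret into Shamir shares and publishes commitments g^{a_j} to every polynomial coefficient, so that an auditor holding only the public transcript can check each share against the commitments and detect a tampered one. The group parameters P, Q and G are tiny constructed toy values chosen so the arithmetic is easy to follow; a real deployment would use a standard prime-order group of cryptographic size.

```python
import secrets
from dataclasses import dataclass

# Toy group parameters, constructed for illustration and far too small for real use:
# P is a safe prime, Q = (P-1)/2 is prime, G = 4 is a quadratic residue and so
# generates the order-Q subgroup of Z_P^*.
P = 1019
Q = 509
G = 4


@dataclass(frozen=True)
class Share:
    index: int   # evaluation point x_i (1-based, never 0)
    value: int   # f(x_i) mod Q


@dataclass(frozen=True)
class Transcript:
    """Public record the dealer publishes: Feldman commitments G^{a_j} to each coefficient."""
    commitments: tuple  # (G^a0, G^a1, ..., G^{a_{t-1}}) mod P


def deal(secret, t, n, coeffs=None):
    """Split `secret` (mod Q) into n Shamir shares with threshold t and publish commitments.

    `coeffs` may be supplied (length t-1) for a reproducible demo; otherwise they are random.
    """
    if not (1 <= t <= n < Q):
        raise ValueError("need 1 <= t <= n < Q")
    if coeffs is None:
        coeffs = [secrets.randbelow(Q) for _ in range(t - 1)]
    if len(coeffs) != t - 1:
        raise ValueError("need exactly t-1 coefficients")
    poly = [secret % Q] + [c % Q for c in coeffs]   # f(x) = a0 + a1 x + ... + a_{t-1} x^{t-1}
    shares = [
        Share(i, sum(a * pow(i, j, Q) for j, a in enumerate(poly)) % Q)
        for i in range(1, n + 1)
    ]
    commitments = tuple(pow(G, a, P) for a in poly)
    return shares, Transcript(commitments)


def verify_share(share, transcript):
    """Audit check: G^{s_i} == prod_j C_j^{i^j} (mod P), using only public data plus the share."""
    lhs = pow(G, share.value, P)
    rhs = 1
    for j, c in enumerate(transcript.commitments):
        rhs = rhs * pow(c, pow(share.index, j, Q), P) % P
    return lhs == rhs


def public_key(transcript):
    """C_0 = G^{a0} = G^secret: the public key the transcript binds the dealer to."""
    return transcript.commitments[0]


def reconstruct(shares):
    """Lagrange interpolation at x = 0 over Z_Q from any t distinct, verified shares."""
    secret = 0
    for i, si in enumerate(shares):
        num, den = 1, 1
        for j, sj in enumerate(shares):
            if i != j:
                num = num * (-sj.index) % Q
                den = den * (si.index - sj.index) % Q
        secret = (secret + si.value * num * pow(den, -1, Q)) % Q
    return secret


def demo(secret=123, t=3, n=5, coeffs=(77, 250)):
    """Deal a t-of-n sharing with fixed coefficients, audit every share, and catch a tampered one."""
    shares, transcript = deal(secret, t, n, coeffs)
    all_ok = all(verify_share(s, transcript) for s in shares)
    # Constructed corruption: share 2 with its value nudged by one.
    bad = Share(shares[1].index, (shares[1].value + 1) % Q)
    return {
        "all_ok": all_ok,
        "bad_detected": not verify_share(bad, transcript),
        "recovered": reconstruct(shares[:t]),
        "pk_matches": public_key(transcript) == pow(G, secret, P),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` deals a 3-of-5 sharing of a fixed secret with fixed coefficients so the result is reproducible: verification passes for every honest share, fails for the deliberately altered one, and any three honest shares reconstruct the secret. The commitment to a_0 doubles as the public key G^secret, which is what lets the key-generation transcript be audited later without the secret ever being revealed.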
References
@inproceedings{shamir1984identity,
title={Identity-based cryptosystems and signature schemes},
author={Shamir, Adi},
booktitle={Workshop on the theory and application of cryptographic techniques},
pages={47--53},
year={1984},
organization={Springer},
note={Available online at: \url{http://discovery.csc.ncsu.edu/Courses/csc774-S08/reading-assignments/shamir84.pdf}}
}
@inproceedings{boneh2001identity,
title={Identity-based encryption from the Weil pairing},
author={Boneh, Dan and Franklin, Matt},
booktitle={Annual international cryptology conference},
pages={213--229},
year={2001},
organization={Springer},
note={Available online at: \url{https://crypto.stanford.edu/~dabo/papers/bfibe.pdf}}
}
@misc{GDPR,
title = {{General Data Protection Regulation 2016/679}},
author = {EU},
year = {2016}
}
@techreport{rfc,
author = {X. Boyen and L. Martin},
title = {{The Boneh-Franklin BF Cryptosystem}},
number = {RFC 5091},
institution = {IETF},
year = 2007
}
@inproceedings{yacobi,
title = "A Note on the Bi-Linear Diffie-Hellman Assumption",
year = 2002,
author={Yacobi, Yacov},
booktitle={Cryptology ePrint Archive, Report 2002/113},
}
@techreport{rep2015,
author={Dustin Moody and Rene C. Peralta and Ray A. Perlner and Andrew R. Regenscheid and Allen L. Roginsky and Lidong Chen},
title={Report on Pairing-based Cryptography},
institution={NIST},
year=2015
}
@misc{209,
author = {Eleftherios Kokoris-Kogias
and Enis Ceyhun Alp and Sandra Deepthy Siby and Nicolas Gailly and Linus Gasser and Philipp Jovanovic and Ewa Syta and Bryan Ford},
title = {Verifiable Management of Private Data under Byzantine Failures},
howpublished = {Cryptology ePrint Archive 2018/209},
year = {2018}
}
@misc{016,
author = {Y. Rouselakis and B. Waters},
title = {Efficient Statically-Secure Large-Universe Multi-Authority Attribute-Based Encryption},
howpublished = {ePrint Archive 2015/016},
year = {2015}
}
@inproceedings{fed,
author = {Chadwick, D.},
title = {Federated Identity Management},
booktitle = {Foundations of Security Analysis and Design V SE - 3},
pages = {96--120},
year = {2009}
}
@misc{fed2,
author = {Vo, T.H.; Fuhrmann, W.F.; Fischer-Hellmann, K.P.},
title = {Identity-as-a-Service (IDaaS): A Missing Gap for Moving
Enterprise Applications in Inter-Cloud},
howpublished = {In Proceedings of the Eleventh International Network Conference,
INC 2016, Frankfurt, Germany},
year = {2016}
}
@inproceedings{Camenisch2009a,
author = {Camenisch, Jan and Kohlweiss, Markulf and Rial, Alfredo and Sheedy, Caroline},
booktitle = {Int. Work. Public Key Cryptogr.},
editor = {Jarecki, S. and Tsudik, G.},
pages = {196--214},
title = {{Blind and anonymous identity-based encryption and authorised private searches on public key encrypted data}},
year = {2009}
}
@inproceedings{Kate2010a,
author = {Kate, A. and Goldberg, I.},
booktitle = {Int. Conf. Secur. Cryptogr. Networks},
title = {{Distributed Private-Key Generators for Identity-based Cryptography}},
year = {2010}
}
@inproceedings{Chow2009,
author = {Chow, Sherman S. M.},
booktitle = {Int. Work. Public Key Cryptogr.},
pages = {256--276},
publisher = {Springer},
title = {{Removing Escrow from Identity-Based Encryption}},
year = {2009}
}
@inproceedings{Boyen2006,
author = {Boyen, Xavier and Waters, Brent},
booktitle = {Adv. Cryptol. - CRYPTO},
title = {{Anonymous hierarchical identity-based encryption (Without random oracles)}},
year = {2006}
}
@article{Boneh2003a,
author = {Boneh, Dan and Franklin, Matthew},
journal = {SIAM J. Comput.},
number = {3},
pages = {586--615},
title = {{Identity-Based Encryption from the Weil Pairing}},
volume = {32},
year = {2003}
}
@article{Feldman1987,
author = {Feldman, Paul},
journal = {28th Annu. Symp. Found. Comput. Sci.},
pages = {427--438},
title = {{A practical scheme for non-interactive verifiable secret sharing}},
url = {http://ieeexplore.ieee.org/document/4568297/},
year = {1987}
}
@inproceedings{Gentry2006,
author = {Gentry, Craig},
booktitle = {EUROCRYPT Adv. Cryptol.},
pages = {445--464},
title = {{Practical Identity-Based Encryption Without Random Oracles}},
volume = {4004},
year = {2006}
}
@misc{Gresham2019,
author = {Josh Gresham},
title = {Is encrypted data personal data under the GDPR?},
year = {2019},
month = {3},
day = {6},
howpublished = {Available online at: \url{https://iapp.org/news/a/is-encrypted-data-personal-data-under-the-gdpr/}}
}
@misc{EPRS2019,
author = {{European Parliamentary Research Service Scientific Foresight Unit}},
title = {Blockchain and the General Data Protection Regulation: Can distributed ledgers be squared with European data protection law?},
year = {2019},
month = {7},
howpublished = {Available online at: \url{https://www.europarl.europa.eu/RegData/etudes/STUD/2019/634445/EPRS_STU(2019)634445_EN.pdf}}
}
@inproceedings{Garg2019,
author = {Garg, Sanjam and Hajiabadi, Mohammad and Mahmoody, Mohammad and Rahimi, Ahmadreza and Sekar, Sruthi},
booktitle = {Public-Key Cryptogr. - PKC},
pages = {63--93},
title = {{Registration-Based Encryption from Standard Assumptions}},
year = {2019}
}
@inproceedings{Garg2018,
author = {Garg, Sanjam and Hajiabadi, Mohammad and Mahmoody, Mohammad and Rahimi, Ahmadreza},
booktitle = {Proc. TCC},
pages = {689--718},
title = {{Registration-based encryption: Removing private-key generator from IBE}},
year = {2018}
}
@techreport{Goyal2019,
author = {Goyal, Rishab and Vusirikala, Satyanarayana},
institution = {IACR},
pages = {1--45},
series = {eprint},
title = {{Verifiable Registration-Based Encryption}},
url = {https://eprint.iacr.org/2019/1044},
year = {2019}
}
@book{Chatterjee2011,
author = {Sanjit Chatterjee and Palash Sarkar},
title = {Identity-Based Encryption},
year = {2011},
publisher = {Springer}
}
@InProceedings{Dent2009,
author="Dent, Alexander W.",
editor="Martinelli, Fabio and Preneel, Bart",
title="A Brief Introduction to Certificateless Encryption Schemes and Their Infrastructures",
booktitle="Proc. of the European Public Key Infrastructure Workshop (EuroPKI 2009)",
year="2010",
publisher="Springer",
pages="1--16",
abstract="Certificateless encryption is a form of public-key encryption that is designed to eliminate the disadvantages of both traditional PKI-based public-key encryption scheme and identity-based encryption. Unlike public-key encryption, there is no requirement for digital certificates or a public-key infrastructure. Unlike identity-based encryption, the trusted third party need not be given the ability to decrypt ciphertexts intended for users. In this invited paper we will review the concept of certificateless encryption from an infrastructure point of view and show that many of the different formulations for ``certificateless'' encryption can be instantiated using public-key infrastructures after all."
}
@book{Greenberg2019,
author = {Andy Greenberg},
title = {Sandworm - A new era of cyberwar and the hunt for the Kremlin's hackers},
publisher = {Doubleday},
year = {2019}
}
@misc{cryptoeprint:2019:912,
author = {David Derler and Sebastian Ramacher and Daniel Slamanig and Christoph Striecks},
title = {I Want to Forget: Fine-Grained Encryption with Full Forward Secrecy in the Distributed Setting},
howpublished = {Cryptology ePrint Archive, Report 2019/912},
year = {2019},
note = {\url{https://eprint.iacr.org/2019/912}},
}
@article{DBLP:journals/corr/EgorovW17,
author = {Michael Egorov and
MacLane Wilkison},
title = {NuCypher {KMS:} Decentralized key management system},
journal = {CoRR},
volume = {abs/1707.06140},
year = {2017},
url = {http://arxiv.org/abs/1707.06140},
archivePrefix = {arXiv},
eprint = {1707.06140},
timestamp = {Mon, 13 Aug 2018 16:46:57 +0200},
biburl = {https://dblp.org/rec/journals/corr/EgorovW17.bib},
bibsource = {dblp computer science bibliography, https://dblp.org}
}
@misc{umbral,
author = {David Nuñez},
title = {Umbral: a threshold proxy re-encryption scheme},
year = {2018},
note = {\url{https://raw.githubusercontent.com/nucypher/umbral-doc/master/umbral-doc.pdf}},
}
@inproceedings{Egorov2018NuCypherA,
title={NuCypher : A proxy re-encryption network to empower privacy in decentralized systems},
author={Michael Egorov and David Nu{\~n}ez and MacLane Wilkison},
year={2018}
}
@article{Ateniese2005ImprovedPR,
title={Improved proxy re-encryption schemes with applications to secure distributed storage},
author={Giuseppe Ateniese and Kevin Fu and Matthew Green and Susan Hohenberger},
journal={IACR Cryptology ePrint Archive},
year={2005},
volume={2005},
pages={28}
}
@article{Nuez2017ProxyRA,
title={Proxy Re-Encryption: Analysis of constructions and its application to secure access delegation},
author={David Nu{\~n}ez and Isaac Agudo and Javier L{\'o}pez},
journal={J. Netw. Comput. Appl.},
year={2017},
volume={87},
pages={193-209}
}
@inproceedings{Reniers2019AnalysisOA,
title={Analysis of architectural variants for auditable blockchain-based private data sharing},
author={Vincent Reniers and Dimitri Van Landuyt and Paolo Viviani and Bert Lagaisse and Riccardo Lombardi and Wouter Joosen},
booktitle={SAC '19},
year={2019}
}
@article{Widick2019BlockchainBA,
title={Blockchain Based Authentication and Authorization Framework for Remote Collaboration Systems},
author={Logan Widick and Ishan Ranasinghe and Ram Dantu and Srikanth Jonnada},
journal={2019 IEEE 20th International Symposium on "A World of Wireless, Mobile and Multimedia Networks" (WoWMoM)},
year={2019},
pages={1-7}
}
@article{Bernabe2019PrivacyPreservingSF,
title={Privacy-Preserving Solutions for Blockchain: Review and Challenges},
author={Jorge Bernal Bernabe and Jose Luis Canovas and Jos{\'e} L. Hern{\'a}ndez-Ramos and Rafael Torres Moreno and Antonio F. Skarmeta},
journal={IEEE Access},
year={2019},
volume={7},
pages={164908-164940}
}
@misc{cryptoeprint:2018:209,
author = {Eleftherios Kokoris-Kogias and Enis Ceyhun Alp and Sandra Deepthy Siby and Nicolas Gailly and Linus Gasser and Philipp Jovanovic and Ewa Syta and Bryan Ford},
title = {Verifiable Management of Private Data under Byzantine Failures},
howpublished = {Cryptology ePrint Archive, Report 2018/209},
year = {2018},
note = {\url{https://eprint.iacr.org/2018/209}},
}
@misc{cryptoeprint:2020:254,
author = {Sanjam Garg and Shafi Goldwasser and Prashant Nalini Vasudevan},
title = {Formalizing Data Deletion in the Context of the Right to be Forgotten},
howpublished = {Cryptology ePrint Archive, Report 2020/254},
year = {2020},
note = {\url{https://eprint.iacr.org/2020/254}},
}
@article{Amroudi2017AV,
title={A Verifiable (k,n,m)-Threshold Multi-secret Sharing Scheme Based on NTRU Cryptosystem},
author={Ali Nakhaei Amroudi and Ali Zaghain and Mahdi Sajadieh},
journal={Wireless Personal Communications},
year={2017},
volume={96},
pages={1393-1405}
}
@article{DBLP:journals/corr/abs-1801-10228,
author = {Elli Androulaki and
Artem Barger and
Vita Bortnikov and
Christian Cachin and
Konstantinos Christidis and
Angelo De Caro and
David Enyeart and
Christopher Ferris and
Gennady Laventman and
Yacov Manevich and
Srinivasan Muralidharan and
Chet Murthy and
Binh Nguyen and
Manish Sethi and
Gari Singh and
Keith Smith and
Alessandro Sorniotti and
Chrysoula Stathakopoulou and
Marko Vukolic and
Sharon Weed Cocco and
Jason Yellick},
title = {Hyperledger Fabric: {A} Distributed Operating System for Permissioned
Blockchains},
journal = {CoRR},
volume = {abs/1801.10228},
year = {2018},
url = {http://arxiv.org/abs/1801.10228},
archivePrefix = {arXiv},
eprint = {1801.10228},
timestamp = {Mon, 13 Aug 2018 16:46:46 +0200},
biburl = {https://dblp.org/rec/journals/corr/abs-1801-10228.bib},
bibsource = {dblp computer science bibliography, https://dblp.org}
}
@inproceedings{inproceedingsAzaria,
author = {Azaria, Asaph and Ekblaw, Ariel and Vieira, Thiago and Lippman, Andrew},
year = {2016},
month = {08},
pages = {25-30},
title = {MedRec: Using Blockchain for Medical Data Access and Permission Management},
doi = {10.1109/OBD.2016.11}
}
@InProceedings{10.1007/978-3-642-16441-5_1,
author="Dent, Alexander W.",
editor="Martinelli, Fabio
and Preneel, Bart",
title="A Brief Introduction to Certificateless Encryption Schemes and Their Infrastructures",
booktitle="Public Key Infrastructures, Services and Applications",
year="2010",
publisher="Springer Berlin Heidelberg",
address="Berlin, Heidelberg",
pages="1--16",
abstract="Certificateless encryption is a form of public-key encryption that is designed to eliminate the disadvantages of both traditional PKI-based public-key encryption scheme and identity-based encryption. Unlike public-key encryption, there is no requirement for digital certificates or a public-key infrastructure. Unlike identity-based encryption, the trusted third party need not be given the ability to decrypt ciphertexts intended for users. In this invited paper we will review the concept of certificateless encryption from an infrastructure point of view and show that many of the different formulations for ``certificateless'' encryption can be instantiated using public-key infrastructures after all.",
isbn="978-3-642-16441-5"
}
@article{Rajabi,
author = {Rajabi, Bahman and Eslami, Ziba},
year = {2018},
month = {11},
title = {A Verifiable Threshold Secret Sharing Scheme Based On Lattices},
volume = {501},
journal = {Information Sciences},
doi = {10.1016/j.ins.2018.11.004}
}
@inproceedings{10.1145/3140649.3140656,
author = {Shafagh, Hossein and Burkhalter, Lukas and Hithnawi, Anwar and Duquennoy, Simon},
title = {Towards Blockchain-Based Auditable Storage and Sharing of IoT Data},
year = {2017},
isbn = {9781450352048},
publisher = {Association for Computing Machinery},
address = {New York, NY, USA},
url = {https://doi.org/10.1145/3140649.3140656},
doi = {10.1145/3140649.3140656},
booktitle = {Proceedings of the 2017 on Cloud Computing Security Workshop},
pages = {45--50},
numpages = {6},
keywords = {security, cloud, time-series, access control, edge, blockchain, iot},
location = {Dallas, Texas, USA},
series = {CCSW '17}
}
@article{DBLP:journals/corr/abs-1802-07344,
author = {Alberto Sonnino and
Mustafa Al{-}Bassam and
Shehar Bano and
George Danezis},
title = {Coconut: Threshold Issuance Selective Disclosure Credentials with
Applications to Distributed Ledgers},
journal = {CoRR},
volume = {abs/1802.07344},
year = {2018},
url = {http://arxiv.org/abs/1802.07344},
archivePrefix = {arXiv},
eprint = {1802.07344},
timestamp = {Mon, 13 Aug 2018 16:48:07 +0200},
biburl = {https://dblp.org/rec/journals/corr/abs-1802-07344.bib},
bibsource = {dblp computer science bibliography, https://dblp.org}
}
@article{Zyskind2015DecentralizingPU,
title={Decentralizing Privacy: Using Blockchain to Protect Personal Data},
author={Guy Zyskind and Oz Nathan and Alex Pentland},
journal={2015 IEEE Security and Privacy Workshops},
year={2015},
pages={180-184}
}
@INPROCEEDINGS{7695147,
author={X. A. {Wang} and F. {Xhafa} and Z. {Zheng} and J. {Nie}},
booktitle={2016 International Conference on Intelligent Networking and Collaborative Systems (INCoS)},
title={Identity Based Proxy Re-Encryption Scheme (IBPRE+) for Secure Cloud Data Sharing},
year={2016},
pages={44-48},
keywords={cloud computing;public key cryptography;identity based proxy reencryption scheme;IBPRE+;cloud data sharing security;re-encryption keys;ciphertext;Alice's public key;PRE plus scheme;PRE+ scheme;message-level based line-grained delegation;3-linear map;Cloud computing;Encryption;Generators;Proposals;Servers},
doi={10.1109/INCoS.2016.83},
month={Sep.}
}
@article{nun,
author = {Nuñez, David and Agudo, Isaac and Lopez, Javier},
year = {2017},
month = {03},
title = {Proxy Re-Encryption: Analysis of Constructions and its Application to Secure Access Delegation},
volume = {87},
journal = {Journal of Network and Computer Applications},
doi = {10.1016/j.jnca.2017.03.005}
}
@misc{cryptoeprint:2007:432,
author = {Craig Gentry and Chris Peikert and Vinod Vaikuntanathan},
title = {Trapdoors for Hard Lattices and New Cryptographic Constructions},
howpublished = {Cryptology ePrint Archive, Report 2007/432},
year = {2007},
note = {\url{https://eprint.iacr.org/2007/432}},
}
@InProceedings{10.1007/978-3-642-13190-5_28,
author="Agrawal, Shweta
and Boneh, Dan
and Boyen, Xavier",
editor="Gilbert, Henri",
title="Efficient Lattice (H)IBE in the Standard Model",
booktitle="Advances in Cryptology -- EUROCRYPT 2010",
year="2010",
publisher="Springer Berlin Heidelberg",
address="Berlin, Heidelberg",
pages="553--572",
abstract="We construct an efficient identity based encryption system based on the standard learning with errors (LWE) problem. Our security proof holds in the standard model. The key step in the construction is a family of lattices for which there are two distinct trapdoors for finding short vectors. One trapdoor enables the real system to generate short vectors in all lattices in the family. The other trapdoor enables the simulator to generate short vectors for all lattices in the family except for one. We extend this basic technique to an adaptively-secure IBE and a Hierarchical IBE.",
isbn="978-3-642-13190-5"
}
@inproceedings{Regev,
author = {Regev, Oded},
year = {2005},
month = {01},
pages = {84-93},
title = {On Lattices, Learning with Errors, Random Linear Codes, and Cryptography},
volume = {56},
journal = {Journal of the ACM (JACM)},
doi = {10.1145/1568318.1568324}
}
@inproceedings{euledgers,
author = {Finck, Michèle},
year = {2019},
title = {Blockchain and the General Data Protection Regulation. Can distributed ledgers be squared with European data protection law?},
}
Copyright (c) 2020 International Journal of Electronics and Telecommunications
This work is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License.