SlideShare une entreprise Scribd logo

2018 acm-scc-presentation

IronCore Labs
IronCore Labs

A new approach to cryptographically enforced data access controls that uses public key cryptography to secure large numbers of documents with arbitrarily large numbers of authorized users. This approach uses a proxy re-encryption (PRE) scheme to handle the problems typical of public key cryptography including key management, rotation, and revocation, in a highly scalable way, while providing end-to-end encryption and provable access. Presented by Bob Wall at the 2018 ACM Cryptography Workshop in Incheon, Korea.

Technologie
1  sur  32
Télécharger pour lire hors ligne
Cryptographically Enforced Orthogonal Access Control at Scale
bobwall23 bob.wall@ironcorelabs.com zmre patrick.walsh@ironcorelabs.com Bob Wall Patrick Walsh
Cloud Services Mobile Devices Internet of Things Partners Employee Laptops *Uncontrolled and with minimal security Data is Distributed
Perimeter Security is No Longer Relevant APP
Vulnerabilities in Applications Network-layer App-layer 90% due to defects at the application layer. -DHS
Concerns Slow the Move to the Cloud Security • Data Breaches Privacy • Service provider access to data • Government access (subpoenas) Encryption in transit and at rest does almost nothing to address these concerns.
End-to-End Encryption Data secured on the device that generates it Data stays secured until accessed on a device that will consume it Keys should stay on the device - public key cryptography
Orthogonal Access Control Allows users to decide which groups are allowed to access data 
 Independently allows group administrators to control who belongs to those groups 
 Relies on cryptographically backed access control, rather than policy-based controls Makes each change to group membership, access grant, or access revocation a constant-time operation independent of number of users, groups, documents Build a system that:
Proxy Re-Encryption (PRE) Set of cryptographic algorithms based on public key encryption - often pairing- based cryptography
 Originally designed to allow the recipient of an encrypted message to delegate access to another party without sharing her private key
PRE algorithms typically include five cryptographic primitives: 1.Key Generation 2.Transform Key Generation 3.Encryption 4.Transformation (ReEncryption) 5.Decryption PRE Primitives
Transform Key Generation Delegator Public Key Private Key Delegatee Public Key Private KeyDelegatee Transform Key Proxy Delegator Private Key Public Key
Transform Key Proxy File Encrypted to Delegator File Encrypted to Delegatee Client Delegatee Private Key Recovered plaintext Delegation of Access
Introduce the concept of a group Create a group Encrypt document to the group Add a member to the group allows immediate access to document without requiring any modification Remove a member from the group removes access without modifying documents PRE for Orthogonal Access Control
Creating a Group 1. Create key pair for group 2. Encrypt group’s private key to creating user Group Public Key Private Key Creating User Public KeyPublic Key Private Key Group Encrypted Group Key Admin Key Private Key Creating User
Granting Access to a Group 1. Retrieve group’s public key 2. Encrypt document using that key Group Public Key Document Encrypted to Group
Adding a Member to a Group 1. Retrieve member’s public key 2. Retrieve group’s private key 3. Compute transform key from group to member 4. Save transform key on proxy Member Public Key Private Key Group Public KeyPublic Key Private Key Group Member Private Key Group to Member Transform Key
Group Member Accessing Document 1. Request document from storage 2. Send encrypted doc to proxy for transformation 3. Proxy locates transform key from group to user 4. Proxy applies transform to encrypted document 5. Device decrypts using user’s private key Transform Key Proxy Doc Encrypted to Group Doc Encrypted to User Client User Private Key Recovered plaintext
Removing a Member from a Group Group Admin Revokes Access from One User Group Admin Instructs Server to Delete Group to User Transform Key Group Users Unique Key Pairs
User will use one or more devices to generate or access data Instead of sharing user’s private key across devices, add another layer of delegation, from user to device Device private keys always stay on device Device access can be revoked if device is lost or compromised Improving Security
Multi-Hop PRE Document Encrypted to A A to B Transform Key Transformed Encrypted Document B Private Key Transformed Encrypted Document B to C Transform Key Transformed Encrypted Document Doubly Transformed Encrypted Document Private Key CDoubly Transformed Encrypted Document
System with Addition of Devices
Add Device to User Member Public Key Private Key Device Public KeyPublic Key Private Key Device Member Private Key User to Device Transform Key
Proxy searches for shortest path of transforms from document to device Doc shared with user, user approved device Doc shared with group, user belongs to group, user approved device Proxy applies transforms in succession to generate doc encrypted to device Device decrypts using private key Device Requests Access to Document
Algorithm Choice Selected multi-hop algorithm introduced by Wang and Cao in 2009 Algorithm was analyzed by Zhang and Wang in 2013 CCA security problems addressed by Cai and Liu in 2014 We simplify the algorithm because we only need one proxy and can do all transforms at one time
Still a revocation vulnerability if a group administrator gets the group private key, then is removed from the system. Group private key can be used to directly decrypt any data encrypted to the group, without transformation. Resolve by augmenting keys Additional Security Issue
Client generates key pair for group or user as before, sends to proxy. Proxy augments the public key, so that it is no longer mathematically related to the private key. Any time a transform key is generated from a group or user, the proxy augments the transform key using the same factor. Device keys are not augmented. Key Augmentation
Encrypt to User 1 Server Generated Group 1 Public Key Private Key Server Group 1 Public Key Private Key Group 1 Encrypted Private Key User 1 Device A Server Generated Group 1 Public KeyPublic Key Group 1 Augmented Public Key Group 1 Public KeyPublic Key Server Secure Storage Key Augmentation Process
Private key of group or user can no longer be used to decrypt. Only devices can decrypt data. Private key of group or user is only used to compute transform keys. Proxy is required to use augmenting private key when adding new transform keys, but otherwise transform process is not affected. Security Benefits
We have implemented the PRE primitives in a Scala library We use ScalaJS to generate a client-side Javascript library from the same source Library is open source, available on GitHub - IronCoreLabs/recrypt PRE Library
We built a Javascript SDK around the library SDK talks to a service that functions as the public key repository and transformation proxy Developers are free to try the system - https://docs.ironcorelabs.com has a Getting Started example Working System
Questions? Thanks to Madison Kerndt for her help with preparing the presentation.
Thank You bob.wall@ironcorelabs.com BobWall23 Bob Wall @ironcorelabs ironcorelabs.com

Recommandé

Enabling Secure Data Sharing Scheme in the Cloud Storage Groups
Enabling Secure Data Sharing Scheme in the Cloud Storage GroupsEnabling Secure Data Sharing Scheme in the Cloud Storage Groups
Enabling Secure Data Sharing Scheme in the Cloud Storage GroupsIRJET Journal
 
Enhanced Security Through Token
Enhanced Security Through TokenEnhanced Security Through Token
Enhanced Security Through TokenIRJET Journal
 
A Review on Key-Aggregate Cryptosystem for Climbable Knowledge Sharing in Clo...
A Review on Key-Aggregate Cryptosystem for Climbable Knowledge Sharing in Clo...A Review on Key-Aggregate Cryptosystem for Climbable Knowledge Sharing in Clo...
A Review on Key-Aggregate Cryptosystem for Climbable Knowledge Sharing in Clo...Editor IJCATR
 
Cisco Connect 2018 Thailand - Cybersecurity strategy an integrated approach k...
Cisco Connect 2018 Thailand - Cybersecurity strategy an integrated approach k...Cisco Connect 2018 Thailand - Cybersecurity strategy an integrated approach k...
Cisco Connect 2018 Thailand - Cybersecurity strategy an integrated approach k...NetworkCollaborators
 
Secure Data Sharing in Cloud through Limiting Trust in Third Party/Server
Secure Data Sharing in Cloud through Limiting Trust in Third Party/ServerSecure Data Sharing in Cloud through Limiting Trust in Third Party/Server
Secure Data Sharing in Cloud through Limiting Trust in Third Party/ServerIRJET Journal
 
[Cluj] Turn SSL ON
[Cluj] Turn SSL ON[Cluj] Turn SSL ON
[Cluj] Turn SSL ONOWASP EEE
 
Comparative analysis of authentication and authorization security in distribu...
Comparative analysis of authentication and authorization security in distribu...Comparative analysis of authentication and authorization security in distribu...
Comparative analysis of authentication and authorization security in distribu...eSAT Journals
 
IRJET - Providing High Securtiy for Encrypted Data in Cloud
IRJET - Providing High Securtiy for Encrypted Data in CloudIRJET - Providing High Securtiy for Encrypted Data in Cloud
IRJET - Providing High Securtiy for Encrypted Data in CloudIRJET Journal
 

Recommandé

Enabling Secure Data Sharing Scheme in the Cloud Storage Groups
Enabling Secure Data Sharing Scheme in the Cloud Storage GroupsEnabling Secure Data Sharing Scheme in the Cloud Storage Groups
Enabling Secure Data Sharing Scheme in the Cloud Storage GroupsIRJET Journal
 
Enhanced Security Through Token
Enhanced Security Through TokenEnhanced Security Through Token
Enhanced Security Through TokenIRJET Journal
 
A Review on Key-Aggregate Cryptosystem for Climbable Knowledge Sharing in Clo...
A Review on Key-Aggregate Cryptosystem for Climbable Knowledge Sharing in Clo...A Review on Key-Aggregate Cryptosystem for Climbable Knowledge Sharing in Clo...
A Review on Key-Aggregate Cryptosystem for Climbable Knowledge Sharing in Clo...Editor IJCATR
 
Cisco Connect 2018 Thailand - Cybersecurity strategy an integrated approach k...
Cisco Connect 2018 Thailand - Cybersecurity strategy an integrated approach k...Cisco Connect 2018 Thailand - Cybersecurity strategy an integrated approach k...
Cisco Connect 2018 Thailand - Cybersecurity strategy an integrated approach k...NetworkCollaborators
 
Secure Data Sharing in Cloud through Limiting Trust in Third Party/Server
Secure Data Sharing in Cloud through Limiting Trust in Third Party/ServerSecure Data Sharing in Cloud through Limiting Trust in Third Party/Server
Secure Data Sharing in Cloud through Limiting Trust in Third Party/ServerIRJET Journal
 
[Cluj] Turn SSL ON
[Cluj] Turn SSL ON[Cluj] Turn SSL ON
[Cluj] Turn SSL ONOWASP EEE
 
Comparative analysis of authentication and authorization security in distribu...
Comparative analysis of authentication and authorization security in distribu...Comparative analysis of authentication and authorization security in distribu...
Comparative analysis of authentication and authorization security in distribu...eSAT Journals
 
IRJET - Providing High Securtiy for Encrypted Data in Cloud
IRJET - Providing High Securtiy for Encrypted Data in CloudIRJET - Providing High Securtiy for Encrypted Data in Cloud
IRJET - Providing High Securtiy for Encrypted Data in CloudIRJET Journal
 
Vulnerability Assesment Subscriptions Cyber51
Vulnerability Assesment Subscriptions Cyber51Vulnerability Assesment Subscriptions Cyber51
Vulnerability Assesment Subscriptions Cyber51martinvoelk
 
Using Multiple Antivirus Engine Scanning to Protect Critical Infrastructure
Using Multiple Antivirus Engine Scanning to Protect Critical InfrastructureUsing Multiple Antivirus Engine Scanning to Protect Critical Infrastructure
Using Multiple Antivirus Engine Scanning to Protect Critical InfrastructureOPSWAT
 
Introduction to the CSA Cloud Controls Matrix
Introduction to the CSA Cloud Controls MatrixIntroduction to the CSA Cloud Controls Matrix
Introduction to the CSA Cloud Controls MatrixJohn Yeoh
 
Data Security Essentials for Cloud Computing - JavaOne 2013
Data Security Essentials for Cloud Computing - JavaOne 2013Data Security Essentials for Cloud Computing - JavaOne 2013
Data Security Essentials for Cloud Computing - JavaOne 2013javagroup2006
 
Application of CP-ABE Scheme in Data Sharing System for confidentiality
Application of CP-ABE Scheme in Data Sharing System for confidentialityApplication of CP-ABE Scheme in Data Sharing System for confidentiality
Application of CP-ABE Scheme in Data Sharing System for confidentialityEditor IJMTER
 
Cloud Security Guide - Ref Architecture and Gov. Model
Cloud Security Guide - Ref Architecture and Gov. ModelCloud Security Guide - Ref Architecture and Gov. Model
Cloud Security Guide - Ref Architecture and Gov. ModelVishal Sharma
 
FILESHADER: ENTRUSTED DATA INTEGRATION USING HASH SERVER
FILESHADER: ENTRUSTED DATA INTEGRATION USING HASH SERVER FILESHADER: ENTRUSTED DATA INTEGRATION USING HASH SERVER
FILESHADER: ENTRUSTED DATA INTEGRATION USING HASH SERVER csandit
 
key management in cryptography and network security
key management in cryptography and network securitykey management in cryptography and network security
key management in cryptography and network securitySri Latha
 
key management
key management key management
key managementVIRAJRATHOD8
 
Key management and distribution
Key management and distributionKey management and distribution
Key management and distributionRiya Choudhary
 
A secure anti collision data sharing scheme in dynamic groups in the cloud
A secure anti collision data sharing scheme in dynamic groups in the cloudA secure anti collision data sharing scheme in dynamic groups in the cloud
A secure anti collision data sharing scheme in dynamic groups in the cloudCrystalRose25
 
A secure anti collusion data sharing scheme for dynamic groups in the cloud
A secure anti collusion data sharing scheme for dynamic groups in the cloudA secure anti collusion data sharing scheme for dynamic groups in the cloud
A secure anti collusion data sharing scheme for dynamic groups in the cloudKamal Spring
 
A secure anti collision data sharing
A secure anti collision data sharingA secure anti collision data sharing
A secure anti collision data sharingCrystalRose25
 
enhanced secure multi keyword top k retrieval in cloud
enhanced secure multi keyword top k retrieval in cloudenhanced secure multi keyword top k retrieval in cloud
enhanced secure multi keyword top k retrieval in cloudINFOGAIN PUBLICATION
 
H0362052056
H0362052056H0362052056
H0362052056inventionjournals
 
A Survey on Assured deletion and Access Control
A Survey on Assured deletion and Access ControlA Survey on Assured deletion and Access Control
A Survey on Assured deletion and Access ControlAM Publications
 
CSI-503 - 10. Security & Protection (Operating System)
CSI-503 - 10. Security & Protection (Operating System) CSI-503 - 10. Security & Protection (Operating System)
CSI-503 - 10. Security & Protection (Operating System) ghayour abbas
 
IJSRED-V2I5P16
IJSRED-V2I5P16IJSRED-V2I5P16
IJSRED-V2I5P16IJSRED
 
Paper2
Paper2Paper2
Paper2Vikas Khairnar
 
Mona final review
Mona final reviewMona final review
Mona final reviewsudheer kumar
 
Securing data at rest with encryption
Securing data at rest with encryptionSecuring data at rest with encryption
Securing data at rest with encryptionRuban Deventhiran
 
Security On The Cloud
Security On The CloudSecurity On The Cloud
Security On The CloudTu Pham
 

Contenu connexe

Tendances

Vulnerability Assesment Subscriptions Cyber51
Vulnerability Assesment Subscriptions Cyber51Vulnerability Assesment Subscriptions Cyber51
Vulnerability Assesment Subscriptions Cyber51martinvoelk
 
Using Multiple Antivirus Engine Scanning to Protect Critical Infrastructure
Using Multiple Antivirus Engine Scanning to Protect Critical InfrastructureUsing Multiple Antivirus Engine Scanning to Protect Critical Infrastructure
Using Multiple Antivirus Engine Scanning to Protect Critical InfrastructureOPSWAT
 
Introduction to the CSA Cloud Controls Matrix
Introduction to the CSA Cloud Controls MatrixIntroduction to the CSA Cloud Controls Matrix
Introduction to the CSA Cloud Controls MatrixJohn Yeoh
 
Data Security Essentials for Cloud Computing - JavaOne 2013
Data Security Essentials for Cloud Computing - JavaOne 2013Data Security Essentials for Cloud Computing - JavaOne 2013
Data Security Essentials for Cloud Computing - JavaOne 2013javagroup2006
 
Application of CP-ABE Scheme in Data Sharing System for confidentiality
Application of CP-ABE Scheme in Data Sharing System for confidentialityApplication of CP-ABE Scheme in Data Sharing System for confidentiality
Application of CP-ABE Scheme in Data Sharing System for confidentialityEditor IJMTER
 
Cloud Security Guide - Ref Architecture and Gov. Model
Cloud Security Guide - Ref Architecture and Gov. ModelCloud Security Guide - Ref Architecture and Gov. Model
Cloud Security Guide - Ref Architecture and Gov. ModelVishal Sharma
 
FILESHADER: ENTRUSTED DATA INTEGRATION USING HASH SERVER
FILESHADER: ENTRUSTED DATA INTEGRATION USING HASH SERVER FILESHADER: ENTRUSTED DATA INTEGRATION USING HASH SERVER
FILESHADER: ENTRUSTED DATA INTEGRATION USING HASH SERVER csandit
 

Tendances (7)

Vulnerability Assesment Subscriptions Cyber51
Vulnerability Assesment Subscriptions Cyber51Vulnerability Assesment Subscriptions Cyber51
Vulnerability Assesment Subscriptions Cyber51
 
Using Multiple Antivirus Engine Scanning to Protect Critical Infrastructure
Using Multiple Antivirus Engine Scanning to Protect Critical InfrastructureUsing Multiple Antivirus Engine Scanning to Protect Critical Infrastructure
Using Multiple Antivirus Engine Scanning to Protect Critical Infrastructure
 
Introduction to the CSA Cloud Controls Matrix
Introduction to the CSA Cloud Controls MatrixIntroduction to the CSA Cloud Controls Matrix
Introduction to the CSA Cloud Controls Matrix
 
Data Security Essentials for Cloud Computing - JavaOne 2013
Data Security Essentials for Cloud Computing - JavaOne 2013Data Security Essentials for Cloud Computing - JavaOne 2013
Data Security Essentials for Cloud Computing - JavaOne 2013
 
Application of CP-ABE Scheme in Data Sharing System for confidentiality
Application of CP-ABE Scheme in Data Sharing System for confidentialityApplication of CP-ABE Scheme in Data Sharing System for confidentiality
Application of CP-ABE Scheme in Data Sharing System for confidentiality
 
Cloud Security Guide - Ref Architecture and Gov. Model
Cloud Security Guide - Ref Architecture and Gov. ModelCloud Security Guide - Ref Architecture and Gov. Model
Cloud Security Guide - Ref Architecture and Gov. Model
 
FILESHADER: ENTRUSTED DATA INTEGRATION USING HASH SERVER
FILESHADER: ENTRUSTED DATA INTEGRATION USING HASH SERVER FILESHADER: ENTRUSTED DATA INTEGRATION USING HASH SERVER
FILESHADER: ENTRUSTED DATA INTEGRATION USING HASH SERVER
 

Similaire à 2018 acm-scc-presentation

key management in cryptography and network security
key management in cryptography and network securitykey management in cryptography and network security
key management in cryptography and network securitySri Latha
 
Key management and distribution
Key management and distributionKey management and distribution
Key management and distributionRiya Choudhary
 
A secure anti collision data sharing scheme in dynamic groups in the cloud
A secure anti collision data sharing scheme in dynamic groups in the cloudA secure anti collision data sharing scheme in dynamic groups in the cloud
A secure anti collision data sharing scheme in dynamic groups in the cloudCrystalRose25
 
A secure anti collusion data sharing scheme for dynamic groups in the cloud
A secure anti collusion data sharing scheme for dynamic groups in the cloudA secure anti collusion data sharing scheme for dynamic groups in the cloud
A secure anti collusion data sharing scheme for dynamic groups in the cloudKamal Spring
 
A secure anti collision data sharing
A secure anti collision data sharingA secure anti collision data sharing
A secure anti collision data sharingCrystalRose25
 
enhanced secure multi keyword top k retrieval in cloud
enhanced secure multi keyword top k retrieval in cloudenhanced secure multi keyword top k retrieval in cloud
enhanced secure multi keyword top k retrieval in cloudINFOGAIN PUBLICATION
 
A Survey on Assured deletion and Access Control
A Survey on Assured deletion and Access ControlA Survey on Assured deletion and Access Control
A Survey on Assured deletion and Access ControlAM Publications
 
CSI-503 - 10. Security & Protection (Operating System)
CSI-503 - 10. Security & Protection (Operating System) CSI-503 - 10. Security & Protection (Operating System)
CSI-503 - 10. Security & Protection (Operating System) ghayour abbas
 
IJSRED-V2I5P16
IJSRED-V2I5P16IJSRED-V2I5P16
IJSRED-V2I5P16IJSRED
 
Securing data at rest with encryption
Securing data at rest with encryptionSecuring data at rest with encryption
Securing data at rest with encryptionRuban Deventhiran
 
Security On The Cloud
Security On The CloudSecurity On The Cloud
Security On The CloudTu Pham
 
secure multi-owner data sharing for dynamic groups
secure multi-owner data sharing for dynamic groupssecure multi-owner data sharing for dynamic groups
secure multi-owner data sharing for dynamic groupsSuchithra Balan
 
Decentralized access control with authentication anonymous of data stored in ...
Decentralized access control with authentication anonymous of data stored in ...Decentralized access control with authentication anonymous of data stored in ...
Decentralized access control with authentication anonymous of data stored in ...Guellord Mpia
 
Final Project – Incident Response Exercise SAMPLE.docx
Final Project – Incident Response Exercise SAMPLE.docxFinal Project – Incident Response Exercise SAMPLE.docx
Final Project – Incident Response Exercise SAMPLE.docxlmelaine
 
Mona secure multi owner data sharing for dynamic groups in the cloud
Mona secure multi owner data sharing for dynamic groups in the cloudMona secure multi owner data sharing for dynamic groups in the cloud
Mona secure multi owner data sharing for dynamic groups in the cloudJPINFOTECH JAYAPRAKASH
 
Secure Authorised De-duplication using Convergent Encryption Technique
Secure Authorised De-duplication using Convergent Encryption TechniqueSecure Authorised De-duplication using Convergent Encryption Technique
Secure Authorised De-duplication using Convergent Encryption TechniqueEswar Publications
 

Similaire à 2018 acm-scc-presentation (20)

key management in cryptography and network security
key management in cryptography and network securitykey management in cryptography and network security
key management in cryptography and network security
 
key management
key management key management
key management
 
Key management and distribution
Key management and distributionKey management and distribution
Key management and distribution
 
A secure anti collision data sharing scheme in dynamic groups in the cloud
A secure anti collision data sharing scheme in dynamic groups in the cloudA secure anti collision data sharing scheme in dynamic groups in the cloud
A secure anti collision data sharing scheme in dynamic groups in the cloud
 
A secure anti collusion data sharing scheme for dynamic groups in the cloud
A secure anti collusion data sharing scheme for dynamic groups in the cloudA secure anti collusion data sharing scheme for dynamic groups in the cloud
A secure anti collusion data sharing scheme for dynamic groups in the cloud
 
A secure anti collision data sharing
A secure anti collision data sharingA secure anti collision data sharing
A secure anti collision data sharing
 
enhanced secure multi keyword top k retrieval in cloud
enhanced secure multi keyword top k retrieval in cloudenhanced secure multi keyword top k retrieval in cloud
enhanced secure multi keyword top k retrieval in cloud
 
H0362052056
H0362052056H0362052056
H0362052056
 
A Survey on Assured deletion and Access Control
A Survey on Assured deletion and Access ControlA Survey on Assured deletion and Access Control
A Survey on Assured deletion and Access Control
 
CSI-503 - 10. Security & Protection (Operating System)
CSI-503 - 10. Security & Protection (Operating System) CSI-503 - 10. Security & Protection (Operating System)
CSI-503 - 10. Security & Protection (Operating System)
 
IJSRED-V2I5P16
IJSRED-V2I5P16IJSRED-V2I5P16
IJSRED-V2I5P16
 
Paper2
Paper2Paper2
Paper2
 
Mona final review
Mona final reviewMona final review
Mona final review
 
Securing data at rest with encryption
Securing data at rest with encryptionSecuring data at rest with encryption
Securing data at rest with encryption
 
Security On The Cloud
Security On The CloudSecurity On The Cloud
Security On The Cloud
 
secure multi-owner data sharing for dynamic groups
secure multi-owner data sharing for dynamic groupssecure multi-owner data sharing for dynamic groups
secure multi-owner data sharing for dynamic groups
 
Decentralized access control with authentication anonymous of data stored in ...
Decentralized access control with authentication anonymous of data stored in ...Decentralized access control with authentication anonymous of data stored in ...
Decentralized access control with authentication anonymous of data stored in ...
 
Final Project – Incident Response Exercise SAMPLE.docx
Final Project – Incident Response Exercise SAMPLE.docxFinal Project – Incident Response Exercise SAMPLE.docx
Final Project – Incident Response Exercise SAMPLE.docx
 
Mona secure multi owner data sharing for dynamic groups in the cloud
Mona secure multi owner data sharing for dynamic groups in the cloudMona secure multi owner data sharing for dynamic groups in the cloud
Mona secure multi owner data sharing for dynamic groups in the cloud
 
Secure Authorised De-duplication using Convergent Encryption Technique
Secure Authorised De-duplication using Convergent Encryption TechniqueSecure Authorised De-duplication using Convergent Encryption Technique
Secure Authorised De-duplication using Convergent Encryption Technique
 

Plus de IronCore Labs

Rethinking the Enterprise Perimeter | SnowFROC Presentation
Rethinking the Enterprise Perimeter | SnowFROC PresentationRethinking the Enterprise Perimeter | SnowFROC Presentation
Rethinking the Enterprise Perimeter | SnowFROC PresentationIronCore Labs
 
How to Eat the Privacy and Security Elephant One Bite at a Time
How to Eat the Privacy and Security Elephant One Bite at a TimeHow to Eat the Privacy and Security Elephant One Bite at a Time
How to Eat the Privacy and Security Elephant One Bite at a TimeIronCore Labs
 
CCPA: What You Need to Know
CCPA: What You Need to KnowCCPA: What You Need to Know
CCPA: What You Need to KnowIronCore Labs
 
How to Add Data Privacy to Your Angular Application
How to Add Data Privacy to Your Angular ApplicationHow to Add Data Privacy to Your Angular Application
How to Add Data Privacy to Your Angular ApplicationIronCore Labs
 
How to Add End-to-End Encryption to Your React App
How to Add End-to-End Encryption to Your React AppHow to Add End-to-End Encryption to Your React App
How to Add End-to-End Encryption to Your React AppIronCore Labs
 
Pairing Based Transform Cryptography (Proxy Re-Encryption - PRE)
Pairing Based Transform Cryptography (Proxy Re-Encryption - PRE)Pairing Based Transform Cryptography (Proxy Re-Encryption - PRE)
Pairing Based Transform Cryptography (Proxy Re-Encryption - PRE)IronCore Labs
 
The Internet is a dog-eat-dog world and your app is clad in Milk Bone underwear
The Internet is a dog-eat-dog world and your app is clad in Milk Bone underwearThe Internet is a dog-eat-dog world and your app is clad in Milk Bone underwear
The Internet is a dog-eat-dog world and your app is clad in Milk Bone underwearIronCore Labs
 

Plus de IronCore Labs (7)

Rethinking the Enterprise Perimeter | SnowFROC Presentation
Rethinking the Enterprise Perimeter | SnowFROC PresentationRethinking the Enterprise Perimeter | SnowFROC Presentation
Rethinking the Enterprise Perimeter | SnowFROC Presentation
 
How to Eat the Privacy and Security Elephant One Bite at a Time
How to Eat the Privacy and Security Elephant One Bite at a TimeHow to Eat the Privacy and Security Elephant One Bite at a Time
How to Eat the Privacy and Security Elephant One Bite at a Time
 
CCPA: What You Need to Know
CCPA: What You Need to KnowCCPA: What You Need to Know
CCPA: What You Need to Know
 
How to Add Data Privacy to Your Angular Application
How to Add Data Privacy to Your Angular ApplicationHow to Add Data Privacy to Your Angular Application
How to Add Data Privacy to Your Angular Application
 
How to Add End-to-End Encryption to Your React App
How to Add End-to-End Encryption to Your React AppHow to Add End-to-End Encryption to Your React App
How to Add End-to-End Encryption to Your React App
 
Pairing Based Transform Cryptography (Proxy Re-Encryption - PRE)
Pairing Based Transform Cryptography (Proxy Re-Encryption - PRE)Pairing Based Transform Cryptography (Proxy Re-Encryption - PRE)
Pairing Based Transform Cryptography (Proxy Re-Encryption - PRE)
 
The Internet is a dog-eat-dog world and your app is clad in Milk Bone underwear
The Internet is a dog-eat-dog world and your app is clad in Milk Bone underwearThe Internet is a dog-eat-dog world and your app is clad in Milk Bone underwear
The Internet is a dog-eat-dog world and your app is clad in Milk Bone underwear
 

Dernier

Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfRankYa
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Wonjun Hwang
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embeddingZilliz
 
Vector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesVector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesZilliz
 

Dernier (20)

Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdf
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embedding
 
Vector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesVector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector Databases
 

2018 acm-scc-presentation

  • 3. Cloud Services Mobile Devices Internet of Things Partners Employee Laptops *Uncontrolled and with minimal security Data is Distributed
  • 4. Perimeter Security is No Longer Relevant APP
  • 5. Vulnerabilities in Applications Network-layer App-layer 90% due to defects at the application layer. -DHS
  • 6. Concerns Slow the Move to the Cloud Security • Data Breaches Privacy • Service provider access to data • Government access (subpoenas) Encryption in transit and at rest does almost nothing to address these concerns.
  • 7. End-to-End Encryption Data secured on the device that generates it Data stays secured until accessed on a device that will consume it Keys should stay on the device - public key cryptography
  • 8. Orthogonal Access Control Allows users to decide which groups are allowed to access data 
 Independently allows group administrators to control who belongs to those groups 
 Relies on cryptographically backed access control, rather than policy-based controls Makes each change to group membership, access grant, or access revocation a constant-time operation independent of number of users, groups, documents Build a system that:
  • 9. Proxy Re-Encryption (PRE) Set of cryptographic algorithms based on public key encryption - often pairing- based cryptography
 Originally designed to allow the recipient of an encrypted message to delegate access to another party without sharing her private key
  • 10. PRE algorithms typically include five cryptographic primitives: 1.Key Generation 2.Transform Key Generation 3.Encryption 4.Transformation (ReEncryption) 5.Decryption PRE Primitives
  • 11. Transform Key Generation Delegator Public Key Private Key Delegatee Public Key Private KeyDelegatee Transform Key Proxy Delegator Private Key Public Key
  • 12. Transform Key Proxy File Encrypted to Delegator File Encrypted to Delegatee Client Delegatee Private Key Recovered plaintext Delegation of Access
  • 13. Introduce the concept of a group Create a group Encrypt document to the group Add a member to the group allows immediate access to document without requiring any modification Remove a member from the group removes access without modifying documents PRE for Orthogonal Access Control
  • 14. Creating a Group 1. Create key pair for group 2. Encrypt group’s private key to creating user Group Public Key Private Key Creating User Public KeyPublic Key Private Key Group Encrypted Group Key Admin Key Private Key Creating User
  • 15. Granting Access to a Group 1. Retrieve group’s public key 2. Encrypt document using that key Group Public Key Document Encrypted to Group
  • 16. Adding a Member to a Group 1. Retrieve member’s public key 2. Retrieve group’s private key 3. Compute transform key from group to member 4. Save transform key on proxy Member Public Key Private Key Group Public KeyPublic Key Private Key Group Member Private Key Group to Member Transform Key
  • 17. Group Member Accessing Document 1. Request document from storage 2. Send encrypted doc to proxy for transformation 3. Proxy locates transform key from group to user 4. Proxy applies transform to encrypted document 5. Device decrypts using user’s private key Transform Key Proxy Doc Encrypted to Group Doc Encrypted to User Client User Private Key Recovered plaintext
  • 18. Removing a Member from a Group Group Admin Revokes Access from One User Group Admin Instructs Server to Delete Group to User Transform Key Group Users Unique Key Pairs
  • 19. User will use one or more devices to generate or access data Instead of sharing user’s private key across devices, add another layer of delegation, from user to device Device private keys always stay on device Device access can be revoked if device is lost or compromised Improving Security
  • 20. Multi-Hop PRE Document Encrypted to A A to B Transform Key Transformed Encrypted Document B Private Key Transformed Encrypted Document B to C Transform Key Transformed Encrypted Document Doubly Transformed Encrypted Document Private Key CDoubly Transformed Encrypted Document
  • 21. System with Addition of Devices
  • 22. Add Device to User Member Public Key Private Key Device Public KeyPublic Key Private Key Device Member Private Key User to Device Transform Key
  • 23. Proxy searches for shortest path of transforms from document to device Doc shared with user, user approved device Doc shared with group, user belongs to group, user approved device Proxy applies transforms in succession to generate doc encrypted to device Device decrypts using private key Device Requests Access to Document
  • 24. Algorithm Choice Selected multi-hop algorithm introduced by Wang and Cao in 2009 Algorithm was analyzed by Zhang and Wang in 2013 CCA security problems addressed by Cai and Liu in 2014 We simplify the algorithm because we only need one proxy and can do all transforms at one time
  • 25. Still a revocation vulnerability if a group administrator gets the group private key, then is removed from the system. Group private key can be used to directly decrypt any data encrypted to the group, without transformation. Resolve by augmenting keys Additional Security Issue
  • 26. Client generates key pair for group or user as before, sends to proxy. Proxy augments the public key, so that it is no longer mathematically related to the private key. Any time a transform key is generated from a group or user, the proxy augments the transform key using the same factor. Device keys are not augmented. Key Augmentation
  • 27. Encrypt to User 1 Server Generated Group 1 Public Key Private Key Server Group 1 Public Key Private Key Group 1 Encrypted Private Key User 1 Device A Server Generated Group 1 Public KeyPublic Key Group 1 Augmented Public Key Group 1 Public KeyPublic Key Server Secure Storage Key Augmentation Process
  • 28. Private key of group or user can no longer be used to decrypt. Only devices can decrypt data. Private key of group or user is only used to compute transform keys. Proxy is required to use augmenting private key when adding new transform keys, but otherwise transform process is not affected. Security Benefits
  • 29. We have implemented the PRE primitives in a Scala library We use ScalaJS to generate a client-side Javascript library from the same source Library is open source, available on GitHub - IronCoreLabs/recrypt PRE Library
  • 30. We built a Javascript SDK around the library SDK talks to a service that functions as the public key repository and transformation proxy Developers are free to try the system - https://docs.ironcorelabs.com has a Getting Started example Working System
  • 31. Questions? Thanks to Madison Kerndt for her help with preparing the presentation.