The Cloud we Share: Access Control on Symmetrically Encrypted Data in Untrusted Clouds

Along with the rapid growth of cloud environments, rises the problem of secure data storage–a problem that both businesses and end-users take into consideration before moving their data online. Recently, a lot of solutions have been proposed based either on Symmetric Searchable Encryption (SSE) or Attribute-Based Encryption (ABE). SSE is an encryption technique that offers security against both internal and external attacks. However, since in an SSE scheme, a single key is used to encrypt everything, revoking a user would imply downloading the entire encrypted database and re-encrypt it with a fresh key. On the other hand, in an ABE scheme, the problem of revocation can be addressed. Unfortunately, though, the proposed solutions are based on the properties of the underlying ABE scheme and hence, the revocation costs grow along with the complexity of the policies. To this end, we use these two cryptographic techniques that squarely fit cloud-based environments to design a hybrid encryption scheme based on ABE and SSE in such a way that we utilize the best out of both of them. Moreover, we exploit the functionalities offered by Intel’s SGX to design a revocation mechanism and an access control one, that are agnostic to the cryptographic primitives used in our construction.

[1]  Vipul Goyal,et al.  Identity-based encryption with efficient revocation , 2008, IACR Cryptol. ePrint Arch..

[2]  Nicolae Paladi,et al.  Providing User Security Guarantees in Public Infrastructure Clouds , 2017, IEEE Transactions on Cloud Computing.

[3]  Srinivas Devadas,et al.  Intel SGX Explained , 2016, IACR Cryptol. ePrint Arch..

[4]  Marcus Peinado,et al.  Inferring Fine-grained Control Flow Inside SGX Enclaves with Branch Shadowing , 2016, USENIX Security Symposium.

[5]  Brice Minaud,et al.  Forward and Backward Private Searchable Encryption from Constrained Cryptographic Primitives , 2017, CCS.

[6]  Dan Boneh,et al.  IRON: Functional Encryption using Intel SGX , 2017, CCS.

[7]  Raphael Bost,et al.  ∑oφoς: Forward Secure Searchable Encryption , 2016, CCS.

[8]  Hai-Van Dang,et al.  ABSTRACT: Access Control in Searchable Encryption with the use of Attribute-Based Encryption and SGX , 2019, CCSW@CCS.

[9]  Marcus Peinado,et al.  Controlled-Channel Attacks: Deterministic Side Channels for Untrusted Operating Systems , 2015, 2015 IEEE Symposium on Security and Privacy.

[10]  Alptekin Küpçü,et al.  Efficient Dynamic Searchable Encryption with Forward Privacy , 2017, Proc. Priv. Enhancing Technol..

[11]  Dan Boneh,et al.  Hierarchical Identity Based Encryption with Constant Size Ciphertext , 2005, EUROCRYPT.

[12]  Ahmad-Reza Sadeghi,et al.  HardIDX: Practical and Secure Index with SGX , 2017, DBSec.

[13]  Rafail Ostrovsky,et al.  Public Key Encryption with Keyword Search , 2004, EUROCRYPT.

[14]  Alexandros Bakas,et al.  Multi-Client Symmetric Searchable Encryption with Forward Privacy , 2019, IACR Cryptol. ePrint Arch..

[15]  Alexandros Bakas,et al.  Modern Family: A Revocable Hybrid Encryption Scheme Based on Attribute-Based Encryption, Symmetric Searchable Encryption and SGX , 2019, IACR Cryptol. ePrint Arch..

[16]  Rüdiger Kapitza,et al.  AsyncShock: Exploiting Synchronisation Bugs in Intel SGX Enclaves , 2016, ESORICS.

[17]  Yaling Zhang,et al.  Traceable ciphertext-policy attribute-based encryption scheme with attribute level user revocation for cloud storage , 2018, PloS one.

[18]  Brent Waters,et al.  Ciphertext-Policy Attribute-Based Encryption , 2007, 2007 IEEE Symposium on Security and Privacy (SP '07).

[19]  Steven Myers,et al.  Practical Revocation and Key Rotation , 2018, CT-RSA.

[20]  Tsz Hon Yuen,et al.  Time-Based Direct Revocable Ciphertext-Policy Attribute-Based Encryption with Short Revocation List , 2018, IACR Cryptol. ePrint Arch..

[21]  Victor Boyko,et al.  On the Security Properties of OAEP as an All-or-Nothing Transform , 1999, CRYPTO.

[22]  Antonis Michalas,et al.  The lord of the shares: combining attribute-based encryption and searchable encryption for flexible data sharing , 2019, IACR Cryptol. ePrint Arch..

[23]  Rafael Dowsley,et al.  A survey on design and implementation of protected searchable data in the cloud , 2017, Comput. Sci. Rev..

[24]  Seny Kamara,et al.  Forward and Backward Private Searchable Encryption with SGX , 2019, EuroSec@EuroSys.

[25]  Melissa Chase,et al.  FAME: Fast Attribute-based Message Encryption , 2017, CCS.

[26]  Alexandros Bakas,et al.  Power Range: Forward Private Multi-Client Symmetric Searchable Encryption with Range Queries Support , 2020, 2020 IEEE Symposium on Computers and Communications (ISCC).