PBES: a policy based encryption system with application to data sharing in the power grid

In distributed systems, users need the ability to share sensitive content with multiple other recipients based on their ability to satisfy arbitrary policies. One such system is the electricity grid, where fine-grained sensor data sharing holds the potential for increased reliability and efficiency. However, effective data sharing requires technical solutions that support flexible access policies, for example, sharing more data when the grid is unstable. In such systems, both the messages and the policies are sensitive and, therefore, need to be kept secret. Furthermore, for such a system to be secure and usable in the presence of untrusted object stores and relays, it must be resilient against active adversaries and provide efficient key management. While several of these properties have been studied in the past, we address a new problem in the area of policy-based encryption in that we develop a solution with all of these capabilities. We develop a Policy and Key Encapsulation Mechanism -- Data Encapsulation Mechanism (PKEM-DEM) encryption scheme that is a generic construction secure against adaptive chosen ciphertext attacks, and we develop a Policy Based Encryption System (PBES) using this scheme that provides these capabilities. We provide an implementation of PBES and measure its performance.
