Research article. DOI: 10.1145/3078861.3078868

A Framework for the Cryptographic Enforcement of Information Flow Policies

Published: 07 June 2017

Abstract

It is increasingly common to outsource data storage to untrusted, third-party (e.g. cloud) servers. However, in such settings, low-level online reference monitors may not be appropriate for enforcing read access, and thus cryptographic enforcement schemes (CESs) may be required. Much of the research on cryptographic access control has focused on the use of specific primitives and, primarily, on how to generate appropriate keys, and fails to model the access control system as a whole. Recent work in the context of role-based access control has shown a gap between theoretical policy specification and computationally secure implementations of access control policies, potentially leading to insecure implementations. Without a formal model, it is hard to (i) reason about the correctness and security of a CES, and (ii) show that the security properties of a particular cryptographic primitive are sufficient to guarantee security of the CES as a whole.
In this paper, we provide a rigorous definitional framework for a CES that enforces read-only information flow policies (which encompass many practical forms of access control, including role-based policies). This framework (i) provides a tool by which instantiations of CESs can be proven correct and secure, (ii) is independent of any particular cryptographic primitives used to instantiate a CES, and (iii) helps to identify the limitations of current primitives (e.g. key assignment schemes) as components of a CES.

        Published In

        SACMAT '17 Abstracts: Proceedings of the 22nd ACM on Symposium on Access Control Models and Technologies
        June 2017
        276 pages
        ISBN:9781450347020
        DOI:10.1145/3078861

        Publisher

        Association for Computing Machinery

        New York, NY, United States

        Author Tags

        1. access control
        2. attribute-based encryption
        3. cryptographic enforcement scheme
        4. cryptography
        5. information flow policy
        6. key assignment scheme

        Qualifiers

        • Research-article

        Conference

        SACMAT'17

        Acceptance Rates

        SACMAT '17 Abstracts Paper Acceptance Rate 14 of 50 submissions, 28%;
        Overall Acceptance Rate 177 of 597 submissions, 30%
