In distributed systems users often need to share sensitive data with other users based on the latter’s ability to satisfy various policies. In many cases the data owner may not even know the identities of the data recipients, but deems it crucial that they are legitimate; i.e., satisfy the policy. Enabling such data sharing over the Internet faces the challenge of (1) securely associating access policies with data and enforcing them, and (2) protecting data as it traverses untrusted proxies and intermediate repositories. Furthermore, it is desirable to achieve properties such as: (1) flexibility of access policies; (2) privacy of sensitive access policies; (3) minimal reliance on trusted third parties; and (4) efficiency of access policy enforcement. Often schemes enabling controlled data sharing need to trade one property for another.
In this talk, we will present two complementary policy-based data sharing schemes that achieve different subsets of the above desired properties. The first scheme, Ciphertext-Policy Attribute-Set Based Encryption (CP-ASBE), is a form of Ciphertext-Policy Attribute-Based Encryption (CP-ABE). It specifies and enforces access policies cryptographically and thus eliminates trusted mediators. While the CP-ASBE scheme minimizes reliance on trusted mediators, it can support neither context-based policies nor policy privacy. The second scheme, Policy Based Encryption System (PBES), is based on hybrid encryption paradigm and employs mediated decryption. It supports both context-based policies and policy privacy. We will present the salient features of each scheme and discuss integration with practical applications.
Rakesh Bobba is a Security Engineer at the National Center for Supercomputing Applications (NCSA) at the University of Illinois at Urbana-Champaign. He received his M.S. and a Ph.D. from the University of Maryland, College Park in 2007 and 2009 respectively. His research interests are in distributed system security and critical infrastructure protection. Topics of interest include authentication, access control, key management, security protocols and their formal analysis, and applied cryptography, among others. He is currently involved in the design and development of secure communication and data sharing infrastructures for the next-generation Power Grid, and in the design of secure attribute-based systems.