STRONG DATA PRIVACY AND SECURITY FOR THE IOT
François Ambrosini, ETSI TC CYBER STF 529, IBIT Ambrosini UG
© ETSI 2017. All rights reserved
Extending access control in oneM2M systems with Attribute Based Encryption
Outline
Introduction and objectives
Limitations of traditional public key encryption for access control
Getting to know Attribute‐Based Encryption (ABE)
Operational models
Integrating ABE in the access control stack
Example usage in oneM2M
Outlook and conclusion
Introduction
ETSI Specialist Task Force 529, under supervision of TC CYBER, is currently developing an access control toolkit leveraging Attribute Based Encryption (ABE)
Objective: access control using encryption
• Bind access control to encrypted data
• Protect data during the complete lifecycle
• Goes beyond real‐time access control
A toolbox
• Addressing Cloud, Mobile, and IoT
• That other Standard Defining Organisations can pick up
• Focusing on interoperability (ontologies and existing access control systems)
Applicable to oneM2M, would complement real‐time access control
Why ABE? Limitations of Traditional Public Key Encryption for access control
[Diagram (simplified example), steps 1 to 4, between a Data Owner and Recipients. Labels: setup (Kpriv, Kpub); requests; shares; encrypts; decrypts; cleartext, ciphertext, cleartext]
How can the data owner share with many recipients and enforce access control?
• Obtain Kpub from each recipient and encrypt for each recipient
• Does not scale, puts constraints on the data owner
Does not allow recipients to share data among themselves, under data owner control
Getting to know ABE (1)
Many‐to‐many encryption scheme
Based on a secret sharing scheme (a secret is split into shares) mapped to attributes and policies
The data owner remains in control
• The setup phase allows attributes to be declared; a Master Secret Key (MSK) and a Master Public Key (MPK) are generated
• The Master Secret Key allows private keys to be generated
• Because the data owner holds the Master Secret Key, only the data owner can issue private keys
Scales better for the data owner
[Diagram, between a Data Owner, a Recipient ("Could also be devices or services…") and Other recipients. Step 1: setup (MSK, MPK). Step 2: provisioning; labels: requests a private key; evaluates request and generates Kpriv; returns Kpriv]
Getting to know ABE (2)
Example using Ciphertext Policy ABE (CP‐ABE), a variant of ABE where the policy is in the encrypted data
[Diagram. Step 3, encrypts: expense report + Policy gives encrypted expense report. Step 4, decrypts: a Recipient with role == CFO turns the encrypted expense report back into the expense report]
Policy:
( (service == finance) AND (role == auditor) ) OR (role == CFO)
If a branch of the policy is satisfied, the recipient has enough shares to recover the secret and perform decryption
Similar to permit‐override combining algorithm in XACML & oneM2M
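The secret-sharing idea behind the CP‐ABE slide, as an added Python example that is not part of the original presentation: a secret is split over the slide's policy tree (OR copies the secret, AND splits it into XOR shares) and can be rebuilt only from a satisfied branch. It models the sharing structure only; the pairing-based key material of a real scheme, which also stops recipients from pooling their shares, is left out, and the tree encoding, function names and attribute strings are assumptions.

```python
import secrets
from functools import reduce

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

# The slide's policy as a tree (encoding and attribute strings are constructed).
POLICY = ("OR", [
    ("AND", [("ATTR", "service=finance"), ("ATTR", "role=auditor")]),
    ("ATTR", "role=CFO"),
])

def split(node, secret, path="0"):
    """Share `secret` down the tree; return [(leaf_path, attribute, share)]."""
    kind, body = node
    if kind == "ATTR":
        return [(path, body, secret)]
    if kind == "OR":                  # any one child suffices: copy the secret
        parts = [secret] * len(body)
    else:                             # AND: n-of-n XOR split, every child needed
        parts = [secrets.token_bytes(len(secret)) for _ in body[:-1]]
        parts.append(reduce(xor, parts, secret))
    leaves = []
    for i, (child, part) in enumerate(zip(body, parts)):
        leaves += split(child, part, f"{path}.{i}")
    return leaves

def held_by(leaves, attributes):
    """Leaf shares usable with these attributes (toy stand-in for Kpriv)."""
    return {path: share for path, attr, share in leaves if attr in attributes}

def recover(node, held, path="0"):
    """Rebuild the secret from held leaf shares, or return None."""
    kind, body = node
    if kind == "ATTR":
        return held.get(path)
    subs = [recover(c, held, f"{path}.{i}") for i, c in enumerate(body)]
    if kind == "OR":                  # permit-override: first satisfied branch wins
        return next((s for s in subs if s is not None), None)
    return None if None in subs else reduce(xor, subs)

def can_recover(attributes):
    """True if a recipient holding `attributes` rebuilds a fresh 16-byte secret."""
    secret = secrets.token_bytes(16)
    leaves = split(POLICY, secret)
    return recover(POLICY, held_by(leaves, attributes)) == secret

if __name__ == "__main__":
    for attrs in ({"role=CFO"}, {"service=finance", "role=auditor"},
                  {"service=hr", "role=auditor"}):
        print(sorted(attrs), can_recover(attrs))
```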
Getting to know ABE (3)
Recipients can become contributing third‐parties
Access control still applies
[Diagram, step 5, between a Recipient acting as Contributor, the Data Owner and Other recipients. Labels: can encrypt as well; cleartext (e.g. results from data analytics) + Attributes or Policy; ciphertext; can access new ciphertext using their Kpriv, or if MSK owner grants an appropriate Kpriv]
Our operational models
Long Term Storage
Characteristics
• data at rest when the on‐board storage area offers low security
• or is remote and untrusted
• while keeping access control in force
Basis for IoT and B2B data sharing use cases
Offline Access Control
Characteristics
• environment offers too little or no network connectivity
• limits user / device authentication and authorisation services
• relies on pre‐provisioning of keys as well as out of band methods
Basis for some industrial IoT use cases with strong isolation constraints
Can be extended to offline authentication / authorisation
Platform Provider
Characteristics
• users delegate access control over their data, to a trusted Platform Provider
• Platform Provider offers user‐friendly access control management
• third‐party service providers connect to the Platform Provider and request permission to obtain data
Basis for Cloud and Mobile use cases
Intermediate Access Control Languages
[Diagram labels: Layer 1; Layer 2; ABE schemes; ABE library + tools; Translator; Translator + non-ABE services (S1, S2, …); High-level access control frameworks: XACML, oneM2M, …]
Complex attributes and related operators:
‐ Locations (zones, circles, etc.)
‐ Timestamps
‐ Device types
‐ Free strings (Roles etc.)
‐ …
Allow a mapping to ontologies at the level of the cryptosystem
Basic attributes and operators:
‐ Integers
‐ Booleans
And relation to ontologies
Some possible uses of ABE in oneM2M
Time‐based access control in the Long‐Term Storage model
• Data are saved with attributes allowing comparison against accessControlTimeWindow …
• … which is expressed as a policy in Kpriv
AE/CSE resource access control in the Offline Access Control model
• AE/CSE runs an ABE challenge‐response protocol with the Originator
• The protocol is successful only if the Originator possesses a Kpriv that satisfies the access control policy set by the AE/CSE
Direct/Indirect Dynamic Authorisation, RBAC, and Privacy Policy Manager in the Platform Provider model
• Kpriv can be used to emulate tokens
These are being discussed within ETSI TC CYBER and its STF 529 and not yet proposed to oneM2M
Other aspects & outlook
A Public Key Infrastructure is still needed in support of ABE
• Secure distribution of keys, proof of data origin, proof of assertions…
Performance and security
• FAME scheme from Agrawal & Chase recently selected, very promising with good security proof
• A normative specification will be included in the toolkit
• Crypto agility: the toolkit will permit use of other ABE schemes
• Optimisations & upgrade of cryptographic algorithms
Under research: post‐quantum ABE schemes
• Current hard problems will not be so hard under quantum computing
• Schemes exist but are not yet practical, state‐of‐the‐art remains theoretical
• Bonus: more expressiveness could be achieved with post‐quantum schemes
Under research: homomorphic encryption in conjunction with ABE
• Would allow information to be processed without accessing the raw data
• Cryptographically not trivial to achieve at all
Final note
ETSI TC CYBER
• Advises other groups in ETSI for cybersecurity matters (e.g. Lawful Interception, NFV Security)
• Spearheads and coordinates ETSI’s technical response to EU legislation related to cybersecurity (GDPR, NIS, upcoming Cybersecurity Act…)
ETSI TC CYBER WG‐QSC (CYBER‐QSC)
• Focus is on quantum‐safe cryptography
• Have identified ABE on their roadmap
Plans to make draft TS 103 532 (DTS‐CYBER‐0025) available for public review in the near future
• Publication planned Feb/March 2018
Thank you !
Annex ‐ Contacts
ETSI TC CYBER https://portal.etsi.org/tb.aspx?tbid=824&SubTB=824,856
STF 529 https://portal.etsi.org/STF/stfs/STFHomePages/STF529
Annex ‐ Examples for oneM2M (KP‐ABE)
Time‐based access control in the Long‐Term Storage model
Measurement data from an AE are subject to accessControlTimeWindow parameter in an access rule applying to Originator OA
A datum is accessible at a specific time window; if we back it up, we can attach this information to the datum
When the data is saved with ABE, the ciphertext is annotated with attributes expressing the timeframe at which the data were accessible (compatible with the crontab syntax); this is possible at the price of losing resolution and by setting rules on the calculation of attributes at AE/CSE
Thus this requires good granularity of the ciphertext generation frequency
When OA needs access to data in the past, it requests Kpriv with a policy matching accessControlTimeWindow
[Diagram, steps 1 to 4. Labels:
‐ <acr>: Access control rule as in oneM2M TS-0003. An acr can mention allowed access time in a crontab-compatible format
‐ convert; MPK
‐ Configured ABE attributes: SECmin, SECmax, MINmin, MINmax, etc.
‐ AE/CSE; ciphertext: Encrypts using the attributes in order to express the timeframe of data capture in a crontab-compatible format
‐ Kpriv, e.g. “You may access all data captured between Monday and Friday on any week of any year”
‐ 4 decrypts, with Kpriv]
Annex ‐ Examples for oneM2M (KP‐ABE)
AE/CSE resource access control in the Offline Access Control model
Resources from an AE/CSE are subject to an access rule applying to Originator OA
ABE attributes are defined to identify operations and resources of the AE/CSE
AE/CSE is provisioned with the MPK
When OA requests a given operation on a given resource, the AE/CSE runs a challenge‐response protocol by encrypting a secret using the MPK and the ABE attributes matching the request
OA can solve the challenge only if they have a Kpriv with a matching policy
Extensible to other access control parameters e.g. accessControlTimeWindow
[Diagram (simplified example), steps 1 to 4, between OA and AE/CSE. Labels:
‐ <acr>: Access control rule as in oneM2M TS-0003. An acr can mention allowed operations (CRUD and others)
‐ convert; MPK
‐ Configured ABE attributes: device_id, resource_id, operation_id
‐ Kpriv, e.g. “You may UPDATE resource #1 on device ABC”
‐ requests resource #1 update
‐ Encrypt( , resource_id = 1, device_id = ABC, operation_id = UPDATE, secret)
‐ response with secret
‐ update protocol continues]