2014 Tenth International Conference on Computational Intelligence and Security

Insecurity of an Dynamic User Revocation and Key Refreshing for Attribute-Based Encryption Scheme

Changji Wang*, Haitao Lin†, Xilei Xu†, Kangjia Zheng†, Xiaonan Xia†
* National Pilot School of Software, Yunnan University, Kunming, China. E-mail: [email protected]
† School of Information Science and Technology, Sun Yat-sen University, Guangzhou, China

Abstract—Cloud computing has had a major impact on the global IT ecosystem, promising economic advantages, speed, agility, flexibility, virtually infinite elasticity and innovation. However, data security and privacy remain the biggest barriers to widespread adoption of cloud services. To address the problem of fine-grained access control over encrypted data faced by cloud services, ciphertext-policy attribute-based encryption (CP-ABE) was proposed in recent years and has attracted great interest from researchers. Although CP-ABE schemes provide the ability for data owner-centric protection in cloud services, they are not very practical with respect to the efficiency and scalability of access right revocation and key refreshing. Recently, Xu and Martin proposed a dynamic user revocation and key refreshing model for CP-ABE schemes and presented a concrete construction based on Bethencourt et al.'s CP-ABE scheme. They claimed that their construction is efficient and provably secure. However, after revisiting the construction, we demonstrate that the cloud service provider cannot perform the data retrieval task in their construction, and that their construction cannot achieve one-to-many encryption.





Keywords-Ciphertext-Policy Attribute-Based Encryption; Dynamic User Revocation; Key Refreshing; Cloud Computing.

I. INTRODUCTION

There is no doubt that cloud computing is one of the biggest buzzwords in the IT industry today. Cloud computing offers numerous advantages to both end users and businesses of all sizes; the most important are cost efficiency, ubiquitous access, high reliability and scalability [1]. However, there are potential risks to data security and privacy when relying on a third party to provide infrastructure, platforms, or software as a service [2]. Encryption seems like an obvious solution to data security and privacy. If the cloud service provider is responsible for data encryption, data owners still face risks such as insider fraud, hacking and disclosure demands from law enforcement. Thus, from a data security perspective, data owners should take responsibility for protecting their own data. This data owner-centric protection approach typically requires the following characteristics [3]:
• Fine-grained access control over encrypted data: The data access policy can be defined at the data item level and should be enforced at each access attempt, with or without the data owner's involvement.
• Dynamic access rights management: Granting or revoking access rights to a particular data item is straightforward and can be performed almost instantaneously.
• Efficient key management: Critical key management operations such as key establishment, key refreshing and key revocation are conducted in an efficient manner that scales well and is appropriate for the highly dynamic and heterogeneous nature of a cloud storage environment.

Traditional public key encryption and identity-based encryption (IBE) methods are cumbersome to apply to access control in cloud computing. Assume that Alice needs to encrypt a document for access by multiple recipients who are not necessarily known at encryption time. To solve the problem of fine-grained access control over encrypted data, the concept of attribute-based encryption (ABE) was introduced by Sahai and Waters [4]. Compared with IBE [5], ABE has a significant advantage in that it achieves flexible one-to-many encryption instead of one-to-one; it is envisioned as a promising tool for addressing the problem of secure, fine-grained data sharing and decentralized access control.

978-1-4799-7434-4/14 $31.00 © 2014 IEEE. DOI 10.1109/CIS.2014.100

There are two types of ABE, depending on whether access policies are associated with private keys or with ciphertexts. In a key-policy attribute-based encryption (KP-ABE) system [6], ciphertexts are labeled by the sender with a set of descriptive attributes, while a user's private key, issued by the trusted attribute authority, captures a policy (also called the access structure) that specifies which ciphertexts the key can decrypt. Typical applications of KP-ABE include secure forensic analysis and targeted broadcast [6]. In a ciphertext-policy attribute-based encryption (CP-ABE) system [7], when a sender encrypts a message, they specify in the ciphertext an access policy, expressed as an access structure over attributes, stating what kind of receivers will be able to decrypt the ciphertext. Users possess sets of attributes and obtain the corresponding secret attribute keys from the attribute authority. Such a user can decrypt a ciphertext if his/her attributes satisfy the access policy associated with the ciphertext. Thus, the CP-ABE mechanism is conceptually closer to the traditional role-based access control method. ABE has drawn extensive attention from both academia and industry; many ABE schemes have been proposed and several cloud-based secure systems using ABE schemes have been developed, such as [6]–[10].

A revocation mechanism is necessary for any public key encryption scheme that involves many users, since some private keys might get compromised or the affiliation of the owner may change at some point. In traditional public key encryption and IBE systems, many revocation methods have been proposed in the literature [11], [12]. Similar to IBE, ABE also suffers from the key revocation and inherent key escrow problems [5]. In practical applications, attribute revocation is not only a difficult research problem but also one that must be solved for ABE schemes. Currently, there are some revocable ABE schemes available in the literature, such as [7], [13]–[15]. Bethencourt et al. [7] proposed a trivial attribute revocation method for their CP-ABE scheme by appending an expiration time to each attribute. Obviously, this type of solution requires interaction between users and the trusted attribute authority, and is not able to efficiently revoke user attributes on the fly. Attrapadung and Imai [13] classified the revocation mechanisms in ABE as direct and indirect methods. Direct revocation is enforced directly by the sender, who specifies the revocation list while encrypting. Indirect revocation is enforced by the key authority, who periodically releases key update material in such a way that only non-revoked users can update their keys. An advantage of the indirect method over the direct one is that it does not require senders to know the revocation list. In contrast, an advantage of the direct method is that it does not involve a key update phase in which all non-revoked users interact with the key authority. Yu et al. [14] proposed a CP-ABE scheme in which revocation is based on proxy re-encryption, changing the system public key and users' private keys, but the cost of revocation is still high. Hur and Noh [15] built a fully fine-grained CP-ABE revocation scheme using a binary tree. However, the approach brings potential management overheads and scalability issues. In addition, their scheme does not provide a strict security model, a security proof, or resistance to collusion attacks.

Recently, Xu and Martin [3] proposed a deployment model called dynamic user revocation and key refreshing (DURKR) for ABE in cloud computing, which enables management of access rights as well as efficient key refreshing and revocation. They claimed that the proposed model can be generically adapted to suit CP-ABE schemes, and gave a concrete construction based on Bethencourt et al.'s CP-ABE scheme [7] to achieve user revocation and key refreshing. However, after carefully revisiting the construction, we demonstrate

that their construction is flawed: the cloud service provider cannot perform the data retrieval task. Moreover, their construction cannot achieve one-to-many encryption, nor provide backward and forward secrecy.

The rest of this paper is organized as follows. Some preliminaries about bilinear pairings, access structures and access trees are described in Section II. Xu and Martin's dynamic user revocation and key refreshing model for ABE in cloud computing is introduced in Section III. The security analysis of Xu and Martin's dynamic user revocation and key refreshing construction for Bethencourt et al.'s CP-ABE scheme [7] is presented in Section IV. Finally, we conclude the paper in Section V.

II. PRELIMINARIES

Table I summarizes the notations that will be used in this paper.

Table I. NOTATIONS

Symbol                    Description
$\lambda$                 Security parameter
$k$                       A session key $k \in \{0,1\}^\lambda$
$x \xleftarrow{\$} S$     Pick an element $x$ uniformly at random from the set $S$
$\Pi$                     A semantically secure symmetric encryption scheme
$E_k(m)$                  Encrypt a message $m$ under $\Pi$ with a session key $k$
$D_k(c)$                  Decrypt a ciphertext $c$ under $\Pi$ with a session key $k$
$H_1$                     Hash function $H_1 : \{0,1\}^* \to G_1$
$H_2$                     Hash function $H_2 : G_2 \to \mathbb{Z}_p^*$
$H_3$                     Hash function $H_3 : G_2 \to \{0,1\}^\lambda$

A. Bilinear Group Generator

The bilinear group generator $\mathcal{G}$ is an algorithm that takes as input a security parameter $\lambda$ and outputs a bilinear group $(p, G_1, G_2, \hat{e}, g)$, where $p$ is a prime of size $2^\lambda$, $G_1$ and $G_2$ are cyclic groups of order $p$, $g$ is a generator of $G_1$, and $\hat{e} : G_1 \times G_1 \to G_2$ is a bilinear map with the following properties.
• Bilinearity: For $a, b \xleftarrow{\$} \mathbb{Z}_p^*$, we have $\hat{e}(g^a, g^b) = \hat{e}(g, g)^{ab}$.
• Non-degeneracy: $\hat{e}(g, g)$ is a generator of $G_2$.
• Computability: For $g_1, g_2 \xleftarrow{\$} G_1$, there is an efficient algorithm to compute $\hat{e}(g_1, g_2)$.

B. Access Structure and Access Tree

Let $\mathcal{P} = \{P_1, P_2, \ldots, P_n\}$ be a set of parties and let $2^{\mathcal{P}}$ denote its power set. A collection $\mathbb{A} \subseteq 2^{\mathcal{P}}$ is monotone if for every $B$ and $C$, if $B \in \mathbb{A}$ and $B \subseteq C$ then $C \in \mathbb{A}$. An access structure (respectively, monotone access structure) is a collection (respectively, monotone collection) $\mathbb{A}$ of non-empty subsets of $\mathcal{P}$, i.e. $\mathbb{A} \subseteq 2^{\mathcal{P}} \setminus \{\emptyset\}$. The sets in $\mathbb{A}$ are called the authorized sets, and the sets not in $\mathbb{A}$ are called the unauthorized sets.


In our context, the role of the parties is taken by the attributes. Thus, the access structure $\mathbb{A}$ will contain the authorized sets of attributes. Let $\mathcal{T}$ be an access tree whose root represents an access structure. Each non-leaf node of the tree represents a threshold gate, described by its children and a threshold value. Let $num_x$ and $k_x$ be the number of children and the threshold value of a node $x$, respectively; obviously $0 < k_x \le num_x$. When $k_x = 1$, the threshold gate is an OR gate, and when $k_x = num_x$, it is an AND gate. Each leaf node $x$ of the tree is described by an attribute and a threshold value $k_x = 1$. We denote the parent of the node $x$ in the tree by $\mathrm{parent}(x)$. The function $\mathrm{attr}(x)$ is defined only if $x$ is a leaf node, and denotes the attribute associated with the leaf node $x$ in the tree. The access tree $\mathcal{T}$ also defines an ordering between the children of every node, that is, the children of a node $x$ are numbered from 1 to $num_x$. The function $\mathrm{index}(x)$ returns the number associated with the node $x$.

Let $\mathcal{T}$ be an access tree with root $root$. Denote by $\mathcal{T}_x$ the subtree of $\mathcal{T}$ rooted at the node $x$. If a set of attributes $\omega$ satisfies the access tree $\mathcal{T}_x$, we denote it as $\mathcal{T}_x(\omega) = 1$. We compute $\mathcal{T}_x(\omega)$ recursively as follows. If $x$ is a non-leaf node, evaluate $\mathcal{T}_z(\omega)$ for all children $z$ of node $x$; $\mathcal{T}_x(\omega)$ returns 1 if and only if at least $k_x$ children of $x$ return 1. If $x$ is a leaf node, then $\mathcal{T}_x(\omega) = 1$ if and only if $\mathrm{attr}(x) \in \omega$.
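The recursive evaluation of $\mathcal{T}_x(\omega)$ just defined, written out as an added Python example (not code from the paper); the node representation, the `Node`/`satisfies`/`index` names and the sample tree at the bottom are my own constructions.

```python
class Node:
    """A non-leaf node is a threshold gate with k_x of num_x children;
    a leaf carries an attribute and has k_x = 1 by definition."""

    def __init__(self, k=None, children=(), attr=None):
        self.attr = attr
        self.children = list(children)      # ordered: index(child) = 1-based position
        self.k = 1 if attr is not None else k
        if attr is None and not 0 < self.k <= len(self.children):
            raise ValueError("threshold must satisfy 0 < k_x <= num_x")

    @property
    def num(self):
        """num_x: number of children of this node."""
        return len(self.children)


def leaf(attr):
    return Node(attr=attr)


def index(x, parent):
    """index(x): the number (1..num_parent) the tree assigns to x under parent(x)."""
    return parent.children.index(x) + 1


def satisfies(x, omega):
    """T_x(omega): True iff the attribute set omega satisfies the subtree rooted at x."""
    if x.attr is not None:                  # leaf: T_x(omega) = 1 iff attr(x) in omega
        return x.attr in omega
    # non-leaf: at least k_x children must evaluate to 1
    return sum(satisfies(z, omega) for z in x.children) >= x.k


# Constructed sample policy: 2-of-3( doctor, cardiology, OR(nurse, admin) ).
SAMPLE_TREE = Node(k=2, children=[
    leaf("doctor"),
    leaf("cardiology"),
    Node(k=1, children=[leaf("nurse"), leaf("admin")]),
])
```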

Figure 1. DURKR model for ABE in Cloud

III. REVIEW OF XU ET AL.'S DURKR MODEL AND CONSTRUCTION

Xu et al.'s dynamic user revocation and key refreshing model for ABE involves four participants, described as follows.
• Attribute Authority (AA): This is the central trusted component that is responsible for generating attribute key shares, publishing system public parameters and maintaining the master secret.
• Cloud Services Provider (CSP): This is a semi-trusted entity that provides data storage and retrieval services. CSP includes a proxy server, which is responsible for re-encrypting data owners' ciphertexts before they are sent to users.
• Data Owner (DO): This is the cloud storage subscriber who is responsible for protecting their data by defining access policies, managing user revocation lists, and encrypting data before it is sent to the cloud storage provider.
• Data User (DU): This is another cloud storage subscriber, whose attributes need to comply with the access policy before the data can be decrypted.

All the communication channels need to be encrypted for data transmission. The system architecture is illustrated in Figure 1.

In order to revoke an individual user within a group, they utilize another layer of encryption on top of CP-ABE to achieve fine-grained user-level access control. They introduce an additional system attribute called the delegation attribute, which is designated to CSP. Alongside the key shares for system attributes, AA generates a delegation key share for the delegation attribute. The delegation key share is sent to CSP and is used for ciphertext re-encryption. Since CSP only has the delegation key share, it cannot decrypt the data encrypted under the CP-ABE scheme. In addition, the delegation key share is also used to achieve system key refreshing or revocation. The master secret is split into two portions. One portion is used by the CP-ABE scheme to generate attribute key shares. The other portion is used by the CSP (i.e., the proxy) to issue an additional secret share to users every time they retrieve data, so that only non-revoked users can successfully construct the decryption key. When the system key needs to be refreshed, AA only re-generates the delegation key share for CSP. All the system keys and key shares are tracked by a version number, $V_{no}$, which is initially set to 1 and increases by 1 whenever an attribute revocation event occurs.

Xu and Martin illustrated how to apply DURKR to Bethencourt et al.'s CP-ABE scheme as follows.
• Setup($1^\lambda$): AA runs the bilinear group generator $\mathcal{G}(1^\lambda)$ to get a prime-order bilinear group $(p, G_1, G_2, \hat{e}, g)$, and chooses $\alpha_1, \alpha_2 \xleftarrow{\$} \mathbb{Z}_p^*$ satisfying $\alpha = \alpha_1 + \alpha_2 \bmod p$. AA then sets the key version $V_{no} = 1$ and sets the master secret key as
  $MK = \langle \beta, g^\alpha, \alpha_1, \alpha_2, V_{no} \rangle$.
  Finally, AA publishes the system public parameters as
  $PK = \langle p, G_1, G_2, \hat{e}, g, h = g^\beta, \hat{e}(g, g)^\alpha, V_{no} \rangle$.


• KeyGen($PK, MK, S, V_{no}$): The key share generation algorithm is similar to that of Bethencourt et al.'s CP-ABE scheme, except that the first part of the master secret, $\alpha_1$, is used instead of $\alpha$. For the given attribute set $S$, AA chooses $r \xleftarrow{\$} \mathbb{Z}_p^*$ and $r_j \xleftarrow{\$} \mathbb{Z}_p^*$ for $j \in S$, computes $D = g^{(\alpha_1 + r)/\beta}$, and $D_j = g^r H(j)^{r_j}$, $D'_j = g^{r_j}$ for $j \in S$. AA then sets the key shares as
  $SK = \langle D, \{D_j, D'_j\}_{j \in S}, V_{no} \rangle$.

• CloudServiceKeyGen($PK, MK$): AA uses the other part of the master secret, $\alpha_2$, to generate the delegation key share for CSP as
  $SK_c = \langle D_c = g^{\alpha_2/\beta}, V_{no} \rangle$.



• Encrypt($PK, \mathcal{T}, M, V_{no}$): The encryption algorithm is similar to that of Bethencourt et al.'s CP-ABE scheme, except that the key version is attached to the ciphertext. Let $Y$ be the set of leaf nodes in the access tree $\mathcal{T}$. The sender chooses $s \xleftarrow{\$} \mathbb{Z}_p^*$ and computes $\tilde{C} = M \hat{e}(g, g)^{\alpha s}$, $C = h^s$, $C_y = g^{q_y(0)}$ and $C'_y = H(\mathrm{attr}(y))^{q_y(0)}$ for all $y \in Y$, where $q_y(0)$ is the share of $s$ that the access tree assigns to the leaf $y$, as in [7]. Finally, the ciphertext $CT$ is set as
  $CT = \langle \mathcal{T}, \tilde{C}, C, \{C_y, C'_y\}_{y \in Y}, V_{no} \rangle$.





• DataRetrieval($PK, uid$): Suppose that the revocation list is $ID_{revoked} = \{uid_1, uid_2, \ldots, uid_m\}$, where $uid_i$ is a user identifier. CSP re-encrypts the ciphertext as follows.
  – If $uid \in ID_{revoked}$, then CSP randomly selects $k, k' \xleftarrow{\$} \mathbb{Z}_p$ and computes $\tilde{C}' = M \hat{e}(g, g)^{\alpha s k'}$, $C = h^s$, $C' = h^{sk}$, $D'_c = D_c^k$, $C_y = g^{q_y(0)k}$, $C'_y = H(\mathrm{attr}(y))^{q_y(0)k}$ for every $y \in Y$, then sets the ciphertext
    $CT' = \langle \mathcal{T}, \tilde{C}', C, C', D'_c, \{C_y, C'_y\}_{y \in Y}, V_{no} \rangle$.
  – If $uid \notin ID_{revoked}$, then CSP randomly selects $k \xleftarrow{\$} \mathbb{Z}_p$ and computes $\tilde{C}' = M \hat{e}(g, g)^{\alpha s k}$, $C = h^s$, $C' = h^{sk}$, $D'_c = D_c^k$, $C_y = g^{q_y(0)k}$, $C'_y = H(\mathrm{attr}(y))^{q_y(0)k}$ for every $y \in Y$, then sets the ciphertext
    $CT' = \langle \mathcal{T}, \tilde{C}', C, C', D'_c, \{C_y, C'_y\}_{y \in Y}, V_{no} \rangle$.
  – The re-encrypted ciphertext $CT'$ is then sent to the user.
• Decrypt($PK, CT', SK, V_{no}$): The first part of decryption proceeds the same as in Bethencourt et al.'s CP-ABE scheme. Using the same attribute key version $V_{no}$, if the user has attributes that comply with the access tree, then he can compute
  $A = \mathrm{DecryptNode}(CT', SK, root) = \hat{e}(g, g)^{rks}$.
  If the user is not in the revoked list, the message $M$ can be revealed by
  $\mathrm{Decrypt}(PK, CT', SK, V_{no}) = A \tilde{C}' / (\hat{e}(C', D)\, \hat{e}(C, D'_c))$.
• KeyReGen($PK, MK$): Suppose that the current public system parameters are $PK_{V_{no}} = (G_1, G_T, g, \hat{e}, h = g^\beta, \hat{e}(g, g)^\alpha, V_{no})$ and the master key $MK_{V_{no}}$ is $(\beta, g^\alpha, \alpha_1, \alpha_2, V_{no})$. The key refreshing algorithm selects $\alpha' \xleftarrow{\$} \mathbb{Z}_p$ and computes $\alpha'_2 = \alpha' - \alpha_1 \bmod p$. Increasing the key version $V_{no}$ by 1, the new public system parameters are set as
  $PK' = \langle G_1, G_T, g, \hat{e}, h = g^\beta, \hat{e}(g, g)^{\alpha'}, V'_{no} \rangle$,
  and the master secret key $MK$ becomes
  $MK' = \langle \beta, g^{\alpha'}, \alpha_1, \alpha'_2, V'_{no} \rangle$.
  The algorithm then calls the CloudServiceKeyGen algorithm to re-generate the delegation key share and distribute it to CSP.

IV. CRYPTANALYSIS OF XU ET AL.'S DURKR CONSTRUCTION

Theorem 1: The CSP cannot perform the DataRetrieval algorithm in Xu et al.'s DURKR construction.

Proof: We give a proof by contradiction. Assume that CSP can compute
  $\tilde{C}' = M \hat{e}(g, g)^{\alpha s k}$ (or $\tilde{C}' = M \hat{e}(g, g)^{\alpha s k'}$)
from $\tilde{C} = M \hat{e}(g, g)^{\alpha s}$, where $k \xleftarrow{\$} \mathbb{Z}_p$ (or $k' \xleftarrow{\$} \mathbb{Z}_p$) is chosen by CSP in the DataRetrieval algorithm. Then CSP can calculate
  $\tilde{C}' / \tilde{C} = M \hat{e}(g, g)^{\alpha s k} / M \hat{e}(g, g)^{\alpha s} = \hat{e}(g, g)^{\alpha s (k-1)}$.
Thus, CSP can recover the message $M$ by setting $k = 2$. This contradicts the assumption that CSP is semi-trusted: CSP should only re-encrypt data owners' ciphertexts to respond to data retrieval requests from cloud users, without learning any information about the corresponding plaintext. This ends the proof.

Theorem 2: Xu et al.'s DURKR construction is irrational and cannot achieve one-to-many encryption, backward secrecy or forward secrecy.

Proof: In Xu et al.'s DURKR construction, CSP maintains a revocation list, which is a set of revoked user identifiers. During the DataRetrieval phase, CSP first determines whether the requesting user is revoked or not. If the requesting user is revoked, CSP selects two random numbers $k, k' \xleftarrow{\$} \mathbb{Z}_p$, re-encrypts the ciphertext and sends the ill-formed ciphertext to the requesting user. If the requesting user is not revoked, CSP selects a random number $k \xleftarrow{\$} \mathbb{Z}_p$, re-encrypts the ciphertext and sends the well-formed ciphertext to the requesting user. The problem here is that if CSP can determine whether the user has been revoked or not, why not just refuse the data retrieval request to save bandwidth and computing resources?


Moreover, the well-formed ciphertext can be decrypted if and only if the attributes owned by the user satisfy the access structure associated with the ciphertext, regardless of whether the user is revoked or not. That is to say, a revoked user can also decrypt the well-formed ciphertext as long as he is able to obtain it. Therefore, CSP must build a secure channel to send the re-encrypted well-formed ciphertext to the unrevoked user. In other words, the data owner can only achieve one-to-one encryption instead of one-to-many encryption. More seriously, Xu et al.'s DURKR construction did not consider backward and forward secrecy: whether a user is revoked or not, users never need to update their private keys. This ends the proof.
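As an added illustration (not code from the paper or from Xu and Martin), the following Python models the construction of Section III and the arguments of Theorems 1 and 2 in "exponent bookkeeping" form: every element $g^a$ or $\hat{e}(g,g)^c$ is stored only as its exponent modulo a toy prime, so group multiplication, exponentiation and the pairing become addition, multiplication and a product of exponents. It assumes a single 2-of-2 AND gate as the access tree, models $H(\cdot)$ as $g$ raised to a random known exponent, and only checks that the paper's equations hold (Decrypt correctness, the ill-formed ciphertext of a revoked user, and the $\tilde{C}'/\tilde{C}$ division of Theorem 1); it says nothing about hardness.

```python
import secrets

P = 2**127 - 1   # toy prime group order (assumed); only the exponent algebra matters here

def rnd():
    """Uniform element of Z_p^* (models x <-$- Z_p^*)."""
    return secrets.randbelow(P - 1) + 1

def lagrange_at_zero(i, indices):
    """Lagrange coefficient Delta_i(0), as used by DecryptNode at a threshold gate."""
    num, den = 1, 1
    for j in indices:
        if j != i:
            num, den = num * (-j) % P, den * (i - j) % P
    return num * pow(den, -1, P) % P

class DURKR:
    """Setup, KeyGen, CloudServiceKeyGen and Encrypt of the reviewed construction."""

    def __init__(self):
        self.beta, self.alpha1, self.alpha2 = rnd(), rnd(), rnd()
        self.alpha = (self.alpha1 + self.alpha2) % P   # alpha = alpha1 + alpha2 mod p
        self.h = {}                                      # H(attr) = g^{h_attr}, h_attr random

    def hash(self, attr):
        return self.h.setdefault(attr, rnd())

    def keygen(self, attrs):
        r = rnd()
        sk = {"D": (self.alpha1 + r) * pow(self.beta, -1, P) % P, "Dj": {}}
        for j in attrs:                                  # D_j = g^r H(j)^{r_j}, D'_j = g^{r_j}
            rj = rnd()
            sk["Dj"][j] = ((r + self.hash(j) * rj) % P, rj)
        return sk

    def cloud_key(self):
        return self.alpha2 * pow(self.beta, -1, P) % P   # D_c = g^{alpha2 / beta}

    def encrypt(self, m, attrs):
        """Access tree assumed to be a single AND gate (2-of-2 threshold) over `attrs`."""
        s, a = rnd(), rnd()
        q = lambda x: (s + a * x) % P                    # q_root(0) = s; leaf shares q(1), q(2)
        idx = {j: i for i, j in enumerate(attrs, 1)}
        leaves = {j: (q(i), self.hash(j) * q(i) % P) for j, i in idx.items()}
        return {"Ct": (m + self.alpha * s) % P, "C": self.beta * s % P,
                "leaves": leaves, "idx": idx}

def data_retrieval_as_specified(ct, dc, k, m, k_prime=None):
    """DataRetrieval exactly as the paper states it: it needs m itself (Theorem 1).
    A revoked user gets the ill-formed ciphertext, i.e. C~' formed with k' != k."""
    kk = k if k_prime is None else k_prime
    return {"Ct": (m + (ct["Ct"] - m) * kk) % P, "C": ct["C"], "C2": ct["C"] * k % P,
            "Dc": dc * k % P, "idx": ct["idx"],
            "leaves": {j: (cy * k % P, cy2 * k % P) for j, (cy, cy2) in ct["leaves"].items()}}

def csp_without_m(ct, k):
    """All a CSP holding only CT can form: C~^k = M^k e(g,g)^{alpha s k}, which is not C~'."""
    return ct["Ct"] * k % P

def theorem1_recover(ct2, ct):
    """C~'/C~ = e(g,g)^{alpha s (k-1)}; for k = 2 this equals e(g,g)^{alpha s}, so M = C~ / it."""
    return (ct["Ct"] - (ct2["Ct"] - ct["Ct"])) % P

def decrypt(ct2, sk, attrs):
    """Decrypt(PK, CT', SK): DecryptNode over the AND gate, then remove the blinding."""
    idx = [ct2["idx"][j] for j in attrs]
    A = 0                                                # becomes e(g,g)^{r k s}
    for j in attrs:                                      # e(D_j, C_y) / e(D'_j, C'_y) per leaf
        dj, dj2 = sk["Dj"][j]
        cy, cy2 = ct2["leaves"][j]
        A = (A + lagrange_at_zero(ct2["idx"][j], idx) * (dj * cy - dj2 * cy2)) % P
    # A C~' / (e(C', D) e(C, D'_c))
    return (A + ct2["Ct"] - ct2["C2"] * sk["D"] - ct2["C"] * ct2["Dc"]) % P
```

Running it shows that the unrevoked path decrypts, that a second key satisfying the same policy (Theorem 2's revoked-but-authorized user) decrypts the same well-formed $CT'$, and that with $k = 2$ the difference $\tilde{C}' / \tilde{C}$ hands the CSP the message.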

V. CONCLUSION

Attribute-based encryption is a great invention by security researchers and allows group-based encryption to be performed efficiently. While it provides many benefits, revocation of users has been a key issue in utilizing attribute-based encryption. Recently Xu and Martin proposed a dynamic user revocation and key refreshing model for ciphertext-policy attribute-based encryption schemes. They presented a concrete construction and claimed that the proposed construction is efficient and provably secure. However, after carefully revisiting the construction, we show that their construction is flawed: the cloud service provider cannot perform the data retrieval task. Moreover, their construction cannot achieve one-to-many encryption, nor provide backward and forward secrecy. User revocation, and especially attribute revocation, for attribute-based encryption schemes is still subject to extensive research.

ACKNOWLEDGMENT

This research is jointly funded by the National Natural Science Foundation of China (Grant No. 61173189) and the Guangdong Province Information Security Key Laboratory Project.

REFERENCES

[1] P. Mell and T. Grance, The NIST Definition of Cloud Computing, NIST Special Publication 800-145, 2011.
[2] J. Xue and J. J. Zhang, A brief survey on the security model of cloud computing, In the 9th International Symposium on Distributed Computing and Applications to Business, Engineering and Science, 2010, pp. 475–478.
[3] Z. Q. Xu and K. M. Martin, Dynamic User Revocation and Key Refreshing for Attribute-Based Encryption in Cloud Storage, In 11th International Conference on Trust, Security and Privacy in Computing and Communications, 2012, pp. 844–849.
[4] A. Sahai and B. Waters, Fuzzy Identity Based Encryption, In EUROCRYPT 2005, LNCS 3494, Springer-Verlag, 2005, pp. 457–473.
[5] D. Boneh and M. K. Franklin, Identity-based encryption from the Weil pairing, In CRYPTO 2001, LNCS 2139, Springer-Verlag, 2001, pp. 213–229.
[6] V. Goyal, O. Pandey, A. Sahai and B. Waters, Attribute Based Encryption for Fine-Grained Access Control of Encrypted Data, In ACM Conference on Computer and Communications Security, 2006, pp. 89–98.
[7] J. Bethencourt, A. Sahai and B. Waters, Ciphertext-policy attribute-based encryption, In IEEE Symposium on Security & Privacy, 2007, pp. 321–334.
[8] B. Waters, Ciphertext-Policy Attribute-Based Encryption: An Expressive, Efficient, and Provably Secure Realization, In PKC 2011, LNCS 6571, Springer-Verlag, 2011, pp. 53–70.
[9] A. B. Lewko and B. Waters, New Proof Methods for Attribute-Based Encryption: Achieving Full Security through Selective Techniques, In CRYPTO 2012, LNCS 7417, Springer-Verlag, 2012, pp. 180–198.
[10] M. Li, S. C. Yu, Y. Zheng, K. Ren and W. J. Lou, Scalable and Secure Sharing of Personal Health Records in Cloud Computing using Attribute-based Encryption, IEEE Transactions on Parallel and Distributed Systems, Vol. 24, No. 1, 2013, pp. 131–143.
[11] C. Gentry, Certificate-based encryption and the certificate revocation problem, In EUROCRYPT 2003, LNCS 2656, Springer-Verlag, 2003, pp. 272–293.
[12] A. Boldyreva, V. Goyal and V. Kumar, Identity-based encryption with efficient revocation, In the 15th ACM Conference on Computer and Communications Security, 2008, pp. 417–426.
[13] N. Attrapadung and H. Imai, Attribute-Based Encryption Supporting Direct/Indirect Revocation Modes, In Cryptography and Coding 2009, LNCS 5921, Springer-Verlag, 2009, pp. 278–300.
[14] S. Yu, C. Wang, K. Ren and W. J. Lou, Attribute based data sharing with attribute revocation, In ACM Symposium on Information, Computer and Communications Security, 2010, pp. 261–270.
[15] J. Hur and D. K. Noh, Attribute-Based Access Control with Efficient Revocation in Data Outsourcing Systems, IEEE Transactions on Parallel and Distributed Systems, Vol. 22, No. 7, 2011, pp. 1214–1221.
