A new approach to cryptographically enforced data access controls that uses public key cryptography to secure large numbers of documents with arbitrarily large numbers of authorized users. This approach uses a proxy re-encryption (PRE) scheme to handle the problems typical of public key cryptography including key management, rotation, and revocation, in a highly scalable way, while providing end-to-end encryption and provable access. Presented by Bob Wall at the 2018 ACM Cryptography Workshop in Incheon, Korea.

1. Cryptographically Enforced
Orthogonal Access Control at
Scale

2. bobwall23
bob.wall@ironcorelabs.com
zmre
patrick.walsh@ironcorelabs.com
Bob Wall Patrick Walsh

3. Cloud Services
Mobile Devices
Internet of Things
Partners
Employee Laptops
*Uncontrolled and with minimal security
Data is Distributed

4. Perimeter Security is No Longer Relevant
APP

5. Vulnerabilities in Applications
Network-layer
App-layer
90% due to defects at the
application layer.
-DHS

6. Concerns Slow the Move to the Cloud
Security
• Data Breaches
Privacy
• Service provider access to data
• Government access (subpoenas)
Encryption in transit and at rest does almost nothing to address these concerns.

7. End-to-End Encryption
Data secured on the device that generates it
Data stays secured until accessed on a device that will consume it
Keys should stay on the device - public key cryptography

8. Orthogonal Access Control
Allows users to decide which groups are allowed to access data
Independently allows group administrators to control who belongs to those groups
Relies on cryptographically backed access control, rather than policy-based
controls
Makes each change to group membership, access grant, or access revocation a
constant-time operation independent of number of users, groups, documents
Build a system that:

9. Proxy Re-Encryption (PRE)
Set of cryptographic algorithms based on public key encryption - often pairing-
based cryptography
Originally designed to allow the recipient of an encrypted message to delegate
access to another party without sharing her private key

10. PRE algorithms typically include five cryptographic primitives:
1.Key Generation
2.Transform Key Generation
3.Encryption
4.Transformation (ReEncryption)
5.Decryption
PRE Primitives

11. Transform Key Generation
Delegator
Public
Key
Private Key
Delegatee
Public
Key
Private KeyDelegatee
Transform
Key
Proxy
Delegator
Private Key
Public
Key

12. Transform
Key
Proxy
File Encrypted
to Delegator
File Encrypted
to Delegatee
Client
Delegatee
Private Key
Recovered
plaintext
Delegation of Access

13. Introduce the concept of a group
Create a group
Encrypt document to the group
Add a member to the group
allows immediate access to document without requiring any modification
Remove a member from the group
removes access without modifying documents
PRE for Orthogonal Access Control

14. Creating a Group
1. Create key pair for group
2. Encrypt group’s private key to creating user
Group
Public Key
Private Key
Creating
User
Public KeyPublic Key
Private
Key
Group
Encrypted
Group Key
Admin Key
Private Key
Creating
User

15. Granting Access to a Group
1. Retrieve group’s public key
2. Encrypt document using that key
Group
Public Key
Document
Encrypted to
Group

16. Adding a Member to a Group
1. Retrieve member’s public key
2. Retrieve group’s private key
3. Compute transform key from group to member
4. Save transform key on proxy
Member
Public Key
Private
Key Group
Public KeyPublic Key
Private
Key
Group
Member
Private
Key
Group to
Member
Transform Key

17. Group Member Accessing Document
1. Request document from storage
2. Send encrypted doc to proxy for transformation
3. Proxy locates transform key from group to user
4. Proxy applies transform to encrypted document
5. Device decrypts using user’s private key
Transform
Key
Proxy
Doc Encrypted
to Group
Doc Encrypted
to User
Client
User
Private Key
Recovered
plaintext

18. Removing a Member from a Group
Group Admin Revokes
Access from One User
Group Admin Instructs
Server to Delete Group to
User Transform Key
Group
Users
Unique Key Pairs

19. User will use one or more devices to generate or access data
Instead of sharing user’s private key across devices, add another layer
of delegation, from user to device
Device private keys always stay on device
Device access can be revoked if device is lost or compromised
Improving Security

20. Multi-Hop PRE
Document
Encrypted to
A
A to B
Transform Key
Transformed
Encrypted Document
B
Private Key
Transformed
Encrypted Document
B to C
Transform Key
Transformed
Encrypted Document
Doubly Transformed
Encrypted Document
Private Key
CDoubly Transformed
Encrypted Document

21. System with Addition of Devices

22. Add Device to User
Member
Public Key
Private
Key Device
Public KeyPublic Key
Private
Key
Device
Member
Private Key
User to
Device
Transform Key

23. Proxy searches for shortest path of transforms from document to device
Doc shared with user, user approved device
Doc shared with group, user belongs to group, user approved device
Proxy applies transforms in succession to generate doc encrypted to device
Device decrypts using private key
Device Requests Access to Document

24. Algorithm Choice
Selected multi-hop algorithm introduced by Wang and Cao in 2009
Algorithm was analyzed by Zhang and Wang in 2013
CCA security problems addressed by Cai and Liu in 2014
We simplify the algorithm because we only need one proxy and can do
all transforms at one time

25. Still a revocation vulnerability if a group administrator gets the group
private key, then is removed from the system.
Group private key can be used to directly decrypt any data encrypted
to the group, without transformation.
Resolve by augmenting keys
Additional Security Issue

26. Client generates key pair for group or user as before, sends to proxy.
Proxy augments the public key, so that it is no longer mathematically
related to the private key.
Any time a transform key is generated from a group or user, the proxy
augments the transform key using the same factor.
Device keys are not augmented.
Key Augmentation

27. Encrypt to
User 1
Server
Generated
Group 1
Public Key
Private Key
Server
Group 1
Public Key
Private Key
Group 1
Encrypted
Private Key
User 1
Device
A
Server
Generated
Group 1
Public KeyPublic Key
Group 1
Augmented
Public Key
Group 1
Public KeyPublic Key
Server
Secure
Storage
Key Augmentation Process

28. Private key of group or user can no longer be used to decrypt. Only
devices can decrypt data.
Private key of group or user is only used to compute transform keys.
Proxy is required to use augmenting private key when adding new
transform keys, but otherwise transform process is not affected.
Security Benefits

29. We have implemented the PRE primitives in a Scala library
We use ScalaJS to generate a client-side Javascript library from the
same source
Library is open source, available on GitHub - IronCoreLabs/recrypt
PRE Library

30. We built a Javascript SDK around the library
SDK talks to a service that functions as the public key repository and
transformation proxy
Developers are free to try the system - https://docs.ironcorelabs.com
has a Getting Started example
Working System

31. Questions?
Thanks to Madison Kerndt for her help with preparing the presentation.

32. Thank You
bob.wall@ironcorelabs.com
BobWall23
Bob Wall
@ironcorelabs
ironcorelabs.com