On Using Encryption Techniques to Enhance Sticky Policies Enforcement

How to enforce privacy policies to protect sensitive personal data has become an urgent research topic for security researchers, as very little has been done in this field apart from some ad hoc research efforts. The sticky policy paradigm, proposed by Karjoth, Schunter, and Waidner, provides very useful inspiration on how we can protect sensitive personal data, but the enforcement is very weak. In this paper we provide an overview of the state of the art in enforcing sticky policies, especially the concept of sticky policy enforcement using encryption techniques including Public-Key Encryption (PKE), Identity-Based Encryption (IBE), Attribute-Based Encryption (ABE), and Proxy Re-Encryption (PRE). We provide detailed comparison results on the (dis)advantages of these enforcement mechanisms. As a result of the analysis, we provide a general framework for enhancing sticky policy enforcement using Type-based PRE (TPRE), which is an extension of general PRE

Building Secure and Anonymous Communication Channel: Formal Model and its Prototype Implementation

Various techniques need to be combined to realize anonymously authenticated communication. Cryptographic tools enable anonymous user authentication while anonymous communication protocols hide users' IP addresses from service providers. One simple approach for realizing anonymously authenticated communication is their simple combination, but this gives rise to another issue; how to build a secure channel. The current public key infrastructure cannot be used since the user's public key identifies the user. To cope with this issue, we propose a protocol that uses identity-based encryption for packet encryption without sacrificing anonymity, and group signature for anonymous user authentication. Communications in the protocol take place through proxy entities that conceal users' IP addresses from service providers. The underlying group signature is customized to meet our objective and improve its efficiency. We also introduce a proof-of-concept implementation to demonstrate the protocol's feasibility. We compare its performance to SSL communication and demonstrate its practicality, and conclude that the protocol realizes secure, anonymous, and authenticated communication between users and service providers with practical performance.Comment: This is a preprint version of our paper presented in SAC'14, March 24-28, 2014, Gyeongju, Korea. ACMSAC 201

An Efficient Certificateless Encryption for Secure Data Sharing in Public Clouds

We propose a mediated certificateless encryption scheme without pairing operations for securely sharing sensitive information in public clouds. Mediated certificateless public key encryption (mCL-PKE) solves the key escrow problem in identity based encryption and certificate revocation problem in public key cryptography. However, existing mCL-PKE schemes are either inefficient because of the use of expensive pairing operations or vulnerable against partial decryption attacks. In order to address the performance and security issues, in this paper, we first propose a mCL-PKE scheme without using pairing operations. We apply our mCL-PKE scheme to construct a practical solution to the problem of sharing sensitive information in public clouds. The cloud is employed as a secure storage as well as a key generation center. In our system, the data owner encrypts the sensitive data using the cloud generated users’ public keys based on its access control policies and uploads the encrypted data to the cloud. Upon successful authorization, the cloud partially decrypts the encrypted data for the users. The users subsequently fully decrypt the partially decrypted data using their private keys. The confidentiality of the content and the keys is preserved with respect to the cloud, because the cloud cannot fully decrypt the information. We also propose an extension to the above approach to improve the efficiency of encryption at the data owner. We implement our mCL-PKE scheme and the overall cloud based system, and evaluate its security and performance. Our results show that our schemes are efficient and practical

A new encrypted data switching Protocol: Bridging IBE and ABE without loss of data confidentiality

Encryption technologies have become one of the most prevalent solutions to safeguard data confidentiality in may real-world applications, e.g., cloud-based data storage systems. Encryption outputting a relatively “static” format of encrypted data, however, may hinder further data operations, for example, encrypted data may need to be “transformed” into other formats for either computation or other purposes. In order to enable an encryption to be used in another device equipped with a different encryption mechanism, the concept of encryption switching is first proposed in CRYPTO 2016 for conversion particularly between Paillier and ElGamal encryptions. This paper considers the conversion between conventional identity-based and attribute-based encryptions and further proposes a concrete construction via the technique of proxy reencryption. The construction is proved to be CPA secure in the standard model under q-decisional parallel bilinear Diffie-Hellman exponent assumption. The performance comparisons highlight that our bridging mechanism reduces computation and communication cost on client side, especially when the data of client is encrypted and outsourced to remote cloud. The computational costs w.r.t. re-encryption (on server side) and decryption (on client side) are acceptable in practice

Enhance Data Security Protection for Data Sharing in Cloud Storage System

Cloud computing technology can be used in all types of organizations. There are many benefits to use cloud storage. The most notable is data accessibility. Data stored in the cloud can be accessed at any time any place. Another advantage of cloud storage is data sharing between users. By sharing storage and networks with many users it is also possible for unauthorized users to access our data. To provide confidentiality of shared sensitive data, the cryptographic techniques are applied. So protect the data from unauthorized users, the cryptographic key is main challenge. In this method a data protection for cloud storage 1) The key is protected by two factors: Secret key is stored in the computer and personal security device 2) The key can be revoked efficiently by implementing proxy re-encryption and key separation techniques. 3) The data is protected in a fine grained way by adopting the attribute based encryption technique. So our proposed method provides confidentiality on data

A UNIQUE ASSISTANCE THAT PROVIDES GUARANTEE THE HIDING OF DATA

The fundamental dependence on the services is to be sure the confidentiality from the data. This paper, the very first time, proposes a privacy-preserving cipher text multi-discussing mechanism to offer the above qualities. By utilizing some traditional PKE, Identity-Based File encryption (IBE), or Attribute-Based File encryption (ABE), the confidentiality from the record could be protected effectively. It combines the merits of proxy re-file encryption with anonymous technique where a cipher text could be safely and conditionally shared multiple occasions without dripping both understanding of underlying message and also the identity information of cipher text senders/recipients. The necessity of secure big data storage services are more inviting than ever before up to now. The safety type of MH-IBCPRE may be the fundamental one, where a challenger plays the sport using the foe to produce Selected-Cipher text Attacks (CCA) towards the original cipher text and re-encrypted cipher text to be able to solve a tough problem. However, the anonymity from the service clients, probably the most essential facets of privacy, should be thought about concurrently. In addition, this paper implies that the brand new primitive is safe against selected-cipher text attacks within the standard model. Furthermore, the service should also provide practical and fine-grained encrypted data discussing so that an information owner is permitted to talk about a cipher text of information amongst others under some specified conditions

Symmetric Primitives with Structured Secrets

Securely managing encrypted data on an untrusted party is a challenging problem that has motivated the study of a variety of cryptographic primitives. A special class of such primitives allows an untrusted party to transform a ciphertext encrypted under one key to a ciphertext under another key, using some auxiliary information that does not leak the underlying data. Prominent examples of such primitives in the symmetric-key setting are key-homomorphic PRFs, updatable encryption, and proxy re-encryption. Although these primitives differ significantly in terms of their constructions and security requirements, they share two important properties: (a) they have secrets with structure or extra functionality, and (b) all known constructions of these primitives satisfying reasonably strong definitions of security are based on concrete public-key assumptions, e.g., DDH and LWE. This raises the question of whether these objects inherently belong to the world of public-key primitives, or they can potentially be built from simple symmetric-key objects such as pseudorandom functions. In this work, we show that the latter possibility is unlikely. More specifically, we show that: • Any (bounded) key-homomorphic weak PRF with an abelian output group implies a (bounded) input-homomorphic weak PRF, which has recently been shown to imply not only public-key encryption (PKE), but also a variety of primitives such as PIR, lossy TDFs, and even IBE. • Any ciphertext-independent updatable encryption scheme that is forward and post-compromise secure implies PKE. Moreover, any symmetric-key proxy re-encryption scheme with reasonably strong security guarantees implies a forward and post-compromise secure ciphertext-independent updatable encryption, and hence PKE. In addition, we show that unbounded (or exact) key-homomorphic weak PRFs over abelian groups are impossible in the quantum world. In other words, over abelian groups, bounded key-homomorphism is the best that we can hope for in terms of post-quantum security. Our attack also works over other structured primitives with abelian groups and exact homomorphisms, including homomorphic one-way functions and input-homomorphic weak PRFs