2 research outputs found

    Oblivious Enforcement of Hidden Information Release Policies Using Online Certification Authorities

    This thesis examines a new approach to attribute-based access control with hidden policies and hidden credentials. In this setting, a resource owner has an access control policy that is a function of Boolean-valued attributes of the resource requester. Access to the resource should be granted if and only if the resource owner's policy is satisfied, but we wish to hide the access control policy from the resource requester and the requester's attributes from the resource owner. Previous solutions to this problem involved the use of cryptographic credentials held by the resource requester, but it is obvious that if no information is provided about the access control policy, then the resource requester must try to satisfy the policy using every available credential. An initial contribution of this thesis is the first published empirical evaluation of the state-of-the-art protocol of Frikken, Atallah, and Li for access control with hidden policies and hidden credentials, demonstrating that the computational cost of the required cryptographic operations is highly burdensome. A new system model is then proposed that includes the active involvement of online certification authorities (CAs). These are entities that can provide authoritative information about the attributes in a resource owner's access control policy. Allowing the resource owner to query these online CAs immediately removes the need for the resource requester to guess which credentials to use. If the resource owner was allowed to learn the values of a requester's attributes from online CAs, however, the requester's credentials would no longer be private. This thesis examines cryptographic solutions in which the CAs' replies do not directly reveal any attribute information to the resource owner, but can nevertheless be used in the enforcement of an access control policy. The techniques considered involve scrambled circuit evaluation, homomorphic encryption, and secure multiparty computation using arithmetic circuits and Shamir secret sharing. Empirical experiments demonstrate that the proposed protocols can provide an order-of-magnitude performance improvement over existing solutions.

    Oblivious enforcement of hidden information release policies

    In a computing system, sensitive data must be protected by release policies that determine which principals are authorized to access that data. In some cases, such a release policy could refer to information about the requesting principal that is unavailable to the information provider. Furthermore, the release policy itself may contain sensitive information about the resource that it protects. In this paper we describe a scheme for enforcing information release policies whose satisfaction cannot be verified by the entity holding the protected information, but only by the entity requesting this information. Not only does our scheme prevent the information provider from learning whether the policy was satisfied, but it also hides the information release policy being enforced from the requesting principal. Unlike previous approaches, our construction requires no guesswork or wasted computation on the part of the information requester. The information release policies that we consider can contain third-party assertions that themselves have release conditions that must be satisfied; we show that our system functions correctly even when these dependencies form cycles. © 2010 ACM