Presentation is loading. Please wait.

Presentation is loading. Please wait.

Slide title In CAPITALS 50 pt Slide subtitle 32 pt ESPOON: Enforcing Security Policies in Outsourced Environments M. Rizwan Asghar SRI International Menlo.

Published byKathleen Leslie Ball Modified over 9 years ago

Similar presentations

Presentation on theme: "Slide title In CAPITALS 50 pt Slide subtitle 32 pt ESPOON: Enforcing Security Policies in Outsourced Environments M. Rizwan Asghar SRI International Menlo."— Presentation transcript:

1 Slide title In CAPITALS 50 pt Slide subtitle 32 pt ESPOON: Enforcing Security Policies in Outsourced Environments M. Rizwan Asghar SRI International Menlo Park, CA, USA August 1, 2012

2 Top right corner for field-mark, customer or partner logotypes. See Best practice for example. Slide title 40 pt Slide subtitle 24 pt Text 24 pt Bullets level 2-5 20 pt 2 Why Outsourcing  Cost saving  Scalability  Efficiency  Availability

3 Top right corner for field-mark, customer or partner logotypes. See Best practice for example. Slide title 40 pt Slide subtitle 24 pt Text 24 pt Bullets level 2-5 20 pt 3 Motivation Patient Service Provider Policy Dentist Access Request Medical Record Access Response Policy: Only a dentist may get access from dentist- ward during duty hours (9-17 hrs) Policy Medical Record Issue: Policy or access request may leak sensitive information Requester=Dentist, Location=Dentist-ward, Time=10hrs

4 Top right corner for field-mark, customer or partner logotypes. See Best practice for example. Slide title 40 pt Slide subtitle 24 pt Text 24 pt Bullets level 2-5 20 pt 4 Problem Patient Service Provider Policy Dentist Access Request Medical Record Policy Medical Record Problem: How to evaluate encrypted policy against encrypted access request

5 Top right corner for field-mark, customer or partner logotypes. See Best practice for example. Slide title 40 pt Slide subtitle 24 pt Text 24 pt Bullets level 2-5 20 pt 5 Proposed Solution  We name our solution ESPOON (Enforcing Security Policies in OutsOurced eNvironments)  In ESPOON, the Service Provider is assumed honest-but- curious  ESPOON is capable of handling complex policies involving range queries  ESPOON is a multiuser scheme in which entities do not share any encryption keys  A compromised user can be removed without requiring re- encryption of policies

6 Top right corner for field-mark, customer or partner logotypes. See Best practice for example. Slide title 40 pt Slide subtitle 24 pt Text 24 pt Bullets level 2-5 20 pt 6 ESPOON Architecture Policy Store PIP Administration Point Admin User Service Provider (i) Requester Key Store PEP PDP (6) Data (5) Yes/No (2) (7) Response (1) Outsourced Environment Trusted but can be removed Partially-trusted but can be removed Trusted Key Management Authority Data Store Fully-trusted (ii) (3) (4)

7 Top right corner for field-mark, customer or partner logotypes. See Best practice for example. Slide title 40 pt Slide subtitle 24 pt Text 24 pt Bullets level 2-5 20 pt 7 Policy Representation Λ V Λ V Λ V AT = Access Time Policy: Only a dentist may get access from dentist-ward during duty hours (9-17 hrs) Requester=Dentist Location=Dentist-Ward AT:0**** AT:*0*** AT:**0** AT:***0* AT:****0 AT:1**** AT:*1*** AT:**1** AT:***1*

8 Top right corner for field-mark, customer or partner logotypes. See Best practice for example. Slide title 40 pt Slide subtitle 24 pt Text 24 pt Bullets level 2-5 20 pt 8 Policy Evaluation Λ V Λ V Λ V AT = Access Time C(Requester=Dentist) C(Location=Dentist-Ward) C(AT:0****) C(AT:*0***) C(AT:**0**) C(AT:***0*) C(AT:****0) C(AT:1****) C(AT:*1***) C(AT:**1**) C(AT:***1*) TD(Requester=Dentist) TD(Location=Dentist-Ward) Access Time =10hrs TD(AT:0****) TD(AT:*1***) TD(AT:**0**) TD(AT:***1*) TD(AT:****0) Yes No Yes No Yes

9 Top right corner for field-mark, customer or partner logotypes. See Best practice for example. Slide title 40 pt Slide subtitle 24 pt Text 24 pt Bullets level 2-5 20 pt 9 Policy Evaluation (2) Λ V Λ V Λ V Yes No Yes No Yes No Yes

10 Top right corner for field-mark, customer or partner logotypes. See Best practice for example. Slide title 40 pt Slide subtitle 24 pt Text 24 pt Bullets level 2-5 20 pt 10 Performance Analysis: Requester  String Attribute: O(n), n is the number of string attributes  Numerical Attribute: O(ns), n is the number of numerical attributes each of size s

11 Top right corner for field-mark, customer or partner logotypes. See Best practice for example. Slide title 40 pt Slide subtitle 24 pt Text 24 pt Bullets level 2-5 20 pt 11 Performance Analysis: Policy Evaluation  String Attribute: O(nm), n is the number of string attributes and m is the number of string comparisons  Numerical Attribute: O(nms 2 ), n is the number of numerical attributes and m is the number of numerical comparisons each of size s

12 Top right corner for field-mark, customer or partner logotypes. See Best practice for example. Slide title 40 pt Slide subtitle 24 pt Text 24 pt Bullets level 2-5 20 pt 12 Related Work  Schemes supporting access controls in outsourced environments require re-generation of keys and re-encryption of data for any administrative changes [Vimercati et al. CSAW’07 VLDB’07]  Schemes supporting queries on encrypted data do not support access policies [Dong et al. DBSec’08, Song et al. S&P’00, Boneh et al. EUROCRYPT’04, Curtmola et al. CCS’06, Hwang and Lee LNCS’07, Boneh and Waters TCC’07, Wang et al. SOFSEM’08, Baek et al. ICCSA’08, Rhee et al. JSS’10, Shao et al. Inf. Sci.’10]  Encrypted data with CP-ABE policy reveals the policy structure [Narayan et al. CCSW’10]  Hidden credentials schemes do not support complex policies and require parties to be online [Holt et al. WPES’03, Bradshaw et al. CCS’04]

13 Top right corner for field-mark, customer or partner logotypes. See Best practice for example. Slide title 40 pt Slide subtitle 24 pt Text 24 pt Bullets level 2-5 20 pt 13 Recent Advancements  ESPOON ERBAC –Enforcing RBAC style of policies covering:  RBAC0 – Role assignment and permission assignment  RBAC1 – Dynamic constraints (E-GRANT) - Dynamic separation of duties - Chinese Wall  RBAC2 = RBAC0 + RBAC1  Distributed Policy Enforcement –Under development and writing paper

14 Top right corner for field-mark, customer or partner logotypes. See Best practice for example. Slide title 40 pt Slide subtitle 24 pt Text 24 pt Bullets level 2-5 20 pt 14 Conclusions and Future Work  Conclusions –ESPOON enforces policies in outsourced environments –ESPOON supports complex policies including range queries –ESPOON employs a multiuser scheme where entities do not share keys  Future work –Secure auditing mechanism in ESPOON –Support for negative authorisation policies and conflict resolution

15 Top right corner for field-mark, customer or partner logotypes. See Best practice for example. Slide title 40 pt Slide subtitle 24 pt Text 24 pt Bullets level 2-5 20 pt 15 Conclusions and Future Work  Conclusions –ESPOON enforces policies in outsourced environments –ESPOON supports complex policies including range queries –ESPOON employs a multiuser scheme where entities do not share keys  Future work –Secure auditing mechanism in ESPOON –Support for negative authorisation policies and conflict resolution

16 Top right corner for field-mark, customer or partner logotypes. See Best practice for example. Slide title 40 pt Slide subtitle 24 pt Text 24 pt Bullets level 2-5 20 pt 16 References  [Asghar et al. CCS’11] M. R. Asghar, G. Russello, B. Crispo. POSTER:ESPOON ERBAC : Enforcing Security Policies in Outsourced Environments with Encrypted RBAC. In Proceedings of the 18th ACM conference on Computer and communications security, CCS ’11, pages 841- 844, New York, NY, USA, 2011. ACM.  [Asghar et al. ARES’11] M. R. Asghar, M. Ion, G. Russello, B. Crispo. ESPOON: Enforcing Encrypted Security Policies in Outsourced Environments. The Sixth International Conference on Availability, Reliability and Security (ARES), Austria, Vienna, 22-26 August 2011, pages 99-108. IEEE, 2011 (Full paper acceptance rate was 20%).  M. R. Asghar, M. Ion, G. Russello, B. Crispo. ESPOON ERBAC : Enforcing Security Policies in Outsourced Environments with Encrypted RBAC. Elsevier Computers & Security (COSE) – under review  M. R. Asghar, G. Russello, B. Crispo. E-GRANT: Enforcing Encrypted Dynamic Security Constraints in the Cloud – A journal paper under review

17 Top right corner for field-mark, customer or partner logotypes. See Best practice for example. Slide title 40 pt Slide subtitle 24 pt Text 24 pt Bullets level 2-5 20 pt 17 Thank You! Any Questions? asghar@disi.unitn.it asghar@disi.unitn.it

18 Top right corner for field-mark, customer or partner logotypes. See Best practice for example. Slide title 40 pt Slide subtitle 24 pt Text 24 pt Bullets level 2-5 20 pt 18 Performance Analysis: Policy Deployment  String Comparison: For both enc and re-enc: O(n), n is the number of string comparisons  Numerical Comparison: For both enc and re-enc O(ns), n is the number of numerical comparisons each of size s

19 Top right corner for field-mark, customer or partner logotypes. See Best practice for example. Slide title 40 pt Slide subtitle 24 pt Text 24 pt Bullets level 2-5 20 pt 19 Key Distribution  A Trusted Key Management Authority (KMA) is initialised with security parameters to generate –Master secret key x and s –Public parameters (g, h=g x, H, f)  For each user i, the KMA –randomly generates x i1 –calculates x i2 = x – x i1  Finally, the KMA securely transmits –K U i = (x i1, s) to user i –K S i = (x i2, i) to the Server Provider

20 Top right corner for field-mark, customer or partner logotypes. See Best practice for example. Slide title 40 pt Slide subtitle 24 pt Text 24 pt Bullets level 2-5 20 pt 20 Policy Deployment: Admin User Side PD-Condition-Enc

21 Top right corner for field-mark, customer or partner logotypes. See Best practice for example. Slide title 40 pt Slide subtitle 24 pt Text 24 pt Bullets level 2-5 20 pt 21 Policy Deployment: Service Provider Side PD-Condition-Re-Enc

22 Top right corner for field-mark, customer or partner logotypes. See Best practice for example. Slide title 40 pt Slide subtitle 24 pt Text 24 pt Bullets level 2-5 20 pt 22 Request: Requester Side PE-Attributes-Enc

23 Top right corner for field-mark, customer or partner logotypes. See Best practice for example. Slide title 40 pt Slide subtitle 24 pt Text 24 pt Bullets level 2-5 20 pt 23 Request: Service Provider Side PE-Attributes-Re-Enc

24 Top right corner for field-mark, customer or partner logotypes. See Best practice for example. Slide title 40 pt Slide subtitle 24 pt Text 24 pt Bullets level 2-5 20 pt 24 Policy Evaluation Match Yes or No

Download ppt "Slide title In CAPITALS 50 pt Slide subtitle 32 pt ESPOON: Enforcing Security Policies in Outsourced Environments M. Rizwan Asghar SRI International Menlo."

Similar presentations

Trusted Data Sharing over Untrusted Cloud Storage Provider Gansen Zhao, Chunming Rong, Jin Li, Feng Zhang, and Yong Tang Cloud Computing Technology and.

Trusted Data Sharing over Untrusted Cloud Storage Provider Gansen Zhao, Chunming Rong, Jin Li, Feng Zhang, and Yong Tang Cloud Computing Technology and.
PIR-Tor: Scalable Anonymous Communication Using Private Information Retrieval Prateek Mittal University of Illinois Urbana-Champaign Joint work with: Femi.

PIR-Tor: Scalable Anonymous Communication Using Private Information Retrieval Prateek Mittal University of Illinois Urbana-Champaign Joint work with: Femi.
Efficient Information Retrieval for Ranked Queries in Cost-Effective Cloud Environments Presenter: Qin Liu a,b Joint work with Chiu C. Tan b, Jie Wu b,

Efficient Information Retrieval for Ranked Queries in Cost-Effective Cloud Environments Presenter: Qin Liu a,b Joint work with Chiu C. Tan b, Jie Wu b,
Building an Encrypted and Searchable Audit Log Brent Waters Dirk Balfanz Glenn Durfee D.K. Smetters.

Building an Encrypted and Searchable Audit Log Brent Waters Dirk Balfanz Glenn Durfee D.K. Smetters.
Slide title In CAPITALS 50 pt Slide subtitle 32 pt G3X Series Fixed Wireless Terminals for GSM/EDGE Networks.

Slide title In CAPITALS 50 pt Slide subtitle 32 pt G3X Series Fixed Wireless Terminals for GSM/EDGE Networks.
Broadcast Encryption and Traitor Tracing 2001. 12. 2001507 Jin Kim.

Broadcast Encryption and Traitor Tracing Jin Kim.
Role Based Access Control Venkata Marella. Access Control System Access control is the ability to permit or deny the use of a particular resource by a.

Role Based Access Control Venkata Marella. Access Control System Access control is the ability to permit or deny the use of a particular resource by a.
Slide title In CAPITALS 50 pt Slide subtitle 32 pt Ericsson satsning på Public Safety - National Security HIØ Personalseminar – 9. mai 06 - Ed.

Slide title In CAPITALS 50 pt Slide subtitle 32 pt Ericsson satsning på Public Safety - National Security HIØ Personalseminar – 9. mai 06 - Ed.
Improving Privacy and Security in Multi- Authority Attribute-Based Encryption Advanced Information Security April 6, 2010 Presenter: Semin Kim.

Improving Privacy and Security in Multi- Authority Attribute-Based Encryption Advanced Information Security April 6, 2010 Presenter: Semin Kim.
Privacy-Preserving Computation and Verification of Aggregate Queries on Outsourced Databases Brian Thompson 1, Stuart Haber 2, William G. Horne 2, Tomas.

Privacy-Preserving Computation and Verification of Aggregate Queries on Outsourced Databases Brian Thompson 1, Stuart Haber 2, William G. Horne 2, Tomas.
A Heterogeneous Network Access Service based on PERMIS and SAML Gabriel López Millán University of Murcia EuroPKI Workshop 2005.

A Heterogeneous Network Access Service based on PERMIS and SAML Gabriel López Millán University of Murcia EuroPKI Workshop 2005.
Research interest: Secure database outsourcing Presented by Alla Lanovenko Thesis Adviser: Professor Huiping Guo 599 A 11 December 2006.

Research interest: Secure database outsourcing Presented by Alla Lanovenko Thesis Adviser: Professor Huiping Guo 599 A 11 December 2006.
11 World-Leading Research with Real-World Impact! Role and Attribute Based Collaborative Administration of Intra-Tenant Cloud IaaS (Invited Paper) Xin.

11 World-Leading Research with Real-World Impact! Role and Attribute Based Collaborative Administration of Intra-Tenant Cloud IaaS (Invited Paper) Xin.
Ciphertext-Policy, Attribute-Based Encryption Brent Waters SRI International John Bethencourt CMU Amit Sahai UCLA.

Ciphertext-Policy, Attribute-Based Encryption Brent Waters SRI International John Bethencourt CMU Amit Sahai UCLA.
1 © Talend 2014 XACML Authorization Training Slides 2014 Jan Bernhardt Zsolt Beothy-Elo

1 © Talend 2014 XACML Authorization Training Slides 2014 Jan Bernhardt Zsolt Beothy-Elo
Slide title In CAPITALS 50 pt Slide subtitle 32 pt Consumers’ Awareness of, Attitudes Towards and Adoption of Mobile Phone Security Stewart Kowalski, Ericsson.

Slide title In CAPITALS 50 pt Slide subtitle 32 pt Consumers’ Awareness of, Attitudes Towards and Adoption of Mobile Phone Security Stewart Kowalski, Ericsson.
WP6: Grid Authorization Service Review meeting in Berlin, March 8 th 2004 Marcin Adamski Michał Chmielewski Sergiusz Fonrobert Jarek Nabrzyski Tomasz Nowocień.

WP6: Grid Authorization Service Review meeting in Berlin, March 8 th 2004 Marcin Adamski Michał Chmielewski Sergiusz Fonrobert Jarek Nabrzyski Tomasz Nowocień.
Sinaia, Romania August, 2014 14 TH Workshop “Software Engineering Education and Reverse Engineering” Dhuratë Hyseni, Betim Çiço South East European University.

Sinaia, Romania August, TH Workshop “Software Engineering Education and Reverse Engineering” Dhuratë Hyseni, Betim Çiço South East European University.
Construction of efficient PDP scheme for Distributed Cloud Storage. By Manognya Reddy Kondam.

Construction of efficient PDP scheme for Distributed Cloud Storage. By Manognya Reddy Kondam.
Slide title In CAPITALS 50 pt Slide subtitle 32 pt Improved project management practices as a key to the successful IS implementation Željka Požgaj*, Hrvoje.

Slide title In CAPITALS 50 pt Slide subtitle 32 pt Improved project management practices as a key to the successful IS implementation Željka Požgaj*, Hrvoje.

Similar presentations

Ads by Google