Presentation is loading. Please wait.

Presentation is loading. Please wait.

ETSI STF 529 on Attribute Based Encryption for IoT, Cloud, mobile

Published byJuliana Alannah Todd Modified over 6 years ago

Similar presentations

Presentation on theme: "ETSI STF 529 on Attribute Based Encryption for IoT, Cloud, mobile"— Presentation transcript:

1 ETSI STF 529 on Attribute Based Encryption for IoT, Cloud, mobile
Presentation to oneM2M SEC WG4, July 5, 2017 Dr. Giovanni Bartolomeo (CNIT), François Ambrosini (IBIT Ambrosini UG (Haftungsbeschränkt)) © ETSI All rights reserved

2 Objectives for today’s call
Introduction to Attribute-based encryption Objectives of STF 529 Mapping to oneM2M architecture Next steps with oneM2M © ETSI All rights reserved

3 What is Attribute-Based Encryption?
© ETSI All rights reserved

4 What is Attribute-Based Encryption? (1)
Encryption is widely used to protect confidentiality of data in untrusted environments Where a message has to be transmitted to several parties, it has to be encrypted separately for each party The sender must know in advance the identity and public key of each individual to whom the data should be disclosed Such encryption schemes provide a simple “access control” solution To provide full access control, conventionally encryption schemes have to be integrated with a key management and access control infrastructure The general structure adopted to date is that Attribute Based Access Control (ABAC) In ABAC, Access Control Policies (ACPs) are based on attributes that one or more authorities provide to parties © ETSI All rights reserved

5 What is Attribute-Based Encryption? (2)
Attribute Based Encryption (ABE)… …is a crypto scheme that provides a level of protection similar to ABAC, leveraging on crypto algorithms only (no software-based PEP/PDP, the algorithm is the PEP) …has two main variants: CP-ABE and KP-ABE Can support different trust models Data at rest (data storage) and B2B data sharing Processing at isolated (offline) devices Platform Provider Different use cases in IoT, Cloud, Mobile Current focus on confidentiality of PII and personal data © ETSI All rights reserved

6 What is Attribute-Based Encryption? (3)
Composition of a KP-ABE cryptosystem Setup(k): takes as input the security parameter k and outputs a master public key MPK and a master secret key MSK. Encryption(MPK,A,m): takes as input the master public key MPK, a set of attributes A, and a message m, and outputs a ciphertext C associated with the attributes from A. KeyGeneration(MSK,MPK,AS): takes as input the master secret key MSK, the master public key MPK, and an access structure AS, and outputs a secret key SKAS associated with the access structure AS. Decryption(SKAS,MPK,C): takes as input a secret key associated with an access structure AS, a master public key MPK, and a ciphertext C associated with some attributes, and outputs a message m if the attributes in C satisfy the access structure AS or an error code that indicates that decryption failed (from draft ETSI TS clause 4.2) © ETSI All rights reserved

7 What is Attribute-Based Encryption? (4)
Composition of a CP-ABE cryptosystem Setup(k): takes as input the security parameter and outputs a master public key MPK and a master secret key MSK. Encryption(MPK,AS,m): takes as input the master public key MPK, an access structure AS, and a message m, and outputs a ciphertext C associated with the access structure AS. KeyGeneration(MSK,MPK,A): takes as input the master secret key MSK, the master public key MPK, and a list of attributes A, and outputs a secret key SKA associated with the set of attributes A. Decryption(SKA,MPK,C): takes as input a secret key associated with a set of attributes A, a master public key MPK, and a ciphertext C associated with some access structure, and outputs a message m if the attributes in skA satisfy the access structure in the ciphertext or an error code that indicates that decryption failed. (from draft ETSI TS clause 4.3) © ETSI All rights reserved

8 What is Attribute-Based Encryption? (5)
ABAC laymans‘ terms for use of ABE schemes In KP-ABE the ciphertext holds attributes describing the data the private key holds the access policy Distributing a private key is similar to granting access rights to the subject In CP-ABE the ciphertext holds the access policy, the private key holds attributes describing the subject Distributing a private key is similar to granting a role to the subject This is only a rough, first approximation One challenge with ABE lies in the balance between giving attributes to subjects vs. giving attributes to objects © ETSI All rights reserved

9 Objectives of STF 529 © ETSI All rights reserved

10 Objectives of STF 529 Develop and ABE-based toolkit for data access control cloud, mobile and IoT Interoperability and flexibility is a key requirement Two drafts under development at TC CYBER TS Use Cases (Q1/2018) TS Functional Architecture and Protocols (Q1/2018) Aspects addressed in TS Variants definition (CP-ABE, KP-ABE) Revocation (attributes, keys, expiration…) Distribution (keys, attributes, policies) Multi-authority scheme(s) Expressiveness and limitations (compared to ABAC) Trust and assertions (data capture, data access…) Performance and overhead (public-key crypto) © ETSI All rights reserved

11 Objectives of STF 529 (2) Intermediate Access Control Language to ensure interoperability of ABE-based access control Binds ABE primitives to an access control language Adaptable to ABAC, NGAC and others Takes ontologies into account for data types and attribute semantics Our current model: (from draft ETSI TS clause 7.4) © ETSI All rights reserved

12 ABE and the Internet of Things
© ETSI All rights reserved

13 ABE and the Internet of Things (1)
OneM2M (TS-0003r2) use cases for ABE Platform Provider model ABAC based ACP/tokens Focus on interoperability (Restful API, json, URI, ontologies) © ETSI All rights reserved

14 ABE and the Internet of Things (2)
Additional IoT use cases for ABE Best supported by KP-ABE Cover the industrial sectors where employee personal data is interleaved with business data Support PII protection, according to data owner instructions, with accessibility to trusted third-parties such as Basic health information for emergency responders (including offline requests) emergency / work incident (e.g. location update) Lone worker situations Incident audits Business improvement audits Data processing by third-parties Untrusted data stores © ETSI All rights reserved

15 Next steps with oneM2M © ETSI All rights reserved

16 Proposed next steps with oneM2M
STF 529 and TC CYBER have identified oneM2M as a potential user of our ABE-toolkit The ABE-based access control toolkit should be flexible yet address the needs of users Check interest within oneM2M The STF would welcome discussion on requirements / use cases from oneM2M SEC group (and other groups?) that would help us progress the work further collaboration in order to ensure the toolkit can be easily used (or adapted) in oneM2M specifications © ETSI All rights reserved

17 THANK YOU! Contact Liaisons Statements should be sent to ETSI TC CYBER
Presenters’ contact information: giovanni.bartolomeo AT uniroma2.it (STF Leader) francois.Ambrosini AT famb.info Check STF 529 activities on the ETSI portal THANK YOU! About ETSI: ETSI produces globally-applicable standards for Information and Communications Technologies (ICT), including fixed, mobile, radio, converged, broadcast and internet technologies and is officially recognized by the European Commission as a European Standards Organization. ETSI is a not-for-profit organization whose Member Organizations benefit from direct participation and are drawn from countries worldwide. For more information, please visit:   About ETSI Specialist Task Forces (STF): STFs are teams of highly-skilled experts working together over a pre-defined period to draft an ETSI standard under the technical guidance of an ETSI Technical Body and with the support of the ETSI Secretariat.  The task of the STFs is to accelerate the standardization process in areas of strategic importance and in response to urgent market needs. For more information, please visit the STF home page © ETSI All rights reserved

Download ppt "ETSI STF 529 on Attribute Based Encryption for IoT, Cloud, mobile"

Similar presentations

Topic 7: Using cryptography in mobile computing. Cryptography basics: symmetric, public-key, hash function and digital signature Cryptography, describing.

Topic 7: Using cryptography in mobile computing. Cryptography basics: symmetric, public-key, hash function and digital signature Cryptography, describing.
OneM2M Draft proposal for slide set. This is not intended to be a oneM2M presentation. It is a collection of source material slides which can be used.

OneM2M Draft proposal for slide set. This is not intended to be a oneM2M presentation. It is a collection of source material slides which can be used.
Lecture 12 Electronic Business (MGT-485). Recap – Lecture 11 E-Commerce Security Environment Security Threats in E-commerce Technology Solutions.

Lecture 12 Electronic Business (MGT-485). Recap – Lecture 11 E-Commerce Security Environment Security Threats in E-commerce Technology Solutions.
Chapter 9: Using and Managing Keys Security+ Guide to Network Security Fundamentals Second Edition.

Chapter 9: Using and Managing Keys Security+ Guide to Network Security Fundamentals Second Edition.
Dr. Bhavani Thuraisingham October 2006 Trustworthy Semantic Webs Lecture #16: Web Services and Security.

Dr. Bhavani Thuraisingham October 2006 Trustworthy Semantic Webs Lecture #16: Web Services and Security.
Halifax, 31 Oct – 3 Nov 2011ICT Accessibility For All SMART GRID ICT: SECURITY, INTEROPERABILITY & NEXT STEPS John O’Neill, Senior Project Manager CSA.

Halifax, 31 Oct – 3 Nov 2011ICT Accessibility For All SMART GRID ICT: SECURITY, INTEROPERABILITY & NEXT STEPS John O’Neill, Senior Project Manager CSA.
GSC-19 Meeting, 15-16 July 2015, Geneva Agenda IoT session – part 2 Luis Jorge Romero, Director General, ETSI Document No:GSC-19_200c Source:ETSI Contact:Luis.

GSC-19 Meeting, July 2015, Geneva Agenda IoT session – part 2 Luis Jorge Romero, Director General, ETSI Document No:GSC-19_200c Source:ETSI Contact:Luis.
Ali Pabrai, CISSP, CSCS ecfirst, chairman & ceo Preparing for a HIPAA Security Audit.

Ali Pabrai, CISSP, CSCS ecfirst, chairman & ceo Preparing for a HIPAA Security Audit.
Digital Agenda Unleashing the Potential of Cloud Computing in Europe Ken Ducatel Head of Unit DG Connect, Software and Services, Cloud 05 December 2012.

Digital Agenda Unleashing the Potential of Cloud Computing in Europe Ken Ducatel Head of Unit DG Connect, Software and Services, Cloud 05 December 2012.
OneM2M Partnership Project. Contents Introduction Founding Partners Participation Scope & Objectives Structure Deliverables Contacts © 2013 oneM2M Partners.

OneM2M Partnership Project. Contents Introduction Founding Partners Participation Scope & Objectives Structure Deliverables Contacts © 2013 oneM2M Partners.
Update on ETSI Security work Charles Brookson OCG Security Chairman DOCUMENT #:GSC13-PLEN-57 FOR:Information SOURCE:Charles Brookson AGENDA ITEM:6.3

Update on ETSI Security work Charles Brookson OCG Security Chairman DOCUMENT #:GSC13-PLEN-57 FOR:Information SOURCE:Charles Brookson AGENDA ITEM:6.3
9.2 SECURE CHANNELS JEJI RAMCHAND VEDULLAPALLI. Content Introduction Authentication Message Integrity and Confidentiality Secure Group Communications.

9.2 SECURE CHANNELS JEJI RAMCHAND VEDULLAPALLI. Content Introduction Authentication Message Integrity and Confidentiality Secure Group Communications.
IoT R&I on IoT integration and platforms INTERNET OF THINGS

IoT R&I on IoT integration and platforms INTERNET OF THINGS
SDN & NFV Driving Additional Value into Managed Services.

SDN & NFV Driving Additional Value into Managed Services.
TAG Presentation 18th May 2004 Paul Butler

TAG Presentation 18th May 2004 Paul Butler
With Office 365, Collaborative Solution by Qorus Streamlines Document Assembly and Enhances Productivity for Any Business-Critical Documents OFFICE 365.

With Office 365, Collaborative Solution by Qorus Streamlines Document Assembly and Enhances Productivity for Any Business-Critical Documents OFFICE 365.
Shucheng Yu, Cong Wang, Kui Ren,

Shucheng Yu, Cong Wang, Kui Ren,
Standardization activities on IPTV in CCSA

Standardization activities on IPTV in CCSA
STF489 - Total Conversation for Emergency Communications

STF489 - Total Conversation for Emergency Communications
Training for developers of X-Road interfaces

Training for developers of X-Road interfaces

Similar presentations

Ads by Google