This presentation explores the problem of how to protect and release confidential information at a predefined disclosure time. It discusses various scenarios, requirements, related work, and proposes an IBE-based approach. The core properties and three-player model of IBE are explained.
The HP Time Vault Service: Exploiting IBE for Timed Release of Confidential Information
Marco Casassa Mont, Keith Harrison, Martin Sadler
Trusted Systems Laboratory, Hewlett-Packard Labs, Bristol, UK
WWW 2003, 20-24 May 2003, Budapest, Hungary
Presentation Outline
• Addressed Problem: Timed Release of Confidential Data
• Scenarios
• Requirements
• Related Work
• Our IBE-based Approach
• Discussion
• Conclusions
Trusted Systems Laboratory – Hewlett-Packard Labs, Bristol - UK
Problem: Timed Release of Confidential Data [1]
How to Protect Confidential Information Until a Predefined Disclosure Time and Deal With its Subsequent Disclosure?
Problem: Timed Release of Confidential Data [2]
It is a Common Real-life Problem:
• Enterprise and Business Environment: confidential data can be disclosed to employees and stakeholders only at well-defined points in time
• B2B and E-Commerce: blind auctions, marketplaces, etc. The involved parties are prevented from accessing sensitive information for a predefined period of time
• Ordinary Life: political elections, students’ exam results, etc.
Scenarios [1]
[Timeline diagram. Labels on the time axis: Generation of Confidential Data + Disclosure Time; Starting to Protect Confidential Data; Disclosure & Distribution]
Scenarios [2]
[Timeline diagram. Labels on the time axis: Generation of Confidential Data + Disclosure Time; Starting to Protect Confidential Data; Distribution; Disclosure]
Requirements
Solutions Dealing With This Problem Should:
• Strongly Enforce Disclosure Constraints to Preserve Confidentiality
• Avoid Bottlenecks
• Be Simple
• Be Provided by Accountable Organisations
Related Work [1]
Time-Lock Puzzles:
• Based on Computational Complexity
• Intensive Usage of Computational Resources
• Interesting Approach, but Impractical
Related Work [2]
Timed Release Cryptography [Approach 1]: Trusted Agent
• Uses Trusted Agents (i.e. Trusted Third Parties)
• Confidential Data Encrypted and Stored Locally Until its Disclosure Time
• Costs in Terms of Resources
• Escrow Problem
Related Work [3]
Timed Release Cryptography [Approach 2]: Trusted Agent
• Uses Trusted Agents
• No Local Storage of Confidential Data
• Publication of “Decryption” Secret at the Disclosure Time
• Users Must Interact with the Trusted Agent for Data Encryption
Related Work [4]
Alternative Solutions Based on:
• Encryption of Data based on Traditional (RSA) Cryptography
• Access Control
• Hybrid Models
Our Approach
Based on:
• “Timed Release” Principles
• Identifier-based Encryption (IBE)
What is Identifier-based Encryption (IBE)?
• It is an Emerging Cryptography Technology
• Based on a Three-Player Model: Sender, Receiver, Trust Authority (Trusted Third Party)
• Same Strength as RSA
• Different Approaches: Quadratic Residuosity, Weil Pairing, Tate Pairing …
IBE Core Properties
• 1st Property: Any Kind of “String” (or Sequence of Bytes) Can Be Used as an IBE Encryption Key: for example a Role, Terms and Conditions, an e-Mail Address, a Picture, a Disclosure Time
• 2nd Property: The Generation of IBE Decryption Keys Can Be Postponed in Time, even a Long Time After the Generation of the Corresponding IBE Encryption Key
• 3rd Property: Reliance on at Least One Trust Authority (Trusted Third Party) for the Generation of the IBE Decryption Key
IBE Three-Player Model
[Diagram: Alice (sender), Bob (receiver) and the Trust Authority, with numbered interactions 1 to 6]
1. The Trust Authority generates and protects a Secret, and publishes a Public Detail N.
2. Alice knows the Trust Authority's published value of Public Detail N. It is well known or available from a reliable source.
3. Alice chooses an appropriate Encryption Key. She encrypts the message: Encrypted message = {E(msg, N, encryption key)}
4. Alice sends the encrypted message to Bob, along with the Encryption Key.
5. Bob requests the Decryption Key associated with the Encryption Key from the relevant Trust Authority.
6. The Trust Authority issues an IBE Decryption Key corresponding to the supplied Encryption Key only if it is happy with Bob’s entitlement to the Decryption Key. It needs the Secret to perform the computation.
Leveraging IBE for Timed Release of Confidential Information
• Using “Disclosure Times” as IBE Encryption Keys, for example “GMT200401011200”
• IBE Decryption Keys are Generated by the Trust Authority only at the Disclosure Time. No need to Store or Secure Them.
• The Trust Authority Continuously Generates and Publishes IBE Decryption Keys corresponding to the Current Time, with a Predefined Frequency
The HP Time Vault Service: Model
• The owner of confidential information encrypts it with an IBE encryption key – i.e. the disclosure time of the document, for example “GMT200401011200”, and then distributes it (No Interactions Required with the Time Vault Service!)
• Here the owner of confidential information uses a predictable encryption key knowing that the corresponding decryption key will only be available after a specific time
• The receiver(s) has to wait until the right time has come before the IBE decryption key is made available by the Time Vault Service
• The Time Vault Service continuously generates and publishes IBE Decryption Keys, related to the current time, with a predefined frequency
[Diagram label: Time=“GMT200401011200”, Decryption Key = sdfsdfsdf32]
The HP Time Vault Service: Architecture
[Architecture diagram. Main components: Trusted Time Server (Trusted Authority); Distribution Service (on the Internet/Intranet); Client Application/Plug-in. Other labels: Trusted Clock, secret, IBE decryption key Generator, IBE Crypto Libraries, Publishing <Date Time, IBE Decryption Key>, WS, APPS, DB, GUI, IBE Encryption Module, IBE Decryption Module, PD]
The HP Time Vault Service: Prototype [1]
[Prototype diagram. Main components: Time Server; Distribution Service; Client Application/Plug-in. Other labels: (.NET) Application, (.NET) Web Service, Web Server (IIS), ASP scripts, SQL Server, PC Clock, secret, IBE decryption key generator, IBE Crypto Libraries, <Date Time, Decryption Key>, date time (Encryption Key), IBE Decryption key, GUI, IBE Encryption Module, IBE Decryption Module, PD, Pub. Key, Dec. Key, Any Type Of File, .TLF file (encrypted data + metadata)]
Comparison with a Solution based on Traditional Cryptography [1]
A Similar Service Can Be Built, Based on Traditional Public Key (RSA) Cryptography:
• A Public key is Associated to the Time Server
• Users Encrypt Confidential Information with a Symmetric Key and Envelope it along with the Time-based Disclosure Policies (via the Time Server’s Public key)
• On request, the Time Server Interprets the Disclosure Policies: if satisfied issues the Symmetric key to the Requestor
Comparison with a Solution based on Traditional Cryptography [2]
Time Vault Service: Traditional RSA-based Approach
[Diagram: Sender, Receiver(s), Access Points, Time Server (Public Key, Private Key)]
1. Define disclosure date (string)
2. Generate Symmetric Key Sk
3. Encrypt Document with Sk
4. Encrypt Sk with Time Server’s Public Key
5. Cluster the encrypted document with the above metadata: get an extended document
6. Distribute your extended document
7. Send metadata to Time Server (through its Access Point)
8. Interpret Metadata: decide if disclosure time has come. If it has, decrypt the encrypted symmetric key Sk
9. Return symmetric key or an Error
10. Decrypt or wait …
Comparison with a Solution based on Traditional Cryptography [3]
Time Vault Service: IBE-based Approach
[Diagram: Sender, Receiver(s), Distribution Service, Time Server (Public Detail, Secret)]
*. (repeated) The Time Server continuously generates and publishes IBE decryption keys associated to the current time (IBE encryption key)
1. Generate Symmetric Key Sk
2. Encrypt Document with Sk
3. Encrypt Sk with disclosure date i.e. IBE encryption key
4. Bundle the encrypted document with the above metadata: get an extended document
5. Distribute the extended document
6. Ask for IBE decryption key associated to IBE encryption key (stored in document’s metadata)
7. Return decryption key or an Error
8. Decrypt or wait …
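An added worked example, not from the original slides or HP's prototype: a toy run of the IBE-based flow above, where the sender encrypts Sk under the disclosure-time string without contacting the server and the time server releases the matching decryption key only once that time is reached. It assumes Cocks' quadratic-residuosity IBE scheme as a stand-in for the IBE library (the slides do not say which scheme the prototype uses), toy-sized primes, and hypothetical function names.

```python
import hashlib, secrets

# Toy parameters (constructed): Mersenne primes, both 3 mod 4; far too small for real use.
P, Q = 2**127 - 1, 2**89 - 1
N = P * Q  # plays the role of the published "Public Detail N"

def jacobi(a, n):  # Jacobi symbol (a/n) for odd n > 0
    a, result = a % n, 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0

def time_to_a(time_id):  # hash a disclosure-time string to a value with Jacobi symbol +1
    ctr = 0
    while True:
        h = hashlib.sha256(f"{time_id}|{ctr}".encode()).digest()
        a = int.from_bytes(h, "big") % N
        if jacobi(a, N) == 1:
            return a
        ctr += 1

def encrypt(time_id, data):  # sender: needs only N and the time string, no server contact
    a, out = time_to_a(time_id), []
    for bit in (b >> i & 1 for b in data for i in range(8)):
        pair = []
        for sign in (1, -1):  # cover both cases r^2 = a and r^2 = -a
            t = secrets.randbelow(N - 1) + 1
            while jacobi(t, N) != (1 if bit else -1):
                t = secrets.randbelow(N - 1) + 1
            pair.append((t + sign * a * pow(t, -1, N)) % N)
        out.append(tuple(pair))
    return out

def extract(time_id, now):  # time server: uses secrets P and Q, never for a future time
    if time_id > now:  # fixed-width GMTyyyymmddhhmm strings sort chronologically
        raise PermissionError("disclosure time not reached")
    return pow(time_to_a(time_id), (N + 5 - P - Q) // 8, N)

def decrypt(time_id, r, ct):  # receiver: recover the bytes using the published key r
    idx = 0 if r * r % N == time_to_a(time_id) else 1
    bits = [int(jacobi(pair[idx] + 2 * r, N) == 1) for pair in ct]
    return bytes(sum(bits[i + j] << j for j in range(8)) for i in range(0, len(bits), 8))
```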
Comparison with a Solution based on Traditional Cryptography [2]
Our IBE-based approach:
• Is Simpler To Run and More Modular
• Potentially Simpler to Secure
• More Efficient: The Time Server Does Not Have to Interpret any Disclosure Policies during User Interactions
Conclusions
• We addressed the Problem of Timed-release of Confidential Information
• Current Solutions based on Timed-Release Cryptography Require Interactions with a Trusted Agent at the Encryption Time
• Solutions based on Traditional Cryptography Introduce Complexity at the Time Server Side, during the Decryption Time
• We described our IBE-based Solution: Simpler, more Modular and Efficient
• The Feasibility of Our Approach is Demonstrated by a Working Prototype
Backup Slides
RSA and IBE Cryptography Models
RSA Model
[Diagram labels: Secrets p&q; Compute N = p*q; Compute d&e; Keep d secret; e and N published; Msg, encrypt, Encrypted Msg, decrypt (N and d), Msg]
IBE Model [1]
[Diagram labels: Secrets s; Compute public details; Public details; Compute Key pairs; E; D; Msg, Encrypt, Encrypted Msg, Decrypt, Msg]
IBE Model [2]
[Diagram labels: Secrets s; Compute public details; Public details; Choose e; Get decrypt Key, e; Generate Decryption Key; Msg, Encrypt, Encrypted Msg, Decrypt, Msg]
The HP Time Vault Service: Prototype [2]
[Diagram labels: Client Application/Plug-in; Distribution Service; Time Server; date time (Encryption Key); IBE Decryption key; <Date Time, Decryption Key>]