Access Control and Encryption in Cloud Environments

James WernickeNew Mexico Tech

Department of Computer Science & Engineering

A Designated Center of Academic Excellence in Information Assurance by the National Security Agency

Terminology

Access control:A system which enables an authority to control access to areas and resources in a given physical facility or computer-based information system

Encryption:The process of transforming information (“plaintext”) using an algorithm (“cipher”) to make it unreadable to anyone except those possessing special knowledge (“key”).

Cloud:Computing system where shared resources, software, and information are provided to computers and other devices on demand like the electricity grid.

A Designated Center of Academic Excellence in Information Assurance by the National Security Agency

- 2 -

Motivation

• Organizations no longer need to control the computing infrastructure that supports them. They just need a place to store, access, and manipulate their data.• The usual cryptographic methods are limiting,

inflexible, and don’t scale well.• Access management has always been done

internally.• Research related to this semester’s projects

A Designated Center of Academic Excellence in Information Assurance by the National Security Agency

- 3 -

Scenarios

• Outsourcing computations on sensitive data• Querying large sets of encrypted data• Electronic voting• Search engine privacy• Trend analysis on personal information

A Designated Center of Academic Excellence in Information Assurance by the National Security Agency

- 4 -

Boolean Circuits

• A series of additions and multiplications• Any computation can be expressed as a series

of Boolean circuits.• Sooo…oComputations are just series of additions and

multiplications.

A Designated Center of Academic Excellence in Information Assurance by the National Security Agency

- 5 -

Homomorphism

• Addition and multiplication operations can be performed before or after a function is applied with the same results.

f(a+b) = f(a) + f(b)f(ab) = f(a) * f(b)

•What does this mean for encryption?oOperations on ciphertext produce a result which,

when deciphered, produces the same result as the same operations on the plaintext

A Designated Center of Academic Excellence in Information Assurance by the National Security Agency

- 6 -

DES/AES Encryption

• Not homomorphic at all• Encrypt P to get C, multiply C by 2, decrypt 2C,

get some gibberish

A Designated Center of Academic Excellence in Information Assurance by the National Security Agency

- 7 -

RSA Encryption

•Multiplicatively homomorphic• Encrypt P to get C, multiply C by 2, decrypt 2C,

get 2PoThis isn’t really helpful unless we just want to do a

bunch of multiplications

A Designated Center of Academic Excellence in Information Assurance by the National Security Agency

- 8 -

Gentry’s Homomorphic Encryption

• Fully homomorphic• Encrypt P to get C, do an arbitrary number of

additions and multiplications on C to get C , ′decrypt C , get P′ ′• Awesome… in theory

A Designated Center of Academic Excellence in Information Assurance by the National Security Agency

- 9 -

Limitations

• Encrypted Google search takes one trillion times longer• Number of multiplications needs to be fixed

when public key is generatedoNeed to know what to compute before encrypting

A Designated Center of Academic Excellence in Information Assurance by the National Security Agency

- 10 -

Access Control

• Attribute-based management• Traditionally, server authenticates user• Data now distributed across many serversoMore serversoMore chance of compromise

A Designated Center of Academic Excellence in Information Assurance by the National Security Agency

- 11 -

Ciphertext-Policy Attribute-Based Encryption (CP-ABE)

• Access policy associated with ciphertext• Private keys associated with attributes• So why is this good?oEncryptor enforces access policy, not serveroData can be decrypted by more than one user

• Collusion resistance

A Designated Center of Academic Excellence in Information Assurance by the National Security Agency

- 12 -

Conclusions

•More research into fully homomorphic encryption could revolutionize the way cloud services are utilized for sensitive data.• CP-ABE can provide a new approach to

managing access control on untrusted servers.

A Designated Center of Academic Excellence in Information Assurance by the National Security Agency

- 13 -

References

A Designated Center of Academic Excellence in Information Assurance by the National Security Agency

- 14 -

Hakala, David (2009-04-29). “The Top 10 Cloud Computing Trends”. Focus.com. Retrieved 2010-09-08.Danielson, Krissi (2008-03-26). “Distinguishing Cloud Computing from Utility Computing”. Ebizq.net. Retrieved 2010-09-08.Gentry, Craig (2009-05-31). “Fully Homomorphic Encryption Using Ideal Lattices”. STOC ‘09. Retrieved 2010-09-08.Prince, Brian (2009-06-25). “IBM Discovers Encryption Scheme That Could Improve Cloud Security, Spam Filtering”. eWeek.com. Retrieved 2010-09-08.“Practical Applications of Homomorphic Encryption Algorithms”. Stack Overflow. Retrieved 2010-09-08.Micciancio, Daniele (2010). “A First Glimpse At Cryptography’s Holy Grail”. Communications of the ACM. Retrieved 2010-09-08.Schneier, Bruce (2009-07-09). “Homomorphic Encryption Breakthrough”. Schneier on Security. Retrieved 2010-09-08.Cooney, Michael (2009-06-25). “IBM Touts Encryption Innovation”. Computerworld. Retrieved 2010-09-08.Martin, Luther (2009-07-24). “Gentry’s Homomorphic Encryption”. Voltage Security. Retrieved 2010-09-08.Ghalimi, Ismael (2009-10-11). “I Think There Is A World Market for Maybe Five Clouds”. IT Redux. Retrieved 2010-09-09.Bethencourt, John et al. “Ciphertext-Policy Attribute-Based Encryption”. Retrieved 2010-09-09.

Questions?

A Designated Center of Academic Excellence in Information Assurance by the National Security Agency

- 15 -