Millions of people share sensitive information over the digital cloud, yet with a new data-breach scandal in the media every week, few trust its security. One team of university researchers has taken the latest in encryption methodology and enhanced it – protecting users against even the server authorities.
The Illinois Institute of Technology (IIT) team suggests adding an extra layer of security to an emerging method of encryption called attribute-based encryption (ABE). The goal is to make it tougher for hackers to access sensitive data like business documents that are typically transmitted through cloud-based platforms like Google Drive, Dropbox, web-based email, etc. The key element in the team’s research is a concept called “oblivious transfer.”
ABE (which was first introduced by Amit Sahai and Brent Waters) allows data owners to set their own access policies. For example, unlike retrieving data in today’s Google Drive and Dropbox with a single direct request, ABE functions so that only people with certain attributes – such as employer, name, nationality, position, etc. – can decrypt information with their own private “identity” keys. If their keys contain attributes that match the data owner’s policy, they can upload the data; if not, they will receive an error message.
This process is made possible by a third-party system called an attribute authority, a server on a local computing device, that distributes the keys. This lifts the process away from the public cloud for more-securely vetted data sharing in a controlled environment.
The problem, though, is that ABE does not ensure a user’s identity is protected; on the contrary, now the attribute authority has visibility to everyone’s personal information, which is generally not seen as ideal in a post-Snowden era. Furthermore, the authority servers could be vulnerable to hackers seeking sensitive information for profit or cyber-attack, just as in the cloud.
The team at IIT first tackled this issue in 2013 when it suggested decentralizing the central encryption authority so that a user’s attributes are scattered among multiple servers, breaking down whole identities. In this way, someone operating the authority server might only see the attribute “male,” rather than the full picture: “Male Scandinavian who works at Google, age 34, blonde, 6’1.”
That leads us back to the new concept of “oblivious transfer.” The team recently published a subsequent article in IEEE Transactions on Information Forensics and Security proposing the oblivious transfer scheme for even fuller anonymity. The new model is a complex algorithm that ensures the authority is blind to even single attributes. In other words, one’s key set of attributes is itself encrypted along with the data, so, using the example above, even “male” would be undecipherable to an authority.
This further reduces the chances of information leakage.
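The following is an added example, not the IIT team's scheme or code: a textbook 1-out-of-2 oblivious transfer built on Diffie-Hellman, in which an authority hands over one of two attribute keys without learning which one was requested. The class names, the two-key setup and the toy group parameters are assumptions made for illustration.

```python
import hashlib
import secrets

# Toy group parameters chosen for brevity (assumption): a real deployment
# would use a vetted prime-order group such as a standard elliptic curve.
P = 2**255 - 19
G = 2

def _mask(shared: int, length: int) -> bytes:
    """Derive a one-time pad from a Diffie-Hellman shared value."""
    return hashlib.shake_256(shared.to_bytes(32, "big")).digest(length)

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class Authority:
    """Holds one key per attribute value; must not learn which is fetched."""
    def __init__(self, key0: bytes, key1: bytes):
        self.keys = (key0, key1)
        self.c = pow(G, secrets.randbelow(P - 2) + 1, P)  # public challenge

    def respond(self, pk0: int):
        pk1 = self.c * pow(pk0, -1, P) % P  # forced relation: pk0 * pk1 == c
        out = []
        for pk, key in zip((pk0, pk1), self.keys):
            r = secrets.randbelow(P - 2) + 1  # fresh ephemeral per ciphertext
            out.append((pow(G, r, P), _xor(key, _mask(pow(pk, r, P), len(key)))))
        return out

class User:
    def __init__(self, choice: int):
        self.choice = choice  # 0 or 1: which attribute key the user needs
        self.k = secrets.randbelow(P - 2) + 1

    def request(self, c: int) -> int:
        mine = pow(G, self.k, P)          # public key whose secret we hold
        other = c * pow(mine, -1, P) % P  # its partner; secret unknown to us
        # Only pk0 is ever sent, and it looks random for either choice.
        return mine if self.choice == 0 else other

    def open(self, response) -> bytes:
        eph, ct = response[self.choice]
        return _xor(ct, _mask(pow(eph, self.k, P), len(ct)))

def fetch(authority: Authority, choice: int) -> bytes:
    """Run one full exchange and return the key the user recovers."""
    user = User(choice)
    return user.open(authority.respond(user.request(authority.c)))
```

The authority encrypts both keys on every request, so its view is the same whichever attribute the user holds; the user can open only one ciphertext because knowing the secrets behind both `pk0` and `pk1` would mean knowing the discrete log of the challenge `c`.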
“Our model could add many layers of privacy. It would work anywhere as desired in our current cloud system,” said Taeho Jung, lead researcher for the IIT team.
While this model could be applied to any cloud platform, including social media, Jung believes its most practical potential lies in controlling classified, high-profile documents, such as government, banking or insurance files. These types of documents require utmost confidentiality and do not benefit from random sharing as, say, a creative portfolio might.
The team’s anonymous ABE models successfully passed the Diffie-Hellman security assumption. But they still face a major challenge due to the volume and distribution of attribute sets, which require high overhead and could be slow in granting user access.
The fact that cyber breaches and incidents involving stolen data have unfortunately become common, however, suggests the investment could be well worth it.