SECURE, POLICY-BASED, MULTI-RECIPIENT DATA SHARING
Files
Publication or External Link
Date
Authors
Advisor
Citation
DRUM DOI
Abstract
In distributed systems users often need to share sensitive data with other users
based on the latter's ability to satisfy various policies. In many cases the data owner
may not even know the identities of the data recipients, but deems it crucial that they
are legitimate; i.e., satisfy the policy. Enabling such data sharing over the Internet
faces the challenge of (1) securely associating access policies with data and enforcing
them, and (2) protecting data as it traverses untrusted proxies and intermediate
repositories. Furthermore, it is desirable to achieve properties such as: (1) flexibility
of access policies; (2) privacy of sensitive access policies; (3) minimal reliance on
trusted third parties; and (4) efficiency of access policy enforcement. Often schemes
enabling controlled data sharing need to trade one property for another. In this
dissertation, we propose two complimentary policy-based data sharing schemes that
achieve different subsets of the above desired properties.
In the first part of this dissertation, we focus on CiphertextPolicy Attribute-
Based Encryption (CP-ABE) schemes that specify and enforce access policies
cryptographically and eliminate trusted mediators. We motivate the need for flexible
attribute organization within user keys for efficient support of many practical
applications. We then propose Ciphertext-Policy Attribute-Set Based Encryption
(CP-ASBE) which is the first CP-ABE scheme to (1) efficiently support naturally
occurring compound attributes, (2) support multiple numerical assignments for a
given attribute in a single key and (3) provide efficient key management. While the
CP-ASBE scheme minimizes reliance on trusted mediators, it can support neither
context-based policies nor policy privacy. In the second part of this dissertation,
we propose Policy Based Encryption System (PBES), which employs mediated decryption
and supports both context-based policies and policy privacy. Finally, we integrate the
proposed schemes into practical applications (i.e., CP-ASBE scheme with Attribute-Based
Messaging (ABM) and PBES scheme with a conditional data sharing application in the Power Grid) and demonstrate their usefulness in practice.