Hidden Access Control Policies with Hidden Credentials Keith Frikken, Mikhail Atallah, Jiangtao Li CERIAS and Department of Computer Sciences Purdue University Workshop on Privacy in the Electronic Society (WPES) October 2004

Motivation In an open environment, access control decisions are often based on the attributes of the requester. Often, both credentials and access policies are sensitive. Previous trust negotiation approaches disclose sensitive credentials and policies (they try to minimize, e.g., piecewise disclosure). Our protocols reveal nothing – not the structure of the policies, nor why access was granted, …etc.

Our Model and Result Alice gets M if and only if her credentials satisfy Bob’s policy P. Bob does not learn whether Alice got access or not. Bob does not learn anything about Alice’s credentials. Alice learns neither Bob’s policy structure nor which credentials causes her to gain access. Bob (Server) Alice (Client) Alice: request for M M, P C=C 1,C 2,…,C m Secure Protocol M if C satisfies P

Hidden Credentials [HBSO’03] Generation of hidden credentials –CA issues Alice a Secret-Agent credential –CA  Alice: IBE_KeyGen(Alice||Secret-Agent) Usage of hidden credentials –Bob  Alice: IBE_Encrypt(M, Alice||Secret-Agent) –Alice can decrypt only if she has a Secret-Agent credential –Bob does not learn whether Alice is a secret agent or not

Policy Definition Policy over a set of credentials C –A policy P contains n attributes attr 1, …, attr n –P(C) = p(x 1, …, x n ) p(x 1, …, x n ) is a Boolean function x i =1 iff  cred  C such that cred.attr = attr i –The credentials set C satisfies P ⇔ p(x 1, …, x n ) = 1 Example –Alice is a senior citizen and has low income –Policy = (disability  senior-citizen)  low-income = (x 1  x 2 )  x 3 = (0  1)  1 = 1

Two-Phase Protocol Phase 1: Credential and Attribute Hiding –For each attr i in his policy, Bob generates two random keys {r i [0], r i [1]}. –Alice learns n values k 1, k 2, …, k n. If Alice’s credentials possess attr i, then k i = r i [1], otherwise k i = r i [0]. Phase 2: Blinded Policy Evaluation –Suppose Alice inputs r 1 [x 1 ], r 2 [x 2 ], …, r n [x n ], Bob inputs a private Boolean function p. In the end, Alice receives M if and only if p(x 1, …, x n ) = 1.

Protocol for Phase 1 Input: Alice inputs m hidden credentials C 1,C 2,…,C m; Bob inputs attr, r[0], r[1]. Output: Alice gets r[1] if there exist C j such that C j.attr = attr, she gets r[0] otherwise. Steps: 1.Bob  Alice: IBE_Encrypt(k[0], Alice||attr) 2.Alice decrypts using her hidden credentials and gets m random values 3.Alice and Bob run a set intersection protocol, if one of Alice’s m values matches k[0], she obtains k[1] 4.Alice and Bob engage a 1-out-of-2 OT with Bob’s input {r[0], E(r[1], k[1])} 5.If Alice gets k[1] in step 3, she can obtain r[1], otherwise, she gets r[0]

Protocol for Phase 2 Scrambled circuit evaluation [Yao86] –Bob  Alice: E K (M) –Bob builds a scrambled circuit that computes p(x 1, …, x n ). Bob sets the 1 encoding of the output wire as the decryption key K. –Bob  Alice: the scrambled circuit –Alice evaluates the circuit and decrypts E K (M) using the value from the output wire. –If Alice gets 1 encoding, she obtains M.

Questions?