
A Secure Authorization System in PHR based on CP-ABE


The 5th IEEE International Conference on E-Health and Bioengineering - EHB 2015 Grigore T. Popa University of Medicine and Pharmacy, Iaşi, Romania, November 19-21, 2015

978-1-4673-7545-0/15/$31.00 ©2015 IEEE


Ho Hui Chung1, Peter Shaojui Wang1, Te-Wei Ho2, Hsu-Chun Hsiao1, Feipei Lai123

1Department of Computer Science and Information Engineering,

2Graduate Institute of Biomedical Electronics and Bioinformatics,

3Department of Electrical Engineering, National Taiwan University, Taipei, Taiwan

Abstract—In this paper, we propose a method based on Ciphertext-Policy Attribute-Based Encryption (CP-ABE) to dynamically authorize users according to their private keys. The key feature of our model is that users do not have to be involved in the key revocation process. Our model utilizes an additional Key Management Server (KMS) which uses the lazy revocation technique and additional attribute keys to perform effective user revocation. It enables the cloud to differentiate user authentication sessions, protecting users’ keys from attackers in other sessions, and it can perform direct user revocations from a group without user intervention. The operation does not require re-encryption of existing ciphertext. Our method supports backward and perfect forward secrecy and is escrow-free. Lastly, we show that our method is secure under the chosen identity key attack.

Keywords: Session Authorization, Attribute Keys, Direct Revocation

I. INTRODUCTION

At present, hospitals are starting to share patients’ information and electronic medical records online for higher availability of their health records. It is also better for patients receiving treatment in different hospitals. Such a system (namely the Personal Health Record, PHR) benefits from the availability of medical records for patients receiving treatment in different hospitals. The PHR is common these days due to advances in today’s cloud systems; it serves as the successor of the EHR (Electronic Health Record), which stores data in the local hospital. The PHR serves as a medium to provide doctors with patient records across different medical institutions using the cloud system, which results in new security challenges in securing medical records made available online.

A number of CP-ABE PHR schemes have been proposed in contrast to KP-ABE [1] because CP-ABE is more “owner centric” in terms of document security. However, these medical records are still under threat from a growing number of unknown parties’ interceptions.

Therefore, in order to secure documents while lowering the overhead on servers, the concept of Attribute-Based Encryption (ABE) [2] was introduced and slowly put into practice. This method incorporates the access permissions as part of the ciphertext to prevent malicious modification of permissions afterwards. There are two well-known versions of ABE: Key-Policy Attribute-Based Encryption (KP-ABE) [1] and Ciphertext-Policy Attribute-Based Encryption (CP-ABE) [3]. In the CP-ABE version, the ciphertext has a built-in access policy, and users must hold a set of descriptive attribute keys that fulfill the document policy in order to recover the document decryption key.

From the latest data security perspective, cloud storage systems should provide the data owner with the following security properties: (1) dynamic access rights management; (2) fine-grained access control; (3) efficient key management; (4) efficient data encryption; (5) document secrecy; and (6) user-friendliness.

II. METHODS

A. Concept

This paper proposes a new approach, namely Dynamic Key Update and Delegation (DKUD) in CP-ABE.

The DKUD algorithm updates the user’s attribute keys from the key management server (KMS) storage upon successful login. The KMS runs the key update algorithm, which uses the user’s login session key to perform the attribute key update or revocation; the resulting updated key is usable only by the particular logged-in user because he owns the session. The user, holding a private key registered under his identity key (IDK), can then use the IDK to request the key encryption key (KEK) of a document from the cloud. The cloud generates the KEK at the user’s request from the document delegation key (DK) in cloud storage and the user’s identity key. With the combination of the private key, the attribute keys and the KEK, the user can recover the document encryption key (DEK) and decrypt the encrypted document.

Since users do not own the actual attribute keys, the system can perform direct revocations when necessary, as opposed to [4, 5, 6]. The key renewal process for unrelated users is effectively made obsolete in this technique: revocation of a user’s attributes does not trigger key updates for the other users sharing the same attributes, as it does in [7, 8]. The system can easily modify the user session key expiration to reduce the key update overhead with a small tradeoff in security. It is still significantly more efficient than [9].

B. Dynamic Key Update and Delegation (DKUD)

The first part of the scheme explains the protocol and assumptions as well as the architecture entities that are used to achieve the goal described in the section above. The second part gives the details of the algorithms used by DKUD. The scheme of Figure 1 introduces an additional entity to the original CP-ABE scheme [3]: the local key management server (KMS) in the hospital, which stores all users’ attribute keys. The hospital outsources all encrypted documents to the third-party cloud and outsources the private key generation operation to a semi-trusted third-party key generation center (KGC). The KMS is responsible for most of the laborious key management tasks, namely adding and deleting (revoking) user attribute keys. There are four assumptions: (1) all servers are semi-trusted (honest-but-curious); (2) all users are registered with the cloud; (3) the cloud does not delegate (KEK) keys to unregistered users; and (4) users cannot collude with more than one semi-trusted party. We use the entities of Figure 2 to illustrate the encryption and decryption operations.

C. Construction

Below are the constructions of DKUD-CP-ABE scheme.

(1) 1 → , . The setup algorithm is executed by the Key Management Server (KMS) during the initial phase. It takes no input except implicit random exponents and random parameters. It outputs the public parameters PK in Equation (1), which are published on the cloud server and shared among all other entities, and a master key, stored secretly by the KGC, in Equation (2).

Public Parameter, , , , , (1)

Master Key, , (2)

(2) , , , → . The encryption function takes in the public parameters , a message , an access structure T, and the document encryption key . The user first encrypts the document under the initial attribute keys. After that, the KMS performs attribute keying by selecting a set of attribute keys : that correspond to the ciphertext’s attribute key on each leaf node in . The algorithm encrypts and outputs a ciphertext as in Equation (3).

, , , , (3)

∀ ∈ : , . (4)

(3) KeyGen MK, SA → PK , PK . The KeyGen algorithm is split into two parts. The first part is run by the KGC and takes the master key MK and a set of attributes SA as input. It generates a random user identity and outputs an initial private key PK in Equation (4), which contains the static private key PK , the identity key K and the initial attribute keys PK _ of the user. The second part is run by the key management center, which performs the attribute keying operation on the set of initial attribute keys PK _ and outputs the keyed attributes PK in Equation (5).

(4) Decrypt CT, SK , KEK → M . The decrypt algorithm takes three parameters: the ciphertext CT, which contains an access policy T ; the secret key for decryption SK , which contains a set of session-added attribute keys PK _ in Equation (6); and the encryption key KEK, which has the DEK encapsulated in it and requires a valid user static key to use. If the DEK is successfully recovered and the attribute keys in PK _ satisfy the access policy T of CT, then the algorithm returns the message M as in Equation (7); otherwise, it returns . For a leaf node j, it decrypts each node x in T as

, , ,

,

, ,

∙ ,

,

e g ∙ g ∙ g

e g , g

e g ∙ g ∙ g

e g ∙ g , g

,

, , (7)

Let , ,

where =root node ,

Let q 0 λ s, A e g, g

Fig. 1. DKUD-based Secure Personal Health Record System

Fig. 2. DKUD Secure PHR Architecture Entities


To decrypt a message:

, ∙ ,

,

, ,

,

, ,

,

,

, (8)
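The access-tree mechanics behind the Encrypt and Decrypt algorithms of the construction above (sharing the root secret down the tree at encryption time, then recovering q_root(0) = s only when the attribute set satisfies the policy), shown as an added example that is not the paper's code. It models the Shamir sharing and Lagrange interpolation that the pairing-based scheme carries out in the exponent, using arithmetic modulo a prime so that it runs offline; the prime, the policy, the attribute names and the class and function names are all constructed here, not taken from the paper.

```python
"""Access-tree secret sharing behind CP-ABE Encrypt/Decrypt (added example,
not the paper's code).

Constructed model: Encrypt shares the root secret s down the access tree T with
Shamir polynomials (q_x(0) = q_parent(index(x)), degree k_x - 1); DecryptNode
recovers q_x(0) by Lagrange interpolation only where the attribute set satisfies
the node. Arithmetic modulo a prime stands in for the pairing group.
"""
import secrets
from dataclasses import dataclass, field
from typing import List, Optional, Set

P = (1 << 127) - 1   # constructed prime standing in for the group order


@dataclass
class Node:
    attr: Optional[str] = None          # leaf: attribute name; gate: None
    k: int = 1                           # threshold: k of the children must be satisfied
    children: List["Node"] = field(default_factory=list)
    index: int = 0                       # 1-based position among the parent's children
    share_val: Optional[int] = None      # leaf share q_x(0), set by Encrypt


def leaf(attr: str) -> Node:
    return Node(attr=attr)


def gate(k: int, *children: Node) -> Node:
    return Node(k=k, children=list(children))


def share(node: Node, secret: int) -> None:
    """Assign q_x with q_x(0) = secret; child i receives q_x(i)."""
    if node.attr is not None:
        node.share_val = secret
        return
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(node.k - 1)]
    for i, child in enumerate(node.children, start=1):
        child.index = i
        share(child, sum(c * pow(i, j, P) for j, c in enumerate(coeffs)) % P)


def lagrange_zero(i: int, s_set: List[int]) -> int:
    """Lagrange coefficient Delta_{i,S}(0) = prod_{j != i} (0 - j)/(i - j) mod P."""
    num, den = 1, 1
    for j in s_set:
        if j != i:
            num = num * (-j) % P
            den = den * (i - j) % P
    return num * pow(den, P - 2, P) % P


def decrypt_node(node: Node, attrs: Set[str]) -> Optional[int]:
    """Recover q_x(0) if attrs satisfies the subtree at node, else None."""
    if node.attr is not None:
        return node.share_val if node.attr in attrs else None
    got = []
    for child in node.children:
        v = decrypt_node(child, attrs)
        if v is not None:
            got.append((child.index, v))
        if len(got) == node.k:
            break
    if len(got) < node.k:
        return None                      # fewer than k_x satisfied children: no interpolation
    s_set = [i for i, _ in got]
    return sum(v * lagrange_zero(i, s_set) for i, v in got) % P


def build_policy() -> Node:
    """Constructed policy: (Doctor AND Cardiology) OR (Nurse AND Cardiology AND Ward3)."""
    return gate(1, gate(2, leaf("Doctor"), leaf("Cardiology")),
                   gate(3, leaf("Nurse"), leaf("Cardiology"), leaf("Ward3")))


def encrypt(tree: Node) -> int:
    """Encrypt's sharing step: choose the root secret s and distribute it over T."""
    s = secrets.randbelow(P)
    share(tree, s)
    return s


if __name__ == "__main__":
    tree = build_policy()
    s = encrypt(tree)
    for attrs in ({"Doctor", "Cardiology"}, {"Nurse", "Cardiology"},
                  {"Nurse", "Cardiology", "Ward3"}):
        print(sorted(attrs), "->", decrypt_node(tree, attrs) == s)
```

A set of attributes that leaves every branch short of its threshold gives no interpolation points at the root, so nothing about s leaks from the shares the user can open; this is the property the session-added attribute keys of the scheme are protecting when the KMS withholds a revoked attribute.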

D. DKUD-CP-ABE introduces two additional algorithms

(1) , , →

_ , . The Key Management Server runs the KeyUpdate algorithm, which takes two mandatory inputs, the hashed identity key of the user and the session key of a logged-in user, and an optional set of attribute(s) to be revoked . The algorithm outputs a set of updated session-added attribute keys _ as in Equation (8) and, as in Equation (9), an updated shared session key between user, cloud and KMS, generated by the KMS.

∀ ∈ : ∙ ,

(9)

∈ (10)

(2) , , → .

The KeyDelegate algorithm takes as inputs the document delegation key , an identity key and the session key shared between user, cloud and KMS. It checks the identity key against the revocation list and compares its registration date with that of the delegation key . It returns a as in Equation (10) with a valid document encryption key if the identity key was registered before the document delegation key and is not in the revocation list. Otherwise, it returns a without .

either authorize , or unauthorize , (11)

Users log in to the system to obtain their attribute keys. The KMS performs lazy revocation (if any) and updates the user’s attribute keys so that they are usable under the particular login session. Then the user requests the authorization key for the downloaded document. Upon obtaining the authorization key, the user combines the keys obtained (attribute keys and authorization key) with his/her static user private key to decrypt the document (Figure 3).
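The login flow and the two additional algorithms of Section D (KeyUpdate with lazy revocation at the KMS, and KeyDelegate with the revocation-list and registration-date checks at the cloud), as an added example that is not the paper's code. HMAC keyed with a per-login session key stands in for the session-keyed attribute exponents, and XOR with a session-derived mask stands in for the KEK that encapsulates the DEK; user records, dates, document ids and the class and function names are constructed here. The example also checks the three outcomes the text claims: a second login gets different attribute keys, a user registered after the delegation key gets an authorization key without the DEK, and a revoked user does too.

```python
"""Session-bound KeyUpdate and KeyDelegate of DKUD (added example, not the paper's code).

Constructed model: HMAC over a per-login session key stands in for the
session-keyed attribute exponents, and XOR with a session-derived mask stands
in for the KEK that encapsulates the DEK. Identity keys are referenced by hash.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, Optional, Set


def h(*parts: bytes) -> bytes:
    return hashlib.sha256(b"|".join(parts)).digest()


@dataclass
class UserRecord:
    registered: date          # registration date of the identity key
    attrs: Set[str]           # attributes held in KMS storage, never handed out raw


@dataclass
class Registry:
    """State shared by KMS and cloud: registered users and the revocation list."""
    users: Dict[bytes, UserRecord] = field(default_factory=dict)
    revoked: Set[bytes] = field(default_factory=set)


@dataclass
class DelegationKey:
    doc_id: str
    created: date
    dek: bytes                # 32-byte document encryption key


class KMS:
    def __init__(self, reg: Registry):
        self.reg = reg

    def login(self) -> bytes:
        """Fresh session key per login; assumed shared with the cloud out of band."""
        return secrets.token_bytes(32)

    def key_update(self, idk_hash: bytes, session_key: bytes,
                   revoke: Set[str] = frozenset()) -> Dict[str, bytes]:
        """KeyUpdate: lazy revocation applied now, then session-added attribute keys."""
        rec = self.reg.users[idk_hash]
        rec.attrs -= set(revoke)
        return {a: hmac.new(session_key, h(idk_hash, a.encode()), hashlib.sha256).digest()
                for a in rec.attrs}


class Cloud:
    def __init__(self, reg: Registry):
        self.reg = reg

    def key_delegate(self, dk: DelegationKey, idk_hash: bytes, session_key: bytes) -> dict:
        """KeyDelegate: the AK carries the KEK only for a registered, unrevoked identity
        key that predates the document's delegation key (assumption: same day counts)."""
        rec = self.reg.users.get(idk_hash)
        ok = (rec is not None and idk_hash not in self.reg.revoked
              and rec.registered <= dk.created)
        ak = {"doc": dk.doc_id, "authorized": ok}
        if ok:
            mask = h(session_key, idk_hash, dk.doc_id.encode())
            ak["kek"] = bytes(x ^ y for x, y in zip(dk.dek, mask))
        return ak


def unwrap(ak: dict, idk_hash: bytes, session_key: bytes) -> Optional[bytes]:
    """User side: recover the DEK from the KEK within the session it was issued in."""
    if not ak["authorized"]:
        return None
    mask = h(session_key, idk_hash, ak["doc"].encode())
    return bytes(x ^ y for x, y in zip(ak["kek"], mask))


def scenario() -> Dict[str, bool]:
    """Constructed walk-through: two users, one document, one revocation."""
    reg = Registry()
    kms, cloud = KMS(reg), Cloud(reg)
    alice, bob = h(b"idk-alice"), h(b"idk-bob")
    reg.users[alice] = UserRecord(date(2015, 1, 10), {"Doctor", "Cardiology"})
    reg.users[bob] = UserRecord(date(2015, 6, 1), {"Doctor"})
    dk = DelegationKey("phr-0001", date(2015, 3, 1), secrets.token_bytes(32))

    s1 = kms.login()
    keys1 = kms.key_update(alice, s1)
    ak1 = cloud.key_delegate(dk, alice, s1)
    alice_ok = unwrap(ak1, alice, s1) == dk.dek

    s2 = kms.login()                       # second login: attribute keys re-derived
    keys2 = kms.key_update(alice, s2)
    session_bound = keys1["Doctor"] != keys2["Doctor"]

    late = cloud.key_delegate(dk, bob, kms.login())   # registered after DK creation
    reg.revoked.add(alice)
    revoked = cloud.key_delegate(dk, alice, kms.login())
    return {
        "alice_recovers_dek": alice_ok,
        "session_bound_attribute_keys": session_bound,
        "late_registrant_gets_no_kek": "kek" not in late,
        "revoked_user_gets_no_kek": "kek" not in revoked,
    }


if __name__ == "__main__":
    for name, result in scenario().items():
        print(f"{name}: {result}")
```

Because the attribute keys and the KEK are both derived under the session key, material captured from one session is useless in another, which is the session-separation property the abstract describes; revocation takes effect at the next login without touching other users' keys or the stored ciphertext.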

III. SECURITY ANALYSIS OF DKUD

We now analyse the security of the DKUD-CP-ABE scheme. The goal of the adversary is to exploit the system and determine whether the given ciphertext is a proper DDH (Decisional Diffie-Hellman) tuple. A security game similar to [1] is used to define the notion of Chosen Identity Key Security, assuming the cloud only delegates document keys to authorized users using their user identity keys. The security game demonstrates that the DKUD-CP-ABE scheme is secure against collusion between the Key Generation Center and a user under the Decisional Bilinear Diffie-Hellman (DBDH) assumption. We prove that the security of DKUD-CP-ABE against the chosen identity key attack (CIKA) in the security game reduces to the hardness of the DBDH assumption.

(1) Theorem 1. If an adversary can break the DKUD-CP-ABE scheme in the CIKA model, then an algorithm can be constructed that plays the DBDH game with non-negligible advantage .

(2) Proof. Suppose there exists a polynomial-time adversary that can attack the DKUD-CP-ABE scheme in the CIKA model; we construct an algorithm that plays the game with advantage .

We let the challenger set the groups G and G with an efficient bilinear map and generator . The challenger flips a fair binary coin outside of ’s view. If 0 , the

challenger sets , , , , , , , ;

otherwise it sets , , , , , , , from random , , , ∈ .

(3) Init. The algorithm runs . selects an access structure and chooses a set of attributes as ,⋯, which it wishes to be challenged upon.

Fig. 3. CP-ABE Key update and delegation

(4) Setup. sets the parameters , , of the public key and sends the public parameters to .

(5) Phase 1. adaptively makes private key requests for an access structure with a set of chosen attributes ,⋯, . Case 1: is able to obtain a set of attributes that does not satisfy the access structure; or Case 2: the attribute set satisfies the access structure but the identity key is invalid or revoked. To generate the private key, assigns a polynomial for every node in the access tree , denoted by ,⋯, . Case 1. constructs the attribute keys for an access tree in which the root is satisfied. chooses random ∈ Z for each leaf node and binds them under ’s identity, where is chosen randomly for each attribute. After that, continues by defining the remaining attribute keys. Upon completion of attribute key generation, defines the static key of . The generated private key, as in Equations (11, 12),

is defined as , 1

∀ ∈ : ∙ , (12)

,

/ , (13)

Case 2. constructs the attribute keys for an access tree in which the root is unsatisfied. sets the attribute key for every leaf node . For every unsatisfied leaf node , sets attribute keys using the same method as in Case 1, whereas for every other satisfied leaf node of , it chooses random ∈ Z and binds them under ’s identity. The structure of the private key for is identical to that in DKUD-CP-ABE KeyGen().

sets the attribute key to prevent uncovering the polynomial secret 0 of node in if the corresponding attribute key is satisfied; otherwise would still know only the invalid node for , as is unsatisfied. Therefore, performs injection on the attribute key exponent as for each attribute key in beforehand. The operations effectively render in Case 1 for supporting , . Likewise, it sets exponent on in Case 2 to reduce to exponent instead. Upon completion of attribute key generation, defines the static key of . The generated private key, as in Equations (13, 14), is defined as

,

∀ ∈ : ∙ , (14)

,

D g / , g (15)

(6) Challenge. Adversary submits two identity keys , to the challenger . flips a random coin ∈ 0,1 , delegates and sends the authorization key AK in Equation (16) under to , together with the encrypted document in Equation (15).

, , ,

∀ ∈ : ,

(16)

Authorization key AK g , AK g (17)

If 0 then , .

, , , .

deduces that the ciphertext is a valid random encryption of message . If 1, then , which implies , and is just given a random 4-tuple.

(7) Phase 2. Phase 1 is repeated with the same restriction on the attribute set ,⋯, .

(8) Guess. The adversary outputs a guess of . If guessed correctly, the algorithm outputs 0 to indicate that it was given a valid DBDH tuple; otherwise, it outputs 1, indicating a random 4-tuple. The probability of guessing when 1 is , so would guess 1 with probability . On the other hand, if 0 then sees the encryption of and could guess with negligible advantage , and so does . Finally, ’s advantage in this game, as in Equation (17), is

| 0 | 1 (18)
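The advantage computation that the Guess step above leads to, written out as an added worked derivation that is not part of the paper. It follows the standard DBDH-reduction argument of [1, 3]; the challenger's coin is written $\mu$, the coin chosen in the Challenge step $\nu$, the adversary's CIKA advantage $\epsilon$, and the simulator's advantage $\mathrm{Adv}$ (these symbol names are assumptions, since the page's own symbols were lost).

When $\mu = 1$ the challenge is a random 4-tuple and carries no information about $\nu$, so the adversary's guess $\nu'$ is correct with probability exactly

$$\Pr[\nu' = \nu \mid \mu = 1] = \tfrac{1}{2}.$$

When $\mu = 0$ the adversary sees a valid encryption under $\nu$ and, by assumption, wins with its advantage:

$$\Pr[\nu' = \nu \mid \mu = 0] = \tfrac{1}{2} + \epsilon.$$

The simulator outputs $\mu' = 0$ exactly when $\nu' = \nu$, hence $\Pr[\mu' = \mu \mid \mu = 0] = \tfrac{1}{2} + \epsilon$ and $\Pr[\mu' = \mu \mid \mu = 1] = \tfrac{1}{2}$. With a fair coin the simulator's advantage over guessing is

$$\mathrm{Adv} = \Pr[\mu' = \mu] - \tfrac{1}{2} = \tfrac{1}{2}\bigl(\tfrac{1}{2} + \epsilon\bigr) + \tfrac{1}{2}\cdot\tfrac{1}{2} - \tfrac{1}{2} = \tfrac{\epsilon}{2}.$$

If $\epsilon$ is non-negligible, so is $\epsilon/2$, which contradicts the DBDH assumption; this is the reduction Theorem 1 states.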

IV. CONCLUSION

According to the DKUD-CP-ABE scheme, the use of key delegations from an online cloud achieves direct revocations with backward and perfect forward secrecy through the binding of a session key to each private attribute key set. We note that the main functionality of the lookup attribute keys in the KMS could be made optional, providing perfect forward secrecy only where necessary; that is, users could opt for the “changing the attribute keys on each login” option only when using a publicly shared system, to dispose of their sensitive key information upon logout. One weakness of such a scheme is the need to maintain an always-online server, as in [10], to perform the required key delegations and updates, even for direct revocations, for the sake of instantaneity.

REFERENCES

[1] V. Goyal, O. Pandey, A. Sahai, and B. Waters, “Attribute-based Encryption for Fine-Grained Access Control of Encrypted Data,” Proceedings of the 13th ACM Conference on Computer and Communications Security, pages 89–98, 2006.

[2] A. Sahai and B. Waters, “Fuzzy identity-based encryption,” in Advances in Cryptology–Eurocrypt 2005, volume 3494, pages 457–473. Springer, 2005.

[3] J. Bethencourt, A. Sahai, and B. Waters, “Ciphertext-policy attribute- based encryption,” in Proceedings of the 2007 IEEE Symposium on Security and Privacy. IEEE Computer Society, 2007, pp. 321–334.

[4] M. Pirretti, P. Traynor, P. McDaniel, and B. Waters, “Secure attribute-based systems,” in Proceedings of the 13th ACM Conference on Computer and Communications Security, ser. CCS ’06. New York, NY, USA: ACM, 2006, pp. 99–1.

[5] Z. Xu and K. Martin, “Dynamic user revocation and key refreshing for attribute-based encryption in cloud storage,” in Trust, Security and Privacy in Computing and Communications (TrustCom), 2012 IEEE 11th International Conference on, June 2012, pp. 844–849.

[6] M. Blaze, G. Bleumer, and M. Strauss, “Divertible protocols and atomic proxy cryptography,” in In EUROCRYPT. Springer-Verlag, 1998, pp. 127–144.

[7] Minakshi V. Shinde and H. A. Hingoliwala, “Secure Cloud Storage using Multi Attribute Authority with Multi Central Authority,” International Journal on Recent and Innovation Trends in Computing and Communication (IJRITCC), Volume 3, Issue 4, April 2015, ISSN: 2321-8169, pp. 1797–1801.

[8] Kan Yang, Xiaohua Jia, Kui Ren, Bo Zhang, and Ruitao Xie, “DAC-MACS: Effective Data Access Control for Multiauthority Cloud Storage Systems,” IEEE Transactions on Information Forensics and Security, Vol. 8, No. 11, Nov 2013.

[9] Lyes Touati and Yacine Challal, “Batch-Based CP-ABE with Attribute Revocation Mechanism for the Internet of Things”.

[10] S. Jahid and N. Borisov, “PIRATTE: Proxy-based Immediate Revocation of ATTribute-based Encryption,” 2012.
