Realizing IoT service’s policy privacy over publish/subscribe-based middleware
A subscriber can successfully access the requested event only its attributes match
the publisher’s authorization policy, the subscriber can accept the subscribed event
from the published event type only the event attributes match the subscriber’s authorization
policy. Thus our access control solution is correct. In this section, we try to clarify
that, no matter what form the attacks take from adversaries, our scheme keeps privacy.
Policy privacy analysis
The Two-layer access control framework keeps privacy, which is performed through defining
the concept of policy privacy and privacy proof. Home brokers are assumed to be semi-honest.
This means that they follow predefined protocols while they try to find out as much
secret information as possible. Home brokers might not collude with malicious users,
but arbitrarily send any information to users. Given such a privacy assumption, we
first introduce the definition 
of policy evaluation scheme, and then define the policy-privacy model for 
.
Definition 8
(Policy Evaluation Scheme
.)
consists of four algorithms as follows:
1.
Init On input the attribute set W of a customer and an authorization policy 
, the blinding attribute algorithm and the blinding policy algorithm generates the
blinded attribute set 
and the blinded policy 
respectively.
2.
On input the 
attribute conjunction in an authorization policy 
of the data owner i, it outputs some randomized code 
and 
by invoking Encoding Procedure.
3.
On input the 
attribute conjunction in the attribute expression 
of the customer j, it outputs some randomized code 
by invoking Encoding Procedure.
4.
On input attribute codes 
, 
and 
, it outputs whether two codes are matched by invoking Matching Procedure. If the algorithm outputs a negative result, the access request of the customer is
rejected.
A policy evaluation scheme 
in the access control system is Chosen-Plaintext Attack (CPA) policy-privacy if adversaries
cannot win with a non-negligible advantage, the game is defined as follows:
Definition 9
(Non-intersection CPA for
) For the policy evaluation scheme 
and a probabilistic polynomial time adversary Adv running in two phases, it is policy-privacy if Adv’s advantage is negligible in the following game:
Setup: The challenger invokes the Init algorithm of 
.
Training Phase 1: The adversary is allowed to issue queries for the following oracles:
1. Queries 
oracle for EncodeforAttributes and EncodeforPolicy of 
. That is to say, choosing one subject attribute conjunction 
and one attribute conjunction in an authorization policy 
, outputting encoded attributes 
and encoded policy 
.
2. Queries 
oracle for MatchinginPEP of 
.
Challenge Phase The adversary Adv submits two random attribute conjunctions in two authorization policies 
, 
and an subject attribute conjunction A. The challenger flips a random coin 
, and outputs a randomized code 
to the adversary. No attribute conjunctions 
, 
have appeared in the previous queries.
Training Phase 2 Training phase 1 is repeated exactly, except that the adversary may not query MatchinginPEP, for 
, not query oracles with any element in 
, 
.
Guess Finally, the adversary outputs their guess 
, and wins the game if 
.
The probability is over the random bits used by the challenger and the adversary,
where Adv makes at most polynomial queries to the oracles.
This definition implies that:
1. For two attribute conjunctions, the adversary cannot distinguish their encodings,
i.e., they are unable to link a Bloom Filter to a specific attribute conjunction.
2. The Non-intersection requires that any element in the challenge sets 
and 
should not have appeared or will not appear in other queries. This indicates that
our scheme 
has weaker security than that under CPA.
Definition 10
(PRF CPA ASSUMPTIOM) Given a pseudo-random function PRF(seed, key, input) with seed, key being secretly set, and two attribute conjunctions, PRF(seed, key, input) chooses one attribute conjunction and returns one random number, and then it is
hard to determine which attribute conjunction is chosen according to the returned
random number without knowing seed, key.
Definition 11
(
Scheme) A Bloom Filter BF is initialized to zero, and a key and n seeds are secretly generated. Given an attribute set eSET, it invokes PRF(seed, key, input) for each attribute 
as input with n different seeds to obtain n random numbers that are in (0, m], i.e., being greater than 0 and less than 
. The position in BF is set 1 if one value of n random numbers points to it. When all attributes in eSET are iterated, BF is output.
Lemma 1
The
scheme is CPA-secure if each element in the challenge set is not queried on.
The conclusion is straightforward. In the security proof, multiple random numbers
for one element of the challenge set can be seen as multiple oracle queries for the
element during a CPA-Security game, where the oracle answers each query with attaching
fixed different numbers to the queried element as different inputs. The random numbers
for multiple elements in the challenge set can be seen as multiple oracle queries
for different elements. The premise that each element in the challenge set is not
queried indicates that, during the challenge of 
, no queried elements are challenged. It is natural to require that any element in
the challenged set will not be queried after challenging.
Theorem 1
PES
is non-intersection CPA policy-privacy.
Proof
Suppose algorithm B is given a private key, it also generates a series of seeds for random generation.
B initializes the 
scheme with the key and seeds.
Init Given a set of attributes 
, B generates a random string 
for each attribute 
, and randomly generates 
according to the probability p. Replacing 
with 
, we will obtain a new blinded set of attributes 
.
Setup B maintains a set hash list 
, which is initially empty, and responds to the random oracle queries for Adv as described below.
1. Random oracle for a set 
: If this query already appears on the 
, then returns the predefined value. Otherwise, the query invokes the 
scheme with the set of 
to get a Bloom Filter 
. 
is defined. Finally, it adds the tuple 
to the list 
and respond with 
.
2.
: If BF can be found in 
with 
in 
and 
, then returns true, otherwise returns false.
3.
: If 
and 
cannot be found in 
with 
in 
and 
in 
, then returns false. Otherwise, if 
, then returns true, otherwise returns false.
Phase 1 In this stage, the adversary Adv issues a series of queries, which are subject to the restrictions of the Non-Intersection-CPA
game. B maintains a list 
that is initially empty.
1. Encoding Query 
: Algorithm B finds the corresponding 
for each 
in W, and obtains a new set 
. If the cardinality of the set sT is less than the parameter k, some random bit strings are generated and are added into sT such that the cardinality of sT is equal to k. Finally, adds the tuple 
to the list 
and responds with H(sT).
2. Matching Query 
: If 
and 
cannot be found in 
with 
in 
and 
in 
, then returns false. Otherwise, if 
, then returns true, otherwise returns false.
Challenge When Adv decides that Phase 1 is over, Adv chooses two random attribute conjunctions in authorization policies 
and an attribute conjunction A. B responds as follows:
1. Finds the corresponding 
for each 
of 
and 
in the blinded attribute set 
, and keeps 
unchanged if no 
in 
, then obtains two new sets 
and 
. We simply assume that 
and 
have the same cardinality (otherwise, padding with random strings ). At the same
time, finds the corresponding 
for each 
of A in the blinded attribute set W, then then gets two new sets 
.
2.
B chooses 
and submits 
, 
and 
as a challenge to 
, i.e., sends 
and 
as a Matching Query. Assuming that 
are the returned results, B sends it to Adv.
Phase 2: The phase 1 is repeated exactly, except that the adversary may not query oracles
with any element in 
and MatchinginPEP for 
.
Guess: Eventually, the adversary Adv returns a guess 
to B. B also outputs 
as the guess of 
for 
game.
If Adv has a non-negligible probability 
in making a successful guess, i.e., guess 
. It indicates Adv has another non-negligible probability in distinguishing 
, 
, which contradicts the fact that 
scheme is CPA security. Thus, we reach a contradiction. 
Privacy management
Based on the policy embedding scheme 
, the authorization management becomes efficient and simple. The policy-privacy authorization
management includes Customer Grant, New Subscription Authorization, Authorization
Update, and Customer Revocation.
Customer Subscribing Grant When a new customer B subscribing him or herself to the SCADA system A, the system uses the traditional authorization administration tool to decide whether
customer B is granted. If B can be granted, A computes as follows:
1. It converts B’s subject attribute expression 
into a blinded one 
according to 
.
2. It encodes 
by the encoding procedure in definition 
.
3. It sends corresponding attribute Bloom Filters 
to B’s home brokers the access control service.
New Event Grant When a new event is published in the SCADA system, it extracts the authorization
expression 
from the authorization policies. It then computes as follows:
1. It converts the authorization expression 
into a blinded one 
according to 
.
2. Each conjunction 
in 
is encoded into Bloom Filters 
and 
.
3. It sends the corresponding Bloom Filters 
to the home brokers.
4. Only a hash indicator is attached to the published event. If the encoding policies
have been sent for this event type, no policy conversion and transmission take place.
Authorization Update When a SCADA application modifies the authorization policy for the event type that
it will publish, the access control system computes new Bloom Filters 
, 
according to the new authorization policy. It then sends 
, 
to the home brokers to replace 
, 
.
Customer Revocation When the access control system revokes some privilege of the customer B, it computes new Bloom Filters 
. It sends 
to the home brokers to replace 
.