Realizing IoT service’s policy privacy over publish/subscribe-based middleware
A subscriber can successfully access the requested event only its attributes match
the publisher’s authorization policy, the subscriber can accept the subscribed event
from the published event type only the event attributes match the subscriber’s authorization
policy. Thus our access control solution is correct. In this section, we try to clarify
that, no matter what form the attacks take from adversaries, our scheme keeps privacy.
Policy privacy analysis
The Two-layer access control framework keeps privacy, which is performed through defining
the concept of policy privacy and privacy proof. Home brokers are assumed to be semi-honest.
This means that they follow predefined protocols while they try to find out as much
secret information as possible. Home brokers might not collude with malicious users,
but arbitrarily send any information to users. Given such a privacy assumption, we
first introduce the definition of policy evaluation scheme, and then define the policy-privacy model for .
Definition 8
(Policy Evaluation Scheme.) consists of four algorithms as follows:
1.
Init On input the attribute set W of a customer and an authorization policy , the blinding attribute algorithm and the blinding policy algorithm generates the
blinded attribute set and the blinded policy respectively.
2.
On input the attribute conjunction in an authorization policy of the data owner i, it outputs some randomized code and by invoking Encoding Procedure.
3.
On input the attribute conjunction in the attribute expression of the customer j, it outputs some randomized code by invoking Encoding Procedure.
4.
On input attribute codes , and , it outputs whether two codes are matched by invoking Matching Procedure. If the algorithm outputs a negative result, the access request of the customer is
rejected.
A policy evaluation scheme in the access control system is Chosen-Plaintext Attack (CPA) policy-privacy if adversaries
cannot win with a non-negligible advantage, the game is defined as follows:
Definition 9
(Non-intersection CPA for) For the policy evaluation scheme and a probabilistic polynomial time adversary Adv running in two phases, it is policy-privacy if Adv’s advantage is negligible in the following game:
Setup: The challenger invokes the Init algorithm of .
Training Phase 1: The adversary is allowed to issue queries for the following oracles:
1. Queries oracle for EncodeforAttributes and EncodeforPolicy of . That is to say, choosing one subject attribute conjunction and one attribute conjunction in an authorization policy , outputting encoded attributes and encoded policy .
2. Queries oracle for MatchinginPEP of .
Challenge Phase The adversary Adv submits two random attribute conjunctions in two authorization policies , and an subject attribute conjunction A. The challenger flips a random coin , and outputs a randomized code to the adversary. No attribute conjunctions , have appeared in the previous queries.
Training Phase 2 Training phase 1 is repeated exactly, except that the adversary may not query MatchinginPEP, for , not query oracles with any element in , .
Guess Finally, the adversary outputs their guess , and wins the game if .
The probability is over the random bits used by the challenger and the adversary,
where Adv makes at most polynomial queries to the oracles.
This definition implies that:
1. For two attribute conjunctions, the adversary cannot distinguish their encodings,
i.e., they are unable to link a Bloom Filter to a specific attribute conjunction.
2. The Non-intersection requires that any element in the challenge sets and should not have appeared or will not appear in other queries. This indicates that
our scheme has weaker security than that under CPA.
Definition 10
(PRF CPA ASSUMPTIOM) Given a pseudo-random function PRF(seed, key, input) with seed, key being secretly set, and two attribute conjunctions, PRF(seed, key, input) chooses one attribute conjunction and returns one random number, and then it is
hard to determine which attribute conjunction is chosen according to the returned
random number without knowing seed, key.
Definition 11
(Scheme) A Bloom Filter BF is initialized to zero, and a key and n seeds are secretly generated. Given an attribute set eSET, it invokes PRF(seed, key, input) for each attribute as input with n different seeds to obtain n random numbers that are in (0, m], i.e., being greater than 0 and less than . The position in BF is set 1 if one value of n random numbers points to it. When all attributes in eSET are iterated, BF is output.
Lemma 1
Thescheme is CPA-secure if each element in the challenge set is not queried on.
The conclusion is straightforward. In the security proof, multiple random numbers
for one element of the challenge set can be seen as multiple oracle queries for the
element during a CPA-Security game, where the oracle answers each query with attaching
fixed different numbers to the queried element as different inputs. The random numbers
for multiple elements in the challenge set can be seen as multiple oracle queries
for different elements. The premise that each element in the challenge set is not
queried indicates that, during the challenge of , no queried elements are challenged. It is natural to require that any element in
the challenged set will not be queried after challenging.
Theorem 1
PESis non-intersection CPA policy-privacy.
Proof
Suppose algorithm B is given a private key, it also generates a series of seeds for random generation.
B initializes the scheme with the key and seeds.
Init Given a set of attributes , B generates a random string for each attribute , and randomly generates according to the probability p. Replacing with , we will obtain a new blinded set of attributes .
Setup B maintains a set hash list , which is initially empty, and responds to the random oracle queries for Adv as described below.
1. Random oracle for a set : If this query already appears on the , then returns the predefined value. Otherwise, the query invokes the scheme with the set of to get a Bloom Filter . is defined. Finally, it adds the tuple to the list and respond with .
2.
: If BF can be found in with in and , then returns true, otherwise returns false.
3.
: If and cannot be found in with in and in , then returns false. Otherwise, if , then returns true, otherwise returns false.
Phase 1 In this stage, the adversary Adv issues a series of queries, which are subject to the restrictions of the Non-Intersection-CPA
game. B maintains a list that is initially empty.
1. Encoding Query : Algorithm B finds the corresponding for each in W, and obtains a new set . If the cardinality of the set sT is less than the parameter k, some random bit strings are generated and are added into sT such that the cardinality of sT is equal to k. Finally, adds the tuple to the list and responds with H(sT).
2. Matching Query : If and cannot be found in with in and in , then returns false. Otherwise, if , then returns true, otherwise returns false.
Challenge When Adv decides that Phase 1 is over, Adv chooses two random attribute conjunctions in authorization policies and an attribute conjunction A. B responds as follows:
1. Finds the corresponding for each of and in the blinded attribute set , and keeps unchanged if no in , then obtains two new sets and . We simply assume that and have the same cardinality (otherwise, padding with random strings ). At the same
time, finds the corresponding for each of A in the blinded attribute set W, then then gets two new sets .
2.
B chooses and submits , and as a challenge to , i.e., sends and as a Matching Query. Assuming that are the returned results, B sends it to Adv.
Phase 2: The phase 1 is repeated exactly, except that the adversary may not query oracles
with any element in and MatchinginPEP for .
Guess: Eventually, the adversary Adv returns a guess to B. B also outputs as the guess of for game.
If Adv has a non-negligible probability in making a successful guess, i.e., guess . It indicates Adv has another non-negligible probability in distinguishing , , which contradicts the fact that scheme is CPA security. Thus, we reach a contradiction.
Privacy management
Based on the policy embedding scheme , the authorization management becomes efficient and simple. The policy-privacy authorization
management includes Customer Grant, New Subscription Authorization, Authorization
Update, and Customer Revocation.
Customer Subscribing Grant When a new customer B subscribing him or herself to the SCADA system A, the system uses the traditional authorization administration tool to decide whether
customer B is granted. If B can be granted, A computes as follows:
1. It converts B’s subject attribute expression into a blinded one according to .
2. It encodes by the encoding procedure in definition .
3. It sends corresponding attribute Bloom Filters to B’s home brokers the access control service.
New Event Grant When a new event is published in the SCADA system, it extracts the authorization
expression from the authorization policies. It then computes as follows:
1. It converts the authorization expression into a blinded one according to .
2. Each conjunction in is encoded into Bloom Filters and .
3. It sends the corresponding Bloom Filters to the home brokers.
4. Only a hash indicator is attached to the published event. If the encoding policies
have been sent for this event type, no policy conversion and transmission take place.
Authorization Update When a SCADA application modifies the authorization policy for the event type that
it will publish, the access control system computes new Bloom Filters , according to the new authorization policy. It then sends , to the home brokers to replace , .
Customer Revocation When the access control system revokes some privilege of the customer B, it computes new Bloom Filters . It sends to the home brokers to replace .