Authors: Antonio de la Piedra (Kudelski Security Research Team) and Marloes Venema (Radboud University Nijmegen)
This week at Black Hat Europe 2021 we have presented our work on attacking attribute-based encryption implementations: https://www.blackhat.com/eu-21/briefings/schedule/#practical-attacks-against-attribute-based-encryption-25058.
Attribute-based encryption (ABE) provides fine-grained access control on data where the ability to decrypt a ciphertext is determined by the attributes owned by a user of the system. Hence, data can be stored by an entity that is not necessarily trusted to enforce access control.
ABE has been proposed to secure the Internet of Things and to enforce authorization in Cloud systems. This is typically exemplified in the healthcare setting, where all “nurses” of hospital “A” can only decrypt certain records, whereas “doctors” of the same hospital have access to additional information about the patients.
In this type of deployment, the following parties are involved:
- Key generation authorities (KGAs): They set up and deploy the system and register its users.
- Data owners: They encrypt sensitive data using the users’ encryption keys according to a certain policy.
- Users: They register in the system and receive a set of attributes. They can decrypt data according to their attributes.
Typically, ABE schemes are based on pairings (although some new schemes based on lattice assumptions have appeared in the last few years), since it is generally known that secure schemes based only on ECC assumptions (such as DDH) do not exist.
For instance, in the example below, Bob has the following attributes: “doctor”, “Mayo Clinic” and “neurology”. In this particular case, another user in the system, Alice, can encrypt a message for Bob using the following policy: “(doctor or nurse) and Mayo Clinic and neurology”. Bob can then decrypt this message, since his attributes, i.e. “doctor”, “Mayo Clinic” and “neurology”, satisfy the policy used by Alice.
Moreover, multi-authority variants of ABE exist that extend these capabilities to multiple-domain settings, thus removing the requirement of having a trusted third party.
For instance, in this case both Bob and Charlie can receive attributes from two attribute authorities, the Hospital and the Insurance company authorities.
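As an added illustration of the policy check at the heart of the two examples above (this is example code written for this post, not code from the original article, from CHARM or from the abeattacks library), the following Python snippet parses a policy such as Alice’s “(doctor or nurse) and Mayo Clinic and neurology” into a boolean formula and evaluates it against a user’s attribute set. The grammar (and, or, parentheses, multi-word attribute names, case-insensitive comparison) and the authority-qualified names of the form attribute@Authority used to model the multi-authority case with Bob and Charlie are assumptions of this example, not a convention of any particular scheme.

```python
"""Boolean access-policy evaluation for ABE (example code, not from the post).

Policies are monotone boolean formulas over attribute names, e.g.
    (doctor or nurse) and Mayo Clinic and neurology
Attribute names may contain spaces; "and", "or" and parentheses are the
only reserved tokens, and "and" binds tighter than "or".
"""
import re

# A token is a parenthesis or a run of characters without spaces/parentheses.
_TOKEN_RE = re.compile(r"\(|\)|[^\s()]+")


def tokenize(policy):
    """Split a policy string into ("OP", op) and ("ATTR", name) tokens.

    Consecutive words that are not operators are merged into one attribute
    name, so "Mayo Clinic" is a single attribute. Names are lower-cased
    (assumption of this example: comparison is case-insensitive).
    Pitfall: a missing operator ("doctor nurse") silently becomes one
    attribute named "doctor nurse" instead of raising an error.
    """
    tokens, words = [], []

    def flush():
        if words:
            tokens.append(("ATTR", " ".join(words).lower()))
            words.clear()

    for w in _TOKEN_RE.findall(policy):
        if w in ("(", ")") or w.lower() in ("and", "or"):
            flush()
            tokens.append(("OP", w.lower()))
        else:
            words.append(w)
    flush()
    return tokens


class Parser:
    """Recursive-descent parser: expr := term ('or' term)*,
    term := factor ('and' factor)*, factor := ATTR | '(' expr ')'."""

    def __init__(self, tokens):
        self.tokens, self.pos = tokens, 0

    def peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def take(self, expected=None):
        tok = self.peek()
        if tok is None or (expected is not None and tok != expected):
            raise ValueError(f"unexpected token {tok!r}, wanted {expected!r}")
        self.pos += 1
        return tok

    def parse(self):
        node = self.expr()
        if self.peek() is not None:  # leftover tokens, e.g. an unmatched ')'
            raise ValueError(f"trailing tokens: {self.tokens[self.pos:]}")
        return node

    def expr(self):
        parts = [self.term()]
        while self.peek() == ("OP", "or"):
            self.take()
            parts.append(self.term())
        return parts[0] if len(parts) == 1 else ("or", parts)

    def term(self):
        parts = [self.factor()]
        while self.peek() == ("OP", "and"):
            self.take()
            parts.append(self.factor())
        return parts[0] if len(parts) == 1 else ("and", parts)

    def factor(self):
        tok = self.take()
        if tok == ("OP", "("):
            node = self.expr()
            self.take(("OP", ")"))
            return node
        if tok[0] == "ATTR":
            return ("attr", tok[1])
        raise ValueError(f"unexpected token {tok!r}")


def is_well_formed(policy):
    """True iff the policy parses; malformed policies must be rejected."""
    try:
        Parser(tokenize(policy)).parse()
        return True
    except ValueError:
        return False


def satisfies(policy, attributes):
    """Return True iff the attribute set satisfies the policy."""
    attrs = {a.lower() for a in attributes}
    tree = Parser(tokenize(policy)).parse()

    def ev(node):
        if node[0] == "attr":
            return node[1] in attrs
        children = (ev(c) for c in node[1])
        return all(children) if node[0] == "and" else any(children)

    return ev(tree)


if __name__ == "__main__":
    # Constructed sample data mirroring the running example of the post.
    alice_policy = "(doctor or nurse) and Mayo Clinic and neurology"
    bob = {"doctor", "Mayo Clinic", "neurology"}
    nurse_only = {"nurse", "Mayo Clinic"}  # lacks "neurology"
    # Multi-authority setting (assumed encoding): attribute@Authority.
    charlie = {"doctor@Hospital", "insured@Insurance"}
    print(satisfies(alice_policy, bob))          # True
    print(satisfies(alice_policy, nurse_only))   # False
    print(satisfies("doctor@Hospital and insured@Insurance", charlie))  # True
```

In a correct ABE implementation, decryption of a ciphertext under a policy must succeed exactly when this check returns True for the attributes in the decryptor’s key; the decryption attacks discussed further down break that equivalence. Running a scheme’s decryption routine alongside such an evaluator, on users whose attributes do not satisfy the policy, is therefore a cheap consistency test to apply to an implementation before relying on it.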
Applications of ABE
ABE can be used as an authorization mechanism in the Cloud, as several works have proposed. In this case, data owners, e.g. Alice, publish:
- Symmetrically encrypted content, e.g. media, health records, etc.
- Encrypted keys according to a particular access policy.
- Only users with certain attributes, e.g. Bob or Charlie, can decrypt.
Below, we show how ABE can be used in the Cloud by depicting the general architecture of DAC-MACS, a highly-cited scheme:
In this case, there are two KGAs in the system: the Insurance company KGA and the Hospital KGA. Alice is the data owner who wants to share sensitive data with the user Charlie. First, Alice generates a symmetric encryption key that she uses to encrypt a message. The message is encrypted using the following policy: “(doctor or nurse) and Mayo Clinic and neurology”. Using the token generation mechanism of DAC-MACS, Charlie can obtain the ciphertext created by Alice and recover the content key that opens the sensitive data shared by Alice.
On the other hand, other practitioners have proposed securing Internet of Things deployments using ABE. In this case, most works are related to the Smart City paradigm: different types of sensing data are gathered from various sources in the city, such as transportation providers and energy infrastructure, with the goal of optimization. Here, ABE can be used to enforce authorization on the collected data towards the different data owners that analyze it. One ABE scheme provided by different open-source libraries that focuses on IoT deployments is YCT14.
Cryptanalysis frameworks and broken schemes
Several practitioners have proposed techniques and heuristics to analyze the security of ABE schemes. This year, at the CT-RSA 2021 conference, Venema and Alpár presented attacks against 11 ABE and MA-ABE schemes, including DAC-MACS and the YJ14 scheme. Further, in 2019, Herranz showed that several schemes based only on elliptic curves (i.e. without pairings) were broken, such as the YCT14 scheme.
In our talk, we demonstrated the practicality of these attacks. We have implemented three different types of attacks:
- A decryption attack against DAC-MACS, where a single user is able to decrypt ciphertexts with policies she cannot satisfy. This user does not even need to collude with other users or corrupt an authority.
- A decryption attack with corruption of one of the authorities against the YJ14 scheme.
- A decryption attack against the YCT14 scheme, where two users collude in order to obtain a decryption key, based on the work of Herranz.
Open-source libraries such as CHARM and RABE provide, among others, implementations of these schemes. We have implemented the attacks in the CHARM cryptographic library and show that the implementations of the DAC-MACS, YJ14 and YCT14 schemes provided by this particular library are vulnerable to decryption attacks.
Based on the status of the schemes, we have obtained the following CVEs:
- CVE-2021-37587: https://nvd.nist.gov/vuln/detail/CVE-2021-37587
- CVE-2021-37588: https://nvd.nist.gov/vuln/detail/CVE-2021-37588
Demonstrating the attacks
Together with our presentation, we provide a Python library implementing some of the cryptanalytic attacks of Venema and Alpár against the aforementioned ABE schemes: abeattacks (available at https://pypi.org/project/abeattacks/).
Further, we have prepared three Jupyter notebooks in which ABE and the practical attacks against the ABE schemes are illustrated (available at https://github.com/kudelskisecurity/abeattacks/jupyter/). These notebooks can be used to learn more about the attacks in practice.
We have released a Dockerfile with everything ready at https://github.com/kudelskisecurity/abeattacks/tree/main/docker. You can follow the instructions below to see how the attacks work in practice:
$ git clone https://github.com/kudelskisecurity/abeattacks/
$ cd abeattacks/docker
$ ./build_and_run.sh
Then, open your browser at the location suggested by Jupyter:
You can follow the decryption attack against DAC-MACS, for instance:
Finally, we have published the slides of our presentation at https://github.com/kudelskisecurity/abeattacks/tree/main/slides/.
(We use URLs to full papers in PDF if they are available).