Key Revocation Research Articles

IBE-Signal: Reshaping Signal into a MITM-Attack-Resistant Protocol

The Signal Protocol is one of the most popular privacy protocols today for protecting Internet chats and supports end-to-end encryption. Nevertheless, despite its many advantages, the Signal Protocol is not resistant to Man-In-The-Middle (MITM) attacks because a malicious server can distribute the forged identity-based public keys during the user registration phase. To address this problem, we proposed the IBE-Signal scheme that replaced the Extended Triple Diffie–Hellman (X3DH) key agreement protocol with enhanced Identity-Based Encryption (IBE). Specifically, the adoption of verifiable parameter initialization ensures the authenticity of system parameters. At the same time, the Identity-Based Signature (IBS) enables our scheme to support mutual authentication. Moreover, we proposed a distributed key generation mechanism that served as a risk decentralization to mitigate IBE’s key escrow problem. Besides, the proposed revocable IBE scheme is used for the revocation problem. Notably, the IND-ID-CPA security of the IBE-Signal scheme is proven under the random oracle model. Compared with the existing schemes, our scheme provided new security features of mutual authentication, perfect forward secrecy, post-compromise security, and key revocation. Experiments showed that the computational overhead is lower than that of other schemes when the Cloud Privacy Centers (CPCs) number is less than 8.

GAP-MM: 5G-Enabled Real-Time Autonomous Vehicle Platoon Membership Management Based on Blockchain

Autonomous Vehicle Platoon (AVP) is the most anticipated application of 5G ultrareliable and low latency communications. By joining the preexisting platoon to form the real-time AVP (RAVP), individual vehicles could gain benefits such as fuel consumption reduction and traffic safety enhancement. Unlike the scheduled AVP which only contains fixed vehicles, members in RAVP change frequently since individual vehicles would want to join or leave the platoon any time. Besides, malicious vehicles may attempt to sneak into the RAVP and try to manipulate the platoon. Public key cryptography and access control mechanisms can be adopted to create a relatively isolated area for communication inside the platoon. Nevertheless, there exist few works that take into account the regulation of the dynamic change members in RAVP. In this paper, we propose a membership management scheme for 5G-enabled RAVP by integrating revocable attribute-based encryption (RABE) and blockchain, namely, GAP-MM. It realizes fine-grained access control of key distribution and malicious vehicle’s key revocation efficiently. The sufficient evaluations and security analysis indicate that GAP-MM is practical for RAVP scenario in terms of both efficiency and security.

Cryptographic pointers for fine-grained file access security

ABSTRACT We present a paradigm for fine-grained access security in a protection environment featuring files and records. Files are allocated at increasing addresses in a virtual space whose size is extremely large, so that virtual space reuse is never necessary. A record is a portion of a file. A subject certifies possession of an access privilege for a given object, file, or record, by presenting a cryptographic pointer (c-pointer) referencing that object. The c-pointer includes a key, and the composition of the access privilege expressed in terms of the two access rights, to read and to write. The c-pointer is valid if the key descends from a master key indicated in the c-pointer, by application of a universally known, symmetric algorithm. Records can be encrypted, and the key is specific to the given record. A set of security primitives forms the user interface of the security system. The resulting environment is evaluated from a number of viewpoints that include key proliferation, weakening and revocation, selective encryption, file directories, and robustness against security attacks aimed at c-pointer forging.

SIKM – a smart cryptographic key management framework

Abstract For a secure data transmission in symmetric cryptography, data are encrypted and decrypted using an identical key. The process of creating, distributing, storing, deploying, and finally revoking the symmetric keys is called key management. Many key management schemes are devised that each one is suitable for a specific range of applications. However, these schemes have some common drawbacks like the hardness of key generation and distribution, key storage, attacks, and traffic load. In this article, a key management framework is proposed, which is attack resistant and transforms the current customary key management workflow to enhance security and reduce weaknesses. The main features of the proposed framework are eliminating key storage, smart attack resistant feature, reducing multiple-times key distribution to just one-time interpreter distribution, and having short key intervals – minutely, hourly, and daily. Moreover, the key revocation process happens automatically and with no revocation call.

An Industrial IoT-Based Blockchain-Enabled Secure Searchable Encryption Approach for Healthcare Systems Using Neural Network.

The IoT refers to the interconnection of things to the physical network that is embedded with software, sensors, and other devices to exchange information from one device to the other. The interconnection of devices means there is the possibility of challenges such as security, trustworthiness, reliability, confidentiality, and so on. To address these issues, we have proposed a novel group theory (GT)-based binary spring search (BSS) algorithm which consists of a hybrid deep neural network approach. The proposed approach effectively detects the intrusion within the IoT network. Initially, the privacy-preserving technology was implemented using a blockchain-based methodology. Security of patient health records (PHR) is the most critical aspect of cryptography over the Internet due to its value and importance, preferably in the Internet of Medical Things (IoMT). Search keywords access mechanism is one of the typical approaches used to access PHR from a database, but it is susceptible to various security vulnerabilities. Although blockchain-enabled healthcare systems provide security, it may lead to some loopholes in the existing state of the art. In literature, blockchain-enabled frameworks have been presented to resolve those issues. However, these methods have primarily focused on data storage and blockchain is used as a database. In this paper, blockchain as a distributed database is proposed with a homomorphic encryption technique to ensure a secure search and keywords-based access to the database. Additionally, the proposed approach provides a secure key revocation mechanism and updates various policies accordingly. As a result, a secure patient healthcare data access scheme is devised, which integrates blockchain and trust chain to fulfill the efficiency and security issues in the current schemes for sharing both types of digital healthcare data. Hence, our proposed approach provides more security, efficiency, and transparency with cost-effectiveness. We performed our simulations based on the blockchain-based tool Hyperledger Fabric and OrigionLab for analysis and evaluation. We compared our proposed results with the benchmark models, respectively. Our comparative analysis justifies that our proposed framework provides better security and searchable mechanism for the healthcare system.

Deep Learning Based Homomorphic Secure Search-Able Encryption for Keyword Search in Blockchain Healthcare System: A Novel Approach to Cryptography.

Due to the value and importance of patient health records (PHR), security is the most critical feature of encryption over the Internet. Users that perform keyword searches to gain access to the PHR stored in the database are more susceptible to security risks. Although a blockchain-based healthcare system can guarantee security, present schemes have several flaws. Existing techniques have concentrated exclusively on data storage and have utilized blockchain as a storage database. In this research, we developed a unique deep-learning-based secure search-able blockchain as a distributed database using homomorphic encryption to enable users to securely access data via search. Our suggested study will increasingly include secure key revocation and update policies. An IoT dataset was used in this research to evaluate our suggested access control strategies and compare them to benchmark models. The proposed algorithms are implemented using smart contracts in the hyperledger tool. The suggested strategy is evaluated in comparison to existing ones. Our suggested approach significantly improves security, anonymity, and monitoring of user behavior, resulting in a more efficient blockchain-based IoT system as compared to benchmark models.

An Effective Blockchain Based Secure Searchable Encryption System

Security of Patient health records (PHR) is the most important aspect of cryptography over the Internet due to its value and importance preferably in the medical Internet of Things (IoT). Search keywords access mechanism is one of the common approaches which is used to access PHR from database, but it is susceptible to various security vulnerabilities. Although Blockchain-enabled healthcare systems provide security, but it may lead to some loopholes in the existing schemes. However, these methods primarily focused on data storage, and blockchain is used as a database. In this paper, Blockchain as a distributed database is proposed with homomorphic encryption technique to ensure a secure search and keywords-based access to the database. Moreover, the proposed approach provides a secure key revocation mechanism and update various policies accordingly. A secure patient healthcare data access scheme is devised, which integrates blockchain and trust chain to fulfill the efficiency and security issues in the current schemes for sharing both types of digital healthcare data. Our proposed approach provides improved security, efficiency, and transparency with cost effectiveness. We performed our simulations based on the blockchain based tool termed as the Hyperledger fabric and Origionlab for analysis and evaluation. We have compared our proposed results with the benchmark models. Our comparative analysis justify that our proposed framework gives improvement in security and searchable mechanism for healthcare system.

A Generic Approach to Build Revocable Hierarchical Identity-Based Encryption

Revocable hierarchical identity-based encryption (RHIBE) is an extension of HIBE that provides the efficient key revocation function by broadcasting an update key per each time period. Many RHIBE schemes have been proposed by combining an HIBE scheme and a tree-based revocation method, but a generic method for constructing an RHIBE scheme has not been proposed. In this paper, we show for the first time that it is possible to construct RHIBE schemes by generically combining underlying cryptographic primitives and tree-based revocation methods. We first generically construct an RHIBE-CS scheme by combining HIBE schemes and the complete subtree (CS) method, and prove the adaptive security by using the adaptive security of the HIBE schemes. Thus, we obtain RHIBE schemes under the quadratic residuosity assumption, CDH assumption, and factoring assumption. Next, we generically construct an RHIBE-SD scheme with shorter update keys by combining HIBE and hierarchical single revocation encryption (HSRE) schemes, and the subset difference (SD) method to reduce the size of update keys. Finally, we generically construct an RHIBE-CS scheme with shorter ciphertexts by combining HIBE schemes with constant-size ciphertext and the CS method. Through different kind of generic combinations, we obtain various RHIBE schemes that provide a trade-off between shorter ciphertexts and shorter update keys.

ESAR: Enhanced Secure Authentication and Revocation Scheme for Vehicular Ad Hoc Networks

Vehicle Ad Hoc Network (VANET) systems that use Public Key Infrastructure (PKI) experience significant delays when checking Certificate Revocation Lists (CRLs) and performing key pair-based asymmetric cryptographic operations. This paper offers a fast and secure mechanism for revocation checking, processing and PKI key pair updating called the Enhanced Secure Authentication and Revocation (ESAR) scheme for VANETs. The ESAR Vehicle-To-Vehicle (V2V) authentication method applies Keyed-Hash-based Message Authentication Code (H-MAC) cryptogram validation for On-Board-Unit (OBU) revocation checks instead of the CRL search. We examined the ESAR together with a similar VANET scheme and achieved better results. We selected the Expedite Message Authentication Protocol for Vehicular Ad Hoc Networks (EMAP), which, upon a review of the literature, was seen to offer fewer countermeasures to provide resistance to most attacks. In addition, we completed the missing parts of the EMAP scheme with performance improvements and we compared it with other schemes in terms of security. Our ESAR scheme includes the following improvements. (1) The unauthorized update protection of sensitive assets is handled by revocation key sender verification and revocation version validation. (2) Privacy concerns are addressed by the use of keyed trimmed H-MAC-based pseudo ID creation. (3) Reliable data transmission issues are resolved by including missing message identification tags. (4) Performance concerns are addressed by eliminating and combining network requests to offer fast security key revocation. We targeted system performance and durability and also attack resistance using anomaly detection improvements. We ran three simulations: the standard (using CRL only), the proposed (ESAR), and the existing (EMAP) methods. According to the findings of our simulation analysis, our proposed system was more efficient in terms of performance and network congestion than the other examined methods.

A Security-Mediated Encryption Scheme Based on ElGamal Variant

Boneh et al. introduced mediated RSA (mRSA) in 2001 in an attempt to achieve faster key revocation for medium-sized organizations via the involvement of a security mediator (SEM) as a semi-trusted third party to provide partial ciphertext decryption for the receiver. In this paper, a pairing-free security mediated encryption scheme based on an ElGamal variant is proposed. The scheme features a similar setting as in the mediated RSA but with a different underlying primitive. We show that the proposed security mediated encryption scheme is secure indistinguishably against chosen-ciphertext attack (IND-CCA) in the random oracle via the hardness assumption of the computational Diffie-Hellman (CDH) problem.

IIBE: An Improved Identity-Based Encryption Algorithm for WSN Security

Wireless sensor networks (WSN) have problems such as limited power, weak computing power, poor communication ability, and vulnerability to attack. However, the existing encryption methods cannot effectively solve the above problems when applied to WSN. To this end, according to WSN’s characteristics and based on the identity-based encryption idea, an improved identity-based encryption algorithm (IIBE) is proposed, which can effectively simplify the key generation process, reduce the network traffic, and improve the network security. The design idea of this algorithm lies between the traditional public key encryption and identity-based public tweezers’ encryption. Compared with the traditional public key encryption, the algorithm does not need a public key certificate and avoids the management of the certificate. Compared with identity-based public key encryption, the algorithm addresses the key escrow and key revocation problems. The results of the actual network distribution experiments demonstrate that IIBE has low energy consumption and high security, which are suitable for application in WSN with high requirements on security.

An Implementation Suite for a Hybrid Public Key Infrastructure

Public key infrastructure (PKI) plays a fundamental role in securing the infrastructure of the Internet through the certification of public keys used in asymmetric encryption. It is an industry standard used by both public and private entities that costs a lot of resources to maintain and secure. On the other hand, identity-based cryptography removes the need for certificates, which in turn lowers the cost. In this work, we present a practical implementation of a hybrid PKI that can issue new identity-based cryptographic keys for authentication purposes while bootstrapping trust with existing certificate authorities. We provide a set of utilities to generate and use such keys within the context of an identity-based environment as well as an external environment (i.e., without root trust to the private key generator). Key revocation is solved through our custom naming design which currently supports a few scenarios (e.g., expire by date, expire by year and valid for year). Our implementation offers a high degree of interoperability by incorporating X.509 standards into identity-based cryptography (IBC) compared to existing works on hybrid PKI–IBC systems. The utilities provided are minimalist and can be integrated with existing tools such as the Enterprise Java Bean Certified Authority (EJBCA).

DIIA: Blockchain-Based Decentralized Infrastructure for Internet Accountability

The Internet lacking accountability suffers from IP address spoofing, prefix hijacking, and DDoS attacks. Global PKI-based accountable network involves harmful centralized authority abuse and complex certificate management. The inherently accountable network with self-certifying addresses is incompatible with the current Internet and faces the difficulty of revoking and updating keys. This study presents DIIA, a blockchain-based decentralized infrastructure to provide accountability for the current Internet. Specifically, DIIA designs a public-permissioned blockchain called TIPchain to act as a decentralized trust anchor, allowing cryptographic authentication of IP addresses without any global trusted authority. DIIA also proposes the revocable trustworthy IP address bound to the cryptographic key, which supports automatic key renewal and efficient key revocation and eliminates complexity certificate management. We present several security mechanisms based on DIIA to show how DIIA can help to enhance network layer security. We also implement a prototype system and experiment with real-world data. The results demonstrate the feasibility and suitability of our work in practice.

A cloud-based mobile payment system using identity-based signature providing key revocation

A cloud-based mobile payment system using identity-based signature providing key revocation

Lattice‐based revocable attribute‐based encryption with decryption key exposure resistance

Attribute-based encryption (ABE) is a promising management method that enables fine-grained access control in large-scale systems. Revocable ABE (RABE) can support a key revocation mechanism in an ABE system. With the advent of the Internet of Things, users may need to delegate their decryption capacity to other devices, which requires that RABE meet a necessary feature called decryption key exposure resistance (DKER). Although many constructions about RABE from bilinear maps have been proposed, the situation of lattice-based constructions with DKER is less satisfactory. In order to narrow this gap, this paper propose the first lattice-based RABE with DKER. First, a formal description of RABE with DKER and the corresponding security models is proposed. Subsequently, a lattice-based RABE scheme without DKER is constructed and it is proved to be selective indistinguishability under chosen-plaintext attack (IND-CPA) security based on Learning with Errors (LWE). To achieve DKER, this paper construct a RABE scheme by using the RABE scheme without DKER and a key extension mechanism as its building blocks. Finally, this paper show that this scheme is selective IND-CPA security, with the DKER based on LWE.

A New Distributed, Decentralized Privacy-Preserving ID Registration System

Blockchain, a distributed ledger technology, is used in various fields, including many types of critical infrastructure, such as smart grids. Recently, studies have dealt with privacy preservation in smart grids. One such study presented a privacy-preserving aggregation system that provides integrity and anonymity using blockchain technology in a smart grid. In earlier work, a Bloom filter was used for rapid authentication on the blockchain, and a key management center was used for user key management. However, due to its high dependence on the key management center, it was not able to provide a completely distributed environment, and there was a linkability problem. In addition, there was a limitation in that key revocation and update functions through the Bloom filter could not be provided. In this article, we propose a decentralized privacy-preserving ID scheme that provides a fully distributed environment to address the limitations of existing research. The proposed scheme provides unlinkability to protect the anonymity of users using a blind signature. It also provides update or revocation functionalities of the pseudonym by the counting Bloom filter or the revoked-pseudonym Bloom filter. In addition, fully distributed operation is guaranteed through the certification authority responsible for user key management. Our scheme is applicable not only to blockchain-based decentralized privacy-preserving systems such as billing systems in a smart grid or smart cities, but also to any critical infrastructure, such as banks, hospitals, and systems including e-bulletins, e-surveys, e-voting, and so on.

Adaptively secure revocable hierarchical IBE from k-linear assumption

Revocable identity-based encryption (RIBE) is an extension of IBE with an efficient key revocation mechanism. Revocable hierarchical IBE (RHIBE) is its further extension with key delegation functionality. Although there are various adaptively secure pairing-based RIBE schemes, all known hierarchical analogues only satisfy selective security. In addition, the currently known most efficient adaptively secure RIBE and selectively secure RHIBE schemes rely on non-standard assumptions, which are referred to as the augmented DDH assumption and q-type assumptions, respectively. In this paper, we propose a simple but effective design methodology for RHIBE schemes. We provide a generic design framework for RHIBE based on an HIBE scheme with a few properties. Fortunately, several state-of-the-art pairing-based HIBE schemes have the properties. In addition, our construction preserves the sizes of master public keys, ciphertexts, and decryption keys, as well as the complexity assumptions of the underlying HIBE scheme. Thus, we obtain the first RHIBE schemes with adaptive security under the standard k-linear assumption. We prove adaptive security by developing a new proof technique for RHIBE. Due to the compactness-preserving construction, the proposed R(H)IBE schemes have similar efficiencies to the most efficient existing schemes.

Revocable Identity-Based Broadcast Proxy Re-Encryption for Data Sharing in Clouds

Cloud computing has become prevalent due to its nature of massive storage and vast computing capabilities. Ensuring a secure data sharing is critical to cloud applications. Recently, a number of identity-based broadcast proxy re-encryption (IB-BPRE) schemes have been proposed to resolve the problem. However, the IB-BPRE requires a cloud user (Alice) who wants to share data with a bunch of other users (e.g., colleagues) to participate the group shared key renewal process because Alice's private key is a prerequisite for shared key generation. This, however, does not leverage the benefit of cloud computing and causes the inconvenience for cloud users. Therefore, a novel security notion named revocable identity-based broadcast proxy re-encryption (RIB-BPRE) is presented to address the issue of key revocation in this work. In a RIB-BPRE scheme, a proxy can revoke a set of delegates, designated by the delegator, from the re-encryption key. The performance evaluation reveals that the proposed scheme is efficient and practical.

Indirect Revocable KP-ABE With Revocation Undoing Resistance

Lately, many cloud-based applications proposed attribute-based encryption (ABE) as an all-in-one solution for achieving confidentiality and access control. Within this paradigm, data producers store the encrypted data on a semi-trusted cloud server, and users, holding decryption keys issued by a key authority, can decrypt data according to some access control policy. To be used in practical cases, any ABE scheme should implement a key revocation mechanism which assures that a compromised decryption key cannot be used anymore to decrypt data. Yu <italic xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">et al.</i> (2010) introduced an ABE scheme with revocation capabilities that enjoys several unique advantages, such as reactivity and efficiency. In the scheme, the cloud server is entitled to update keys and ciphertexts in order to achieve revocation. Unfortunately, the cloud server retains the power to undo the revocation of a key (revocation undoing attack) so endangering confidentiality. In this article, we propose a revocable ABE scheme that still ensures the advantages of Yu <italic xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">et al.</i> ’s scheme, but it also resists to the revocation undoing attack. We formally prove the security of our scheme and show through simulations that the user experiences a slightly higher computational cost with respect to Yu <italic xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">et al.</i> ’s scheme.

PHAS-HEKR-CP-ABE: partially policy-hidden CP-ABE with highly efficient key revocation in cloud data sharing system

In recent years, attribute-based encryption (ABE) provides a new idea to help researchers solving the problem of data privacy protection in cloud. But there are two issues in traditional ABE, the first issue is that the attributes in the access structures will be sent to users in cleartext together with the ciphertext. So a attacker has the opportunity to obtain some of the private information from the plaintext access structure. And the other issue is the traditional ABE scheme cannot revoke the users' illegal keys in an efficient way. To handle both of the above challenges, we come up with a large universe ciphertext-policy ABE (CP-ABE) scheme which supports partially hidden access structures (PHAS) and highly efficient key revocation at the same time in this paper. What's more, unlike most previous schemes, first our access structure is based on the expressive linear secret sharing scheme (LSSS) which supports both AND and OR gates in access formulas and second our scheme is built from the prime-order bilinear pairing groups. The comparison with other relevant works presents that our scheme is more comprehensive and efficient. Finally we rigorously prove and analyze that our scheme is selectively indistinguishable secure under chosen plaintext attacks (IND-CPA) in the random oracle model (ROM) and our access structure is really anonymous against off-line dictionary attacks.