Figure 3 - uploaded by Johannes Feichtner
Content may be subject to copyright.
Source publication
Key authentication as well as an intended recipient not having a key available are, among others, challenges that public key infrastructures (PKIs) still face. Trusted third parties work around these issues. However, identity-based encryption (IBE) systems and later attribute-based encryption (ABE) systems were designed to address these exact chall...
Contexts in source publication
Context 1
... the PKG player is replaced by our central SM. The players required by our approach and their communication paths are illustrated in Figure 3. Formal definitions of our approach are given in Figure 4. ...
Context 2
... players required by our approach and their communication paths are illustrated in Figure 3. Formal definitions of our approach are given in Figure 4. As a first step, Alice has to retrieve the recipient's (Bob's) public key rk pub by providing a set of attributes attrs (identifying Bob) to equation (5) (step (1) in Figure 3). Here, the SM decides if it needs to create a fresh key pair or if a suitable key pair is already available. ...
Context 3
... result is also a public key. After the initial step, Alice has all the data she needs to encrypt some plain payload data p by the means of equation (6) and to send the resulting cipher text c to Bob (step (2) in Figure 3). Compared to the IBE/ABE workflow, there is no need to include the attributes attrs anymore, ...
Context 4
... = rk priv (7) decrypt(rk priv , c) = p (8) Figure 4. IBE/ABE emulation definitions since they are inherent with the key. Bob receives the cipher text c and requests the central SM to decrypt the data (step (3) in Figure 3). Before performing the request, the central SM verifies if Bob has all required attributes and gains the recipient's private key rk priv through equation (7). ...
Citations
... ABE or IBE schemes can be considered as an alternative to traditional PKIs that allow the reliable utilization of public key cryptography without the use of certificates. In 2015, Reimair et al. [63] identified ABE as an alternative to facing the problems of current PKIs. However, as PKIs had already been widely deployed in industry, the authors proposed a way of integrating the benefits of ABE into current PKI systems. ...
... Comparison of pros & cons and different application scenarios of the analyzed approaches[21][22][23][24][26][27][28][30][31][32][33][34][35][36][39][40][41][42]44,[63][64][65][66][67][68][69][70][92][93][94][95][96][97][98][99][100][101]. ...
Digital certificates are regarded as the most secure and scalable way of implementing authentication services in the Internet today. They are used by most popular security protocols, including Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS). The lifecycle management of digital certificates relies on centralized Certification Authority (CA)-based Public Key Infrastructures (PKIs). However, the implementation of PKIs and certificate lifecycle management procedures in Industrial Internet of Things (IIoT) environments presents some challenges, mainly due to the high resource consumption that they imply and the lack of trust in the centralized CAs. This paper identifies and describes the main challenges to implement certificate-based public key cryptography in IIoT environments and it surveys the alternative approaches proposed so far in the literature to address these challenges. Most proposals rely on the introduction of a Trusted Third Party to aid the IIoT devices in tasks that exceed their capacity. The proposed alternatives are complementary and their application depends on the specific challenge to solve, the application scenario, and the capacities of the involved IIoT devices. This paper revisits all these alternatives in light of industrial communication models, identifying their strengths and weaknesses, and providing an in-depth comparative analysis.
... In 2016, Reimair et al. presented a solution for PKI on a multi-device user, known as the Cryptographic Service Interoperability Layer or CrySIL [14]. While the solution was intended to solve a different problem, namely to address the storage of cryptographic keys across various devices, they proposed that it could be used to emulate IBE/ABE (ABE stands for attribute-based encryption, which is a more general form of identity-based encryption, in that the public key of a user is a set of attributes instead of an identity string) systems [15] using X.509 standard. ...
... It is difficult to reproduce the claimed efficiency of the various PKI-IBC hybrid frameworks, some of which do not have any implementation [10,12]. We compare our system with Price and Mitchell's work [10], Lee's Unified PKI (UPKI) [12], Tan et al.'s original enhanced PKI [13] and IBE/ABE services using X.509 presented by Reimair et al. [15]. We note several key differences and improvement over their work in Table 2. ...
... Following this logic, we consider the following common 3 attacks scenarios on a PKI for the implementations considered under Table 2. We found by ad hoc reasoning, that in 3 of the scenarios, our implementation is comparably secure as the implementation presented by Reimair et al. [15]. ...
Public key infrastructure (PKI) plays a fundamental role in securing the infrastructure of the Internet through the certification of public keys used in asymmetric encryption. It is an industry standard used by both public and private entities that costs a lot of resources to maintain and secure. On the other hand, identity-based cryptography removes the need for certificates, which in turn lowers the cost. In this work, we present a practical implementation of a hybrid PKI that can issue new identity-based cryptographic keys for authentication purposes while bootstrapping trust with existing certificate authorities. We provide a set of utilities to generate and use such keys within the context of an identity-based environment as well as an external environment (i.e., without root trust to the private key generator). Key revocation is solved through our custom naming design which currently supports a few scenarios (e.g., expire by date, expire by year and valid for year). Our implementation offers a high degree of interoperability by incorporating X.509 standards into identity-based cryptography (IBC) compared to existing works on hybrid PKI–IBC systems. The utilities provided are minimalist and can be integrated with existing tools such as the Enterprise Java Bean Certified Authority (EJBCA).
... Their work on Cryptographic Service Interoperability Layer (CrySIL) proposes an architecture that supports distributed usage of cryptography services for environments consisting of diverse solutions and complex workflows characterizing long-evolving organizations. CrySIL facilitates interoperability by integrating various forms of authentication, deploying distributed crypto execution and emulation environment (Reimair & Feichtner, 2015) and leveraging the range of platforms, such as smartphones, to serve as cloud crypto service providers . ...
The extensive cloud adoption among the European Public Sector Players empowered them to own and operate a range of cloud infrastructures. These deployments vary both in the size and capabilities, as well as in the range of employed technologies and processes. The public sector, however, lacks the necessary technology to enable effective, interoperable and secure integration of a multitude of its computing clouds and services. In this work we focus on the federation of private clouds and the approaches that enable secure data sharing and processing among the collaborating infrastructures and services of public entities. We investigate the aspects of access control, data and security policy languages, as well as cryptographic approaches that enable fine-grained security and data processing in semi-trusted environments. We identify the main challenges and frame the future work that serve as an enabler of interoperability among heterogeneous infrastructures and services. Our goal is to enable both security and legal conformance as well as to facilitate transparency, privacy and effectivity of private cloud federations for the public sector needs.
Modern times introduced a highly heterogeneous device landscape. The landscape was populated by distributed applications. These applications are used by modern multi-device users. A modern user wants to create, process, and share potentially sensitive data among her devices. For instance, start a document at the smart phone, continue on the laptop and finish the document on a tablet. A common way to protect sensitive data against disclosure and theft is cryptography. Cryptography, however, requires for all devices in question to be able to perform appropriate operations and protect the subsequent cryptographic primitives against attacks. Unfortunately, different devices have different capabilities when it comes to cryptography. Some have hardware-backed solutions available, some cannot do any cryptography at all. In general, it is hard to provide adequate (and potentially equal) cryptographic methods on every device of the modern landscape – be it rather basic and well-known schemes or new methodologies that are long awaited to stand the challenges of the cloud. In order to tackle the above mentioned status and bring cryptography to the modern multi-device user, we present CrySIL, the Cryptographic Service Interoperability Layer. CrySIL is designed as a flexible and extensible layer between the user and the cryptographic primitive. In a nutshell, CrySIL can use local key storage solutions, offers remote key storage and crypto provider deployments, and features strong authentication methodologies to constrain access to cryptographic primitives. In this work, we explain the motivation of CrySIL, describe its architecture, highlight its deployment in a typical modern use case, and reflect on achievements and shortcomings.
