All the latest quantum computer articles

See the latest stories on quantum computing from eeNews Europe

Tuesday, August 21, 2018

New cryptographic standards add secure access control for the IoT

By Nick Flaherty

The ETSI Technical Committee on Cybersecurity has released two specifications on Attribute-Based Encryption (ABE) that describe how to protect personal data securely with fine-grained access controls that are particularly suited to the Internet of Things (IoT).

ABE is an asymmetric, multi-party cryptographic scheme that bundles access control with data encryption. In such a system, data can only be decrypted if the set of attributes of the user key matches the attributes of the encryption. For instance, access to particular data could only be granted to a specific role and a person with sufficient experience and authority. 

Because ABE enforces access control at a cryptographic (mathematical) level, it provides better security assurance than software-based solutions. It is also space-efficient, since only one ciphertext is needed to cater for all access control needs of a given data set.

Attribute-Based Encryption has been identified by ETSI as a key enabler technology for access control in highly distributed systems, such as 5G and the IoT:

ETSI TS 103 458 describes the high-level requirements for Attribute-Based Encryption. One objective is to provide user identity protection, preventing disclosure to an unauthorized entity. It defines personal data protection on IoT devices, WLAN, cloud and mobile services, where secure access to data has to be given to multiple parties, according to who that party is.

ETSI TS 103 532 specifies trust models, functions and protocols using Attribute-Based Encryption to control access to data, thus increasing data security and privacy. It provides a cryptographic layer that supports both variants of ABE- Ciphertext Policy and Key Policy - in various levels of security assurance. This flexibility in performance suits various forms of deployments, whether in the cloud, on a mobile network or in an IoT environment. The cryptographic layer is extensible and new schemes can be integrated in the standard to support future industry requirements and address data protection challenges in the post-quantum era.

Both specifications enable compliance with the General Data Protection Regulation, enforced since May 2018, by allowing secure exchange of personal data among data controllers and data processors.

A standard using Attribute-Based Encryption has several advantages for the industry. It provides an efficient, secure-by-default access control mechanism for data protection that avoids binding access to a person’s name, but instead to pseudonymous or anonymous attributes. ABE offers an interoperable, highly scalable mechanism for industrial scenarios where quick, offline access control is a must, and where operators need to access data both in a synchronous manner from the equipment as well as from a larger pool of data in the cloud.

This means ETSI TS 103 532 is particularly well-suited to the Industrial IoT as it enables access control policies to be introduced after data has been protected, it provides forward-compatibility with future business and legal requirements, such as the introduction of new stakeholders.

Related stories:

  • MISRA-compliant embedded crypto toools target IoT
  • Low cost crypto chip to secure the Internet of Things

  • Using Static Analysis to Improve IIoT Device Security
  • Maxim launches reference design for IoT node security 
  • Two factor security IP designed into IoT microcontrollers 
  • Cybersecurity researchers design a chip that checks itself 

No comments: