Document

Download Report

Transcript Document 

A Flexible Role-based Secure
Messaging Service:
Exploiting IBE Technology for
Privacy in Health Care
Marco Casassa Mont
Pete Bramhall
Keith Harrison
Trusted Systems Laboratory
Hewlett-Packard Labs, Bristol, UK
TrustBus 2003, 2-4 September 2003
Prague, Czech Republic
Presentation Outline
• Setting
the Context
• Addressed
Problems
• Scenarios
• Requirements
• Related
• Our
Work
Approach
• Discussion
• Conclusions
18/07/2015
‫ﴀ‬Trusted Systems Laboratory – Hewlett-Packard Labs, Bristol - UK
page 2
Setting the Context
•
Organisations are more and more complex, dynamic and
flexible: people’s roles, rights and duties can frequently
change
•
Confidential information needs to be protected whilst it is
exchanged and accessed, especially in dynamic
environments
•
Messaging services (such as e-mail services), are commonly
used to exchange information within and across
organisations
18/07/2015
‫ﴀ‬Trusted Systems Laboratory – Hewlett-Packard Labs, Bristol - UK
page 3
Addressed Problems
• Enforcement of confidentiality and privacy of
information in dynamic contexts, where people’s roles
and permissions are subject to frequent changes
• Allow the exchange of confidential information in a way
that only the entities that satisfy predefined privacy policies,
at a specific point in time, can access it
18/07/2015
‫ﴀ‬Trusted Systems Laboratory – Hewlett-Packard Labs, Bristol - UK
page 4
Context: UK Health Care Service
• Focus on an Health Care Service:
example of dynamic organisation
Waiting List
Administration Teams
• Roles (GP, Doctor, Consultant,
Nurse, etc.) can be played by
different people at different time
• We partnered with a UK
Health Care Organization
to understand real problems
and have a Technology Trial
of our solutions
GP
• At moment interactions involving
confidential patient data are mainly
paper-based: need to be compliant
with Data Protection and Privacy
Laws …
Assistant
Referral
Letter
Referral
Letter
Nurse
Surgeries
• Most of the employees use the
e-mail service but …
18/07/2015
Referral
Letter
Consultant
Discharge
Letter
Departments
Hospitals
Health Service Network
‫ﴀ‬Trusted Systems Laboratory – Hewlett-Packard Labs, Bristol - UK
page 5
Scenarios [1]
18/07/2015
‫ﴀ‬Trusted Systems Laboratory – Hewlett-Packard Labs, Bristol - UK
page 6
Scenarios [2]
18/07/2015
‫ﴀ‬Trusted Systems Laboratory – Hewlett-Packard Labs, Bristol - UK
page 7
Our Goals
• Automate the exchange of Confidential Information
by preserving the Privacy of Patients: i.e. only
the people with the right roles and permissions
will access it
• Provide a Flexible, Role-based Secure e-mail
service
• Learn from the Trial and investigate usages of
the adopted solution in other “dynamic contexts”
18/07/2015
‫ﴀ‬Trusted Systems Laboratory – Hewlett-Packard Labs, Bristol - UK
page 8
High-level Requirements
Requirements for a secure e-mail service (Health Care Trial):
• Strong Authentication of the involved parties
• Privacy and Confidentiality: obfuscation of confidential data
• Policy-based Disclosures: privacy policies strictly associated to
confidential messages. It must be possible
to tell if they have been tampered with.
• Flexibility: Privacy policies must be flexible. it must be possible to
specify role-based disclosure policies. Support for late
binding of roles. Users define their own disclosure policies.
• Simplicity of Usage and Management
18/07/2015
‫ﴀ‬Trusted Systems Laboratory – Hewlett-Packard Labs, Bristol - UK
page 9
Related Work [1]
Usage of traditional public key cryptography and digital certificates
for confidentiality, non-repudiation and authentication purposes.
Example of S/MIME, for e-mail services:
Alice’s
Private Key
e-mail
service
Alice
Plaintext
Bob’s
Private Key
Public Keys
(Certificates)
Encryption
Bob’s
Public Key
Ciphertext
Bob
Decryption
Plaintext
Bob’s
Private Key
Does it address our problems? …
18/07/2015
‫ﴀ‬Trusted Systems Laboratory – Hewlett-Packard Labs, Bristol - UK
page 10
Related Work [2]
• If disclosure polices depend on the Identity of the receiver, the usage of digital certificates
and public key cryptography is viable. Confidential messages are encrypted
with the public key (within the digital certificate) of the receiver. Examples: S/MIME
Receiver’s Identity
Known at the
sending time
Alice
Bob
• If these policies do not (directly) depend on the identity but on other aspects, such as Roles
or terms and conditions, the above approach does not work!
At priori (at the encryption time) , the Identity of the Receivers might not be known! Case of
Late Binding of the Identity. This is the case we are addressing.
Bob
Receiver’s Identity
Unknown at the
sending time
18/07/2015
Alice
Role X
Late Binding
‫ﴀ‬Trusted Systems Laboratory – Hewlett-Packard Labs, Bristol - UK
Charles
…
page 11
Related Work [3]
Introducing a further level of indirection via a “third party”:
• It must be trusted
• Encryption/decryption of messages (along with the associated disclosure polices)
by using its keys
• Usage of enveloping techniques (PKCS#7, etc.)
• It can be coupled with Role-based Access Control mechanisms (RBAC)
 It can be implemented by using public key/PKI technologies
Cons: - It is not the most natural way of using public key/PKI for e-mail services (e.g. S/MIME)
- Complexity of PKI-based solutions for end-users
Alice
Encrypted data
+ policies
Bob
Trusted Mediator
Mediator’s
Public Key
18/07/2015
RBAC
Bob has
Role x
‫ﴀ‬Trusted Systems Laboratory – Hewlett-Packard Labs, Bristol - UK
x
x
Charles
…
page 12
Our Approach
Based on:
Identifier-based Encryption (IBE) technology
Reasons:
• Explore alternative/complementary solutions
• Investigate the suitability of IBE technology
18/07/2015
‫ﴀ‬Trusted Systems Laboratory – Hewlett-Packard Labs, Bristol - UK
page 13
What is Identifier-based Encryption (IBE)?
•
It is an Emerging Cryptography Technology
•
Based on a Three-Player Model: Sender, Receiver, Trust Authority
(Trusted Third Party)
•
Same Strength of RSA
•
Different Approaches: Quadratic Residuosity, Weil Pairing, Tate
Pairing …
•
SW Library and Technology available at HP Laboratories
18/07/2015
‫ﴀ‬Trusted Systems Laboratory – Hewlett-Packard Labs, Bristol - UK
page 14
IBE Core Properties
•
1st Property: any kind of “String” (or sequence of bytes) can
be used as an IBE encryption key: for example a Role, an e-Mail
Address, a Picture, a Disclosure Time, Terms and Conditions, a
Privacy Policy …
•
2nd Property: the generation of IBE decryption keys can be
postponed in time, even long time after the generation of the
correspondent IBE encryption key
•
3rd Property: reliance on at least a trust authority (trusted third
party) for the generation of IBE decryption key
18/07/2015
‫ﴀ‬Trusted Systems Laboratory – Hewlett-Packard Labs, Bristol - UK
page 15
IBE Three-Player Model
Alice
2 3
4
2. Alice knows the Trust Authority's
published value of Public Detail N
It is well known or available from
reliable source
3. Alice chooses an appropriate Encryption
Key. She encrypts the message:
Encrypted message
= {E(msg, N, encryption key)}
4. Alice Sends the encrypted Message
to Bob, along with the Encryption Key
18/07/2015
Bob
5
5. Bob requests the Decryption
Key associated to the
Encryption Key to the relevant
6 Trust Authority.
6. The Trust Authority issues
an IBE Decryption Key
Trust 1
corresponding to the supplied
Authority
Encryption Key only if it is
happy with Bob’s
1. Trust Authority
entitlement to the Decryption Key.
- Generates and
It needs the Secret to perform the
protects a Secret computation.
- Publishes a
Public Detail N
‫ﴀ‬Trusted Systems Laboratory – Hewlett-Packard Labs, Bristol - UK
page 16
Our Solution [1]
• Based on the IBE Model: reliance on Trust Authority(ies)
• Privacy policies are represented as IBE encryption keys:
 Generated by the sender of confidential messages
 Contain list of roles to be played by the intended receivers
Example: “Member of The Waiting List Team”
 If tampered with, the associated e-mail cannot be decrypted
• Trust Authority (TA):
 Checks for policy compliance
 Generates, on-the-fly, IBE decryption keys
• Policy compliance check:
 Authentication of the requestor to the TA
 The requestor must have the roles defined by the IBE encryption key at the
request time
 List of people’s current roles managed by the TA
18/07/2015
‫ﴀ‬Trusted Systems Laboratory – Hewlett-Packard Labs, Bristol - UK
page 17
Our Solution [2]
1
Encrypted confidential data
+ IBE Encryption Key
(Required Roles)
Sender
e-mail
service
Receiver
2
Request for
IBE Decryption Key
3
Generation and issuance of
IBE Decryption Key,
If the receiver has the
required roles
Trust
Authority
18/07/2015
Tables
Roles
<Identity, Roles> Mappings
‫ﴀ‬Trusted Systems Laboratory – Hewlett-Packard Labs, Bristol - UK
page 18
Additional Technical Constraints
Technical constraints dictated by the trial environment:
• Authentication of Health Care’s employees via Microsoft Authentication (NT Logon).
Unique login account for each employee. Policies dictate its correct usage
• MS Windows Trust Domains associated to Health Care Entities (Surgeries, Hospitals, etc)
for “authentication management” purposes
• Usage of Microsoft Outlook 2000 at the client site (GPs, Nurses, Consultants, etc.) as
e-mail browser
• Exchange of confidential information within the Health Care Organisation’s Intranet
GP
Trust Domain
Hospital
Trust Domain
Health Care Organisation - Intranet
18/07/2015
‫ﴀ‬Trusted Systems Laboratory – Hewlett-Packard Labs, Bristol - UK
page 19
High-level System Architecture
• E-mail Browser Add-in:
- Standard MS Outlook 2000add-in,
containing IBE encryption/decryption
libraries
- Secure connection (https) and
authentication to the TA
- XML-based encryption envelopes
Health Care Organisation - Intranet
Users
Users
Outlook 2000
IBE Add-in
• Trust Authority (TA):
secure web service, with IBE key
generation libraries. Protection
of TA secret in secure vault. Run in a
stand-alone TA trust domain by
trusted administrators, in a secure site
• Database:
simple MS SQL Server database at
the TA site containing list of
current roles and up-to-date mappings of
users’ identities (NT logon) to their roles
18/07/2015
Outlook 2000
MS Exchange
Server 5.5
IBE Add-in
Hospital Trust Domain
https
https
IIS
ASP
TA Secret
Secure
Vault
‫ﴀ‬Trusted Systems Laboratory – Hewlett-Packard Labs, Bristol - UK
Trust
Authority
Engine
GP Trust Domain
Trust
Authority
Service
Role Info
SQL Server
TA Trust Domain
page 20
System Architecture: Information Flow
MS Outlook 2000
MS Outlook 2000
IBE Add-in
e-mail service
Encrypted e-mail
Sender
IBE Add-in
1
Request for
IBE Decryption Key by
sending (part of) the
XML Wrapper
(via https channel)
+ XML Wrapper
(containing encrypted
IBE Encryption Key)
Receiver
2
3
Generation and Issuance of
IBE Decryption Key,
If privacy policies are satisfied
(via https channel)
IIS
IIS
.ASP
ASP
Trust
Authority
18/07/2015
Trust Trust
Authority
Authority
Engine
TA Secret
Secure
Vault
Tables
Roles
<Identity, Roles>
Mappings
‫ﴀ‬Trusted Systems Laboratory – Hewlett-Packard Labs, Bristol - UK
page 21
Encrypted e-Mail: XML Wrapper Details
<?xml version="1.0" ?>
- <IBEMailCiphertext>
<EphemeralKey>1628655488</EphemeralKey>
<IBEPublicKeyCiphertextLength>280</IBEPublicKeyCiphertextLength>
<IBEPublicKeyCiphertext>
3affcffdc1ea36455fcf6 ....5rt4rg5uyhg6u
(Random) Ephemeral Key
To encrypt Disclosure Policy
Encrypted Disclosure Policy
</IBEPublicKeyCiphertext>
<IBEMailBodyCiphertextLength>
1384
</IBEMailBodyCiphertextLength>
Exposed to TA (no e-mail
content is ever exposed
to TA)
<IBEMailBodyCiphertext>
d53f07f88946e6411db83f4daeb72bdb8...625c2b900
</IBEMailBodyCiphertext>
<OriginalSender>[email protected]</OriginalSender>
Encrypted e-Mail Body
(e-mail attachments are
encrypted and attached)
<UID>293364736</UID>
<TimeSent>03:14:31 PM, Monday, Mar 17 2003</TimeSent>
Information for Receipting
</IBEMailCiphertext>
18/07/2015
‫ﴀ‬Trusted Systems Laboratory – Hewlett-Packard Labs, Bristol - UK
page 22
E-mail Browser Add-in: Snapshots
18/07/2015
‫ﴀ‬Trusted Systems Laboratory – Hewlett-Packard Labs, Bristol - UK
page 23
Addressing the Requirements
Authentication`
Reliance on Windows Authentication (out of our scope in the trial).
Introduced a TA trust domain that trusts the existing trust domains
Privacy and
Confidentiality
Encryption of Confidential e-mail by using IBE
Policy based
Disclosure
Disclosure policies expressed via IBE Encryption Keys, specifying the roles to
be played by the intended receivers. The TA interprets and checks for their
compliance. Control given to the senders of confidential information.
Flexibility
Flexibility in defining disclosure policies: they can be extended to include
more complex terms and conditions. Support for late binding of roles. Usage
of multiple TAs if required.
Simplicity
Users: Intuitive, integrated solution with e-mail browser
Administrator: database tables to be kept up-to-date (similar issues to RBAC)
18/07/2015
‫ﴀ‬Trusted Systems Laboratory – Hewlett-Packard Labs, Bristol - UK
page 24
Discussion
• Our solution is a practical application of IBE cryptography deployed in a real
context (related work: IBE-based e-mail service by Stanford University)
• We leveraged IBE for encryption purposes. It was straightforward
to do it, in a close and trusted environment. Need to explore the
implications in an open, untrusted environment …
• Heavy reliance on a “third party” authentication mechanism …
• We are exploring IBE-based authentication mechanisms. We do not have
practical evidence that they are better or more usable than traditional (PKI)
solution.
• In general we believe IBE is a complementary technology to
public key cryptography/PKI …
18/07/2015
‫ﴀ‬Trusted Systems Laboratory – Hewlett-Packard Labs, Bristol - UK
page 25
Current and Future Work
• We have an optimised version of IBE cryptography libraries
(performance of cryptographic operations comparable to RSA).
• We are exploring how to extend our solution to include:
o multiple IBE Trust Authorities (for key-escrow and trust reasons)
o more complex disclosure policies
18/07/2015
‫ﴀ‬Trusted Systems Laboratory – Hewlett-Packard Labs, Bristol - UK
page 26
Conclusions
• Privacy management is a major problem for modern, dynamic
organisations
• Important issue: preserve data confidentiality when exchanged
via e-mail
• Current limitations and complexity of PKI-based solutions
• We partnered with a Health Care Organisation.
Goal: provision of a flexible, role-based secure e-mail service
• Our approach: leveraging IBE technology to enforce
privacy, in a flexible, simple and secure way
• We have built a solution that is used in a Trial.
IBE is a viable technology for encryption purposes
• The Trial is ongoing and our research is in progress …
18/07/2015
‫ﴀ‬Trusted Systems Laboratory – Hewlett-Packard Labs, Bristol - UK
page 27
Backup Slides
RSA and IBE
Cryptography Models
18/07/2015
‫ﴀ‬Trusted Systems Laboratory – Hewlett-Packard Labs, Bristol - UK
page 28
RSA Model
encrypt
e and N
published
Compute d&e
Keep d secret
Compute N = p*q
decrypt
Secrets p&q
18/07/2015
N and d
‫ﴀ‬Trusted Systems Laboratory – Hewlett-Packard Labs, Bristol - UK
page 29
IBE Model [1]
Encrypt
Decrypt
Public
details
E
Compute public
details
D
Compute
Key pairs
Secrets s
18/07/2015
‫ﴀ‬Trusted Systems Laboratory – Hewlett-Packard Labs, Bristol - UK
page 30
IBE Model [2]
Get decrypt
Key,e
Choose e
Encrypt
Decrypt
Public
details
Compute public
details
Generate
Decryption Key
Secrets s
18/07/2015
‫ﴀ‬Trusted Systems Laboratory – Hewlett-Packard Labs, Bristol - UK
page 31