Our Paper-based World of Secrets

And, so, the media were red hot last week with the FBI’s search of Donald Trump’s home:
Photo by Kristina Flour on Unsplash

Our Paper-based World of Secrets

And, so, the media were red hot last week with the FBI’s search of Donald Trump’s home:

While this opens up many political questions, my general worry is why in the 21st Century, we are still using paper-based documents. The one thing I know about paper is that it is very difficult to control access to it. And, one might say that those who are “non-technical”, still need paper. But, that argument has long since passed, as Apple iPad and PDFs make access to viewing documents just like reading from paper. In fact, personally, I print out very few research papers and have them all on my iPad.

What we need from a document is thus: Confidentiality (only to be read by those who are trusted) … Integrity (a check on whether something has been created by a trusted entity and that it has NOT been changed)… and Access Control (a way of restricting the physical access to the document). For this — and you must smile — our paper documents are marked with these restrictions, created with wet signatures, and held in trusted physical places (such as a presidential box). It is all rather silly in this modern age — that wet signatures are even considered to have any real level of trust.

Our old world of secrets basically stamped documents with “Classified”, “Top Secret”, “Restricted”, and so on. These were the basic marking we have on paper documents. But, these markings provide very little in the way of access control. With these types of documents, we should be digitally signing and encrypting the documents while integrating strong access control. The continued usage of paper documents just goes to show that we haven’t yet found a good solution to this. In a truly secure environment, the access control policy will make sure that access is restricted to a given policy. This policy might relate to a given location, a given identity, and within given time constraints. This type of approach is related to attributed-based access control (ABAC). At its core, it was the basis of our amazing spin-out — Symphonic — and which was recently acquired by Ping Identity.

If we have a strong access control policy, and encrypted documents, we can easily revoke access. With this, we have a zero-trusted policy approach, and where no one can gain access to a document, and only if we add the access rights in a policy, will they get any access rights. For top-secret documents, we might even define a strict time limit for access. In Donald Trump’s case, a revocation of access when he left office would have been the natural way to do this. But, of course, we need to make sure we also define rights of access for R(read) and W(rite), and for copying a document. While these are not easy, the budgets of governments must make it possible to implement strong access control on restricted, confidential and top secret documents.

Attribute-based encryption (ABE)

We are generally poor at properly integrating security, and often use overlay models to overcome our lack of embedded security. Our models of security often, too, come from our legacy operating systems, and which fail to protect data (as they were designed to protect files and directories rather than data). We thus often we fail to encrypt data properly, and we fall back to the operating system to provide rights to files. Our overall policies thus focus on documents and not on data.

We have thus created a data world which is open, and then to protect it we put up perimeters. But we find out that there’s insiders who sit behind the firewall and can access our data. So we then encrypt with an encryption key, but this is often applied on a fairly large scale basis. So how do we control access to sensitive data when we use cloud-based storage? Well, we need to look at better ways of protecting our data, while still being able to process it.

The systems we have created have grown up through operating system security, and apply role-based security. In a Linux system we can have:

User: bob
Group: gp

and we have access rights as:

User=rwx Group=rwx Everyone=rwx

In this case, Bob will have access rights based on his ownership of a file, or on the group, he is in — and is defined as role-based security. In an Active Directory infrastructure, Bob can also be part of multiple groups, and will this gain him rights. But being part of a group is not properly applying security, and we thus have to normally overlay a security model to check Bob’s rights to access to a given file. What we really want is to be able to define that the access is based on other things, such as his location, or whether he is the clinician associated with a patient. These are defined as attributes for his access rights, and define as attributed-based security.

One of the best methods of embedding security into data is ABE (Attributed-based Encryption), and where we can define fine-grained control on the decryption process. For example, we might define that some sensitive health information is only accessible when the patient and the clinician have both authenticated themselves, and are in a provable location. Thus during the encryption process, we apply a policy:

Policy = ((user=GP and location=Edinburgh) or (user=Patient and location=Scotland)

In this case, we would allow access to a file based on a user who is a GP in Edinburgh, or a Scottish patient. In this way, we can base our access on real attributes, rather than operating system rights.

There are two main types of ABE. The first is Key-policy attribute-based encryption (KP-ABE) and the other is ciphertext-policy attribute-based encryption (CP-ABE). In KP-ABE we generate the key based on a policy that contains attributes. For CP-ABE we use a tree structure with different keys in order to access given attributes.

The following provides a basic demo of BWS CP-ABE, and where we use the JB for pairing-based encryption [1]:

https://asecuritysite.com/pairing/abe

and in this case we encrypt a message which has an associated cipher policy. With CP-ABE (Cipher Policy — Attributed-Based Encryption) we can generate an encryption key based on a policy and a set of attributes:

https://asecuritysite.com/pairing/go_abe

Conclusions

Sometimes, you feel that encryption is one of the least understood areas of our digital world and that we have generally failed to properly implement the methods. And remember, cryptography now only provides confidentiality, it ensures that things have not been changed. Try doing that with a paper document. The best we can do with that is to create wet signatures.

Our fundamental problem is that those in cybersecurity have failed to properly address the fundamental problem of moving from paper to digital forms, and where we have ended up with fragmented systems, that never really integrate

References

[1] Bethencourt, J., Sahai, A., & Waters, B. (2007, May). Ciphertext-policy attribute-based encryption. In Security and Privacy, 2007. SP’07. IEEE Symposium on (pp. 321–334). IEEE.