Upgrade 2021: CIS LAB Speakers
September 20, 2021 // Upgrade 2021: CIS LAB Speakers
Practical Business and Personal Use Cases for Attribute-based Encryption
Kei Karasawa, VP of Strategy, NTT Research
Transcript of the presentation Practical Business and Personal Use Cases for Attribute-based Encryption, given at the NTT Upgrade 2021 Research Summit, September 20, 2021.
Kei Karasawa: Thank you for watching our video titled “Silhouette.” The title is named after our current privacy problem in the digital world. As you can see here, digital transformation gives you a lot of benefits from the digital world instantly. On the other hand, your private data can be easily accessible to someone else. I would like to show you an example. In the video, some guy is paying by smart phone or credit card, but the list of information is sent to somewhere else. To think about my data were it in the smartphone.
Actually, I store a couple of credit cards and transit pass and hopefully a driver’s license should be stored in my data wallet. It’s more convenient, I feel. And many people expect the Covid vaccine record will be stored in a data wallet. On the other hand, The Wall Street Journal mentioned last month, talking about the how to show your proof of vaccine record in your smartphone. But on the other hand, there is a privacy risk. Someone who can scan your smartphone may get private information like date of birth, or other things. So, actually the newspaper said you should not store a password, nor social security numbers in your data wallet.
It’s not so convenient, I feel. So at NTT Research we’re tackling this problem by using cutting-edge technologies. I introduce “Attribute-Based Encryption” today, actually, which was invented by Dr. Brent Waters here about 10 years ago. But it’s now good timing to make it practical.
ABE has two critical functions. First, “encryption”, of course, the other one is “Attribute-Based Access Control at the Data Layer”. I’m going to show how it works.
ABE can embed attribute-based access control for each data element. For example, in the data wallet, by encryption.
Look at this credit card. There are a couple of pieces of information and attributes. There is a digital number. This is the credit card number. That string is an attribute of this credit card number. And there is other information – the expiration date, and the username is also an attribute. And credit card itself is an attribute.
ABE can embed these attributes into this encrypted data wallet. And ABE can enforce this attribute access policies when decrypted. I’m going to show three examples for decryption.
First at an airport, you need to show your driver’s license to check your identity. ABE can issue a decryption key to access your driver’s license only by using attributes of the driver’s license. In that case, the green key has the access policy to read this information and you can store this inclusion key into the airport system. After that, you can just go to the airport, just send your encrypted data wallet to the system, and the system can only read these lines of data. So this is the simplest example.
The second example: think about reloading your transit pass by your credit card. The system needs to access the credit card and transit pass at the same time. ABE can create a single key to access both lines, credit card and transit pass. After that you can just go to the system and hand it over, your encrypted data in the data wallet.
The third example is a little bit complicated. Think about going to a very crowded sports stadium. You need to go with your photo ID and vaccine record. But you don’t want to share your date of birth or address information. In that case, ABE can create a decryption key for a specific cell, like name of driver’s license or date of vaccine record. Once we create a decryption key, it’s the same. You can just go to there and the encrypted data wallet system can only read these things.
And one more thing I like to add: these access controls are embedded into the data only. So, it works even when the system is offline. This is quite an important feature for a high performance system like a stadium gateway, because stadium gateways need to process thousands of people in a short time. It does not have time to access to all the internet centers. So, the encryption supports these types of high performance systems.
Okay. I would like to explain about our demo system on the cloud. I would like to actually simulate these three stories on the cloud.
Okay. Let’s start logging the system. And I would like to talk about how to encrypt the data. I would like to upload the data file. There is a file card here, like driver’s license and Covid vaccine record. And I’d like to put attributes in the first column, set the string of attribute types, and click attribute up here.
In yellow each column has an attribute of card type. And also we can set the attribute in the row. The row has a driver’s license and the top left corner cell has both a card type and driver’s license, and we can embed these attributes into the file by encryption.
I can check the attributes when I click the file. There are attributes, which I already set. I prepared the data wallet file by already setting all attributes on it and will try to decrypt it. At the beginning, all gray data is encrypted. The first key is the airport key. We can just read the driver’s license information. When I click it, you can see the first line within a second. And second information is the transit pass reloading system. When they click it, you can see the two lines of the data within a second, too. And the third information is for stadium gateway system. You need to access a specific cell. So, you need to set a little bit longer policy in the key. However, when you click it, it can read a specific cell within a second. That kind of access control is only on the data layer.
So, if you change the key, the accessible data has been changed. And also you can download this file to send it anywhere. So, I clicked the download button and stored it in my local PC. After that we can delete all files and upload another file. So I would like to upload another file to simulate someone else, maybe bring the data to another place. The data has same information, but different attributes on it.
When I try to decrypt it and send it to some airport system, that system cannot read anything because the attributes have been changed. So, you can control the access rights by putting attributes in your data wallet.
So, let’s go back to the original data to apply the original data wallet file and upload it. And actually, if you think about system access controls, in that case, it doesn’t work. But when I embed access rights into data, it is recovered at the beginning. So, if you go to the stadium, you can see only specific data. So, this is my presentation.
So, in this scenario, as you can see here, ABE is quite simple, but it’s very powerful technology for the current IoT world.
Okay, I’m going to talk about a little bit more about the business side. I talked about the data wallet for individual persons, but adjusted the wallet makes personal information available to services. Data lakes in companies make corporate information available to services such as IoT or smart city. For example, this data lake in the company is integrating business records, human resources and accounting information. And many companies regularly like to analyze this data to make some business decisions as quickly as possible by using AI technologies.
But there is so much private information like a salary information in HR, or customer information in accounts. So we need to hide that type of information from specific people. So, we can control the access rights at the data layer. And also to think about smart city; government collecting transportation information, supply chain management, transaction information. This is quite useful for smart cities. Actually, the next presentation by Bennett Indart talks about smart cities. They are collecting a lot of information in the street, or image information comes through the center, but we should protect private information, for example, people’s names or faces. That kind of information should be protected at the data layer. I would like to work with them and make this world secure.
And NTT actually will provide access control services at the data layer. Our future is just supporting a data holder like a wallet, wallet holder, or company CISO or government CISO. They decide the security policy, for example, through a security PAP, Policy Administration Point, which supports people setting the attributes of policy setting. As I showed in the demonstration at the beginning, they need to set the first access policy, but once the data owner sets the policy, NTT provides a key generation server to deliver encryption key and module decryption key and the controlled access right at the data layer.
Okay, I’m going to talk about, a little bit, about global standards. Two things I would like to mention. First, access control. Actually, industry is embracing attribute-based access control because NIST, “National Institute of Standards and Technology,” already published the specifications for ABAC back in 2014. So, Gartner actually predicted wide deployment of ABE. Actually many people listen to about ABE, so far. And the standardization of ABE itself will be the second topic. Actually, we are waiting for standard in the NIST, but already ETSI, “European Telecommunications Standards Institute”, published a specification “ABE for ABAC” back in 2018 and it was updated in May of this year. Actually, you can find NTT algorithms in this specification. Dr. Brent Waters’ algorithms are in this specification. So, please watch it.
And talk about the business development. NTT Research and NTT Group is working for the customer to create a smart city or secure city. This is an example from NTT Holdings. NTT Holding announced the cooperation with New South Wales Government in Australia in March this year. And they will promote and accelerate innovations to rewrite smart city in a secure way. Actually, NTT Research is supporting these activities by providing ABE technologies.
Lastly, ABE is the best solution for two critical needs. First, zero-trust data storage and second, fine-grain access control. Zero-trust storage, including offline devices, like a stadium gateway or distributed edges. To think about IoT systems like Bio Digital Twins. You can deliver many sensors in the human body, or maybe sit in the city, the sensor generates lots of information and sends it to the center. It is almost impossible to collect all the information into one place. You need to distribute it in servers to process the huge amount of data.
In that case, a server may run in an unsecured environment. Encryption technology supports making it secure. Second, fine-grain access control. You can handle a single set of data. You can use ordinary encryption technologies. However, if you think about changing access rights, time or location, or recently, AI technology gives us lots of metadata on the data. If you control that access right by using AI tag metadata, it should be more dynamic. So, in that case ordinary encryption technology is not good enough. You should use an ABAC function on the data right here.
If you have two critical needs in the two fields, ABE is the best solution. We would like to support your digital world by using ABE technology. NTT will upgrade the reality in this way. Thank you for listening.
Presented at the NTT Research Upgrade 2021 Summit on September 20, 2021.
NTT Research Vice President of Strategy
Kei Karasawa has been leading research and development (R&D) at NTT for more than 20 years. He is currently the vice president of strategy at NTT Research, Inc. From 2015–2019, he worked with the R&D planning department at NTT and built cooperative relationships with NTT operating companies around the world to deploy NTT R&D technology to global markets. He led applied R&D at NTT EAST from 2011–2015 and put the technology into practice in developing network services. Prior to that, he researched network software technologies, implemented patented software, such as security and distributed systems, and developed commercial services for the Next Generation Network. In 2005, he conducted basic research on cryptography and information processing as a visiting scholar, with Prof. Dan Boneh, in the Security Laboratory at Stanford University. He holds a doctorate of engineering in data-driven parallel computer technology and has extensive knowledge and experience in information processing-related technologies, from basic technology to applications. Personal interests include sports, like tennis and golf, and travelling with his wife and kids.