The European Telecommunications Standards Institute (ETSI) Technical Committee on Cybersecurity recently released two encryption specifications that could be key for access control in highly distributed systems such as 5G and IoT.
The specifications are for Attribute-Based Encryption (ABE) that describes how to secure personal data. ABE is an asymmetric, multi-party cryptographic scheme that bundles access control with data encryption.
In such a system, data can only be decrypted if the set of attributes of the user key matches the attributes of the encryption. A standard using ABE avoids binding access to a person’s name, but instead to pseudonymous or anonymous attributes. ETSI says ABE is also space-efficient, since only one ciphertext is needed to cater for all access control needs of a given data set.
The first specification defines personal data protection on IoT devices, WLAN, cloud, and mobile services where secure access to data has to be given to multiple parties. The second specification defines trust models, functions, and protocols to control access to data.
Both specifications enable compliance with the General Data Protection Regulation (GDPR), enforced since May 2018, by allowing secure exchange of personal data among data controllers and data processors.
ABE might sound a bit similar to blockchain. But in an email to SDxCentral, an ETSI spokesperson said they are not the same. “At the core, blockchain provides strong integrity assurance by chaining blocks together using cryptographic hashes. There is no built-in confidentiality (no encryption). So-called anonymity is provided by digital signature using key pairs, which in fact act as pseudonyms. A blockchain provides a log of historical events. It doesn't facilitate live communications or encrypt data - which ABE does.”
ABE is an encryption scheme that primarily provides confidentiality, but it also provides access control. Under the hood it is based on secret sharing schemes and other mathematical features that make it secure, so that it is possible to declare access control policies and grant access depending on attributes of the object or the entity that is requesting the data. In order to decrypt the encrypted text under ABE a user will need an appropriate key. Most of the time in ABE the keys will provide pseudonymity but proper selection of attributes can grant full anonymity.