The following cybersecurity industry challenges in the Healthcare industry were used to demonstrate this prototype’s use and viable applications. It is to be noted that this prototype is applicable to other industries that use client/patient records as part of their everyday business such as the insurance industry.
Current and core problems identified:
- Electronic Health Record Operational Costs: majority of organizations shy away from adopting online e-Record applications and practices due to the set up costs and on-going operational costs such as maintenance and staff training;
- Cloud Security/Privacy: current practices are labour intensive and demand good internal processes heavily reliant on human dependencies. Further the cloud provider cannot be completely trusted to maintain the privacy of eHealth records, as storing records in the cloud are more vulnerable to attack and exploitation due to the more general availability of the cloud; and
- Traditional Encryption is limited as the Solution: the current method in solving the problem of an untrustworthy cloud environment is to encrypt the data before an upload to the cloud utilising traditional cryptography. Even if the cloud storage is compromised, then the records remain private due the encryption. However the current method of encryption is limited by a scalability issue. The traditional encryption limitation is that it does not scale well for an application like eHealth records as traditional encryption requires every user to have an associated key. For example, if a doctor needs to access a record in the cloud, then there needs to be an encrypted record using the doctor’s key in the cloud. More generally, there needs to be an encrypted record for each user that needs to access the record in order to enforce security. This problem grows more significant as more users are added to the environment.
The proof-of-concept is a self-contained desktop application with the main objective of the proposed prototype effort being – to divide the desktop implementation into the fundamental elements that comprise the application enabling the system to be employed in a web application environment.
Some key benefits of this solution;
- This prototype develops and implements a cloud-based system that uses Attribute Based Encryption (ABE) to provide security for eHealth Records. The idea behind Attribute Based Encryption is to encrypt data with respect to a policy that is defined over a collection of attributes. This is contrast to traditional cryptography where each user has an associated key. As a consequence, we can overcome the scalability problems.
- The project prototype also allows the ability to encrypt according to a policy, where the policy is defined by attributes. This means that it is not necessary to obtain a user’s key prior to encryption. It is only necessary that the individual possesses the requisite attributes so that decryption works correctly.
- As the prototype encrypts according to attributes, not individual keys of users as found using traditional encryption techniques, the system can be far more efficient overall. Fundamentally, we can avoid many repeated encryptions while maintaining the ability to enforce a secure policy.
- Further, the prototype encrypts records according to a policy in terms of attributes which offers a change in perspective in terms of security. This results in that the prototype does not manage individual users and their keys, but grouping users according to attributes within the system.
This prototype has other benefits in attributes. If you would like to learn more about this project prototype please contact the project lead Xun Yi.
This White Paper provides a clear and succinct of the problem and the solution.
The following publications were a direct result of this POC prototype project:
Hui Cui, Zhiguo Wan, Xinlei Wei, Surya Nepal, Xun Yi: Pay as You Decrypt: Decryption Outsourcing for Functional Encryption Using Blockchain. IEEE Trans. Inf. Forensics Secur. 15: 3227-3238 (2020)
Abstract: “The concept of functional encryption (FE) has been introduced to address the shortcomings of public-key encryption (PKE) in many emerging applications which require both data storage and data sharing (e.g., cloud storage service). One of the major issues existing in most FE schemes is the efficiency, as they are built from bilinear pairings of which the computation is very expensive. A widely accepted solution to this problem is outsourcing the heavy workloads to a powerful third party and leaving the user with the light computation. Nevertheless, it is impractical to assume that the third party (e.g., the cloud) will provide free services. To our knowledge, no attention has been paid to the payment procedure between the user and the third party in an FE with outsourced decryption (FEOD) scheme under the assumption that neither of them should be trusted. Leveraging the transactions on cryptocurrencies supported by the blockchain technology, in this paper, we aim to design FE with payable outsourced decryption (FEPOD) schemes. The payment in an FEPOD scheme is achieved through a blockchain-based cryptocurrency, which enables the user to pay a third party when it correctly completes the outsourced decryption. We define the adversarial model for FEPOD schemes, and then present a generic construction of FEPOD schemes. Also, we evaluate the performance of the proposed generic construction by implementing a concrete FEPOD scheme over a blockchain platform.”
Hui Cui, Russell Paulet, Surya Nepal, Xun Yi, Butrus Mbimbi, Two-Factor Decryption: A Better Way to Protect Data Security and Privacy, The Computer Journal, July 2020.
Abstract: “Biometric information is unique to a human, so it would be desirable to use the biometric characteristic as the private key in a cryptographic system to protect data security and privacy. In this paper, we introduce a notion called two-factor decryption (TFD). Informally speaking, a TFD scheme is a variant of the public-key encryption (PKE) scheme. In a TFD scheme, messages are encrypted under public keys as that in a standard PKE scheme, but both private keys (i.e. the first factor) and biometric inputs (i.e. the second factor) are required to decrypt the ciphertexts and obtain the underlying plaintexts. We first describe a framework of TFD, and then define a formal security model for TFD. Thereafter, we present a generic construction on TFD based on the cryptographic primitives of linear sketch and functional encryption (FE) with certain properties and analyse its security. In addition, we give instantiations of TFD by applying concrete FE schemes into the generic construction and show their applications.”