ETSI Releases Crypto Specs for Secure Access Control
SOPHIA ANTIPOLIS, France -- The ETSI Technical Committee on Cybersecurity has recently released two specifications on Attribute-Based Encryption (ABE) that describe how to protect personal data securely with fine-grained access controls. ABE is an asymmetric, multi-party cryptographic scheme that bundles access control with data encryption. In such a system, data can only be decrypted if the set of attributes of the user key matches the attributes of the encryption.
For instance, access to employee pay data will be granted only to a user with the role of Human Resources Employee who works in the payroll department of a company and has been there for one year or more. Because ABE enforces access control at a cryptographic (mathematical) level, it provides better security assurance than software-based solutions. It is also space-efficient, since only one ciphertext is needed to cater for all access control needs of a given data set.
Attribute-Based Encryption has been identified by ETSI as a key enabler technology for access control in highly distributed systems,
Both specifications enable compliance with the General Data Protection Regulation, enforced since May 2018, by allowing secure exchange of personal data among data controllers and data processors.
A standard using Attribute-Based Encryption has several advantages for the industry. It provides an efficient, secure-by-default access control mechanism for data protection that binds access to pseudonymous or anonymous attributes instead of to a person’s name.
ABE offers an interoperable, highly scalable mechanism for industrial scenarios where quick, offline access control is a must, and where operators need to access data both in a synchronous manner from the equipment and from a larger pool of data in the cloud. ETSI TS 103 532 is thus particularly well-suited to the Industrial IoT and the public sector alike. Because it enables access control policies to be introduced after data has been protected, it provides forward-compatibility with future business and legal requirements, such as the introduction of new stakeholders, and support for social benefit schemes.