You are here

Fortifying Data-at-Rest Encryption with a Credential/Functional-Based Encryption Layer

Description:

OBJECTIVE: Investigate innovative and cost-effective techniques and algorithms to strengthen data-at-rest encryption by incorporating user's credentials (i.e. clearances) as part of the encryption scheme. DESCRIPTION: Traditional public-key encryption involves a user encrypting data using the recipient's public key. The recipient is able to decrypt and access the encrypted data using his/her own private key. While this has been a standard philosophy for data confidentiality, it still does not address the case where a recipient has the authority to access the data. Consider the case where encrypted data must be decrypted only by users who possess Clearance A. Prior to encryption, the user that encrypts the data could consult a database or a trusted authority that can verify the recipient's credentials. However, if this is not feasible due the sensitivity of the clearance or the requested user's privileges, the encrypted data should not be transmitted as the recipient may not be authorized to access it with their current clearance level. Functional encryption, a relatively new system to the cryptography community, uses the philosophy that data can be encrypted with an access policy. This eliminates the need to determine whether the intended recipient should access the decrypted data. If the intended recipient is part of the access policy, he/she is able to decrypt and access the encrypted information. Another application is the case where a user wishes to encrypt data whose intended recipient is specifically unknown but is part of a set of individuals with appropriate credentials. Functional encryption overcomes the unknown by simply encrypting the data with the access policy. Any one individual within the designated set would be able to decrypt and access the information. Data-at-rest security is one of the key components of the Navy/Marine Corps Intranet (NMCI), providing full encryption of user data stored on secondary storage (i.e. hard drives) and protection against the disclosure of the stored user data if physically compromised. While the use of a PKI certificate and/or username/password combination have proven their strengths, adding an additional layer of encryption via functional encryption has the potential of providing greater assurance in the confidentiality of user data. PHASE I: Research functional encryption techniques and algorithms and determine the best application of it towards currently utilized data-at-rest encryption systems. Research must include proof that the techniques and algorithms are feasible, secure, efficient, and interoperable with existing data-at-rest encryption systems. PHASE II: Design a prototype/proof-of-concept that makes use of the functional encryption techniques and algorithms that current data-at-rest encryption systems can use. The prototype/proof-of-concept should illustrate efficiency and the feasibility of the research developed in Phase I. PHASE III: Transition the technology into current data-at-rest encryption systems. PRIVATE SECTOR COMMERCIAL POTENTIAL/DUAL-USE APPLICATIONS: Functional encryption can also be utilized by the private sector to provide an additional layer of security and assured resistance to information leakage.
US Flag An Official Website of the United States Government