Users trust Accumulo to properly enforce access control over their data, as specified by the visibility field. This trust can be broken by a malicious administrator or malfunctioning server, revealing sensitive information to unauthorized individuals. Our prior work encrypts data in Accumulo to protect its confidentiality from a malicious server, but does not protect against this attack. To address this threat, we have implemented a client-side tool that cryptographically enforces visibility labels in Accumulo.
Our solution is called Cryptographically Enforced Attribute-Based Access Control (CEABAC), and consists of two components: an encryption protocol and a key management system. CEABAC generates a fresh encryption key for each cell, then encrypts this key based on the cell’s visibility field. To accomplish this, the user must be able to create, store, retrieve, and revoke keys associated with each attribute that can appear in the system. The protocol guarantees that, if keys are distributed appropriately, a client without the appropriate permissions to view a cell cannot decrypt it, even if they receive its ciphertext. In the talk we will discuss the CEABAC protocol, our key management solution, how we implemented it in Accumulo, and future directions for this work.
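The per-cell key idea can be sketched as follows. This is an added illustration, not CEABAC's actual protocol or code: it assumes the visibility label is given in OR-of-ANDs form, splits the cell key into XOR shares for each AND clause, and uses a SHA-256 keystream with HMAC as a standard-library stand-in for a real authenticated cipher; all function names are hypothetical.

```python
import hashlib, hmac, secrets

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _stream(key, nonce, n):
    # SHA-256 counter keystream: a stdlib stand-in for a real AEAD such as AES-GCM.
    blocks = (hashlib.sha256(b"enc" + key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, plaintext):
    nonce = secrets.token_bytes(16)
    ct = _xor(plaintext, _stream(key, nonce, len(plaintext)))
    tag = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return _xor(ct, _stream(key, nonce, len(ct)))

def encrypt_cell(value, clauses, attr_keys):
    # clauses: visibility in OR-of-ANDs form (an assumption of this sketch), e.g.
    # [["secret", "ops"], ["admin"]] stands for the label (secret&ops)|admin.
    cell_key = secrets.token_bytes(32)           # fresh key for this cell
    wraps = []
    for clause in clauses:
        attrs = sorted(set(clause))
        shares = [secrets.token_bytes(32) for _ in attrs[:-1]]
        last = cell_key
        for s in shares:                         # XOR of all shares == cell_key
            last = _xor(last, s)
        wraps.append({a: seal(attr_keys[a], s)
                      for a, s in zip(attrs, shares + [last])})
    return {"wraps": wraps, "ct": seal(cell_key, value)}

def decrypt_cell(cell, my_keys):
    for clause in cell["wraps"]:
        if all(a in my_keys for a in clause):    # holds every attribute in this AND
            cell_key = bytes(32)
            for a, wrapped in clause.items():
                cell_key = _xor(cell_key, unseal(my_keys[a], wrapped))
            return unseal(cell_key, cell["ct"])
    raise PermissionError("no attribute keys satisfy the visibility label")
```

A client holding only some attributes of an AND clause learns nothing about the cell key, because each share on its own is uniformly random.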