The invention relates to the general field of telecommunications.
It more specifically concerns the field of data protection, in particular the management of access rights to personal and/or confidential data of a user stored on a storage server implementing an encryption primitive.
The invention thus has a preferred but nonlimiting application in the context of dematerialized computing, also called cloud computing, for the purpose of providing a remote space for storing data (e.g. personal and/or confidential data) that is secure, can be accessed by several users and offers dynamic management of access rights that can vary according to the data stored.
Today there are so-called “proxy re-encryption” solutions allowing a storage server to store, for a single user, personal and/or confidential data of this user in an encrypted form. These data are for example encrypted using a public-key encryption algorithm using the public key of the user. The server has no plaintext knowledge of the data thus stored, preserving their security and confidentiality. The storage server can however give access to this data to third parties authorized by the user without the latter having to disclose his private encryption key, and although this data was not initially addressed to these third parties.
Such a solution is for example described in the document by G. Ateniese et al. titled “Improved proxy re-encryption schemes with applications to secure distributed storage”, ACM Transactions on Information and System Security, vol. 9, n°1, February 2006.
According to this solution, a user U1 wishing to store data on the storage server encrypts this data using his public encryption key PK1 and provides the storage server with the data thus encrypted. The user U1 also generates and transmits to the storage server a so-called re-encryption or transition key intended for a user U2, giving this user U2 a right of access to this data. The storage server uses this re-encryption key to re-encrypt the encrypted data provided by the user U1 so that the user U2 can access it using his private key SK2.
In this way, the storage server never has access to the plaintext data of the user U1: this is because the re-encryption carried out by the storage server does not require any prior decryption of the data encrypted by the user U1. This solution is therefore secure.
However, this solution has the drawback that the user U1 who trusts the user U2 can effectively give him access rights for his data stored on the storage server, but cannot limit these access rights to only a selection of his data (for example a specific data file in a folder or directory). This solution offers sharing in “all or nothing” mode and therefore does not allow for fine-tuning of access rights to the data of the user U1 stored on the storage server.
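The re-encryption flow and its “all or nothing” effect can be illustrated as follows. This is an added example, not code from the cited document or from the invention: it uses the simpler ElGamal-style scheme of Blaze, Bleumer and Strauss in place of the pairing-based scheme of Ateniese et al., so the transition key here is computed from both private keys and is bidirectional. The group parameters, file names and plaintext values are toy values constructed for illustration.

```python
# Toy proxy re-encryption (Blaze-Bleumer-Strauss style) over the order-Q
# subgroup of Z_P^*. Parameters are tiny and constructed for illustration.
import secrets

P, Q, G = 2039, 1019, 4   # safe prime P = 2Q + 1; G generates the order-Q subgroup

def keygen():
    sk = secrets.randbelow(Q - 1) + 1          # sk in [1, Q-1], invertible mod Q
    return sk, pow(G, sk, P)                   # (SK, PK = G^SK)

def encrypt(pk, m):
    r = secrets.randbelow(Q - 1) + 1
    return (m * pow(G, r, P)) % P, pow(pk, r, P)   # (m*G^r, G^(SK*r))

def rekey(sk_from, sk_to):
    # Transition key SK_to / SK_from mod Q (needs both secrets in this toy scheme).
    return (sk_to * pow(sk_from, -1, Q)) % Q

def reencrypt(rk, ct):
    # Server-side step: only the second component is exponentiated; the
    # plaintext is never recovered and no private key is involved.
    c1, c2 = ct
    return c1, pow(c2, rk, P)                  # G^(SK1*r) -> G^(SK2*r)

def decrypt(sk, ct):
    c1, c2 = ct
    g_r = pow(c2, pow(sk, -1, Q), P)           # recover G^r
    return (c1 * pow(g_r, -1, P)) % P

def demo():
    sk1, pk1 = keygen()                        # user U1
    sk2, _ = keygen()                          # user U2
    files = {"report": 1234, "diary": 777}     # constructed plaintexts < P
    stored = {n: encrypt(pk1, m) for n, m in files.items()}   # held by the server
    rk = rekey(sk1, sk2)                       # a single transition key for U2
    shared = {n: reencrypt(rk, ct) for n, ct in stored.items()}
    via_u2 = {n: decrypt(sk2, ct) for n, ct in shared.items()}
    via_u1 = {n: decrypt(sk1, ct) for n, ct in stored.items()}
    return files, via_u2, via_u1

if __name__ == "__main__":
    files, via_u2, via_u1 = demo()
    print("U2 recovers every file of U1:", via_u2 == files)
```

The single transition key converts every ciphertext stored under PK1, including the file U1 may not have wished to share, which is the limitation described above.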
To overcome this drawback, Q. Tang describes a solution of conditional re-encryption (or “conditional proxy re-encryption”) wherein the data of the user U1 is no longer only encrypted for the user U1 but also for an access condition C1. The user U1 can still access his data stored on the storage server using his private key SK1. On the other hand, the access condition C1 determines, among the third parties trusted by the user U1, those who will be capable of accessing these data.
Thus if the user U1 wishes to offer access rights to data pertaining to the condition C1, he creates a key for re-encryption from himself to the user U2 for the access condition C1. This re-encryption key allows the storage server to convert the data encrypted for the user U1 and the condition C1 into data encrypted for the user U2. The user U2 can thus access the data associated with the access condition C1 on the storage server using his private key SK2.
If data pertains to a different access condition to C1 or belongs to a different user to U1, this re-encryption key pertaining to the user U1 and the access condition C1 will not allow the storage server to convert the data into data encrypted for the user U2 and decryptable by the latter using his private key SK2.
This solution is however not very flexible in practice.
Specifically, if one considers the example of a data file, once it is encrypted for an access condition C1, it is not possible to modify the latter, even at the request of the user U1. It is then necessary for the user U1 to intervene, retrieve the plaintext data file and restart the process of encryption and storage for the modified access condition.
Moreover, a data file is rarely isolated and is often included in a tree of files and/or directories. This tree can be more or less large (i.e. comprise more or fewer levels) and contain several sets of files in different directories, subdirectories etc.
It can be desirable for the user U1 to be able to apply different access conditions to different parts of this tree. But, if a directory of such a tree pertains to an access condition C1 (and therefore all the files it contains), it is not possible, with the solution proposed by Tang, to make a file contained in this directory also pertain to an access condition C2.
Furthermore, this solution does not make it possible to easily manage the updating of the tree of files, for example by inserting new files and/or directories into the tree, or by moving and/or copying one file and/or directory to another directory.