MY TAKE: Agile cryptography is coming, now that ‘attribute-based encryption’ is ready for prime time

By Byron V. Acohido

Encryption agility is going to be essential as we move forward with digital transformation.

Refer: The vital role of basic research

All of the technical innovation cybersecurity vendors are churning out to deal with ever-expanding cyber risks, at the end of the day, come down to protecting encrypted data. But cryptography historically has been anything but agile; major advances require years, if not decades, of inspired theoretical research.

Now comes something called attribute-based encryption, or ABE, a new approach to encrypting data that holds the potential to infuse agility into how encryption gets done online.

I had the chance to learn more about ABE from Brent Waters, a distinguished scientist in the Cryptography & Information Security (CIS) Lab at NTT Research. Waters has been a leading figure in deriving the mathematical concepts behind ABE. For a drill down on our discussion, please give the accompanying podcast a listen. Here are the key takeaways:

PKI basics

If you’re thinking encryption is the polar opposite of agile, you’re correct, historically speaking. Encryption is an arcane science that has long presented an irresistible challenge to the best and brightest researchers. Top mathematicians have been hammering away at improving encryption since before World War II. And since 2005 or so, one area of focus has been on sharpening the math formulas that make attribute-based encryption possible.

ABE opens the door to an advanced form of the Public Key Infrastructure, or PKI, the system we use to encrypt data, as well as to authenticate individual users and the web servers they log onto. PKI revolves around the distribution of digital certificates to validate the authenticity of websites. And this gets coupled with the encrypting of data that transits between a user and a web server.

As part of this well-established process, two different cryptographic keys – a public key and a private key – get issued. The public key gets used on both ends to encrypt the information that gets transmitted across the Internet; but only one party holds the corresponding private key to decrypt the data on the other end. “With PKI, when I’m encrypting, I have a particular person in mind to receive this data, and that person has a certain private key, so I’m targeting the data to that person,” Waters explains.

PKI has worked very well for expanding e-commerce into what it is today. That said, it may not be well-suited, in its current form, to achieve the level of security needed in an environment where companies rely on multi-cloud and hybrid cloud networks and wide-open software development.

Customized keys

Enter attribution-based encryption. ABE is a new form of public-key encryption in which a private key can be issued that works only when a specific set of conditions are met – and those conditions can range from simplistic to extensive. From what I learned from Waters, this capability appears to be exactly what’s needed to dramatically improve security where it really counts: at the data layer.

Waters gave me the example of a large online retailer transacting with customers and third-party suppliers, with all parties leveraging cloud processing and data storage, as well as participating in DevOps, a highly dynamic process to develop, acquire and leverage cool new apps at high speed.

In this frenetic environment, PKI is holding together an acceptable level of security. Yet, the bottom line is that the retailer, in this scenario, really has no choice but to accept the sizable risk that a private key will eventually get brute-forced hacked, stolen or simply left out in the open.

ABE alters this paradigm by, in essence, making it possible to issue highly customized private keys designed to serve very granular purposes. Say this online retailer needed a worker to analyze inventory data, but only with respect to information about a specific supplier at a certain location, during a specific window of time. Attribute-based encryption would enable this retailer to issue a private key that worked only when those parameters were met.

“Instead of targeting encryption to an individual, what you’re really doing is you’re encrypting with a policy in mind,” Waters says.

Fine-grained control

Granular encryption seems logical and straight forward, not much different than the data analytics Netflix uses to recommend movies, or that Visa and Mastercard use to detect fraud. So why isn’t it already standard practice? It took the scientific community seven years of focused research to derive the math formulas that moved ABE from being a nice, new cryptographic theory to a practical possibility. And that’s where we are today.


“We’ve theoretically shown that, using certain tools, we can do attribution-based encryption for any type of Boolean formula,” Waters told me. “We can do it for a very simple policy of A and/or B; or you can draw a tree and implement any type of much more complex policy that you can think of.”

The next step, he says, is for a few early-adopter enterprises to deploy ABE systems in a live environment. This would be one small step towards a giant leap forward, in terms of closing off gaping exposures that now exist and are only getting worse as digital transformation accelerates.

“The big bottleneck is not so much on the cryptographic research side, it’s actually more on the adoption sides,” Waters says. “If I’m the IT manager, I need to figure out how I want to go about doing fine-grained access control.”

This means taking stock of digital assets, gaining a deep understanding of all of the far-flung connectivity that’s being done in pursuit of digital agility and then thoughtfully writing more robust privileged access policies. This is the due diligence challenge of the moment for organizations of all sizes and in all sectors.

It’s the same obstacle that needs to be overcome in order for other promising cybersecurity frameworks to gain wider traction, movements such as Secure Access Service Edge (SASE) and Zero Trust Networking Access (ZTNA.) Attribute-based encryption falls into this bucket; it is another necessary ingredient to cybersecurity evolving into what it truly needs to be.

“We’re at the point where we need to start looking at the ecosystem built around deploying attribute-based encryption, maybe build a feedback loop back into the research,” Waters says. “My feeling is that the next steps aren’t so much where I live, which is on the cryptographic research side, it’s more on the ‘Hey, let’s deploy it and see what happens’ side.”

Clearly, encryption agility needs to happen. I’ll keep watch, and keep reporting.


Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.

(LW provides consulting services to the vendors we cover.)



Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someone