
SocIoTal Group Manager

sociotal edited this page Aug 29, 2016 · 42 revisions

The SocIoTal Group Manager component is based on the CP-ABE (Ciphertext-Policy Attribute-Based Encryption) cryptographic scheme, used as a flexible mechanism for secure group data sharing. The functionality of this component is split into two entities: the Group Manager Server, or Attribute Authority (AA), and the Group Manager Client. The Group Manager Client API allows obtaining cryptographic material, encrypting and decrypting data, and sharing encrypted information through the Context Manager. This library has been integrated to manage data sharing procedures within SocIoTal bubbles.

Group Manager Server (Attribute Authority)

The Group Manager Server, or Attribute Authority (AA), is an HTTPS server that accepts requests for CP-ABE key generation. The CP-ABE keys generated by the AA are associated with the identity attributes stored in the Keyrock IdM.

Group Manager Client

The Group Manager Client is an HTTPS client library intended to make requests to the Group Manager Server in order to obtain CP-ABE keys, which are used to share information securely with a group or bubble of entities. Additionally, the library provides the functionality required to encrypt and decrypt data, which can be used together with NGSI-9/NGSI-10 to communicate with the SocIoTal Context Manager.

Library

The Group Manager Client library can be used on Android devices; the following description refers to the material contained in that folder.

  1. For the time being, this library provides the functionality based on the following API:

    • Settings (String certsFolder, String trustedCerts, String cpabeKeyFile, String publicParamFile). It builds a Settings object by specifying the certificates folder path, the trusted certificates for the HTTPS connection, and the paths where the CP-ABE key and the public parameters will be stored.

    • GroupManagerClient (Settings settings, String clientID, String tokenID). It builds a GroupManagerClient object with the specified settings, as well as the client ID and token ID (obtained through the IdM API) of a specific user.

    • requestCPABEKey (String ipAttributeAuthority). It requests from an AA a CP-ABE key (required for decryption), as well as the cryptographic public parameters (required for CP-ABE encryption and decryption). In case of a successful authentication, a new CPABEObject is obtained containing the public parameters and the CP-ABE key returned by the AA. This key is associated with the set of identity attributes registered in the SocIoTal IdM for the requesting user.

    • encryptData(String public_parameters_file, CPABEPolicy policy, String data_value). It encrypts a piece of data according to the specified CP-ABE policy. The public_parameters_file is the file path where the public parameters required by CP-ABE are stored; they can be obtained by using the requestCPABEKey method. The policy parameter indicates the combination of identity attributes that must be satisfied by data consumers. The data_value parameter is the data to be encrypted. The method returns a String representing the encrypted data encoded in Base64, or null if the data could not be encrypted.

    • decryptData(String public_parameters_file, String private_key, String encrypted_data). It tries to decrypt a piece of data by using a specific CP-ABE key. The public_parameters_file is the file path where the public parameters required by CP-ABE are stored. The private_key parameter is the file where the CP-ABE key used to decrypt the information is stored. The encrypted_data parameter represents the encrypted data encoded in Base64. The method returns a String representing the decrypted data, or null if the private_key does not satisfy the policy that was used to encrypt.

    • updateContextEncrypted(String contextManagerIP, String entity, String context_attribute, String pubfile). It updates the value of an entity in the Context Manager, encrypting the value through the encryptData method. The contextManagerIP is the IP address of the Context Manager to which the encrypted data is uploaded. The entity parameter is a context entity already created in the Context Manager. The context_attribute is an attribute of that context entity. The pubfile is the name of the file where the public parameters required by CP-ABE are stored; this file must be under the sharing_material_folder folder specified in the GroupManagerClient_config.txt file. The policy parameter indicates the combination of identity attributes that must be satisfied by data consumers, in the format described above. Finally, the message is the new value of the context entity's attribute to be encrypted.

  2. The library provides basic functionality to communicate with the SocIoTal Context Manager, including the implementation of NGSI methods such as queryContext or updateContext.

  3. An example of using the library:

Example

import java.util.ArrayList;
import java.util.List;
import org.umu.https.contextmanager.client.HTTPContextManagerClient;
import org.umu.https.contextmanager.messages.ContextManagerMessage;
import org.umu.https.contextmanager.messages.QueryContextMessage;
import org.umu.https.contextmanager.messages.QueryContextResponse;
import org.umu.https.contextmanager.messages.UpdateContextMessage;
import org.umu.https.groupmanager.client.GroupManagerClient;
import org.umu.https.groupmanager.client.GroupManagerClientUtils;
import org.umu.https.groupmanager.client.Settings;
import org.umu.https.groupmanager.cpabe.CPABEObject;
import org.umu.https.groupmanager.cpabe.CPABEOperator;
import org.umu.https.groupmanager.cpabe.CPABEPolicy;

import es.um.security.idm.tokens.Token;
import es.um.security.idm.user.IdMUser;
import es.um.security.idm.user.IdMUserException;
import es.um.security.idm.user.implementation.KeyRockIdMUserClient;
import es.um.security.utilities.Protocols;

public class HTTPSGroupManagerClientTestSimple {
    // Local files where the CP-ABE key and public parameters obtained from the AA are stored
    private static final String CPABEKEY_FILE = "sharing_material_folder\\cpabe_key.txt";
    private static final String PUBLICPARAMETERS_FILE = "sharing_material_folder\\public_parameters.txt";
    private static final String AA_IP = "https://platform.sociotal.eu:8443/AttributeAuthorityServlet/AttributeAuthority";
    // Folder holding the certificates trusted for the HTTPS connections
    private static final String CERTS_FOLDER = "certs_sociotal/";
    private static final String [] TRUSTEDCERTS = {"PrivateRootCA.cer", "ca.cer", "UniversidaddeCantabria.cer", "UC.crt"};

    private static final String KEYROCK_IP = "platform.sociotal.eu";
    private static final String KEYROCK_PORT = "8443";
    private static final String CONTEXTMANAGER_IP = "http://platform.sociotal.eu:3500";
    private static final String QUERYCONTEXT_URI = "/SocIoTal_CM_REST_V3/NGSI10_API/queryContext";
    private static final String UPDATECONTEXT_URI = "/SocIoTal_CM_REST_V3/NGSI10_API/updateContext";

    public static void main(String[] args) {
        String client_id = "joseluis";
        String client_password = "joseluispass";
        Token auth_token = null;
        try {
            /* Authenticate against the Keyrock IdM to obtain the token presented to the AA */
            IdMUser identityManagerUser = new KeyRockIdMUserClient(Protocols.HTTPS, null, KEYROCK_IP, KEYROCK_PORT);
            auth_token = identityManagerUser.authenticateById(client_id, client_password);
        } catch (IdMUserException e1) {
            e1.printStackTrace();
            return; // without a token the Group Manager Client cannot request keys
        }
        String token_id = auth_token.getToken_id();

        Settings settings = new Settings(CERTS_FOLDER, TRUSTEDCERTS, CPABEKEY_FILE, PUBLICPARAMETERS_FILE);
        GroupManagerClient gm = new GroupManagerClient(settings, client_id, token_id);

        /* REQUESTING A CP-ABE KEY FROM THE AA */
        CPABEObject cpabeObject = gm.requestCPABEKey(AA_IP);
        if (cpabeObject == null) {
            System.out.println("The AA did not return a CP-ABE key (authentication failed?)");
            return;
        }
        System.out.println("CP-ABE key: " + cpabeObject.getCpabeKey());
        System.out.println("Public parameters: " + cpabeObject.getPublicParameters());
        System.out.println("Key attributes: " + cpabeObject.getAttributesKey());

        /* Persist the material so later runs can decrypt without contacting the AA again */
        GroupManagerClientUtils.storeCPABEKey(cpabeObject.getCpabeKey(), CPABEKEY_FILE);
        GroupManagerClientUtils.storePublicParameters(cpabeObject.getPublicParameters(), PUBLICPARAMETERS_FILE);
        GroupManagerClientUtils.storeMyAttributes(cpabeObject.getAttributesKey(), "myAttributes.txt");

        /************************/
        /****Encrypting data****/
        /************************/
        // Policy: only consumers holding BOTH attributes can decrypt
        List<String> attributes = new ArrayList<>();
        attributes.add("department=diic");
        attributes.add("organization=umu");

        CPABEPolicy cpabepolicy = new CPABEPolicy(attributes, CPABEOperator.AND);

        String message = "This is a test";
        String encryptedData = null;
        try {
            encryptedData = gm.encryptData(PUBLICPARAMETERS_FILE, cpabepolicy, message);
        } catch (Exception e) {
            e.printStackTrace();
        }
        if (encryptedData == null) {
            System.out.println("Encryption failed");
            return;
        }
        System.out.println("ENCRYPTED DATA:" + encryptedData);

        /************************/
        /****Decrypting data****/
        /************************/
        // Returns null when the stored key's attributes do not satisfy the policy
        String decryptedData = gm.decryptData(PUBLICPARAMETERS_FILE, CPABEKEY_FILE, encryptedData);
        System.out.println("Decrypted data: " + decryptedData);

        /* NGSI-10 queryContext / updateContext against the Context Manager */
        HTTPContextManagerClient cmc = new HTTPContextManagerClient();
        boolean isPattern = false;
        ContextManagerMessage queryContextMessage = QueryContextMessage.buildQueryContextMessage("entityID", "entityType", "attribute", isPattern);
        String s = cmc.getAccess(CONTEXTMANAGER_IP + QUERYCONTEXT_URI, queryContextMessage, "communityToken");

        QueryContextResponse qcr = new QueryContextResponse(s);
        System.out.println("queryContext response: " + qcr);

        ContextManagerMessage updateContextmessage = UpdateContextMessage.buildUpdateContextMessage("entityID", "entitytype", "attributename", "attributetype", "attributevalue", "UPDATE");

        String answer = cmc.getAccess(CONTEXTMANAGER_IP + UPDATECONTEXT_URI, updateContextmessage, "communityToken");
        System.out.println("updateContext response: " + answer);
    }
}
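The policy passed to encryptData decides which CP-ABE keys can later decrypt, and decryptData returns null when the key's attributes do not satisfy it. The following is an added example, not code from the Group Manager library, that models that decision locally over the flat AND/OR policies the page shows: it parses a constructed myAttributes.txt (assumed to hold one "name=value" attribute per line) and evaluates a policy against it. The Operator enum and the PolicyCheck class are assumptions mirroring CPABEOperator, not library types.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

/* Added example (not part of the SocIoTal library). Models the access check a
 * CP-ABE policy built as CPABEPolicy(attributes, CPABEOperator.AND|OR) performs:
 * a consumer's key decrypts only if its attribute set satisfies the policy. */
public class PolicyCheck {
    /* Assumed to mirror CPABEOperator: AND needs every attribute, OR needs at least one */
    enum Operator { AND, OR }

    /** Parses "name=value" lines, as stored by storeMyAttributes, into a set. */
    static Set<String> parseAttributes(String fileContents) {
        Set<String> out = new HashSet<>();
        for (String line : fileContents.split("\\R")) {
            String t = line.trim();
            if (!t.isEmpty() && t.contains("=")) {
                out.add(t);
            }
        }
        return out;
    }

    /** True if keyAttributes satisfies the flat policy (policyAttributes combined by op). */
    static boolean satisfies(List<String> policyAttributes, Operator op, Set<String> keyAttributes) {
        int matched = 0;
        for (String a : policyAttributes) {
            if (keyAttributes.contains(a.trim())) {
                matched++;
            }
        }
        return op == Operator.AND ? matched == policyAttributes.size() : matched > 0;
    }

    public static void main(String[] args) {
        // Constructed sample contents of two users' myAttributes.txt files
        Set<String> alice = parseAttributes("department=diic\norganization=umu\n");
        Set<String> bob = parseAttributes("department=dis\norganization=umu\n");
        // Same policy as the page's example: department=diic AND organization=umu
        List<String> policy = Arrays.asList("department=diic", "organization=umu");

        System.out.println("alice satisfies AND policy: " + satisfies(policy, Operator.AND, alice));
        System.out.println("bob satisfies AND policy: " + satisfies(policy, Operator.AND, bob));
        System.out.println("bob satisfies OR policy: " + satisfies(policy, Operator.OR, bob));
    }
}
```

Running this shows that bob fails the AND policy while alice passes it, which is exactly the case in which decryptData would hand bob a null result; running the check before calling decryptData lets an application report the missing attribute instead of a silent null.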

SocIoTal Bubbles Android Application

By making use of the Group Manager Client library, we have developed an Android application that provides data sharing procedures within SocIoTal bubbles. Before describing the application's functionality, we assume the user has already defined communities and bubbles through the Web User Environment (WUE). The main steps of the application are summarised below.

1. Once you have installed the APK, the main screen is shown, where you enter the user ID and password you provided when registering in the SocIoTal IdM.

2. You can configure the application through the Settings menu.

3. The Settings menu. Important: you need to download the certificates folder and make it accessible to the application by specifying its path in the Certificates Folder option.

4. On login, the application detects whether the user already has the cryptographic material required for sharing within bubbles.

5. If not, the user is required to obtain this material (CP-ABE key and public parameters) from the Attribute Authority.

6. Once the user has obtained the required cryptographic material, she can see her attributes (those associated with the CP-ABE key just obtained) and share within bubbles.

7. The My Attributes screen.

8. If the user clicks on Go to Share, the first screen lists the communities of that user (left image). The user had already defined those communities through the WUE (right image).

9. In this case, she clicks on the second community, in which a bubble is defined. The members field lists the entities associated with this bubble, while Policy shows the CP-ABE policy used to encrypt all the information of the entities associated with this bubble.

10. After clicking, the user can see the entities of that bubble, as well as the attributes of each entity.

11. The user can query each attribute of each entity in the bubble by clicking on Query (e.g. the attribute Location).

12. The user can update each attribute of each entity in the bubble by clicking on Update. In this case, she is asked to encrypt the value of the attribute being specified.

13. When she specifies the new value, it is encrypted with the policy defined for that bubble. The effect is visible in the WUE.

14. Finally, she is able to decrypt the new value.
