CP-ABE

Why we need it?

The CP-ABE component is integral to the proper usage of KeyTray and also works in cooperation with the SSE Client. Its main functionality is to ensure that both SSE keys are correctly encrypted, to avoid sending them as plain-text over the network and encrypting them on KeyTray, a flow that would create a security vulnerability. Moreover, it implements the reverse flow of decrypting the encrypted pair of SSE keys using the user’s ABE key, which is retrieved via Keycloak.

How does it work?

When a new pair of SSE keys need to be submitted to KeyTray, the SSE Client invokes the CP-ABE component in order to handle their encryption and secure transfer. CP-ABE first retrieves the user’s CP-ABE key stored in the Trusted Authority service and, taking into account the currently implemented access policy, encrypts the pair of SSE keys using both of the aforementioned parameters. This ensures that only users who possess attributes that satisfy the access policy requirements can access the SSE keys and the files they encrypt. The reverse flow of trying to decrypt a pair of SSE keys is done in a similar manner, with the requestor’s CP-ABE key determining if the decryption attempt is successful.