ETSI crypto-based access control standards land


Worried about enterprise security, access control, and GDPR? Relax, the standards bods at European Telecommunications Standards Institute (ETSI) have you covered.

Covered, that is, if you implement its latest encryption standards. ETSI's Technical Committee on Cybersecurity announced it has released two Attribute-Based Encryption standards designed to help organisations apply access controls to the personal data that European companies have to protect to comply with GDPR.

The aim is to make sure that personal data can only be decrypted if the attributes on a user's key match the encryption attributes.

ETSI reckons attribute-based encryption makes it easier to protect data with “secure by default” access control – access isn't bound to user name and password, for example, but rather to pseudonymous or anonymous attributes. Standardisation also makes interoperability easier, the standards body says.

ETSI's announcement gives HR access as an example: access to employee pay data could be restricted to users who have the attributes of an HR employee and have been working in the organisation for more than 12 months.

The standards body said using encryption to enforce access control provides better security than software-based solutions, and a given data set can be protected by one encryption attribute, making it efficient.

The specifications in question are ETSI-TS-103-458 and ETSI-TS-103-532.

ETSI-TS-103-458 defines the high-level requirements for attribute-based encryption, covering IoT devices, WLANs, cloud services, and mobile services.

Its four use cases cover access coming from an untrusted mobile network; WLAN access, in which data protection has to take into account end user credentials presented over different wireless networks; network edge and IoT environments, in which data access could be controlled either in the network or on the device; and cloud environments.

The standard (PDF) notes that in the mobile use case, for example, a user's IMEI might be exposed when travelling in a foreign country. Attribute-based encryption would, in that case, help protect stored data in the presence of a hostile listener on the network.


By providing user identity protection across its different use-cases, ETSI-TS-103-458 is designed to reduce the risk that a malicious third party could grab user credentials to access personal data in systems like corporate databases.

The other standard, ETSI-TS-103-532 (PDF here), goes into the technical implementation details of attribute-based encryption.

As ETSI's announcement explained, this “provides a cryptographic layer that supports both variants of ABE – Ciphertext Policy and Key Policy”, with various levels of security assurance to suit the cloud, mobile and IoT use-cases.
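The difference between the two variants, using the HR example above, as an added illustration that is not taken from ETSI's specifications. It models only which side carries the policy and which carries the attributes; no cryptography is performed, and the attribute names, policy encoding and class names are assumptions made for this sketch.

```python
# Added illustration: models only the access-structure matching of ABE.
# In a real scheme the match is enforced by the mathematics of decryption,
# not by an if-statement that software could skip.
from dataclasses import dataclass

# Assumed policy encoding: ("attr", name), ("and", p1, ...), ("or", p1, ...)
# or ("threshold", k, p1, ...) meaning "at least k of the children".
def satisfies(policy, attributes):
    """Return True if the attribute set satisfies the policy tree."""
    op = policy[0]
    if op == "attr":
        return policy[1] in attributes
    if op == "threshold":
        k, children = policy[1], policy[2:]
    elif op == "and":
        k, children = len(policy) - 1, policy[1:]
    elif op == "or":
        k, children = 1, policy[1:]
    else:
        raise ValueError(f"unknown gate: {op!r}")
    return sum(satisfies(c, attributes) for c in children) >= k

@dataclass(frozen=True)
class CPCiphertext:   # Ciphertext-Policy: the policy travels with the data
    policy: tuple
@dataclass(frozen=True)
class CPKey:          # ...and the user's key carries attributes
    attributes: frozenset
@dataclass(frozen=True)
class KPCiphertext:   # Key-Policy: the data is labelled with attributes
    attributes: frozenset
@dataclass(frozen=True)
class KPKey:          # ...and the user's key carries the policy
    policy: tuple

def can_decrypt(key, ciphertext):
    """Match key against ciphertext; the two variants never mix."""
    if isinstance(key, CPKey) and isinstance(ciphertext, CPCiphertext):
        return satisfies(ciphertext.policy, key.attributes)
    if isinstance(key, KPKey) and isinstance(ciphertext, KPCiphertext):
        return satisfies(key.policy, ciphertext.attributes)
    raise TypeError("key and ciphertext belong to different ABE variants")

# Constructed sample data; "tenure>12m" is an attribute the issuing
# authority would grant, not a comparison evaluated at decryption time.
PAY_RECORD = CPCiphertext(("and", ("attr", "dept:HR"), ("attr", "tenure>12m")))
HR_VETERAN = CPKey(frozenset({"dept:HR", "tenure>12m"}))
HR_NEW_HIRE = CPKey(frozenset({"dept:HR"}))
KP_RECORD = KPCiphertext(frozenset({"type:pay", "dept:HR"}))
KP_AUDITOR = KPKey(("or", ("attr", "type:pay"), ("attr", "type:expenses")))
```
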

ETSI-TS-103-532 includes an extensible cryptographic layer so it can be extended with new crypto schemes in the future, all the way up to the emerging “post-quantum cryptography” world.

