Patents by Inventor Samuel Cunningham Nelson

Samuel Cunningham Nelson has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20240069990
    Abstract: Techniques are described herein for a messaging system to allow publishers that are aware of the identities of their respective subscribers to target content at those subscribers directly. This may be accomplished by allowing users and other targets (e.g., groups) to register their identities at particular computing nodes of a system. Then publishers (e.g., applications) may send out messages targeted at particular identities, and a publishing system may forward messages to appropriate nodes based on which identities are registered at those nodes. Legacy applications that are not able to target particular identities may instead connect to application adapters that are configured to learn which identities should be targeted by each application. In addition, anonymized identities may be used for application messages that need to cross between domains having differing security levels.
    Type: Application
    Filed: August 26, 2022
    Publication date: February 29, 2024
    Inventors: Stéphane Yannick Blais, Michael Hassan Atighetchi, Samuel Cunningham Nelson, Christopher Lawerence Willig
  • Patent number: 11831657
    Abstract: Techniques for enforcing trust policies for payload data transmitted through a data provisioning layer include: receiving, by a node in the data provisioning layer, payload data to be delivered to a recipient; obtaining, by the node, a trust policy indicating multiple attributes used to determine trustworthiness of payloads; determining, by the node, a set of values of the attributes associated with the payload data; generating, by the node, a trustworthiness opinion based at least on the trust policy and the set of values of the attributes; transmitting, by the node, the payload data and the trustworthiness opinion via the data provisioning layer toward the recipient; computing, by the recipient, a trustworthiness metric associated with the payload data based at least on the trustworthiness opinion; and determining, by the recipient, an action to take with respect to the payload data based at least on the trustworthiness metric.
    Type: Grant
    Filed: December 10, 2021
    Date of Patent: November 28, 2023
    Assignee: Raytheon BBN Technologies Corp.
    Inventors: William Timothy Strayer, Brandon Doherty Kalashian, Michael Hassan Atighetchi, Stephane Yannick Blais, Samuel Cunningham Nelson
  • Patent number: 11804949
    Abstract: Techniques for subscriber revocation in a publish-subscribe network using attribute-based encryption (ABE) are disclosed, including: generating a tree data structure including leaf nodes representing subscribers, subtrees of the tree data structure representing subsets of subscribers having different likelihoods of ABE key revocation; generating ABE keys associated with edges in the tree data structure; assigning ABE keys to the leaf nodes, each leaf node being assigned a subset of the ABE keys associated with edges that form a path from a root node to the leaf node; based at least on a revocation record that indicates one or more revoked subscribers, determining a minimal subset of ABE keys that covers all non-revoked subscribers; and encrypting a payload using an encryption policy requiring at least one ABE key in the minimal subset of the ABE keys, to obtain a ciphertext that is not accessible to the one or more revoked subscribers.
    Type: Grant
    Filed: March 19, 2021
    Date of Patent: October 31, 2023
    Assignee: Raytheon BBN Technologies Corp.
    Inventors: Joud Khoury, Samuel Cunningham Nelson, William Timothy Strayer
  • Patent number: 11558185
    Abstract: Techniques for stream-based key management are disclosed. A system obtains a first payload to be published to a first set of one or more subscribers, encrypts the first payload using a symmetric key, to obtain a first payload ciphertext, encrypts the symmetric key using an attribute-based encryption (ABE) policy associated with the first payload, to obtain a key ciphertext, and publishes the first payload ciphertext and the key ciphertext. The system obtains a second payload to be published to a second set of one or more subscribers. Responsive at least to determining that each subscriber in the second set of one or more subscribers is in the first set of one or more subscribers and the ABE policy is associated with the second payload, the system encrypts the second payload using the symmetric key, to obtain a second payload ciphertext, and publishes the second payload ciphertext without republishing the key ciphertext.
    Type: Grant
    Filed: March 19, 2021
    Date of Patent: January 17, 2023
    Assignee: Raytheon BBN Technologies Corp.
    Inventors: Joud Khoury, Samuel Cunningham Nelson, William Timothy Strayer
  • Publication number: 20220303115
    Abstract: Techniques for subscriber revocation in a publish-subscribe network using attribute-based encryption (ABE) are disclosed, including: generating a tree data structure including leaf nodes representing subscribers, subtrees of the tree data structure representing subsets of subscribers having different likelihoods of ABE key revocation; generating ABE keys associated with edges in the tree data structure; assigning ABE keys to the leaf nodes, each leaf node being assigned a subset of the ABE keys associated with edges that form a path from a root node to the leaf node; based at least on a revocation record that indicates one or more revoked subscribers, determining a minimal subset of ABE keys that covers all non-revoked subscribers; and encrypting a payload using an encryption policy requiring at least one ABE key in the minimal subset of the ABE keys, to obtain a ciphertext that is not accessible to the one or more revoked subscribers.
    Type: Application
    Filed: March 19, 2021
    Publication date: September 22, 2022
    Inventors: Joud Khoury, Samuel Cunningham Nelson, William Timothy Strayer
  • Publication number: 20220303127
    Abstract: Techniques for stream-based key management are disclosed. A system obtains a first payload to be published to a first set of one or more subscribers, encrypts the first payload using a symmetric key, to obtain a first payload ciphertext, encrypts the symmetric key using an attribute-based encryption (ABE) policy associated with the first payload, to obtain a key ciphertext, and publishes the first payload ciphertext and the key ciphertext. The system obtains a second payload to be published to a second set of one or more subscribers. Responsive at least to determining that each subscriber in the second set of one or more subscribers is in the first set of one or more subscribers and the ABE policy is associated with the second payload, the system encrypts the second payload using the symmetric key, to obtain a second payload ciphertext, and publishes the second payload ciphertext without republishing the key ciphertext.
    Type: Application
    Filed: March 19, 2021
    Publication date: September 22, 2022
    Inventors: Joud Khoury, Samuel Cunningham Nelson, William Timothy Strayer
  • Publication number: 20220103572
    Abstract: Techniques for enforcing trust policies for payload data transmitted through a data provisioning layer include: receiving, by a node in the data provisioning layer, payload data to be delivered to a recipient; obtaining, by the node, a trust policy indicating multiple attributes used to determine trustworthiness of payloads; determining, by the node, a set of values of the attributes associated with the payload data; generating, by the node, a trustworthiness opinion based at least on the trust policy and the set of values of the attributes; transmitting, by the node, the payload data and the trustworthiness opinion via the data provisioning layer toward the recipient; computing, by the recipient, a trustworthiness metric associated with the payload data based at least on the trustworthiness opinion; and determining, by the recipient, an action to take with respect to the payload data based at least on the trustworthiness metric.
    Type: Application
    Filed: December 10, 2021
    Publication date: March 31, 2022
    Inventors: William Timothy Strayer, Brandon Doherty Kalashian, Michael Hassan Atighetchi, Stephane Yannick Blais, Samuel Cunningham Nelson
  • Patent number: 11233707
    Abstract: Techniques for metadata-based information provenance are disclosed. A node in a data provisioning layer receives encrypted payload data to be delivered to a recipient. The node generates provenance metadata that describes at least one action taken by the node with respect to the encrypted payload data. The node transmits the encrypted payload data and the provenance metadata via the data provisioning layer toward the recipient.
    Type: Grant
    Filed: March 27, 2020
    Date of Patent: January 25, 2022
    Assignee: Raytheon BBN Technologies Corp.
    Inventors: Michael Hassan Atighetchi, Stephane Yannick Blais, Samuel Cunningham Nelson
  • Publication number: 20210306227
    Abstract: Techniques for metadata-based information provenance are disclosed. A node in a data provisioning layer receives encrypted payload data to be delivered to a recipient. The node generates provenance metadata that describes at least one action taken by the node with respect to the encrypted payload data. The node transmits the encrypted payload data and the provenance metadata via the data provisioning layer toward the recipient.
    Type: Application
    Filed: March 27, 2020
    Publication date: September 30, 2021
    Inventors: Michael Hassan Atighetchi, Stephane Yannick Blais, Samuel Cunningham Nelson
  • Patent number: 9571463
    Abstract: Systems and techniques for policy-based access control in content networks are herein described. Content and metadata describing the content may be encrypted by using an access control policy and a cryptographic key associated with the access control policy. The access control policy may be defined with a set of access control attributes. Each node in the content-based network may be assigned a set of access control attributes and a cryptographic key generated as a function of its assigned set of access control attributes. Each node in the content-based network may be configured to decrypt successfully the metadata or the content if and only if the assigned set of access control attributes of the node satisfies the access control policy used to encrypt the metadata or content.
    Type: Grant
    Filed: July 14, 2014
    Date of Patent: February 14, 2017
    Assignee: Raytheon BBN Technologies Corp.
    Inventors: William Timothy Strayer, Joud Khoury, Armando Luis Caro, Jr., Vikas Kawadia, Samuel Cunningham Nelson, V
  • Publication number: 20160014095
    Abstract: Systems and techniques for policy-based access control in content networks are herein described. Content and metadata describing the content may be encrypted by using an access control policy and a cryptographic key associated with the access control policy. The access control policy may be defined with a set of access control attributes. Each node in the content-based network may be assigned a set of access control attributes and a cryptographic key generated as a function of its assigned set of access control attributes. Each node in the content-based network may be configured to decrypt successfully the metadata or the content if and only if the assigned set of access control attributes of the node satisfies the access control policy used to encrypt the metadata or content.
    Type: Application
    Filed: July 14, 2014
    Publication date: January 14, 2016
    Inventors: William Timothy Strayer, Joud Khoury, Armando Luis Caro, Jr., Vikas Kawadia, Samuel Cunningham Nelson, V