Low-overhead data encryption bound by attribute-based policy. Isolate and compartmentalise information flow based on arbitrary metadata.
With CABE, data of any size can be safely encrypted for transport through untrusted and hostile environments, while being labeled according to the identity and context of the producer. CABE can support any labelling schema as needed to support mission objectives — label data according to sensitivity, compartment, or based on any other selector.
Every object is bound to its associated label metadata and encrypted before transport or storage. Decryption is gated by an attribute-based access control (ABAC) policy, which can be configured as needed for the mission environment. Both protected data objects and the workloads that access them are assigned a set of metadata labels, and system policy determines which workloads can access which data according to arbitrary predicates over those labels.
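A toy model of the flow just described, added here as an illustration and not the CABE specification or its reference code: the label names, clearance ordering, policy predicates and key-derivation scheme are all assumptions, and the stdlib HMAC-based cipher stands in for the real envelope's AEAD.

```python
"""Toy model of attribute-bound encapsulation (added illustration, not the CABE spec):
labels are bound into key derivation and the tag, so a relabelled object fails to open."""
import hashlib
import hmac
import json
import os
from typing import Optional

MASTER_KEY = os.urandom(32)  # constructed: the key server's root secret
LEVELS = ["unclassified", "confidential", "secret"]  # assumed ordering

def canon(labels: dict) -> bytes:  # canonical label encoding (CABE uses CBOR; JSON here)
    return json.dumps(labels, sort_keys=True).encode()

def derive_key(labels: dict) -> bytes:  # per-label-set key (assumed scheme)
    return hmac.new(MASTER_KEY, b"toy-cabe|" + canon(labels), hashlib.sha256).digest()

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # HMAC-SHA256 counter-mode keystream; stdlib stand-in for an AEAD cipher
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def seal(labels: dict, plaintext: bytes) -> dict:
    """Producer: encrypt under the label-set key and MAC labels + nonce + ciphertext."""
    key, nonce = derive_key(labels), os.urandom(12)
    ct = _xor_stream(key, nonce, plaintext)
    tag = hmac.new(key, canon(labels) + nonce + ct, hashlib.sha256).digest()
    return {"labels": labels, "nonce": nonce, "ct": ct, "tag": tag}

def policy_allows(workload: dict, labels: dict) -> bool:
    """ABAC predicate: clearance dominates sensitivity and the compartment is held."""
    return (LEVELS.index(workload["clearance"]) >= LEVELS.index(labels["sensitivity"])
            and labels["compartment"] in workload["compartments"])

def request_key(workload: dict, labels: dict) -> Optional[bytes]:
    """Key server: release the label-set key only when policy permits."""
    return derive_key(labels) if policy_allows(workload, labels) else None

def unseal(workload: dict, env: dict) -> Optional[bytes]:
    """Consumer: obtain key via policy, verify the tag, then decrypt."""
    key = request_key(workload, env["labels"])
    if key is None:
        return None  # policy denied
    msg = canon(env["labels"]) + env["nonce"] + env["ct"]
    if not hmac.compare_digest(hmac.new(key, msg, hashlib.sha256).digest(), env["tag"]):
        return None  # labels or ciphertext altered, or key from a forged label set
    return _xor_stream(key, env["nonce"], env["ct"])
```

The point to note is the last case in the test: downgrading the label set to satisfy policy does not help, because the key released for the forged labels is not the one the object was sealed under.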
CABE is built on post-quantum-safe cryptographic primitives and on current internet standards such as the IETF's COSE and CBOR, giving a compact, low-overhead envelope format. CABE scales efficiently to messages of any size, from arbitrarily large down to a single byte.
Get hands-on with CABE concepts using the CABE Policy Simulator, an interactive browser-based introduction to attribute-based encapsulation built around a live demonstration of a real Cedar policy evaluation engine driving key management.
CABE is a family of publicly-available specifications that fit together in a cohesive framework.
The core specifications are critical to any CABE system.
Core envelope encapsulation format for CABE-protected messages.
The protocol used by CABE clients to interact with a CABE Key Server, and the reference architecture of CABE Key Servers.
Additional specifications provide extended functionality.
Defines an architecture for operating multi-Key Server CABE domains, including federation, high availability, and resilient operation in DDIL (denied, disrupted, intermittent, limited-bandwidth) environments.
Defines an isomorphic mapping between NATO ACP240 information classification labelling and CABE Attribute Sets.
An ultra-low-overhead encryption format for efficiently transporting large numbers of small units of information — even a single byte — in the context of a CABE Base Message.